Self-Sovereign Identity: The Ultimate Beginners Guide!
After this post you’ll know exactly what Self-Sovereign Identity is, its characteristics, benefits and underlying technology.
Our expertise in SSI led us to where we are now: working with the Turkish Ministry of Foreign Affairs and the United Nations Development Programme, helping to increase refugee employability in Turkey with our Self-Sovereign Identity platform, Ana.
Let’s dive in.
Models of Digital Identity
The first model of digital identity was a Siloed one. Each organisation issued a digital identity credential to a user to allow them to access its services. Each user needed a new digital identity credential for every new organisation they engaged with. That provided a poor user experience. Just remember all the websites you had to register and create new passwords and login details for.
The second model of digital identity is called the Federated one. Because of the poor user experience of the first model, third parties began issuing digital identity credentials that allow users to log in to services and other websites. The best examples of this are “Login with Facebook” and “Login with Google” functionalities. Companies “outsourced” their identity management to major corporations who have an economic interest in amassing such large databases of personal data. This, of course, raises privacy and security concerns.
Facebook, Google and others became the middlemen of trust.
The emergence of Blockchain technology, Decentralized Identifiers and Verifiable Credentials allowed the creation of a third model of identity: Self-Sovereign Identity.
What is Self-Sovereign Identity?
A Self-Sovereign Identity is an identity you own. It’s yours.
Only you hold it, on your own personal digital identity wallet, and only you decide who gets to “see” it and what of it they get to “see”.
“Yes, but my national ID card, my Student ID and my Gym Membership card are all mine. They are in my pocket right now. What’s the difference?”
Let’s break down the differences:
When it comes to physical identification credentials, your Government, University, Gym, Employer or a Store (in case of a loyalty program), etc. issues you a physical credential (i.e. a card) attesting that you are a Citizen, Student, Member, Employee or Customer of that organisation.
The problem with current physical identification credentials:
- The process of obtaining them is often time consuming, bureaucratic and costly. For both the ID Owner and Issuer Organisation. This is worsened if you lose your ID and need to obtain a new one.
- They can be defrauded. Leading to impersonation and ID theft. The only way to check its authenticity is often by contacting the issuing organisation. The verifier has no means to constantly check authenticity with the issuers nor do the issuers have means to constantly confirm authenticity.
In 2017, 1 million children were ID theft victims. Children are a popular target, as these IDs help thieves establish a fraudulent ‘clean slate’. It cost families over $540 MM in out-of-pocket expenses. (source)
- They are not private. When you use them to prove something about yourself, the verifier has access to all the information in that credential. Information that, most times, they do not need.
- In more extreme cases, the issuer’s repository of the credentials can be destroyed and there is no way to confirm the identity’s authenticity, e.g. in war and natural catastrophe scenarios. We have met countless Syrian refugees who are unable to prove their academic qualifications because their universities have been destroyed.
When it comes to Digital IDs, you either register at a Service with a username/email address and a password or you use a third party login service like “Login with Facebook/Google”.
The problem with current digital identification credentials:
- Having to register and sign up with different login credentials to every new online service is cumbersome for the user. The issuer has increased friction during on-boardings. Managing multiple passwords is hard and using the same password is a security risk (for password management, we’re big fans of 1Password. We highly recommend them if you want to increase your password security).
- No control over what data is being shared and with whom.
- The verification of your credentials is dependent on the availability of the issuer. If their service is offline, or disappears, your credentials cannot be verified.
- Third party login services have a financial incentive to collect and store your data. In return for simplifying your sign-up routines, your privacy is compromised. Your meta-data becomes easily correlated which, in the best case, makes you trackable for advertising and, in the worst case, may be used to sway an election.
- Your personal data is stored on the issuer’s servers. Centralised storages of personal data create “honeypots”. This data is at risk of breaches, leaks or hacks. Putting the user in harm’s way – as their data can be exploited – but also the organisation. Exposing it to Privacy related fines (i.e: GDPR) and loss of customer’s trust.
Characteristics of Self-Sovereign Identity
So what makes Self-Sovereign Identity different from the above mentioned Physical IDs and current Digital IDs?
Why is SSI better?
- A secure and digital peer-to-peer channel is established between ID Issuer, ID Owner and ID Verifier. When credentials are exchanged not even the Self-Sovereign Identity system provider knows what is being exchanged. Credential issuing becomes simpler and faster.
- SSI Credentials are tamper-proof through the use of cryptography.
- They are private and under your control. SSI uses Selective Identity disclosure technology.
The ID Owner chooses what attributes of their identity they want to “show” and is always in control of the relationship with ID Verifiers (knowing what data is being shared).
- Self-Sovereign Identity credentials can be verified anywhere, at any time. Even if the issuer does not exist anymore (with the exception of situations where the issuance of credentials happened using Private DIDs and the DID of the issuer was not written on the ledger. More about what DIDs are later in this blog).
- Personal Data is not stored on centralised servers. Avoiding the honeypot problem. Meaning that for hackers to steal 50 million digital identity records they would have to hack those 50 million people individually. Considerably more difficult.
- Self-Sovereign Identity tries to abolish multiple passwords. You just need to know your wallet password.
For an Identity to be Self-Sovereign it has to:
- be User-centric. Each user owns his own data and does not rely on a central entity to prove claims about himself.
- allow for Consent and Control. Each user has full control and consent on what personal information he is sharing and with whom.
- be Interoperable. Self-Sovereign Identity uses a common identity metasystem. This allows users to verify their identity across multiple platforms and locations (that use the same metasystem).
A Self-Sovereign Identity is thus portable, private and secure.
How does Self-Sovereign Identity work?
Let us give you a real-world example of Self-Sovereign Identity in action. Recently we piloted this technology in Turkey with the Ministry of Foreign Affairs, the United Nations Development Programme and the Istanbul Chamber of Commerce.
The objective? With more than 3 million refugees in the country, Turkey wants to implement Self-Sovereign Identity to help increase refugee employability and financial independence.
This is how the pilot played out:
- (Syrian) Entrepreneurs need to complete a Work Permit application in order to hire refugees. Currently, this process is lengthy and paper-based.
- Several Syrian Entrepreneurs physically verified their ID with the Chamber of Commerce. The Chamber of Commerce used our Ana Dashboard to issue them a digital cryptographic proof, a Verifiable Credential, attesting that they have a registered business.
- The Syrian Entrepreneurs stored those credentials in their digital identity wallets. Our Ana app.
- Without leaving the Ana app, the Entrepreneurs were able to start a Work Permit Application and use their Verifiable Credentials to prove their identity and that they own a registered business.
A demo of Ana.
In the future, job-seeking refugees may also be able to request digital credentials such as the Work Permit itself or their Residence Permit. They’ll be able to hold those credentials in their Ana wallet as Verifiable Credentials and use them to prove their identity and access services directly from their mobile phone. Turning time-consuming, bureaucratic and costly processes into easier and fast ones.
Using Self-Sovereign Identity, applying for a Work Permit becomes simpler and faster. With just a few taps.
In this case Ana uses Self-Sovereign Identity to:
- make the credentials issued by the Chamber of Commerce become digital, tamper-proof and verifiable anywhere, at any time.
- establish a secure and digital peer-to-peer connection between the Chamber of Commerce and the Entrepreneur. Not even we can see what is exchanged between them.
Self-Sovereign Identity and Blockchain
But what about the underlying tech?
Blockchain technology, Decentralized Identifiers and Verifiable Credentials are the 3 pillars of Self-Sovereign Identity.
As conceptualised and standardised by the W3C, the Verifiable Credentials protocol is one of the three pillars of Self-Sovereign Identity, together with the Decentralized Identifiers protocol and Distributed Ledger Technology (or Blockchain).
The physical credentials we use in our daily lives – like ID Card, Driver’s license, Health Insurance Card or even a University Diploma – rarely have a counterpart in the digital world. How could a digital credential, a digital asset, be as trustworthy as the physical ID Card that your Government issued to you?
According to W3C, “Verifiable credentials represent statements made by an issuer in a tamper-evident and privacy-respecting manner.” (source)
Verifiable Credentials, in essence, allow for the digital watermarking of claims data through a combination of public key cryptography (more on this later!) and privacy-preserving techniques to prevent correlation. The effect of this is that not only can physical credentials safely be turned digital, but holders of such credentials can also selectively disclose specific information from a credential without exposing the actual data (imagine proving you are above the age of 21 without having to show your ID card!), and third parties are instantly able to verify this data without having to call upon the issuer.
In the following W3C graphic, we can see clearly the relationship between ID Issuer, ID Holder and ID Verifier and how a Verifiable Data Registry (the blockchain) is used to verify the credentials’ data without the need to contact the issuing party.
There are two different levels of privacy preservation:
- Selective Disclosure
  - In selective disclosure you can generate proofs from just a few attributes of a credential.
  - E.g. if you have to prove your age with a Driver’s License and you are not comfortable sharing the address that comes in the driver’s license credential, you can prove your age while leaving the address out.
- Zero-Knowledge Proof
  - In a ZKP you can prove an attribute from a credential without actually revealing its value.
  - In the above example of the Driver’s License, you can prove that you are above 18 without revealing your date of birth.
A Zero-Knowledge Proof is a method of authentication that, through the use of cryptography, allows one entity to prove to another entity that they know certain information or meet a certain requirement without having to disclose any of the actual information that supports that proof. The entity that verifies the proof has thus “zero knowledge” about the information supporting the proof but is “convinced” of its validity. This is especially useful when and where the prover entity does not trust the verifying entity but still has to prove to them that they know specific information.
Verifiable Credentials, and Self-Sovereign Identity, use this to allow a person to prove that their personal details fulfil certain requirements without revealing the actual details.
For example, one could prove that she is over 18, without showing her exact date of birth.
The following W3C graphic demonstrates this. It shows how two credentials could be presented to prove that the ID holder is over 18 years of age and has a University degree:
Decentralized Identifiers (DIDs) are an integral part of Self-Sovereign Identity. They allow for the creation of unique, private and secure peer-to-peer connections between two parties.
Currently, we are reliant on the identifiers from intermediaries such as Google, Facebook, email providers or mobile network operators to connect us. This has big consequences for our privacy, since the (meta)data gathered by those parties from the interactions over those connections are not within our control.
Even when using a messaging service such as WhatsApp, where your communication is encrypted, the intermediary (Facebook) can still see and collect your metadata. This alone could tell them: who you messaged, at what time, for how long, in which intervals, from what location, while using which apps.
By then taking that data and combining it with other (meta)data from you and the friend you messaged, these intermediaries can create a much more accurate profile. For instance, if your friend was talking to you about race bikes, it might just be that you get targeted ads for race bikes as well, even though your conversation was end-to-end encrypted, just because your friend searched for race bikes around the time you talked!
While ads about race bikes are mostly harmless (mostly), these data correlation practices at scale have also been used to interfere in elections. This is in part a result of having the power over these identifiers be in the hands of a centralised few, with near unrestricted access to your private information.
Back to Decentralized Identifiers. We can make a distinction between two types of DIDs: Public DIDs & Private DIDs (sometimes called “peer”, “pairwise”, “pseudonymous” or “pairwise-pseudonymous” DIDs).
Private DIDs can be exchanged between two parties to create a secure channel that no one else is privy to. This means no third party has knowledge of what happens across that channel or who is behind it. The best part? You can spin up as many separate DIDs for as many separate relationships as you see fit to prevent correlation of your private information, without relying on a single central authority. No more unsolicited race bike ads! (Or election meddling, hopefully).
In a world where private DIDs are the default, public DIDs, then, are strictly for when a subject wants to be publicly identifiable (e.g. a government office issuing passports). They could also be used to kick off the exchange of private DIDs between two parties.
So, what does this mean in practice? Imagine the government wants to issue you a digital version of your passport alongside your physical copy. You intend to leave the physical version in a safe at home and use the digital version for practical matters.
At the municipal service desk, you are asked to scan a QR-code. Here, the DIDs are exchanged, creating the secure connection. Through this secure connection, the clerk now issues you your digital passport in the form of a Verifiable Credential. You accept, storing it in your (digital) wallet.
Now, on your way home, you decide to pick up a bottle of wine for dinner, and because you use night cream, the cashier asks for your ID. Not wanting to share a host of private information with a stranger (i.e. full name, date of birth, place of birth, document number, etc.), you generate a QR-code from your wallet that proves you are of legal drinking age!
The cashier scans it (again, exchanging DIDs, creating a secure connection) and verifies that this proof is indeed true and derived from a valid form of identification, issued by a valid authority. This is all done automatically on the backend, in part by checking the public DID of the municipality, as well as the schema, credential definition and revocation registry, all registered to the verifiable data registry, or blockchain. Hello, private dinner-time vino!
DIDs, then, also benefit institutions and organisations who issue or verify identity. Their decentralized nature makes identity always available for verification. As opposed to a system where identity is in a centralized database that may be rendered useless if it goes offline for any reason (or, in a worst case scenario, is destroyed).
Kim Hamilton Duffy, Co-chair of W3C Credentials Community Group and Architect of the Digital Academic Credentialing Infrastructure at MIT (Digital Academic Credentials Initiative), considers DIDs an important tool for the proliferation of Self-Sovereign Identity. Managing cryptographic keys is a cumbersome process. DIDs make it easier for an individual to “retain ownership of their identifiers over time”. Kim adds that “They offer cryptographic strength while factoring in the full lifecycle of keys, including expiration and revocation”. Decentralized Identifiers help prevent a “situation in which all of a person’s data is tied to a single individual identity profile” by allowing an individual to have as many DIDs as he or she may wish in order to “curate their identity profiles and increase their privacy”. (source)
Distributed Ledger Technology (DLT), commonly simply called “Blockchain Technology”, refers to the technology behind decentralized databases providing control over the evolution of data between entities through a peer-to-peer network, using consensus algorithms that ensure replication across the nodes of the network.
More simply put:
Imagine a book (or ledger) that anyone could obtain, free of charge, where anything written on its pages would be there forever, and at the same time, would be cross-referenced with the other books to check whether what was written is valid and true; this is the essence of DLT.
In identity management, a distributed ledger (a “blockchain”) enables everyone in the network to have the same source of truth about which credentials are valid and who attested to the validity of the data inside the credential, without revealing the actual data.
Through the infrastructure of a blockchain, the verifying parties do not need to check the validity of the actual data in the provided proof but can rather use the blockchain to check the validity of the attestation and attesting party (such as the government) from which they can determine whether to validate the proof.
For example, when an identity owner presents a proof of their date of birth, rather than actually checking the truth of the date of birth itself, the verifying party will validate the signature of the government that issued and attested to this credential, and then decide whether they trust the government’s assessment of the accuracy of the data.
Hence, the validation of a proof is based on the verifier’s judgement of the reliability of the attestor.
By leveraging blockchain technology Self-Sovereign Identity establishes trust between the parties and guarantees the authenticity of the data and attestations, without actually storing any personal data on the blockchain.
This is crucial as a distributed ledger is immutable, meaning anything that is put on the ledger can never be altered nor deleted, and thus no personal data should ever be put on the ledger.
An example of the architecture of Ana, Tykn’s Self-Sovereign Identity platform:
Self-Sovereign Identity Wallet
In the context of Self-Sovereign Identity, a wallet is the place (e.g.: a mobile app) where ID Owners store their credentials.
What makes the wallet and the credentials secure?
Each credential is made of several pairs of public and private keys.
Public and Private Keys
Asymmetric cryptography is one of the most used and most important methods of securing communications. This is because the key that encrypts the data is completely different from the one that decrypts it.
The most common asymmetric keys are built on an algorithm called Rivest–Shamir–Adleman (RSA). This algorithm always generates a pair of keys: a private key and a public key.
When encrypting data with the private key, only the public key can decrypt it.
If you encrypt data with the public key, only the private key can decrypt it.
As a side note: this encryption method is the keystone of modern HTTPS communication because it makes it really safe to exchange data between servers and clients. The clients hold the public key and the server uses the private key to serve the information.
Back to Self-Sovereign Identity wallets:
The public key is exchanged with the other party. When sending information, your wallet encrypts the data using your private key. The other party is able to read that data because they possess the previously shared public key.
Each connection holds its own pair of public and private keys, stored in the wallet.
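The issue, selective-disclosure and verification flow from the sections above, as an added example (not code from this post or from Ana): the issuer signs salted hashes of the attributes, the holder reveals only `over_18`, and the verifier checks the signature with the issuer's public key looked up by DID. The `did:example:municipality` DID, the in-memory registry, the sample passport and the toy textbook-RSA signature (fixed primes, no padding, not secure) are assumptions chosen so it runs with the Python standard library only; it shows selective disclosure, not a zero-knowledge proof.

```python
"""Salted-hash selective disclosure with an issuer signature (added demo)."""
import hashlib
import json
import secrets

# Toy textbook-RSA signature so the demo needs only the standard library:
# fixed, publicly known Mersenne primes and no padding. NOT secure; a real
# wallet would use a vetted signature library.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
ISSUER_PUBLIC = (P * Q, E)                       # (n, e), published
ISSUER_PRIVATE = pow(E, -1, (P - 1) * (Q - 1))   # d, known only to the issuer

# Constructed stand-in for the verifiable data registry (the ledger): it maps
# the issuer's public DID to its public key and lists revoked credential ids.
# No personal data is stored in it.
ISSUER_DID = "did:example:municipality"
REGISTRY = {"keys": {ISSUER_DID: ISSUER_PUBLIC}, "revoked": set()}


def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, private_d: int, public: tuple) -> int:
    """Private-key operation: only the issuer can produce this value."""
    return pow(_digest_int(data), private_d, public[0])


def signature_ok(data: bytes, signature: int, public: tuple) -> bool:
    """Public-key operation: anyone holding (n, e) can check the signature."""
    n, e = public
    return pow(signature, e, n) == _digest_int(data)


def _commit(salt: str, name: str, value) -> str:
    # The random salt stops a verifier from guessing hidden low-entropy
    # values (such as a date of birth) by hashing candidates.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def _payload(signed: dict) -> bytes:
    return json.dumps(signed, sort_keys=True).encode()


def issue(credential_id: str, attributes: dict) -> dict:
    """Issuer: sign salted digests of the attributes, not the attributes."""
    salts = {name: secrets.token_hex(16) for name in attributes}
    signed = {
        "id": credential_id,
        "issuer": ISSUER_DID,
        "digests": sorted(_commit(salts[n], n, v) for n, v in attributes.items()),
    }
    return {
        "signed": signed,
        "signature": sign(_payload(signed), ISSUER_PRIVATE, ISSUER_PUBLIC),
        "attributes": attributes,  # attributes and salts stay in the wallet
        "salts": salts,
    }


def present(credential: dict, reveal: list) -> dict:
    """Holder: disclose only the chosen attributes, each with its salt."""
    return {
        "signed": credential["signed"],
        "signature": credential["signature"],
        "disclosed": [
            [credential["salts"][n], n, credential["attributes"][n]] for n in reveal
        ],
    }


def verify(presentation: dict, registry: dict = REGISTRY) -> dict:
    """Verifier: return the disclosed attributes or raise ValueError."""
    signed = presentation["signed"]
    public = registry["keys"].get(signed["issuer"])
    if public is None:
        raise ValueError("issuer DID not found in registry")
    if signed["id"] in registry["revoked"]:
        raise ValueError("credential has been revoked")
    if not signature_ok(_payload(signed), presentation["signature"], public):
        raise ValueError("issuer signature does not match")
    disclosed = {}
    for salt, name, value in presentation["disclosed"]:
        if _commit(salt, name, value) not in signed["digests"]:
            raise ValueError(f"attribute {name!r} is not covered by the signature")
        disclosed[name] = value
    return disclosed


if __name__ == "__main__":
    # Constructed sample passport credential.
    passport = issue("cred-001", {"name": "Alex Doe",
                                  "date_of_birth": "1990-04-12",
                                  "over_18": True})
    print(verify(present(passport, ["over_18"])))  # only the age flag is shown
```

Every presentation of this credential carries the same signature and digest list, so two verifiers can link them to one holder; schemes built on zero-knowledge proofs avoid that correlation handle.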
The Benefits of Self-Sovereign Identity
An identity management system where organisations store the minimum necessary personal data of their users means less personal data management and less bureaucracy. Reducing data management costs and increasing the efficiency of identification processes. All while putting people’s privacy and security first.
According to Darrell O’Donnell, a digital identity expert, companies are realizing the major liability that is storing personal data of customers (or employees). Every breach, loss or theft of personal data may turn into significant lawsuits and fines. Which may mean that, in the near future, companies will also start working their way into Self-Sovereign Identity solutions.
Self-Sovereign Identity Use Cases
Self-Sovereign Identity is benefiting several industries. Reducing governmental bureaucracy, shaping a more efficient healthcare system, detecting academic fraud, creating a better banking experience, helping to provide a more efficient humanitarian aid distribution system and helping companies avoid personal data breaches and GDPR fines.
KYC – Know Your Customer
Since 2016, Rabobank, one of The Netherlands’ biggest banks has been researching Self-Sovereign Identity.
Rabobank believes that with their extensive “Know Your Customer” – KYC – and due diligence processes, they could provide “directly verifiable data” that the customer could provide to third parties or use verifiable credentials in order to onboard new customers.
We interviewed one of Rabobank‘s Blockchain Specialists, David Lamers, about the work they have been developing regarding Self-Sovereign Identity.
Another use case that Rabobank believes can bring added value to customers is in regards to Mortgages.
Mortgage flows require a lot of time and documents from several different sources. Most of those documents are not verifiable. Self-Sovereign Identity would allow for the direct verification of that data and the source.
Rabobank also wants their employees to be in control of their own data.
Reusing “certificates or assessments they achieved or did at Rabobank everywhere else. Therefore we do projects in order to save certificates, diplomas, trainings and employment credentials”. They believe SSI would “drastically improve employee onboarding times”.
The government of British Columbia, Canada, is using an open-source blockchain framework, Hyperledger Indy, to streamline their services and cut red tape.
Canadian companies claim they waste more than 6 billion dollars (CAD) every year on unnecessary bureaucracy. This governmental project – The Verifiable Organizations Network – believes decentralized identities and trusted credentials are the solution.
Each Canadian business owner has to use three different tax numbers and navigate three different levels of governmental bureaucracy: local, provincial and federal.
Using Self-Sovereign Identity, one trusted organisation within the value chain – such as the provincial government – can issue a digital Verifiable Credential to the business owner and the other organisations – such as the federal government or a financial institution – can verify that credential and trust the attestation made by the first organisation.
According to Product Lead John Jordan, their team wanted to show that this innovative technology can even be applied to more than just identity.
Use cases such as “professional associations that register members like doctors, nurses, or engineers; standards groups that certify food as organic or kosher; or businesses that need to prove their facilities have been inspected”. It can be used “to support private and secure P2P connections where verifiable credentials can be used to build trusted relationships. This can help streamline any process that involves trust.”
Tykn has been working with the Turkish Ministry of Foreign Affairs to leverage Self-Sovereign Identity to help increase refugee employability in Turkey.
The European Self-Sovereign Identity Network (ESSIF)
In 2019, the European Commission announced the creation of EBSI, the European Blockchain Services Infrastructure.
EBSI “aims to become a ‘gold standard’ digital infrastructure to support the launch and operation of EU-wide cross-border public services leveraged by blockchain technology” (source). That’s according to Daniel Du Seuil and Carlos Pastor Matut, convenors of ESSIF, one of EBSI’s use-cases.
ESSIF, the EU Self-Sovereign Identity Framework, intends to implement a “generic Self-Sovereign Identity capability, allowing users to create and control their own identity without relying on centralized authorities” (source)
Among others, the problems ESSIF wants to solve are data silos, lack of data control, privacy issues, lack of universality and interoperability.
For more information on ESSIF, you can check Daniel’s and Carlos’ great presentation on it.
Tykn leads the development of the 121’s Digital Identity Backend.
121 is an Initiative of the 510 Data Team of The Netherlands Red Cross and began in 2018.
121 believes a digital identity creation will speed up Cash Based Aid in the future, by allowing people affected to access aid digitally and safely. 121 co-designs with People Affected by disasters, Aid Workers and People Donating, and uses robust and available technology to create the solutions you need.
Tykn’s Digital Identity Backend System is built on Sovrin technology, a distributed, global public utility that establishes a Self-Sovereign Identity network. It utilizes the W3C’s Decentralized Identifiers (DIDs) standard and consequently offers an interoperable identity management system back-bone.
Sovrin’s ledger enables everyone in the network to have the same source of truth about which credentials are valid, which are revoked and who attested to the validity of the data inside the credential, without revealing the actual data.
The importance of identity is paramount in the healthcare industry. According to a World Bank report on The Role of Digital Identification for Healthcare:
“Providers need to know a patient’s identity to access relevant medical and treatment histories and ensure that they are giving consistent and appropriate care.
Patients also need documentation to prove enrollment in insurance programs or other safety nets that cover medical expenses. (…)
Health insurers need to be able to identify patients to ensure that those for whom claims are submitted are actually insured and to facilitate the adjudication of claims based on the patient’s history.
A secure, inclusive, and responsible method of uniquely identifying and authenticating healthcare users over time and across facilities is central to each of these needs and the goal of achieving universal health care”.
Although this World Bank report focuses on the use of unique identifiers – which are a matter of concern privacy-wise due to the possibility of correlation – we deem the reasons it presents for the importance of identification in healthcare valid.
Efficient identification becomes jeopardized in countries where identity and information systems are weak. Either because their records are paper-based or because their digital identity management system does not allow for interoperability with other systems. Impeding record or data transferring between organisations. Which ultimately leads to less efficient health services.
Private and secure channels for data transfer, that provide trust between health facilities, patients, insurers and government are thus of absolute importance. One that a Self-Sovereign Identity could provide.
Interoperable Healthcare Systems
By using a common identity metasystem, institutions within the healthcare industry could easily and seamlessly verify digital Verifiable Credentials issued by other organisations (and even issue some themselves). A healthcare facility could trust the authenticity of a patient credential without even having to check the actual data there contained.
These privacy maintaining channels would be assured through cryptography and Zero-Knowledge Proofs. The verifying organisation would just have to check the blockchain to verify the authenticity of the signature of the attesting organisation or physician. If the signature matches the one in the patient’s credential, it’s authentic.
And you may ask, “But how do we know whether to trust the physician?”.
Phil Windley, Sovrin’s Chairman, answers this question: “Professionals can also create proofs from verifiable claims written about them to show that they have specific qualifications, certifications, or work at specific institutions. These claims are, in turn, verifiable in the same manner, creating a chain of trust.”
Non-interoperable identity systems are costly for the institutions and troublesome and stressful for the users. When patients arrive at the new facility, the need for duplicated registrations and paperwork increases bureaucracy for one side and frustrates patients in need of care.
“By allowing for secure and accurate identification and authentication of patients and enabling information exchange, they can increase the efficiency of patient management, improve the quality of treatment, reduce administrative burdens for patients, facilitate access to insurance, reduce fraud, and improve data collection.” (World Bank Report)
The digitization of healthcare identity systems is not enough though. Institutions must make sure their digital records are private and secure. Centralised healthcare records pose a major privacy risk for both patient and organisation.
Self-Sovereign Identity is the innovation in healthcare that provides the decentralization, security, privacy and interoperability for a more efficient healthcare system.
More than 1 billion people around the world do not have a recognised identity document. Some of them because they never had it in the first place.
Having no identity documents has grave consequences for these peoples’ lives as they are not able to access healthcare, education or banking services.
An interoperable identity system would allow hospitals, midwives or birth facilities to easily communicate a birth to the government who can instantly issue a digital birth certificate.
Identity and Access Management (IAM) software is used by companies to authenticate, authorize, manage and create a central repository of their users/employees.
Whenever a new employee is onboarded into a company, a whole new set of accounts has to be created. A lot of different accounts. From a simple email account to databases, servers, AWS or even Slack.
Once this employee leaves, all these accounts have to be revoked the same way they were created: manually, one by one. A single credential that is not properly revoked can open the door to a vulnerability, as a malicious former employee can access the company’s network and steal data.
Through the use of Self-Sovereign Identity, the user would be onboarded on all the different services using his own credential or one created by the company, one that the employee would store in his identity wallet. At the moment of revocation, only one credential would have to be revoked to cut access to all of the accounts.
Self-Sovereign Identity could also be an innovation for the Identity and Access Management space by improving the audit trail. For compliance reasons, these enterprise software products keep a log of user access for fraud prevention. The way that log is stored, sometimes as a plain text file, is a concern though, as privileged users could modify or delete logs for nefarious reasons. Blockchain, due to its immutable nature, could be a prime use case for access log security.
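To make the audit-trail point concrete, here is an added example (not code from this guide or from any IAM product) of the property a ledger gives an access log: each entry is bound to the hash of the previous one, so an edit, a deletion or a full rewrite is detected on verification. A plain SHA-256 hash chain stands in for the blockchain, the function names and sample events are constructed for illustration, and the head hash is assumed to be anchored somewhere the log administrator cannot write.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the chain

def entry_hash(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_entry(log, record):
    """Append a record, binding it to the hash of the previous entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev_hash,
                "hash": entry_hash(prev_hash, record)})
    return log[-1]["hash"]  # head hash, to be anchored outside the log

def verify_log(log, anchored_head):
    """Return (ok, reason); anchored_head is the head hash stored elsewhere."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash:
            return False, f"entry {i}: broken link (entry removed or reordered)"
        if entry["hash"] != entry_hash(prev_hash, entry["record"]):
            return False, f"entry {i}: record modified"
        prev_hash = entry["hash"]
    if prev_hash != anchored_head:
        # The chain is internally consistent but is not the one that was anchored.
        return False, "head mismatch (log truncated or rewritten)"
    return True, "ok"

def build_sample_log():
    # Constructed sample access events, not real data.
    events = [
        {"ts": "2020-01-06T09:00:00Z", "user": "alice", "action": "login", "target": "db01"},
        {"ts": "2020-01-06T09:05:00Z", "user": "bob", "action": "read", "target": "hr-share"},
        {"ts": "2020-01-06T09:07:00Z", "user": "alice", "action": "export", "target": "db01"},
    ]
    log, head = [], GENESIS
    for event in events:
        head = append_entry(log, event)
    return log, head

if __name__ == "__main__":
    sample_log, sample_head = build_sample_log()
    print(verify_log(sample_log, sample_head))
```

Without the externally anchored head hash, a privileged user could recompute the whole chain after editing it; the anchor is what makes truncation and wholesale rewrites visible.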
Self-Sovereign Identity reduces the level of bureaucracy and increases the speed of processes within organisations by allowing for a greater interoperability between departments and other institutions.
If a digital identity is stored on a centralised server, it becomes a honeypot for hackers looking to breach it and leak it in order to misuse the personal details contained there. A centralised storage of identity is then a liability to the organisation.
A personal data breach – such as the Capital One case – may result in huge fines due to privacy regulation infringement or simply due to customer trust loss and consequential damage to the organisation’s brand.
Also, GDPR implemented the right to data portability. Previously, companies could “lock in” customers by shutting off their access to their personal data. Now, each user has the right to get a copy of the data each company holds about him. Self-Sovereign Identities would facilitate this transfer of data and its subsequent sharing with other parties: an innovative technology that gives the user the freedom to share what he wants with whomever he wants.
Self-Sovereign Identity's Struggles
Self-Sovereign Identity is not a silver bullet though.
What hurdles and challenges does this technology have?
Plumbing Vs Housing
Kim Hamilton Duffy, Co-chair of W3C Credentials Community Group and Architect of the Digital Academic Credentialing Infrastructure at MIT (Digital Academic Credentials Initiative), believes “those of us working in the decentralized identity space have not done a great job communicating the value-add or articulating concise use cases that, if solved, would actually warrant adoption.” (Source)
Self-Sovereign Identity has a problem that we internally at Tykn call Housing Vs. Plumbing (an analogy we stole from our advisor Darrell O’Donnell).
Self-Sovereign Identity, Blockchain, Verifiable Credentials and Decentralized Identifiers, the agents, the wallets and the protocols are the plumbing. A lot of the talk in the SSI space is about this infrastructure and less about the “housing” that’s going to be built on top of that plumbing. What are the apps and solutions built on those foundations? What is the enabled value proposition that comes from this plumbing?
Kim believes that for SSI to achieve mass adoption “we need to (1) improve usability and capabilities (particularly in “exceptional” cases requiring recovery of control), (2) develop interoperability standards currently missing in the decentralized identity stack, and (3) focus on compelling user-focused scenarios.” (Source)
Again, we agree.
Data hoarders will be data hoarders
Some companies have a financial interest in amassing large quantities of personal data (e.g. for ad tracking). In these platforms, personal data is self-provided. According to Dr. Oskar Van Deventer, Scientific Coordinator at TNO, a Dutch Governmental R&D Institute, “[p]ersonal information will have even more value if it is not self-provided, but verifiably signed by a trusted issuer.” (source) This may tempt these companies (or Governments) to capture as much of your verified data as possible.
“Countermeasures will require a combination of technology, education, and legislation. Wallet applications need to be designed such that they properly inform users what information is requested and warn users if a request is deemed suspicious. This may include solutions for plausible deniability towards unreasonable data requestors. Education is needed to educate and warn citizens what information they don’t need to share. Legislation, e.g. GDPR, needs to be enforced to counter-act data-guzzling practices.” (source)
For Dr. Oskar an even more nefarious application of Self-Sovereign Identity may come from criminals. For him, the secure and encrypted peer-to-peer communication channels that SSI creates may give criminals a way to elude the authorities. For more on this, we strongly advise Oskar Van Deventer’s article Self-Sovereign Identity – The Good, The Bad and The Ugly.
Leave No One Behind
While applying principles of Self-Sovereign Identity would be a welcome departure from the current globally siloed, paper-based approach to identity management, it is certainly not a silver bullet, and much work lies ahead of us still.
From a legal and regulatory perspective, for instance, a lot remains opaque and undefined.
Self-Sovereign Identity may solve the problem of the 1 billion people around the world who do not have an identifying document, plus all those vulnerable people who suffer from identity-related problems. But for that to happen, SSI must not be solely mobile app-based. It should be available on web browsers and feature phones alike, as a large portion of these vulnerable people do not have the money to purchase a smartphone, nor do they have a stable internet connection. Self-Sovereign Identity relying solely on smartphone apps constitutes a UX problem that we, the SSI community, need to pay close attention to.
Self-Sovereign Identity Books and Resources
You're still here? Wow!
If you want to dive deeper into Self-Sovereign Identity here are some excellent resources.
- Kaliya Young and Heather Vescent’s “Comprehensive Guide to Self-Sovereign Identity”
- Christopher Allen’s Path to Self-Sovereign Identity
- Kaliya Young’s “Domains of Identity”
- Kim Hamilton Duffy’s Interview and Blog
- Joe Andrieu’s Functional Identity primer
- Philip Sheldrake’s blog
- Phil Windley’s blog
- Steve Wilson’s blog
- Tim Bouma’s blog
- Elizabeth Renieris’s blog
- Our Definitive Guide to Blockchain Identity Management