What is decentralized identity?

Decentralized identity (DID) challenges some core assumptions about how online authentication works.  In particular, the idea that a third-party authority is required to manage the sensitive data that comprises identity.  DID holds out the promise of reducing reliance on such authority and returning some degree of control of the data to the data’s owner, with possible privacy and accessibility boons.

Traditionally, digital identity is maintained by organizations trusted to secure that information in their datastores.  This model has, over time, revealed itself to be subject to several shortcomings.  These shortcomings can be overviewed as follows:

• Organizations are subject to hacking;
• Organizations may not always handle the information in alignment with users’ wishes;
• User information is scattered among many providers, increasing risk and reducing convenience;
• Users lack control of their own data, including the ability to revoke access to the data.

Of course, these shortcomings are nothing new, and many attempts have been made to address them. In particular, federated single-sign-on (F-SSO or federated identity) is a technique that addresses some of these problems.  When a user hits “Sign-in with Google,” for example, they are at least reducing the inconvenience and risk of maintaining their accounts at a fine-grained level across a multitude of services.  They can at least hope the single sign-on (SSO) provider they are relying on will offer a consistent degree of protection and privacy. 

In the end, though, such approaches are half-measures because they exist within the same conceptual framework.  Instead of establishing who we are and what facts are valid about us with different organizations, we could establish these things with the one organization that is legitimately in charge of each data point’s validity, and then use those facts in interacting with service providers.

To make such a scheme work, we’d need a globally available, yet secure datastore to which all actors could refer in establishing agreed upon facts.  It turns out such a thing exists in the form of blockchain technologies.  Decentralized ID depends upon the capabilities introduced by web3 platforms.

Traditional identity vs. decentralized identity

Compare figures 1 and 2 below for a high-level sense of how these two models contrast.  Figure 1 is an idealized look at how things work in the conventional model, and figure 2 is a similarly simplified view of the DID process.

Matthew Tyson

Matthew Tyson

The key takeaway in this comparison is that the identity information is persisted to the public blockchain, where it can be used in a zero-knowledge fashion.  Like zero trust, zero knowledge as a term is something of an exaggeration.  It really means: minimum knowledge.

How decentralized identity works

Your identity may include the fact of your citizenship; let’s say you are a British citizen. That simple fact of being a British citizen entitles you to certain rights.  Services may grant certain capabilities based on that truth. 

The DID model allows you to establish a relationship between your private key (your blockchain wallet) and your citizenship.  The issuing authority signs off on the truth of your claim and, thereafter, third parties can check your public key to see that the holder of the private key is in fact a British citizen.

In establishing your identity claim this way, you can make fine-grained and otherwise anonymous requests to services.  You can obtain whatever rights and abilities are dependent solely upon citizenship by revealing only that you are a British citizen.  No other information goes along with that claim (like your passport, say).  Furthermore, no information but your public key is obtained by the service in the process.

In general, users can supply their public key (i.e., their wallet address), and service providers can then validate claims with the issuing authority.  It is possible also for the system to confirm with the user that they want their address to be accessed for a given claim by a given entity, as well as later revoke that access.  This all goes through the global blockchain network, leaving the control of the data in the user’s hands via their private keys.

This is the sense in which DID is also referred to as self-sovereign identity (SSI).

Potential downsides of decentralized identity

Interestingly, decentralized ID doesn’t eliminate centralized authority.  In some ways, it puts more emphasis upon it.  In one sense, identity authority is more closely integrated into the operation of identity verification across the web.  In another sense, despite its distributed and tamper-resistant nature, the blockchain network or networks that exist in this model are themselves a kind of central datastore.  The computers running this network are imagined to be distributed heterogeneously, making them outside the control of a single entity.  Still, architecturally that datastore becomes a central repository of identity.

Moreover, an identity blockchain is a curious animal in that it seems to lack a clear mechanism for motivating node operators, unlike a cryptocurrency network, for example.  This thought leads to real questions about how vulnerable an identity blockchain might be to Byzantine attacks (like a 51% attack).  Especially considering the sensitivity of the data and the kind of nation-state actors that might be interested in compromising such networks, implementing them securely is nontrivial, to say the least.

Some kind of hybrid model, wherein the blockchain’s basic premise of a distributed ledger is united with a trusted vendor of distributed identity is most probable.  Perhaps in the future, governments will have a hand in this, but for now big tech is already filling that space—witness Microsoft, IBM, Okta as well as efforts at standardization from the W3C.

Even more fundamental, beyond questions of implementation, the idea of assigning an ID to every individual and then using that to provide a universal understanding of who is able to do what smacks a little of totalitarian fantasy.  In the wrong hands, such a thing is the potential setting for a dystopian nightmare.

Of course, such concerns are remote today.  Implementation questions large and small are plentiful.  Most likely, we will see a range of different blockchain networks that are sponsored by and devoted to differing industries and interests.  A car insurance network, for example, in which car insurers participate to provide proof of insurance in a DID manner.

Cross-chain interoperability holds out the promise of negotiating across differing blockchains, but this again is a non-trivial technical problem.

Supporters of DID point to a potential democratization of identity, with a concomitant improvement in access to services for underserved communities.  A nice presentation of that argument is found here. 

From another view, the philosophy of free-as-in-speech infused into the open-source software ethos may have a powerful influence on DID.  This is an interesting area of interaction between high-math, high-tech, and the high-minded.  One tenet often seen in the decentralized movements is the idea of code as law.  That simply means that the details of a transaction are made logically explicit and available to participants as embodied in the source code. 

Such an ideal hopes that code as law would eliminate behind the scenes shenanigans by bad actors in government and elsewhere. But code as law has already seen prominent fails.  For example, when the Ethereum network rolled back the blockchain to reverse a $50M hack.

The state of DID

Already today DID is actively in use with digital currency.  One can prove and make use of tokens based on wallet private keys.  Services like sign-in with Ethereum (SIWE) make it possible to leverage the same wallets to authenticate with web apps that we use today as a drop-in replacement for standard credentials like email or phone. 

Another reality of DID today: loss of private keys has severe consequences.  The public key portion of the DID model is remarkably resistant to tampering—it can be basically shared freely with whoever, establishing its claims without fear of it leaking information.  That is the point made in this article where the writer describes “un-phishable cryptographic keys.”  In one sense, that is true, but if we turn our attention to the private keys, something else entirely is evident: When the private keys of a wallet are lost (a tantalizing target for phishers), the loss is severe. 

Whatever is secured by that private key is imminently vulnerable.  Mechanisms can be devised for mitigating this, to be sure, but then we begin rolling back some of the convenience and power we had hoped to achieve with DID in the first place.

Like much of web3’s promise, the reality of decentralized ID is still coming into focus, and what is seen is a collaboration of older technology with newer, an integration of strengths and a mitigation of weakness between different approaches.  As Brendan Eich colorfully said, web3 is a lot like the early days of the web itself, full of both promise and peril, like “frontier towns are, before you pave the streets and put up the street lamps.”

DID is certainly going to play a role in digital identity going forward.  It’s not something that can safely be ignored.  Nor is it going to simply replace what is familiar overnight.  It’s a great time to start looking at the possibilities inherent in DID.