Decentralized identity (DID) challenges some core assumptions about how online authentication works, in particular the idea that a third-party authority is required to manage the sensitive data that comprises identity. DID holds out the promise of reducing reliance on such an authority and returning some degree of control over the data to the data’s owner, with possible privacy and accessibility benefits.

Traditionally, digital identity is maintained by organizations trusted to secure that information in their datastores. This model has, over time, revealed itself to be subject to several shortcomings, which can be summarized as follows:

- Organizations are subject to hacking;
- Organizations may not always handle the information in alignment with users’ wishes;
- User information is scattered among many providers, increasing risk and reducing convenience;
- Users lack control of their own data, including the ability to revoke access to the data.

Of course, these shortcomings are nothing new, and many attempts have been made to address them. In particular, federated single sign-on (F-SSO or federated identity) is a technique that addresses some of these problems. When a user clicks “Sign in with Google,” for example, they are at least reducing the inconvenience and risk of maintaining their accounts at a fine-grained level across a multitude of services. They can at least hope the single sign-on (SSO) provider they are relying on will offer a consistent degree of protection and privacy.

In the end, though, such approaches are half-measures because they exist within the same conceptual framework. Instead of establishing who we are and what facts are valid about us with many different organizations, we could establish these facts with the one organization that is legitimately in charge of each data point’s validity, and then use those facts in interacting with service providers.

To make such a scheme work, we’d need a globally available, yet secure, datastore to which all actors could refer in establishing agreed-upon facts. It turns out such a thing exists in the form of blockchain technologies. Decentralized ID depends upon the capabilities introduced by web3 platforms.

Traditional identity vs. decentralized identity

Compare figures 1 and 2 below for a high-level sense of how these two models contrast. Figure 1 is an idealized look at how things work in the conventional model, and figure 2 is a similarly simplified view of the DID process.

[Figure 1. Conventional Identity Model (image: Matthew Tyson)]

[Figure 2. Decentralized Identity Model (image: Matthew Tyson)]

The key takeaway in this comparison is that the identity information is persisted to the public blockchain, where it can be used in a zero-knowledge fashion. Like zero trust, zero knowledge as a term is something of an exaggeration. It really means: minimum knowledge.

How decentralized identity works

Your identity may include the fact of your citizenship; let’s say you are a British citizen.
That simple fact of being a British citizen entitles you to certain rights. Services may grant certain capabilities based on that truth.

The DID model allows you to establish a relationship between your private key (your blockchain wallet) and your citizenship. The issuing authority signs off on the truth of your claim and, thereafter, third parties can check your public key to see that the holder of the corresponding private key is in fact a British citizen.

In establishing your identity claim this way, you can make fine-grained and otherwise anonymous requests to services. You can obtain whatever rights and abilities depend solely upon citizenship by revealing only that you are a British citizen. No other information goes along with that claim (like your passport, say). Furthermore, the service obtains no information but your public key in the process.

In general, users supply their public key (i.e., their wallet address), and service providers then validate claims with the issuing authority. It is also possible for the system to confirm with the user that they want their address to be accessed for a given claim by a given entity, and later to revoke that access. This all goes through the global blockchain network, leaving control of the data in the user’s hands via their private keys.

This is the sense in which DID is also referred to as self-sovereign identity (SSI).

Potential downsides of decentralized identity

Interestingly, decentralized ID doesn’t eliminate centralized authority. In some ways, it puts more emphasis upon it. In one sense, identity authority is more closely integrated into the operation of identity verification across the web. In another sense, despite its distributed and tamper-resistant nature, the blockchain network or networks that exist in this model are themselves a kind of central datastore. The computers running this network are imagined to be distributed heterogeneously, placing them outside the control of a single entity. Still, architecturally that datastore becomes a central repository of identity.

Moreover, an identity blockchain is a curious animal in that it seems to lack a clear mechanism for motivating node operators, unlike a cryptocurrency network, for example. This leads to real questions about how vulnerable an identity blockchain might be to Byzantine attacks (such as a 51% attack). Especially considering the sensitivity of the data and the kind of nation-state actors that might be interested in compromising such networks, implementing them securely is nontrivial, to say the least.

Some kind of hybrid model, in which the blockchain’s basic premise of a distributed ledger is united with a trusted vendor of distributed identity, is most probable. Perhaps in the future governments will have a hand in this, but for now big tech is already filling that space—witness Microsoft, IBM, and Okta, as well as efforts at standardization from the W3C.

Even more fundamental, beyond questions of implementation, the idea of assigning an ID to every individual and then using it to provide a universal understanding of who is able to do what smacks a little of totalitarian fantasy. In the wrong hands, such a thing is the potential setting for a dystopian nightmare.

Of course, such concerns are remote today. Implementation questions large and small are plentiful. Most likely, we will see a range of different blockchain networks sponsored by and devoted to differing industries and interests: a car insurance network, for example, in which car insurers participate to provide proof of insurance in a DID manner. Cross-chain interoperability holds out the promise of negotiating across differing blockchains, but this again is a non-trivial technical problem.

Supporters of DID point to a potential democratization of identity, with a concomitant improvement in access to services for underserved communities. A nice presentation of that argument is found here.

From another view, the philosophy of free-as-in-speech infused into the open-source software ethos may have a powerful influence on DID. This is an interesting area of interaction between high math, high tech, and the high-minded. One tenet often seen in the decentralized movements is the idea of code as law. That simply means that the details of a transaction are made logically explicit and available to participants as embodied in the source code. Such an ideal hopes that code as law would eliminate behind-the-scenes shenanigans by bad actors in government and elsewhere. But code as law has already seen prominent failures, for example when the Ethereum network rolled back the blockchain to reverse a $50M hack.

The state of DID

Already today DID is actively in use with digital currency. One can prove ownership of tokens and spend them using wallet private keys. Services like Sign-In with Ethereum (SIWE) make it possible to leverage those same wallets to authenticate with the web apps we use today, as a drop-in replacement for standard credentials like email or phone.

Another reality of DID today: loss of private keys has severe consequences. The public key portion of the DID model is remarkably resistant to tampering—it can be shared freely with anyone, establishing its claims without fear of leaking information. That is the point made in this article, where the writer describes “un-phishable cryptographic keys.” In one sense that is true, but if we turn our attention to the private keys, something else entirely is evident: when the private keys of a wallet are lost (a tantalizing target for phishers), the loss is severe. Whatever is secured by that private key is immediately vulnerable. Mechanisms can be devised for mitigating this, to be sure, but then we begin rolling back some of the convenience and power we had hoped to achieve with DID in the first place.

Like much of web3’s promise, the reality of decentralized ID is still coming into focus, and what is seen is a collaboration of older technology with newer: an integration of strengths and a mitigation of weaknesses between different approaches. As Brendan Eich colorfully said, web3 is a lot like the early days of the web itself, full of both promise and peril, like “frontier towns are, before you pave the streets and put up the street lamps.”

DID is certainly going to play a role in digital identity going forward. It’s not something that can safely be ignored. Nor is it going to simply replace what is familiar overnight. It’s a great time to start looking at the possibilities inherent in DID.
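The citizenship flow described under "How decentralized identity works" and the signed-challenge wallet login mentioned under "The state of DID", carried through as one added Go example. This is not code from the article, nor from any DID vendor, wallet or standard. Its assumptions: Ed25519 key pairs stand in for blockchain wallet keys, salted SHA-256 commitments stand in for a real selective-disclosure or zero-knowledge scheme, a plain Go map stands in for the on-chain revocation registry, and the Issue, Present and Verify names, the "serial-0001" handle and the sample attributes are all constructed for illustration.

```go
package main

// Added example, not from the article or any DID project. Ed25519 keys stand in for wallet
// keys, salted SHA-256 commitments for a real selective-disclosure scheme, and a map for a registry.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential binds a holder's public key to committed attributes; values stay hidden until opened.
type Credential struct {
	Subject     string            // holder's public key, hex: the "wallet address"
	Serial      string            // handle used for revocation
	Commitments map[string]string // attribute -> hex SHA-256(name|value|salt)
	Sig         []byte            `json:"-"` // issuer's signature over the fields above
}

type Disclosure struct{ Value, Salt string } // opens one commitment

// Presentation is what a service receives. HolderSig over the service's challenge proves control
// of the subject key, the same proof-of-possession pattern a wallet login such as SIWE relies on.
type Presentation struct {
	Cred      Credential
	Disclosed map[string]Disclosure
	Challenge string
	HolderSig []byte
}

// commit hides one attribute behind a salted hash; real schemes length-prefix the fields.
func commit(name, value, salt string) string {
	h := sha256.Sum256([]byte(name + "|" + value + "|" + salt))
	return hex.EncodeToString(h[:])
}

func canonical(c Credential) []byte { b, _ := json.Marshal(c); return b } // json sorts map keys, skips Sig
func toSign(c Credential, ch string) []byte { return append(canonical(c), "|"+ch...) }

// Issue is run by the authority vouching for the claim; it returns the salts for the holder only.
func Issue(issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey, serial string, attrs map[string]string) (Credential, map[string]Disclosure) {
	cred := Credential{Subject: hex.EncodeToString(holderPub), Serial: serial, Commitments: map[string]string{}}
	secrets := map[string]Disclosure{}
	for name, value := range attrs {
		salt := make([]byte, 16)
		rand.Read(salt)
		secrets[name] = Disclosure{value, hex.EncodeToString(salt)}
		cred.Commitments[name] = commit(name, value, secrets[name].Salt)
	}
	cred.Sig = ed25519.Sign(issuerPriv, canonical(cred))
	return cred, secrets
}

// Present is run by the holder: reveal only the named attributes and sign the service's challenge.
func Present(holderPriv ed25519.PrivateKey, cred Credential, secrets map[string]Disclosure, challenge string, reveal ...string) Presentation {
	p := Presentation{Cred: cred, Disclosed: map[string]Disclosure{}, Challenge: challenge}
	for _, name := range reveal {
		p.Disclosed[name] = secrets[name]
	}
	p.HolderSig = ed25519.Sign(holderPriv, toSign(cred, challenge))
	return p
}

// Verify is run by the service; it learns nothing beyond the disclosed attributes and the subject key.
func Verify(p Presentation, issuerPub ed25519.PublicKey, revoked map[string]bool, challenge string) (map[string]string, error) {
	if !ed25519.Verify(issuerPub, canonical(p.Cred), p.Cred.Sig) {
		return nil, errors.New("issuer signature invalid")
	}
	subject, err := hex.DecodeString(p.Cred.Subject)
	if p.Challenge != challenge || err != nil || len(subject) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(subject), toSign(p.Cred, challenge), p.HolderSig) {
		return nil, errors.New("challenge mismatch or presenter does not control the subject key")
	}
	if revoked[p.Cred.Serial] {
		return nil, errors.New("credential revoked")
	}
	claims := map[string]string{}
	for name, d := range p.Disclosed {
		if commit(name, d.Value, d.Salt) != p.Cred.Commitments[name] {
			return nil, fmt.Errorf("attribute %q does not match the issuer's commitment", name)
		}
		claims[name] = d.Value
	}
	return claims, nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	walletPub, walletPriv, _ := ed25519.GenerateKey(rand.Reader)
	revoked := map[string]bool{}
	// Constructed sample attributes; the passport number is never disclosed below.
	cred, secrets := Issue(issuerPriv, walletPub, "serial-0001", map[string]string{"citizenship": "GB", "passport_number": "CONSTRUCTED-000"})
	challenge := "service.example nonce 7f3a" // a real service issues a fresh random nonce per login
	fmt.Println(Verify(Present(walletPriv, cred, secrets, challenge, "citizenship"), issuerPub, revoked, challenge))
	revoked["serial-0001"] = true // the issuer publishes a revocation
	fmt.Println(Verify(Present(walletPriv, cred, secrets, challenge, "citizenship"), issuerPub, revoked, challenge))
}
```

Three things the prose above states are visible here in code. The service ends up holding only the subject's public key and the opened citizenship attribute; the passport number's salt never leaves the holder, so its commitment is opaque. The challenge binds a presentation to one session, so a captured presentation cannot be replayed against a different nonce, and a presentation signed by any key other than the subject's fails. Revocation is enforced by the verifier consulting the registry, without the holder's cooperation. The flip side, the article's point about private keys, is equally visible: whoever holds walletPriv can produce valid presentations, which is why losing that key is so costly.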