MOXY.studio CTO. Helping decentralize the web with IPFS.
This is the first article of a series of three about decentralized identity, where we’ll cover the problem, state of the art, and new developments. If this excites you, be sure to subscribe. If you’re in a hurry, there’s a TL;DR at the bottom.
Identity is a crucial part of our everyday lives and a pillar of our society. But the definition of “Identity” is somewhat subjective, and people have different interpretations of its meaning. Let’s ask ourselves:
Is it your physical traits like your height, age, fingerprint or DNA?
Is it your personality traits like kindness, pro-activity or rudeness?
Is it what you have accumulated or achieved throughout your life, such as your experiences, health records or academic degree?
Is it what others assigned to you, like your government issued ID or phone number?
All of these and many others contribute to your uniqueness and, consequently, form your identity. This still holds true in the digital world, where everything that you do online also makes you, you.
Most internet-based services require you to identify yourself in order to deliver a personalized experience. This is traditionally done via accounts that you create for each service, which are often based on a username/email and a password. However, people often forget these credentials as they are difficult to memorize. To make things worse, they also have to replicate their basic details in all of these services. The user experience is bad, to say the least, and the management of all these access credentials and basic details can be cumbersome.
Single Sign-On (SSO), introduced by popular services such as Google and Facebook, made everything more convenient for users. However, these services use non-interoperable models, even though they build on open standards such as OAuth, meaning developers have to do a separate integration for each provider to capture as many users as possible. Moreover, it creates a hard dependency on them. What if they kick you out? What if your government decides to ban them in the country you live in? What happens when they cease to exist? It’s hard to believe that these giants might shut down one day, but the same could have been said of the companies that went bankrupt during the DotCom Bubble.
Everything you do online, such as buying a book or uploading a photo, is stored in the services you use. Thus, the service is responsible for keeping the content online and accessible to you. Yet, as proven many times in the past, huge sets of data have been lost due to human error. MySpace recently admitted losing 12 years’ worth of music and many of these songs are now lost forever. It is reminiscent of the fire of the Library of Alexandria, where a massive amount of knowledge was reduced to ashes.
Furthermore, services have to abide by legal authorities, who may issue orders to delete content or to take a service offline entirely. As an example, UK Prime Minister David Cameron threatened to shut down Twitter and other social networking sites during the 2011 England riots, which would have cut off access to social content for everyone in the UK.
Trust model & Security
Who’s to say that the data you produce wasn’t tampered with? This is not a concern for most users, as they trust that the services they use act in good faith and won’t modify users’ data. At the same time, users assume these services are secure, which we know is not always true. In fact, we often hear about security breaches on mainstream services in which huge amounts of data are leaked.
What if data wasn’t stolen but modified without anyone noticing? For example, what consequences would there be if an attacker modified your medical records in a hospital, such as your blood type, the day before you have surgery?
The internet can pose privacy and safety risks. Most services prompt the user to disclose sensitive information which will be stored on their side. In many cases, the security measures employed by these services are poor, resulting in situations like Equifax, in which sensitive data was leaked, including credit card information, emails, phone numbers and home addresses.
Are there better ways for services to enhance privacy by improving the way they store sensitive data? Is it even necessary to store this type of data on the service in the first place?
Most of the problems described above are a consequence of the data silos created by centralized services. Thus, we may say they are closed platforms that operate the infrastructure, own the data and decide who has access to it. But arguably, identity in particular should be controlled solely by its owner. It should be built on open standards, with well-defined data models, semantics and interactions.
By decentralizing the identity system, we are effectively replacing the tightly-coupled identity solutions each service has, with a more open, flexible and powerful alternative. This unlocks a whole set of experiences and opportunities for everyone. We have reached a pivotal moment in history where technology is making this possible, and people, businesses and other entities are more sensitive than ever on the matter of digital identity, as it has become an integral part of our lives.
“Decentralized Identifiers (DIDs) are a new type of identifier for verifiable, self-sovereign digital identity. DIDs are fully under the control of the DID subject, independent from any centralized registry, identity provider, or certificate authority.”, Decentralized Identifiers (DIDs)
In short, DIDs are user-generated, self-owned, globally unique identifiers rooted in decentralized systems, such as Bitcoin, Ethereum and IPFS. DIDs resolve to DID Documents, which describe how to use that specific DID. Most importantly, a DID Document contains a set of cryptographic material and endpoints that can be used to interact with the identity subject.
There are several DID Methods implemented on different distributed ledgers and networks, and each one specifies precisely how DIDs are resolved and deactivated and how DID Documents are written and updated.
“Credentials are a part of our daily lives; driver’s licenses are used to assert that we are capable of operating a motor vehicle, university degrees can be used to assert our level of education, and government-issued passports enable us to travel between countries. This specification provides a mechanism to express these sorts of credentials on the Web in a way that is cryptographically secure, privacy respecting, and machine-verifiable.”, Verifiable Credentials Data Model
DIDs begin by being “trustless” in the sense that they don’t directly provide meaningful identity attributes. However, trust between DID-identified peers can be built up through the exchange of Verifiable Credentials — credentials about identity attributes that include cryptographic proof. These proofs can be verified by reference to the issuer’s DID and DID Document.
Both of these open standards are becoming increasingly important as they grow in adoption. For example, Microsoft has recently announced they are building a Decentralized Identity solution which uses DIDs and Verifiable Credentials, highlighting the potential importance these standards might have in our future lives.
Given the problems of centralized identity described above, and an understanding of what the decentralized alternative can bring, a few solutions stand out:
Universal Single Sign-On by leveraging authentication based on DIDs and Verifiable Credentials.
No data-tampering as everything you do can be cryptographically signed and verified by others.
Services can interact with endpoints defined in your DID Document to process payments or to send messages (no more emails or credit cards being stored by others 👌).
Enables users to manage and store their own data and also empowers them to contribute to the permanence of each other’s data. Services can still contribute to the network, ensuring a baseline quality and responsiveness.
The benefits of Decentralized Identity transcend the use-cases of the internet. Let your imagination fly, and imagine how it would be to buy alcohol in a physical store with this system in place:
You go into a liquor store while carrying your identity wallet 📱, containing your DID and Verifiable Credentials you have been collecting from issuers.
After choosing a bottle of your favorite red wine 🍷, you go to the cashier in order to pay.
Because you are 21, but actually look like an 18 year old 👶, the cashier asks for a proof of your age.
You establish a secure communication channel between your wallet and theirs, by using NFC, scanning a QR Code or any similar mechanism. The cashier initiates a handshake ceremony 🤝, asking you to disclose your DID and prove control over it via a cryptographic challenge.
Using that same channel, the cashier then prompts for a credential, issued by the government’s DID, stating you are 21 or older.
After you send it, the cashier checks if the credential is authentic, by verifying if the cryptographic signature matches a public key listed in the government’s DID Document.
If the signature is indeed valid, the cashier allows the purchase. Finally, you use the same wallet to pay 💵 for the wine and to automatically fill the VAT number for expenses, which may also be in the form of a credential.
There was no human intervention involved, except when facilitating the establishment of the communication channel. Everything else happened behind the scenes. The overall experience was much more friendly and secure than what’s currently being done.
Enter Identity Manager and Nomios
The concepts presented above aren’t new. In fact, there are a few solutions that you may already use to bring Decentralized Identity to the web, such as uPort, Blockstack or Jolocom.
While DIDs, Verifiable Credentials and DID-based authentication provide interoperable models for common use-cases, the reality is that existing solutions are closed within their own DID-method ecosystems.
On one hand, developers wanting to embrace identities using different DID-methods have to integrate with different SDKs, each one having its own APIs, increasing integration complexity and crippling adoption.
Some of the libraries you have to integrate in your applications
On the other hand, users are often asked to authenticate using specific DID-methods because the application they are interacting with may be limited by the DID-methods they support. As a consequence, users are required to use multiple wallets to manage different identities they own, which are conceptually the same.
Our friend Rick Sanchez has to manage multiple identities to interact with applications 😢.
The Identity Manager (IDM) is a unified identity wallet specification that aims to support multiple DIDs and multiple DID-methods. While ambitious, this is a win-win for both developers and users. It has a strong focus on user and developer experience, while providing an easy way to add authentication and signing to applications.
Additionally, we will be helping with interoperability efforts, such as collaborating on the Credential Handler API, which enables websites to request identity credentials from any wallet, and to store credentials in it for future use.
The prompt users get when authenticating to applications.
A walk-through over all the features Nomios currently has, including authentication and signing.
Both IDM and Nomios are open-source and being actively worked on. They are in alpha stage, and open to projects, companies and organizations interested in adopting and helping shape this open standard.
Centralized services create data silos that can be harmful for digital identity.
By decentralizing the identity system we may replace current identity systems with a more open, flexible and powerful alternative.
This is now possible thanks to technology and social breakthroughs, in which people, businesses and other entities are more sensitive than ever on the matter of digital identity.
DIDs, Verifiable Credentials and other standards are becoming increasingly important as they grow in adoption.
However, while DIDs, Verifiable Credentials and DID based authentication provide interoperable models for common use-cases, the reality is that current solutions are closed in their own DID-method ecosystems.
We are building IDM and Nomios which are in line with the concepts of Decentralized Identities but with a focus on interoperability, user experience and developer experience.
In the next article, we will be explaining the reasons that led us to create IDM, do an in-depth analysis on the state of the art, dive into its current features and briefly talk about its roadmap.