
Why decentralization for Identity

Digital identity is not simple. We have to look at the challenges to understand the right approach to solving them.

I often get asked why ID Crypt Global believes so firmly in a decentralized approach to identity. Now I am not an IT technical person, rather ID Crypt was an idea of mine based on my personal experience, but I very much understand the guiding principles behind a decentralized approach. In this post, let us have a look at some of the things we should always take into consideration when we talk about identity, and in doing so, I can link back to why decentralization addresses these concerns and therefore is the right approach.

#1 Privacy

Often identity companies talk of a singular digital identity, and therefore you read tag lines like “our singular global identity allows you to…” The issue here is, if you have a singular global identity which you share, it becomes very easy to track who you are, your preferences, your habits and to correlate more of your data together.

We therefore cannot have a situation where we have a singular digital identity. We should accept that digital identity should be more like my purse. By this I mean, within it, I hold multiple identities. My identity with my local gym is very different to that of my bank. My identification to enable me to drive my car is very different to that used to access my office building. Identity therefore needs to be inclusive of my relationship with that other person, business, building or whatever it needs to be.

Decentralization enables us to implement an infrastructure that empowers lots of issuers of digital identities to participate. By having a decentralized digital infrastructure, digital identities can be more granular, more focussed, and therefore I can start to build up identities in a digital world in the same way I hold them in my purse. This stops criminals from being able to correlate my data, it keeps my data safe and allows me to control what I am sharing.

#2 Security of my data

Many identity solutions must spend vast amounts of money on securing their infrastructure, the servers that hold our personal data. The data has to be held there because, effectively, businesses or people who wish to verify my identity have to pull that verification from the identity solution. Now this is true of any identity issuer to an extent; however, the challenge is that many see their identity solution as the definitive identity solution, meaning the vision is to have millions of people's individual data stored, with that data being verified by everyone else.

Not only does this feed our first point, the privacy of our data, but if there were to be a cyber breach within that identity solution provider then all of our data, for all of us, would be compromised. This potentially gives access to all the other businesses and services we use with that identity. The security risk is just too great.

A decentralized approach means most issuers have limited data on the identities that they have issued. They will hold some data, but not necessarily all the data that is even used within the issued identity. The issuer is also very focussed on the identity that they issue, which means any breach there is limited to the type of identity provided. However, here is the main selling point of decentralization: by breaching the issuer you have not gained access to, or any information on, the other businesses, websites and services I interact with. You cannot even use that data to engage with those businesses. Why, you may ask? Well, it's because in a decentralized world the identity actually lives with its owner; the businesses that interact with that digital identity interact directly with it, and it is owned and held by the individual. The issuer has nothing to do with the individual's use of that identity, nor with the businesses that use it.

#3 Flexibility

Identity needs to be flexible; the claims we need to make about ourselves will depend on what information is required. The identity solutions that we use therefore have to be very flexible based on the use case.

A decentralized approach allows multiple issuers of identities but, equally important, it allows issuers to create multiple types of identities, either based on an industry-agreed identity or something very specific. By enabling this flexibility, digital identity can really work in any use case that we can think of, without compromising our privacy or security.

#4 Being always available

A digital identity will become / is the cornerstone of services that we use. This means it must be always on, always available and work in “offline” situations. Far too many identity providers have features on their website that show the “availability of services”, or their “up-time”. The reality, however, is that identity is mission critical: it can never be down and, as I said, has to work offline.

A centralised approach makes anyone (businesses) that uses that identity provider dependent on it. If the provider goes offline, well then so do all the businesses that depend on it. In the financial services sector this is known as a systemic dependency, or a singular point of failure. Put simply, you cannot have a service provider have an IT issue which then stops your business from working.

A decentralized approach distributes identity and associated services. Verification is done against a decentralized infrastructure, which means if a node/provider goes offline, it doesn’t matter as another node is always available. In addition, the identity is provided by the identity holder, so as long as their mobile phone (for example) is working, they can share that identity. The decentralized approach removes that systemic dependency; where there was a singular point of failure, there is now resiliency built in across every single issuer and user of that decentralized digital identity.

#5 Cost

The final point is the cost of creating, maintaining, and enabling people and businesses to use that digital identity. A centralised approach creates centralised cost points, making an identity solution expensive to run. Now this expense is not just a technology one; it is also a people and process one. A singular provider of an identity must scale with demand, which means their costs go up and up. In a decentralized world, this is very different.

First off, verification costs are distributed across the company needing to verify an identity and the global community who run the decentralized identity infrastructure. This means costs are shared and become negligible to the community and the verifying business. Issuers' costs are focused on their specific issuing capabilities; the costs of tasks such as authentication, verification and access to the raw data are distributed too.

All in all, a decentralized approach is far more cost-effective for everyone involved. This is key if digital identity is to really be the right of everyone, and to help address such challenges as financial inclusion.

A parting thought…

While digital identity is still relatively young, we must all ask ourselves: what are the principles we wish to buy into? For me, the only set of principles that really work are those of SSI (Self-Sovereign Identity), of which there are 12. You can read them here:

Principles of SSI – Sovrin
