Digital Identities and decentralized identities
Some time ago, I had the pleasure of speaking at the Global NFT Summit about decentralized identities and NFTs as identities. It's a fascinating topic, so I figured I should write down what I came across in my research. (There will be a part 2 on NFTs as identities and some thoughts later on :))
Someone told me after the presentation that I'd have to include more memes, so I'll try my best for this post. Note that this post can't possibly cover the psychological aspects of identity, nor how you choose to build your sense of identity. Whether you base it on your Hogwarts house, your affiliation with a specific cryptocurrency, or your favorite football team is up to you.
Let's start with the concept of digital identities because so far, whenever someone speaks of decentralized identities, they mean a type of digital identity.
What are digital identities?
In short, digital identities are a collection of data that represent a unique person or entity. They can include demographic data and behavioral data. Marketers love them, especially if they're into targeting (I'm not — in fact, we're working on making that entirely redundant). Some of this data might even include personally identifiable information, such as social security numbers or bank accounts that can identify the person behind the data.
Authenticated vs. not
Authenticated digital identities rely on personally identifiable information to verify the person. One could also say they require a "Proof-of-Human," and tie you as a person to the identity.
Non-authenticated digital identities are also called probabilistic because they leverage big data and piece together what might be one person using IP addresses, search queries, and more. Google's Cohort targeting solution uses this approach to determine which group of people they can show the same irrelevant ad.
Models of digital identity
There are broadly three models of digital identity:
- Siloed: the most annoying one, where users have to create new login credentials and a password (without reusing the same one, obviously) for every service they sign up for.
- Federated: love using Login with Google? That's federated digital identities, where you can use your login credentials from one service across many. Of course, then that service provider also knows what other platforms you use.
- Decentralized: the thing we love in web3, an identity that is stored in a digital wallet and doesn't rely on centralized entities to manage it.
Why do we like the idea of decentralized identities? Multiple reasons, but to name just a few:
- Hacks, breaches, copycatting, and theft are common occurrences with any identity that's kept by a centralized platform.
- No control for those who own the identities: you have no idea what they're used for, though you can guess from all the ads you receive.
- No real awareness of what they know about you, which you might not want to know, but maybe you do. 👀
- Fraud risk: also on the business side, where it's expected that merchants will lose up to $206 billion cumulatively between 2021–2026.
Oh, and then there's also the roughly 1 billion people worldwide that can't claim ownership of their identity, locking them out from progress.
What are decentralized identities?
If you have ever used a crypto wallet before, you get the idea. Your public key is pretty much your identity when interacting with blockchains.
Similarly, decentralized identities are credentials users receive from several issuers and store in a digital wallet. Managing identities on-chain removes the intermediaries (such as Google or Meta) and enables individuals to take control over their data.
By allowing the individuals true ownership of their digital identity, Decentralized Identity architectures abate the privacy concerns for individuals and security challenges for enterprises. — Gartner® Emerging Technologies: Critical Insights on Decentralized Identity, November 9, 202¹¹
Unlike centralized identities, users can now decide when to share their information and with whom. We also call that "Selective Disclosure." Technologies for decentralized identities might also implement Zero Knowledge Proofs — this way, you could verify that you have certain information without revealing the actual information. Pretty cool.
Sometimes you might also come across the term self-sovereign identity (SSI) concerning decentralized identities. It seems that many use these interchangeably, even though the notion of SSIs is broader, and in my view, decentralized identities are just the way we technically implement them.
Self-sovereign identity is an idea that existed before blockchain and describes identities owned and controlled by the individual, without the need for a government to issue them—every libertarian's dream.
Another acronym you might see is DIDs, or decentralized identifiers. This is a type of globally unique identifier designed to enable individuals and businesses to generate their own identities. Using digital signatures, others will then be able to verify identities. It's a standard created by the W3C, without presupposing any particular cryptography — and can therefore be used across protocols.
Once decentralized identities are widely supported, they could contribute to a vastly improved user experience. Imagine accessing a service just as you access DeFi these days: by connecting your wallet, without having to deal with many passwords.
Beyond putting users in control, which has been an overall goal of web3 and blockchain all along, decentralized identities also:
- facilitate access: now, all one needs is an internet connection and a smart device
- benefit organizations. How? Well, SMEs especially aren't always well-equipped to withstand cyberattacks. And identities are still in high demand, so giving users control over their identities, and not collecting them but only verifying them whenever users log in, would ease their burden.
Use cases are abundant; pretty much everywhere we rely on login credentials, one could use decentralized identities instead. A few at the top of my mind are:
- KYC: every time you sign up for an exchange, or banking service, you must submit the same paperwork again. What if you could just go through it once and then just share the fact that you're verified with other providers? Companies like SumSub would be in a great position to pull that off.
- Health care: Your health record on a public blockchain? No. But your identity, with the relevant data only revealed to your treating practitioner? Seems sensible.
- Access management: Whenever I worked in corporate environments, setting up a whole new set of accounts was always a pain in the a*s. And then, of course, they had to revoke access once I quit, ensuring I couldn't steal anything manually. Decentralized identities could be a better way to grant access (connect with wallet, if you have a certain credential, you get into all the services you need — kinda like Discord roles). Once the employee quits, it's just one credential that needs to be revoked.
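The selective disclosure, signature-based verification, and single-credential revocation described above can be shown together in a short sketch; this is an added example, not code from the original post or from any DID library. It uses salted hash commitments (not a zero-knowledge proof) with an Ed25519 issuer signature, and the function names, the claim set, the credential id `cred-001`, and the in-memory revocation set are all assumptions made for illustration.

```javascript
// Added example: salted-hash selective disclosure over an Ed25519-signed credential.
// Function names, claims, credential id and revocation set are constructed for illustration.
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const digestOf = (salt, name, value) => sha256(JSON.stringify([salt, name, value]));

// Issuer: commit to every claim with a fresh random salt, then sign only the digests.
function issueCredential(id, claims, issuerPrivateKey) {
  const disclosures = Object.entries(claims).map(([name, value]) => ({
    salt: crypto.randomBytes(16).toString('hex'), name, value,
  }));
  const digests = disclosures.map((d) => digestOf(d.salt, d.name, d.value)).sort();
  const payload = JSON.stringify({ id, digests });
  const signature = crypto.sign(null, Buffer.from(payload), issuerPrivateKey);
  return { payload, signature, disclosures }; // disclosures stay in the holder's wallet
}

// Holder: reveal only the chosen claims; the signed payload is passed on unchanged.
function present(credential, reveal) {
  const { payload, signature, disclosures } = credential;
  return { payload, signature, disclosures: disclosures.filter((d) => reveal.includes(d.name)) };
}

// Verifier: check the signature first, then revocation, then each revealed claim.
function verify(presentation, issuerPublicKey, revokedIds) {
  const { payload, signature, disclosures } = presentation;
  if (!crypto.verify(null, Buffer.from(payload), issuerPublicKey, signature)) {
    return { ok: false, reason: 'bad signature' };
  }
  const { id, digests } = JSON.parse(payload); // parsed only after the signature checks out
  if (revokedIds.has(id)) return { ok: false, reason: 'revoked' };
  const claims = {};
  for (const d of disclosures) {
    if (!digests.includes(digestOf(d.salt, d.name, d.value))) {
      return { ok: false, reason: `claim ${d.name} not issued` };
    }
    claims[d.name] = d.value;
  }
  return { ok: true, claims };
}

// Constructed demo: a KYC provider issues once; the holder later shows only "kycVerified".
const issuer = crypto.generateKeyPairSync('ed25519');
const credential = issueCredential('cred-001',
  { name: 'Alice Example', kycVerified: true, birthDate: '1990-01-01' }, issuer.privateKey);
const shown = present(credential, ['kycVerified']);
console.log(verify(shown, issuer.publicKey, new Set()));             // accepted, one claim
console.log(verify(shown, issuer.publicKey, new Set(['cred-001']))); // rejected: revoked
```

The verifier learns that the issuer vouched for `kycVerified` without seeing the name or birth date, and the random salts keep the undisclosed digests from being guessed by hashing likely values.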
That's it from me for today. Overall, decentralized identities are an exciting space to watch. I wonder how realistic it is for us all to have them, considering that private key management is still complex — and indeed, the big web2 platforms have little interest in giving up their federated identity power.
I hope we get to a point where the internet is more usable, even without AdBlock and without keeping track of millions of credentials. Sure, it might put password managers out of business, but I wouldn't mind if, instead, I got a wallet with all the credentials😆
Watch out for part 2, which I’ll write whenever inspiration hits me. Because you never know when the below happens. Except I use Canva.