We’re in the midst of an identity crisis. Whenever we log in from our kitchen tables or conduct transactions through a bank that offers no in-person service, we find ourselves needing to prove our identity over and over to people and institutions we’ve never physically met. Each time, we’re asked to surrender a bit of our privacy. We’re making a trade — access for identity. We’re taking a calculated risk on the privacy of our personal information in order to get the products, services or information we want. The entity at the other end of the transaction — an employer, bank, medical provider or utility — also takes a calculated risk. They rely on “good enough” confirmation of identity to open the gate to high-value assets.
We’ve been building this digital-first ecosystem for well over a decade, one that relies heavily on our ability to confirm our own identities and the identities of those with whom we engage, whether in person or online. The pandemic pulled that future forward by several years. So, instead of comfortably plodding along at the normal pace of societal change, we find ourselves facing something of an identity crisis.
A square-peg-round-hole problem
Even those of us who have known mobile phones and the internet our whole lives have strong internal biases and beliefs when it comes to identity. Most of us believe identity consists of social security numbers, credit card numbers, employee numbers, head shots, usernames, passwords and mother’s maiden names. But allowing employers, governments and businesses to store and access all of that information presents very real risks.
The major problem is that we have built security and access on identification systems and theories that were the best possible answer in a physical-first world. We’ve continually refined these conventional methods to fit the convenience and security needs of a digital-first world, yet they remain plagued by the inherent frictions they create and security vulnerabilities they present. The Equifax breach of 2017 is a prime example. Many individuals didn’t know that they had been a victim of the Equifax breach because they didn’t know that Equifax had handled their personally identifiable information in the first place. That’s because the credit reporting agency was contracted by other lenders and financial institutions to run credit reports. Equifax’s failure to patch a security vulnerability put 147 million people’s identities at risk.
The acceleration of the digital-first future made it clear that this approach to identity needs to be rethought around preserving privacy and stronger trust models – an approach that is built from the ground-up for a digital-first world.
Identity shouldn’t demand tradeoffs
Just think about how most of us conduct online purchases of clothing, music, plane tickets or streaming services. We want those things badly enough — and we trust the organization on the other end of the transaction enough — that we surrender those valuable identifiers which, in the wrong hands, could conceivably ruin us financially. Moreover, even the most occasional online buyer likely has their name, address, credit card information and bank account numbers stored on dozens of sites.
We’re willing to tolerate this risk because it promises to make future transactions much faster. All we must do is manage a bunch of usernames and passwords — a task that’s increasingly made invisible by fingerprint, facial recognition and other smartphone biometrics — and we can enjoy the ease of one-tap shopping while sitting on the couch or walking down the street. But even as it gets easier on the user side to manage those credentials, they’re highly vulnerable to various forms of theft and fraud.
The new paradigm: Decentralized identity
So, how do we fix this for both us and the organizations on the other end of the transactions?
The answer is decentralized identity, a new paradigm that gives individuals full ownership of their identities. The information that makes up an identity is held by the individual, encrypted and bound to cryptographic keys that only the individual controls, and it is presented selectively, so a transaction can confirm what it needs without ever exposing every critical element of that identity. Employers, governments and retailers don’t store those critical identity elements; the individual does. This includes anything that might be required to conduct a secure transaction, such as name, birthdate, home address, credit card numbers, bank account numbers, employment verification, citizenship, education credentials and credit history.
Knowing this information is not scattered across countless servers around the world makes life more secure for individuals. Employers, governments, retailers and other entities can still verify this information and protect their interests through trusted authorities that vouch for it.
How do we get there?
More privacy, less fraud. More convenience, less friction. Even in incredibly polarized times, these are things everyone can agree on. So, what do we need to create this more secure identity paradigm? And more urgently, why haven’t we implemented it yet?
The answer to the first question is complex, of course. But at a fundamental level, there are four core elements of decentralized identity, also called “self-sovereign identity”:
- Identity Wallet: Individuals use an app to create their identities and manage what they share with employers, government agencies, banks, retailers and other service providers. The user’s unique cryptographic keys are created when the wallet is established, and the private keys never leave it.
- Blockchain Ledger: A blockchain provides a platform that records what is needed to verify personal data without holding the actual documents or details. For example, instead of storing a scan of a birth certificate, the ledger lets a verifier check a validated token that confirms the information.
- Decentralized Identifiers (DIDs): Globally unique and persistent identifiers that allow private and secure peer-to-peer connections between two parties. Each DID resolves to a DID document containing the public key, verification methods and service endpoints for that identifier.
- Zero-knowledge proofs: In a DID system, zero-knowledge proofs let you assert an attribute of your identity without revealing personally identifying information. For example, a zero-knowledge proof would show only that you are over the age of majority, without disclosing your birthdate or even your actual age.
In most proposed decentralized identity frameworks, the digital wallet submits a registration payload containing a public key to the blockchain, which in turn yields a unique identifier. Private keys remain securely stored in the individual’s digital wallet and are used during authentication, typically to sign a challenge from the relying party; the ledger only ever sees the public half of the key.
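As an added example (not code from the original article, and not Entrust’s technology), the four elements above and the registration/authentication flow can be sketched in Go using only the standard library. Everything here is an assumption of the example rather than a description of any real product: an in-memory map stands in for the blockchain and holds nothing but DID-to-public-key entries; the DID uses the W3C specification’s placeholder method did:example, with the identifier derived from the public key; and hash-based selective disclosure (each claim salted and hashed, the issuer signing only the digests) stands in for the zero-knowledge proof. That lets the holder reveal the constructed age_over_18 claim while the birthdate digest stays opaque to the verifier, though a true zero-knowledge proof would go further and avoid revealing even the salted claim value. The verifier’s nonce is the authentication challenge the holder signs with the wallet’s private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Ledger is a toy in-memory stand-in for the blockchain (an assumption of this example):
// it maps DIDs to public keys and never holds claims or documents.
type Ledger map[string]ed25519.PublicKey

// Wallet holds a party's private key, which never leaves it. The DID uses the W3C
// placeholder method did:example, with the identifier derived from the public key.
type Wallet struct{ DID string; priv ed25519.PrivateKey }

// NewWallet creates the keypair at wallet setup and registers only the public key.
func NewWallet(l Ledger) *Wallet {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	w := &Wallet{DID: "did:example:" + hex.EncodeToString(pub[:8]), priv: priv}
	l[w.DID] = pub
	return w
}

// Disclosure is one salted claim; it stays in the holder's wallet, never on the ledger.
type Disclosure struct{ Name, Value, Salt string }

func (d Disclosure) digest() string {
	h := sha256.Sum256([]byte(d.Salt + "|" + d.Name + "|" + d.Value))
	return hex.EncodeToString(h[:])
}

// Credential is what the issuer signs: both DIDs plus the claim digests, sorted so a
// digest's position says nothing about which claim it covers. Presentation is the
// holder's reply to a verifier: a subset of the salted claims, signed over the
// verifier's nonce. The json:"-" tags keep each signature out of the bytes it covers.
type Credential struct{ Issuer, Subject string; Digests []string; Sig []byte `json:"-"` }
type Presentation struct{ Cred Credential; Disclosed []Disclosure; Nonce string; Sig []byte `json:"-"` }

func canon(v interface{}) []byte { b, _ := json.Marshal(v); return b } // the bytes that get signed

// Issue salts and hashes every claim, signs only the digest list, and hands the
// credential plus the salted claims to the holder.
func Issue(issuer, holder *Wallet, claims map[string]string) (Credential, map[string]Disclosure) {
	ds, digests := map[string]Disclosure{}, []string{}
	for k, v := range claims {
		salt := make([]byte, 16)
		rand.Read(salt)
		ds[k] = Disclosure{k, v, hex.EncodeToString(salt)}
		digests = append(digests, ds[k].digest())
	}
	sort.Strings(digests)
	c := Credential{Issuer: issuer.DID, Subject: holder.DID, Digests: digests}
	c.Sig = ed25519.Sign(issuer.priv, canon(c))
	return c, ds
}

// Present reveals only the named claims; the holder's signature over the nonce is the
// authentication step (proof of key control, and no replay of an old presentation).
func Present(holder *Wallet, c Credential, all map[string]Disclosure, reveal []string, nonce string) Presentation {
	p := Presentation{Cred: c, Nonce: nonce}
	for _, r := range reveal {
		p.Disclosed = append(p.Disclosed, all[r])
	}
	p.Sig = ed25519.Sign(holder.priv, canon(p))
	return p
}

// Verify resolves both DIDs on the ledger, checks both signatures, and confirms each
// disclosed claim hashes to a signed digest. Withheld claims never reach the verifier.
func Verify(l Ledger, p Presentation, nonce string) (map[string]string, error) {
	issuerPub, ok := l[p.Cred.Issuer]
	if !ok || !ed25519.Verify(issuerPub, canon(p.Cred), p.Cred.Sig) {
		return nil, fmt.Errorf("unknown issuer DID or invalid issuer signature")
	}
	holderPub, ok := l[p.Cred.Subject]
	if !ok || p.Nonce != nonce || !ed25519.Verify(holderPub, canon(p), p.Sig) {
		return nil, fmt.Errorf("holder did not prove control of the subject DID for this nonce")
	}
	out := map[string]string{}
	for _, d := range p.Disclosed {
		dg, ds := d.digest(), p.Cred.Digests
		if i := sort.SearchStrings(ds, dg); i == len(ds) || ds[i] != dg {
			return nil, fmt.Errorf("claim %q is not covered by the issuer's signature", d.Name)
		}
		out[d.Name] = d.Value
	}
	return out, nil
}

func main() {
	ledger := Ledger{}
	issuer, holder := NewWallet(ledger), NewWallet(ledger)
	// Constructed sample claims, not real data.
	cred, disc := Issue(issuer, holder, map[string]string{"name": "Alice", "birthdate": "1990-01-01", "age_over_18": "true"})
	pres := Present(holder, cred, disc, []string{"age_over_18"}, "challenge-1")
	fmt.Println(Verify(ledger, pres, "challenge-1")) // map[age_over_18:true] <nil>
}
```

Three failure modes worth noticing: a presentation replayed under a different nonce is rejected, a disclosure the issuer never signed is rejected even when the holder’s own signature is valid, and a wallet that holds a copy of the credential but not the subject’s private key cannot present it, because the credential is bound to the subject DID and the ledger resolves that DID to the real holder’s public key.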
What’s holding us back?
The movement to decentralized identity is underway. Companies like Entrust are developing the core technologies and roadmaps for building self-sovereign frameworks. The benefits are clear and CISOs and CIOs at forward-thinking companies are already developing strategies for deploying those frameworks.
But decentralized identity will only go mainstream when every entity in the ecosystem accepts it and makes it a standard process. We see this with banks issuing digital credit and debit cards: they can issue them, and consumers can adopt them, but for them to take hold, merchants need to deploy the infrastructure required to accept them. A bank can choose to issue a digital version of its credit card that is compatible with decentralized identity protocols, but this is only useful to the cardholder if there are stores that accept it. The same holds true for digital driver’s licenses. Most governments would love to switch to digital licenses that citizens store on phones or other mobile devices. But programs like that will only gain momentum when car rental companies, hotels, bars, local municipalities and others who rely on driver’s license identity verification accept them.
Another hurdle to adoption is the reluctance to let go of the consumer data monetization model. Organizations may be hesitant to adopt technology that reduces their access to customer data, which in recent decades has been sold, combined, correlated and analyzed for marketing purposes. This “data-sharing economy” would be impacted since decentralized identity allows consumers to reveal less private information. But less sharing and better control of personal data is unambiguously good for the consumer. And with every industry now firmly in the age of customer-centricity, what’s good for the consumer is, in the long run, what’s good for business.
Time to make it happen
The technology is rapidly evolving toward commercial solutions. Forward-thinking organizations are moving in this direction. Standards organizations are emerging and publishing clear guidance. And individuals are rapidly learning the value and necessity of privacy and security. Now it falls on CIOs and CISOs at corporations, government agencies, banks, retailers, airlines, schools and hospitals to understand the technology, embrace it and encourage the other members of their digital-first ecosystems to join together and make it happen. For some, the key obstacle might be cost. For others, it might be overloaded security teams with too many critical issues to address. But the benefits to everyone in the equation — corporations, governments, employees, customers, citizens — are simply too great to ignore.