Society today is faced with a range of privacy issues that require a new approach to identity solutions:
- Large scale fraud, identity theft and data breaches
- Centralized databases of personal information attract motivated hackers
- Brand damage can have lasting effects for years
- More stringent regulatory requirements
- Regulators are demanding increased transparency
- Liability for inaccurate or missing information
- Increasing online transaction volumes and complexity
- Identity-dependent transactions are growing exponentially
- Challenge and cost to distinguish real user vs. fraud
- Complicated consumer experience
- User frustration with limited control and multiple verification methods
- Users will migrate to services that offer the best consumer experience
The Evolution of Identity Solutions
"The Internet was built without a way to know who and what you are connecting to. This limits what we can do with it and exposes us to growing dangers. If we do nothing, we will face rapidly proliferating episodes of theft and deception that will cumulatively erode public trust in the Internet."
Over the last few decades, we have seen several different approaches to internet privacy enter the market, each trying to move the power back to the identity owner. In 2016, Christopher Allen outlined the four (4) categories of identity management in his article The Path to Self Sovereign Identity:
- Centralized: Identity information is created and managed by individual companies or services. The user has limited control over their identity and the user must manage a separate relationship with each service as there are no relationships between providers. The user does not own the rights to its identity so as a result it can be taken away without the user’s consent.
- Federated: Identities are managed by a central service, but provided in a way that can be used with other services. The identity is still controlled by a central authority and can be withheld or revoked at any time, but at least the user can use it on multiple sites. The federation, including the central service, is directly involved in every authentication.
- User-Centric: User-centric is the current standard. The user is given more control, and authentication is performed indirectly through the user so that the identity provider does not have to be directly involved in every transaction. However, this approach still relies on the user selecting an individual identity provider and agreeing to their terms and governance for the user’s personal data.
- Self-Sovereign: All basic requirements of individual control, security, and full portability are supported. The individual is their own identity provider. As such, there is no external party who can claim to provide the identity for them. The individual’s digital existence is independent of any single organization.
IBM believes that the decentralized identity solutions will help to deliver on the SSI vision. The concept of individuals or organizations having sole ownership of their digital and analog identities, and control over how their personal data is shared and used, illustrate the need for a shift towards identity management at the edges of the network. Since identity is such a central part of society, we need to ensure that user decentralized identity solutions adhere to a set of privacy by design principals that will ensure security and flexibility for all identity instrument interactions.
Open decentralized systems enable individuals to fully own and manage their own identities, leading to the idea of “self-sovereign” identity systems. These systems use a combination of distributed ledger and encryption technology to create immutable identity records referred to as verifiable credentials ("credentials"). These credentials represent reputation-based artifacts stemming from relationships ("connections") between peers (people, organizations, things). Each credential contains information ("claims") about the peer made by the issuer of the credential, such as traits from a driver's license or grades on a college transcript. Each peer can accept and store credentials in their identity container ("wallet"). They can then use these credentials with other relationships to help prove:
- who they are
- what they have accomplished
- what privileges they have been granted
- how trusted they are based on thief reputation (trust score)
Conversely, each organization can decide whether to trust credentials presented to them based on business policy, regulatory compliance and/or who attested to the information claims.
Roles and Activities
The meaning of the word identity depends on your situational context. Interest in the data and events associated with identity differs based the role of an individual or entity.
For example, if the goal is to ascertain a degree of certitude about a company and it's products at global scale we would need to establish reliance of global standards for legal entity identifiers so that we could answer questions such as:
- Who is who?
- Who owns who?
- Who sells what?
To address such a problem we would need certified and trusted entities that would gather and verify the necessary data to be able to attest to any claims of certainty about a company and its products. The examiner is just one role in a lifecycle of credential management activities.
- Examiner: Gathers information pertinent to the assessment processes for verifying the validity of information about an entity. This role includes the vetting of digital or physical documents. The vetting process may include usage of external verification services.
- Issuer: Generates and delivers credentials comprised of claims in accordance with some predefined identity instrument schema. A claim is an attestation from an entity (individual or organization) that confirms that the entity has taken specific actions to establish truth about a specific identity trait.
- Holder: An individual or organization holds a credential in a digital wallet. The credential can be used to present proofs of identity, accomplishments, privileges , etc. These credentials are acquired from issuing institutions that the individual has an existing relationship with.
- Verifier: Validates the authenticity of credentials presented by a holder and validates using cryptography that all presented claims were made by a trusted issuer.
The role of the Issuer can vary in complexity. The more due diligence that is performed by the Examiner, a higher degree of value can be placed an issued credential.
Identity Access Management
One common use of digital credentials is in the authentication and authorization process associated with user access to online resources. Depending on the degree of certitude required by verifier business policies, several question may need to be answered:
- Has the user gained access to the device using secure biometrics?
- Has the user gained access to the application containing security artifacts (keys, tokens) using secure biometrics?
- Has the user provided evidence that the device being used is a known and registered device?
- Can the user demonstrate that the credentials being presented were properly acquired?
- Can the user present verifiable credentials in accordance with a policy based request made by the verifier?
5 are commonly handled by SSI solutions. Question
3 is typically required by enterprises and each implementation is different. Question
4 is something that is possible with SSI but not yet throughly investigated.
SSI in Action
These SSI concepts can all be experienced by watching an end-to-end demonstration. IBM has collaborated with industry leaders to bring the SSI vision to reality by incubating the Job-Creds Project.