We can be whoever or whatever we want online. But how do you ensure that an online identity is true? Self-sovereign identity is a new way of establishing trust in the digital world - and goes far beyond the current understanding of identity.

Prince, model or billionaire heiress: people can be anything online - and it is difficult to officially verify online identities. This is set to change soon. What the identity card or passport is in the physical world, the Self-Sovereign Identity (SSI) is set to become in the digital world. It makes it possible to translate physical proof of identity into the digital world. Standardized and trustworthy, highly forgery-proof, verifiable - and, last but not least, data protection-compliant.

Username and password are not enough

Anyone who has to identify themselves to a web service today needs a username and password. Most service providers use a local identity model to uniquely identify their users. This has many disadvantages. Providers are obliged to manage this data securely - and suffer financial damage in the event of a data breach due to follow-up costs and loss of reputation. Users have to manage the many different accounts and passwords, which is time-consuming. To remedy this, federated identity has become established in recent years: Users can identify themselves with the login of another service such as Google or Facebook. This single sign-on is particularly useful for access with lower security requirements. However, this is not enough for companies that rely on stronger authentication. Decentralized identification is important here.

Creating a legal framework

The legal framework for internationally recognized decentralized identities is currently being developed. After the Swiss electorate rejected the e-ID in 2021, Swiss legislators are aiming for a self-managed identity SSI. The consultation on the new law is due to open in mid-2022. The EU has created a framework for a European SSI, and pilot projects are planned for the coming years. North America is also following this path: the standardization organization W3C is currently developing a standard for self-sovereign identities. From a data protection perspective, the SSI is a good solution: it works in line with the currently widespread regulations on the processing of personal data. Decentralized identification also makes data management easier for providers: Thanks to the peer-to-peer nature of SSI, there are fundamentally fewer service providers involved in the data management chain. And because they store less sensitive data, data breaches have less dramatic consequences.

Catharina Dekker, Consultant at Ergon, says:

«SSI is revolutionizing our digital interactions.»

Users have the data in their hands

The decentralization of SSI is a paradigm shift: it is no longer the providers who manage authentication data, but the users themselves. To do this, they store verified identity data - known as credentials - in a wallet on their smartphone or other device. From a driver's license to a certificate to social media history, these credentials are far broader in scope than an analogue passport or identity card. An issuer certifies the accuracy of the credentials electronically - and the providers, known as verifiers, also check them electronically. The owners of the wallet - the holders or users - decide which data a verifier sees. Because they, and only they, have sovereignty over their data - a privilege that also comes with obligations. Anyone who loses their wallet, for example, must take care of replacing all ID cards and documents. This eliminates the need for complicated login procedures and the associated password management.

What the SSI can do in everyday life

An SSI has many advantages. Banks, for example, benefit from the recognized digital E-ID: instead of going to a local branch or going through a complicated online identification process, all the customer has to do is pull it out of their wallet and have the required credentials ready. Car rental will also be easier thanks to SSI if there is no need to copy ID cards and driver's licenses. Renters may even be able to get in and drive off straight away because the smart car finds and checks the vehicle key as a verifiable credential (VC) in the wallet.


Digitally certified documents such as certificates or diplomas also make the digital application process easier - and potential employers automatically check the authenticity of the documents.


In order to grant a youth or senior discount, the person's age must be known. However, there is no need to disclose the exact date of birth to a transport company or museum. If you also consider that 99.999% of all people in Switzerland are clearly identified by their full name and date of birth, it becomes clear that processing the date of birth is particularly critical from a data protection perspective.


Thanks to SSI, e-commerce merchants benefit from an immediate credit check and a fast payment process. With a credential that is directly linked to the buyer's bank, buyers can also be sure that they are paying with the right bank.

Broad concept of identity

Credentials are not necessarily limited to individuals. Companies and institutions can also receive an SSI and use it in communication with customers and suppliers. For example, this could be the new bank relationship for invoicing customers or the current extract from the commercial register for suppliers and partners. It would even be conceivable for autonomous vehicles to have their own wallet, which they could then use to operate economically autonomously with toll booths or garages, for example. In this case, their “identity” would be linked to the vehicle identification number, for example.


These examples show that the potential of SSIs is enormous. If the state solves the chicken-and-egg problem of introduction, more and more use cases are likely to be economically viable. Especially as digitalization continues to make giant strides. The McKinsey Global Institute has predicted that by 2030, the use of digital identities will generate an economic value of 3% of gross domestic product in industrialized countries and as much as 6% in emerging countries.


Michael Doujak, Product Manager Airlock at Ergon, says:

«The question is not whether SSI will come. It's when.»

Can trust be managed?

Despite all the advantages of a self-sovereign identity, there are also challenges. For example, how do you ensure that the issuers are really trustworthy? One solution is to set up trustworthy directories. Issuers - for example a health insurance company - can have themselves checked here and receive an entry that verifiers and holders can view. For public authorities, a state directory is a good option. This is a way of managing trust. Another problem lies in the life cycle management of credentials. How can they be updated in a legally compliant manner? What happens if someone loses their wallet or a credential has an expiration date? Here, too, it is important to find a way to create digital trust.
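The issuer/holder/verifier flow from the section above, the age-without-birthdate disclosure from the everyday-life examples, and the trust-directory and expiry checks discussed here, as an added example in Python (not code from the article or from Airlock/Ergon). It follows the salted-hash selective-disclosure pattern: the issuer signs only per-claim hashes, so the holder can release a single claim such as "age_over_18" while name and birthdate stay hidden. The trust directory, issuer ID, keys and claims are constructed assumptions, and HMAC stands in for the issuer's asymmetric signature.

```python
import hashlib, hmac, json, os, time

# Constructed trust directory (assumption, not from the article): issuer ID -> verification key.
# HMAC stands in for the issuer's signature; a real deployment would publish a public key here.
TRUST_DIRECTORY = {"did:example:gov-id-issuer": b"issuer-key-stand-in"}

def _digest(disclosure):
    return hashlib.sha256(disclosure.encode()).hexdigest()

def issue(issuer, key, claims, ttl, now=None):
    """Issuer signs salted hashes of the claims, never the claim values; returns credential + disclosures."""
    now = now or int(time.time())
    disclosures = [json.dumps([os.urandom(16).hex(), k, v]) for k, v in claims.items()]
    body = {"iss": issuer, "exp": now + ttl, "_sd": sorted(_digest(d) for d in disclosures)}
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(key, payload.encode(), "sha256").hexdigest()
    return {"payload": payload, "sig": sig}, disclosures

def present(credential, disclosures, reveal):
    """Holder forwards the credential with only the disclosures they choose to release."""
    chosen = [d for d in disclosures if json.loads(d)[1] in reveal]
    return {"credential": credential, "disclosures": chosen}

def verify(presentation, now=None):
    """Verifier: trusted issuer, valid signature, not expired, disclosures bound to the signature."""
    now = now or int(time.time())
    cred = presentation["credential"]
    body = json.loads(cred["payload"])
    key = TRUST_DIRECTORY.get(body["iss"])
    if key is None:
        return None  # issuer not listed in the trust directory
    expected = hmac.new(key, cred["payload"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]) or body["exp"] < now:
        return None  # forged, tampered, or expired credential
    revealed = {}
    for d in presentation["disclosures"]:
        if _digest(d) not in body["_sd"]:
            return None  # disclosure was not part of what the issuer signed
        _, k, v = json.loads(d)
        revealed[k] = v
    return revealed  # only the claims the holder chose to release

def demo_age_discount():
    """Holder proves an age bracket to a museum without revealing name or birthdate."""
    key = TRUST_DIRECTORY["did:example:gov-id-issuer"]
    claims = {"name": "Alice Example", "birthdate": "1990-01-01", "age_over_18": True}  # constructed
    credential, disclosures = issue("did:example:gov-id-issuer", key, claims, ttl=3600)
    return verify(present(credential, disclosures, {"age_over_18"}))
```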

Early adopters benefit

Even if there are still unanswered questions: Self-Sovereign Identity will unleash enormous economic value. If you want to gain initial experience with it now, you can use existing open source technologies. With a successful proof of concept, companies can recognize the possibilities of the new technology and exploit them more effectively. After all, SSI is much more than a digital identity card: it takes the concept of identity into dimensions that cannot yet be imagined. If we as users have full control over our digital identity, this will also change the way we deal with privacy in the digital space. We may no longer be princes, models or billionaire heiresses, but our digital relationships and interactions will take on a new form.

Three types of digital identities

The advantages and disadvantages of Silo, Identity Provider and SSI.
Silo

Description:
  • Users maintain a separate user account for each provider
  • The oldest and most widely used model of the digital identity relationship
Pros:
  • Well established
  • Service provider manages compliance, liability and other risks
  • Good privacy protection because no central authority is involved
  • Well accepted by the population
Cons:
  • Scales very poorly for individuals
  • Reuse of passwords is a security risk
  • People lose the overview. Where did I create profiles?
  • Every service provider needs to become an expert in identity management and security
  • Authentication is one-way and not mutual → enables phishing

Identity Provider

Description:
  • Users maintain their user account with an identity provider
  • The identity provider confirms the identity to service providers
Pros:
  • Users can reduce the number of directly maintained user accounts (and passwords)
  • Identity providers offer an SSO experience
  • Easy for service providers to implement with little integration effort
Cons:
  • Insufficient privacy protection: the identity provider knows all my service providers
  • Only a few service providers accept identity providers
  • Most identity providers operate at a low level of trust and are unsuitable for e-banking or healthcare
  • The identity provider holds a large amount of personal information → security risk
  • Authentication is one-way and not mutual → enables phishing
  • Only works for people and not for the authentication of companies or things

SSI

Description:
  • Holder (user) has their own wallet and stores their verified personal data in it
  • Issuers that the holder trusts may place data in their wallet
  • Verifier (service provider) only receives the data that the holder releases
Pros:
  • Holders retain control over their data
  • High level of privacy protection because there is no central authority that could monitor the holder
  • Verifiers receive verified data
  • Issuers can declare data invalid (e.g. residential address)
  • Data can lose its validity after a certain period of time (e.g. ticket)
  • Standardized and interoperable → no manufacturer dependency
  • When changing provider, your own access data/relationships/histories are not lost
Cons:
  • Standards are only just emerging and may still change
  • Solutions for how holders can protect their wallet against loss or theft still need to be developed
  • Reservations and security concerns among the population because the technology is complex and not yet widespread
