We can be whoever or whatever we want online. But how do you ensure that an online identity is true? Self-sovereign identity is a new way of establishing trust in the digital world - and goes far beyond the current understanding of identity.
Prince, model or billionaire heiress: people can be anything online - and it is difficult to officially verify online identities. This is set to change soon. What the identity card or passport is in the physical world, the Self-Sovereign Identity (SSI) is set to become in the digital world. It makes it possible to translate physical proof of identity into the digital world. Standardized and trustworthy, highly forgery-proof, verifiable - and, last but not least, data protection-compliant.
Username and password are not enough
Anyone who has to identify themselves to a web service today needs a username and password. Most service providers use a local identity model to uniquely identify their users. This has many disadvantages. Providers are obliged to manage this data securely - and suffer financial damage in the event of a data breach due to follow-up costs and loss of reputation. Users have to manage the many different accounts and passwords, which is time-consuming. To remedy this, federated identity has become established in recent years: Users can identify themselves with the login of another service such as Google or Facebook. This single sign-on is particularly useful for access with lower security requirements. However, this is not enough for companies that rely on stronger authentication. Decentralized identification is important here.
Creating a legal framework
The legal framework for internationally recognized decentralized identities is currently being developed. After the Swiss electorate rejected the e-ID in 2021, Swiss legislators are aiming for a self-managed identity (SSI). The consultation on the new law is due to open in mid-2022. The EU has created a framework for a European SSI, and pilot projects are planned for the coming years. North America is also following this path: the standardization organization W3C is currently developing a standard for self-sovereign identities. From a data protection perspective, SSI is a good solution: it works in line with the currently widespread regulations on the processing of personal data. Decentralized identification also makes data management easier for providers: thanks to the peer-to-peer nature of SSI, there are fundamentally fewer service providers involved in the data management chain. And because they store less sensitive data, data breaches have less dramatic consequences.
Catharina Dekker, Consultant at Ergon, says:
«SSI is revolutionizing our digital interactions.»
Users have the data in their hands
The decentralization of SSI is a paradigm shift: it is no longer the providers who manage authentication data, but the users themselves. To do this, they store verified identity data - known as credentials - in a wallet on their smartphone or other device. From a driver's license to a certificate to social media history, these credentials are far broader in scope than an analogue passport or identity card. An issuer certifies the accuracy of the credentials electronically - and the providers, known as verifiers, also check them electronically. The owners of the wallet - the holders or users - decide which data a verifier sees, because they, and only they, have sovereignty over their data - a privilege that also comes with obligations. Anyone who loses their wallet, for example, must take care of replacing all ID cards and documents. Self-managed credentials eliminate the need for complicated login procedures and the associated password management.
What the SSI can do in everyday life
An SSI has many advantages. Banks, for example, benefit from the recognized digital E-ID: instead of going to a local branch or going through a complicated online identification process, all the customer has to do is pull it out of their wallet and have the required credentials ready. Car rental will also be easier thanks to SSI if there is no need to copy ID cards and driver's licenses. Renters may even be able to get in and drive off straight away because the smart car finds and checks the vehicle key as a verifiable credential (VC) in the wallet.
Digitally certified documents such as certificates or diplomas also make the digital application process easier - and potential employers automatically check the authenticity of the documents.
In order to grant a youth or senior discount, the person's age must be known. However, there is no need to disclose the exact date of birth to a transport company or museum. If you also consider that 99.999% of all people in Switzerland are clearly identified by their full name and date of birth, it becomes clear that processing the date of birth is particularly critical from a data protection perspective.
Thanks to SSI, e-commerce merchants benefit from an immediate credit check and a fast payment process, using a credential that is directly linked to the buyer's bank. Buyers can also be sure that they are paying with the right bank.
Broad concept of identity
Credentials are not necessarily limited to individuals. Companies and institutions can also receive an SSI and use it in communication with customers and suppliers. For example, this could be the new bank relationship for invoicing customers or the current extract from the commercial register for suppliers and partners. It would even be conceivable for autonomous vehicles to have their own wallet, which they could then use to operate economically autonomously with toll booths or garages, for example. In this case, their “identity” would be linked to the vehicle identification number, for example.
These examples show that the potential of SSIs is enormous. If the state solves the chicken-and-egg problem of introduction, more and more use cases are likely to be economically viable. Especially as digitalization continues to make giant strides. The McKinsey Global Institute has predicted that by 2030, the use of digital identities will generate an economic value of 3% of gross domestic product in industrialized countries and as much as 6% in emerging countries.
Michael Doujak, Product Manager Airlock at Ergon, says:
«The question is not whether SSI will come. It's when.»
Can trust be managed?
Despite all the advantages of a self-sovereign identity, there are also challenges. For example, how do you ensure that the issuers are really trustworthy? One solution is to set up trustworthy directories. Issuers - for example a health insurance company - can have themselves checked here and receive an entry that verifiers and holders can view. For public authorities, a state directory is a good option. This is a way of managing trust. Another problem lies in the life cycle management of credentials. How can they be updated in a legally compliant manner? What happens if someone loses their wallet or a credential has an expiration date? Here, too, it is important to find a way to create digital trust.
Early adopters benefit
Even if there are still unanswered questions: Self-Sovereign Identity will unleash enormous economic value. If you want to gain initial experience with it now, you can use existing open source technologies. With a successful proof of concept, companies can recognize the possibilities of the new technology and exploit them more effectively. After all, SSI is much more than a digital identity card: it takes the concept of identity into dimensions that cannot yet be imagined. If we as users have full control over our digital identity, this will also change the way we deal with privacy in the digital space. We may no longer be princes, models or billionaire heiresses, but our digital relationships and interactions will take on a new form.
Three types of digital identities
The advantages and disadvantages of Silo, Identity Provider and SSI.

Type | Description | Pros | Cons |
---|---|---|---|
Silo | | | |
Identity Provider | | | |
SSI | | | |