Decentralized Identity: Emerging Web3 Infrastructure
One of the most troubling things about web2 is the lack of control we have over our identities. Each website we use stores some of our data–which may be sold by that platform, sometimes without users’ knowledge or permission. This data may include personally identifiable information such as age, phone numbers, residential address, credit card numbers, or Social Security Number.
The EU’s GDPR standard gives users the right to request removal from a database, but that would be onerous to accomplish. Meanwhile, our personal data sits in centralized data stores companies create in order to more easily comply with GDPR.
Most importantly, personal data stored by corporations and social-media platforms is a frequent target for data thieves–and companies don’t always immediately inform customers that their data may have been stolen. Just in the early months of 2023, a few of the largest data breaches included:
- Some 200 million Twitter users’ email addresses were published online, after a hacker demanded but was denied a $200,000 ransom by the social-media platform.
- A data breach at T-Mobile exposed 37 million customer records, the company said in January. Stolen information included names, street addresses, emails, phone numbers, T-Mobile account numbers, and birth dates.
- AT&T disclosed that some 9 million customers’ records were compromised after an attack on one of its vendors.
- PeopleConnect, which operates two popular background-check sites, saw 20 million customer records publicly exposed by a hacker. Data published included hashed passwords, first and last names, phone numbers, and email addresses.
- Activision had a data breach in December 2022 that was only disclosed in February ’23, after a security-research firm discovered it. Reportedly, an attacker tricked an employee into giving them database access via a SIM-swap scam.
With data theft from corporate databases affecting millions of people, the need for a better way to control and protect our identities is obvious. Corporations shouldn’t own our personal data. An emerging solution in web3 is decentralized identity.
What is decentralized identity?
Decentralized identity is a framework for identity management that allows individuals to own and control their personal information. It gives users control over where and how any part of their identifying information is shared online. It’s also sometimes called “self-sovereign identity.”
The idea is that identity-related personal information should be self-controlled and portable. The owner decides when their data will remain private as well as if, when, and where each specific piece of data will be shared. Users should be able to employ a single decentralized identity to log into any platform they visit online, rather than having to create new profiles for each site.
There are three parties that interact when a person uses decentralized identity:
- Issuers grant credentials to individuals.
- Controllers are the users who add such credentials to their own decentralized identity and control access to them.
- Verifiers ask controllers for permission to see and verify a credential.
How do issuers, controllers, and verifiers interact in granting or receiving access to personal data? Several pieces of technology must work together to enable decentralized identity.
What makes decentralized identity possible?
To manage their own decentralized identity, users need to employ three key elements:
- Self-custodial identity wallet: A self-hosted wallet must be used, in order for users to retain full control of the identifiers that will manage their decentralized identity.
- Decentralized Identifier (DID): The user obtains a unique identifier for securing their identity and stores it in their wallet. The DID usually includes a public-private key pair. The public key enables the user to share only the specific pieces of their ID they want to show to the specific entities or individuals they wish to view them. The private key is known only to the user and secures the data from becoming public.
- A Blockchain: DIDs are usually stored on a blockchain, although their associated credentials are usually not.
Once a user has a self-custodial wallet, creates their unique identifier, and stores it in the wallet, they can then use their identifier to securely store various pieces of personal information and credentials.
What are credentials and how are they verified?
Verifiable credentials provide proof of who you are and what you’ve accomplished. Some credentials are verified by an outside institution. To be verified, credentials will usually have a cryptographic attestation from the issuing party–a person, agency, organization, or network.
In other cases, credentials are self-attested, as with your opinions or ideas you’ve posted in social media. Another form of attestation is social, with groups of people verifying that you are who you say you are. Decentralized identity provides the opportunity to bring together all types of evidence that prove who you are and what you stand for, in a way traditional forms of ID do not.
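The issuer, controller, and verifier roles and the issuer's cryptographic attestation described above, sketched as an added example (not code from this article or from any project it names). It assumes Ed25519 keys, salted SHA-256 digests so the controller can reveal one claim at a time, and an in-memory Map standing in for on-chain DID resolution; the DIDs, nonces, and claim values are constructed.

```javascript
const crypto = require('node:crypto');
const digestOf = (d) => crypto.createHash('sha256').update(JSON.stringify([d.salt, d.name, d.value])).digest('hex');
const sign = (key, text) => crypto.sign(null, Buffer.from(text), key).toString('base64');
const check = (pub, text, sig) => crypto.verify(null, Buffer.from(text), pub, Buffer.from(sig, 'base64'));

// Issuer: attest to salted digests of the claims, not to the claims themselves.
function issueCredential(issuerKey, issuerDid, subjectDid, claims) {
  const disclosures = Object.entries(claims).map(([name, value]) =>
    ({ salt: crypto.randomBytes(16).toString('hex'), name, value }));
  const payload = JSON.stringify({ issuer: issuerDid, subject: subjectDid,
    digests: disclosures.map(digestOf).sort() });
  return { payload, signature: sign(issuerKey, payload), disclosures }; // all kept in the wallet
}
// Controller: reveal only the chosen claims; sign the verifier's nonce with the DID key.
function present(cred, holderKey, revealNames, nonce) {
  return { payload: cred.payload, signature: cred.signature,
    revealed: cred.disclosures.filter((d) => revealNames.includes(d.name)),
    proof: sign(holderKey, nonce + cred.signature) };
}

// Verifier: resolve both DIDs, check issuer attestation, holder binding, then each claim.
function verifyPresentation(p, registry, nonce) {
  let body;
  try { body = JSON.parse(p.payload); if (!Array.isArray(body.digests)) throw new Error(); }
  catch { return { ok: false, reason: 'malformed payload' }; }
  const issuerPub = registry.get(body.issuer), holderPub = registry.get(body.subject);
  if (!issuerPub || !holderPub) return { ok: false, reason: 'unknown DID' };
  if (!check(issuerPub, p.payload, p.signature)) return { ok: false, reason: 'issuer signature invalid' };
  if (!check(holderPub, nonce + p.signature, p.proof)) return { ok: false, reason: 'holder proof invalid' };
  const claims = {};
  for (const d of p.revealed) {
    if (!body.digests.includes(digestOf(d))) return { ok: false, reason: `claim ${d.name} not attested` };
    claims[d.name] = d.value;
  }
  return { ok: true, claims };
}

function demo() {
  const [issuer, holder] = [0, 1].map(() => crypto.generateKeyPairSync('ed25519'));
  // Constructed registry standing in for DID resolution on a blockchain.
  const registry = new Map([['did:example:issuer', issuer.publicKey], ['did:example:alice', holder.publicKey]]);
  const cred = issueCredential(issuer.privateKey, 'did:example:issuer', 'did:example:alice',
    { name: 'Alice Example', birthYear: 1990, over18: true }); // constructed claims
  const shown = present(cred, holder.privateKey, ['over18'], 'nonce-1'); // real nonces are random
  const forged = { ...shown, revealed: [{ ...shown.revealed[0], value: false }] };
  return { accepted: verifyPresentation(shown, registry, 'nonce-1'),
    tampered: verifyPresentation(forged, registry, 'nonce-1'), replayed: verifyPresentation(shown, registry, 'nonce-2') };
}
console.log(demo());
```

The verifier learns only `over18`; the name and birth year stay in the wallet, and an altered claim or a presentation replayed against a different nonce is rejected.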
Use cases for decentralized identity
There are many situations where decentralized identity becomes useful for individuals, groups, and organizations:
- Help people who don’t have a verifiable identity. The World Bank estimates that 850 million people worldwide–primarily in low- and middle-income economies–have no proof of their identity. This excludes them from participating in many economic opportunities. DID can help people who lack traditional credentials such as a birth certificate to verify their identity in other ways.
- Data monetization. Instead of Facebook making a mint selling your demographic information to advertisers, users would be in the position to be paid for their data.
- Data portability. Having a single DID you could use everywhere would make it much easier to move between apps, platforms, and jobs. No more starting from scratch filling out job applications, for instance, because you’re new to the employer’s platform.
- Enable DAOs. On-chain DIDs would help decentralized organizations grant members more accurate recognition and rewards, as well as ensuring fairer voting on governance issues.
- Eliminate password-based logins. Passwords are easily stolen, lost, or forgotten. Switching to a universal login based on your decentralized identity credentials simplifies internet usage and potentially makes it more secure.
- Reduce fraud and hacking. If users can avoid storing personal data in large corporate databases, their risk of having their personal information stolen is greatly reduced.
- Prevent Sybil attacks. Decentralized identity provides robust verification of who people are. This helps avoid attacks based on the generation of many false identities.
In sum, many of the problems that plague us in today’s world of centralized ID storage could be eliminated by widespread adoption of DID.
What are the challenges of implementing decentralized identity?
Thus far, no perfect, complete decentralized identity solution has emerged that resolves all the concerns around self-management and blockchain-based storage of personal data. Each approach to decentralized identity has its own pros and cons. For starters, self-custodial wallets are often a physical device that the user must securely store–and that can possibly be lost.
In its analysis of three early decentralized identity solutions, an IEEE working group found none fulfilled all of the criteria they defined as desirable, including the ability to create a DID without a traditional trusted ID document such as a passport or driver's license. One issue all solutions appeared to struggle with is user experience–interfaces were difficult to navigate. The group noted more must be done to make decentralized identity solutions user-friendly.
Given the nascent state of decentralized identity tools, be sure to study any solution you plan to use carefully, to understand all the ramifications of taking control of your identity online.
Emerging standards for decentralized identity
As with any emerging technology, it would help if there were broadly accepted standards for its implementation. So far, no broadly accepted standard has emerged. The main organizations currently developing standards for DID are:
- Decentralized Identity Foundation–An open-source project working to make DID interoperable between all organizations, individuals, apps, and devices.
- World Wide Web Consortium (W3C)–This organization’s credentials community group is working on making DID align with W3C standards.
- Internet Engineering Task Force–Decentralized, data-oriented networking is one of the areas of interest for this open, international group of engineers.
As organizations undertake projects, they may refer to one of these sets of standards to help ensure interoperability of their decentralized identity solution across the ecosystem.
What projects are developing decentralized identity solutions?
Many established companies as well as web3 startups are exploring ways to enable various aspects of decentralized identity. Many projects focus on serving a corporate market–here, we’ll focus on solutions aimed at individuals. Top players include:
- BrightID–Targeting people who have no verified credentials, BrightID allows people to begin establishing identity with just a photo and name.
- Ethereum Name Service (ENS)–What if you could sign into your social media and other platforms with just your Ethereum username? That’s what ENS and the smart contract Sign in with Ethereum are enabling, with over 530 different site integrations and counting.
- Gitcoin Passport–This DID tool allows you to accumulate “stamps” that validate your identity, enabling access to more platforms as you build reputation.
- Lens–The Lens protocol enables the development of social networks where users will retain ownership of their identities and their content.
- Proof of Humanity–PoH employs a network of people vouching for each other, or “webs of trust,” to help verify people’s identities.
- Quadrata–Issues identity passports to a user’s wallet as a non-transferable NFT. This passport would publicly verify that the owner of the address is who they say they are. It could even verify claims about AML risk and on-chain reputation. Many projects are working on similar concepts, including Dock Network and Fractal.
- SelfKey–This project has developed a noncustodial wallet that allows you to manage your identity and control your personal data.
- SpruceID–They’re building an open-source stack designed to give users data control. Their Credible project is creating digital versions of credentials such as drivers’ licenses.
This is just a small sample of the diverse projects that are building elements needed for wide adoption of decentralized identity.
What’s next for decentralized identity?
At Dragonscale, we’re excited by the promise of decentralized identity. It is a core part of web3 infrastructure that will strengthen and enable the use of other decentralized services. Rather than having Google or Facebook control identity management, or relying on traditional username/password systems that are vulnerable to hacking, we need services users can own and control.
The field is still developing, and isn’t without its challenges. But we’re happy to see so many projects working on decentralized identity and hope to see great solutions emerge from this experimentation.