Decentralized Identity and the Reclamation of Your Privacy
Commercial, Tech, and the Public Sector are reshaping the way you control your identity, privacy, and personal data.
This week features a perspective on the topic of Decentralized Identity and the Reclamation of Privacy, and a host of news and activity in the TradFi and DeFi space especially with respect to TradFi institutions making continued moves into the metaverse, blockchain and cryptocurrency. Additionally, last week featured a major Executive Order on Digital Assets by the Biden Administration which we will cover in a future newsletter.
On our key topic for today, the current model of identity is characterized by an overly complex, highly fragmented ecosystem spread across organizational entities and individuals. The identity it produces is neither ubiquitous and authoritative nor owned by the individual, either the identity itself or the data associated with it.
The future model of identity is characterized by: decentralization, privacy by design, user self-control, openness and interoperability, and global scale and accessibility.
We will cover both the current and future model across the three key categories that identity spans:
Commercial: to include Fortune 500 companies
Tech: to include Big Tech (Microsoft, Google, Amazon and others) and Web3 & DeFi
Public sector: to include federal and state & local organizations
Figure 1: The state of identity may shift from a fragmented, complex web of commercial, tech and public sector entities independently managing identity, to a decentralized, blockchain based ecosystem that puts the user in control of their privacy, data, and identity.
Let’s dive in to examine the current state of identity and what the future might look like.
The current state of centralized identity.
Category 1 - Commercial, otherwise known as Enterprise IT. The first group includes the commercial off-the-shelf (COTS) technology incumbents. Most enterprise technology relies on centralized identity and directory services, whether vendor-specific (most commonly Microsoft Active Directory Domain Services and Exchange) or built on vendor-agnostic protocols such as LDAP.
The second group features cloud solutions. These directory services are now also federated out to, or even natively hosted in, Cloud Service Provider (CSP) environments, including Microsoft Azure Active Directory, AWS Identity and Access Management (IAM), and Google Cloud Identity.
The third and final group of enterprise IT includes the modern digital natives, such as Auth0, an adaptable third-party authentication and authorization platform, and Okta, a similar platform for workforce identity with Single Sign-On (SSO) and Multi-factor Authentication (MFA). All three groups are underpinned by network infrastructure such as DDI (DNS, DHCP and IP Address Management), which falls outside the scope of this document; you can read more here for a technical deep dive.
In an industry example, DeFi has grown significantly but requires institutional adoption by TradFi for mainstream acceptance. TradFi requires compliance controls such as KYC, which is starting to be addressed with solutions such as Permissioned DeFi. Decentralized digital identity could provide the linkage, and a workable compromise: TradFi gains the assurance and compliance it needs, while end users and customers keep their independence, privacy and ownership of data in line with the vision of Web3. Read more here in an excellent set of Medium posts that map the identity verification technology stack in TradFi and address the challenges Web3 must solve to bring decentralized digital identity to maturity and mass adoption.
These service offerings are highly centralized in nature and thus require complex linkages and trust relationships established within an organization (e.g. identity federation services), as well as other trust mechanisms both within and across organizations.
Category 2 - Tech. In most Web 2.0 platforms, the Big Tech players offer identity services that connect almost as a "Social Single Sign-On" mechanism to confirm your identity to other web applications and even process payments. This sign-in mechanism is easy to connect with your existing Big Tech and social media accounts, but it also requires you to grant the relying application permissions (scopes) to the personal data the provider holds about you, and it makes that one provider account the key to every site it unlocks. Examples include Facebook Login, Google Identity and Sign in with Apple.
Category 3 - Public sector. The public sector today largely features the same technology products and services used by Commercial, including centralized identity and directory services from the leading technology vendors. There is also a variety of standard citizen and user identification methods used by civil sector and state and local entities (e.g. birth certificates, Social Security numbers and cards, state-issued driver's licenses, and passports). While these are truly unique identification mechanisms, most of the systems and processes behind them are highly manual or supported by legacy technology. Progress is being made in pockets of individual jurisdictions, such as the state of Arizona putting its driver's license and state ID in Apple Wallet.
The future state of decentralized, social, and privacy-enabled identity.
Category 1 - Commercial sector. Most commercial sector organizations have Enterprise IT functions that handle all technology services, including identity and access management (IAM) and the supporting network and domain services. One of the primary anchors for these services is the Microsoft family of Active Directory and Exchange, a set of mature and highly centralized services. Microsoft is adding Verifiable Credentials support to Azure Active Directory, so these services do not necessarily need to be replaced; they can instead accept decentralized identifiers and verifiable credentials as a means of authentication and authorization. See the Tech section below for how Microsoft is rethinking this space. Another concept worth looking into is Zero Trust, which could form the network and infrastructure foundation for authentication and authorization decisions based on identity and established trust rather than on network location, replacing the current perimeter-focused mindset that stops at network boundaries and organizational demarcations.
Category 2 - Tech. In Big Tech, Microsoft has taken the lead in thought leadership and in incubating new technology for decentralized digital identity (DDID), a concept also referred to by related terms such as self-sovereign identity (SSI). The vision from Microsoft is clear:
“Each of us needs a digital identity we own, one which securely and privately stores all elements of our digital identity. This self-owned identity must be easy to use and give us complete control over how our identity data is accessed and used.” (Source)
This digital identity would be blockchain-based, co-developed by Microsoft and other partners. Microsoft has also partnered with the ID2020 Alliance, a global public-private partnership dedicated to aiding the 1.1 billion people around the world who lack any legal form of identity. The vision is clear, but how would it actually be manifested? Microsoft suggests that today's username, a unique identifier issued and controlled by a service, can be replaced with an identifier that is self-owned and independent, and that uses blockchain and distributed ledger technology (DLT) for data exchange, privacy protection and the security of transactions made with the identifier. These identities would be built upon the principles of: secure, reliable and trustworthy; privacy-protecting and in my control; inclusive, fair and easy to use; supervisable; and environmentally responsible.
MIT's Technology Review also suggests that the future state of identity might include the end of passwords as a primary method of authentication. This could take the form of a blockchain-based ecosystem for managing user identification, combined with alternatives to passwords such as biometrics for login: a ubiquitous, decentralized, user-owned identification mechanism paired with factors that, unlike passwords, cannot be forgotten, reused across sites, or typed into a phishing form. Good examples of digital identity solutions in this vein, though not necessarily decentralized or blockchain-based, include Passbase and NEC Digital Identity (read more here).
Another interesting perspective is the concept of Identity-Native Infrastructure Access. This approach ties every access decision to an individual's identity: instead of sharing passwords, keys or other secrets, access is granted on the basis of who the identity is. Its proponents point to deployments at the world's largest Big Tech companies and argue it is the only way to scale access securely. Eliminating shared secrets removes a whole class of breach paths, and the approach is a key tenet of adopting a Zero Trust Architecture. Read more here in the e-book published by O'Reilly.
In DeFi and Web3, blockchain projects and use cases are going about decentralized digital identity in a variety of ways, to include domains, digital wallets, and web browsing.
Domains - As with all things Ethereum, the concept of domain names is being decentralized with the Ethereum Name Service (ENS). These names are much broader than the traditional web domains we are used to: they provide decentralized naming for websites, digital wallets, and anything else that can be mapped to an Ethereum public address.
Digital wallets. One might wonder, if the future is truly decentralized, then who will help me if I lose my password? Or, who will help me prevent my funds in an account from being lost or stolen? The advantage of centralized mechanisms is currently founded in institutions backing your assets and supporting you in cases of fraud, loss, or password resets.
That being said, the DeFi community has been thinking through these problems and incubating a number of new concepts. For account and wallet recovery, Argent (a prominent DeFi wallet and a pioneer of these concepts) has implemented decentralized, off-chain and social recovery. Rather than storing and retaining seed phrases for Ethereum and other blockchain accounts, you designate "guardians": other identifiers belonging to people, devices or third-party services you already trust, which hold only the limited permission needed to approve a recovery. Recovery material can also be kept off-chain (e.g. encrypted in cloud storage on iCloud or Google Drive) to decouple your recovery methods from your device. Social recovery is also free. Read more from Vitalik Buterin, co-founder of Ethereum, on the importance of social recovery and wallet security, also with input from Argent. Other DLT-based examples include Hyperledger Indy and Civic Identity Verification, among others.
Another great example is Polygon tapping Zero-Knowledge (ZK) proofs as the identity service for its new wallet app, based on reporting from The Defiant (original blog post here from Polygon). For any given "Claim" (an open, verifiable data structure that can represent any piece of identity information), a ZK proof allows the owner of the claim to prove to another party that the claim is true without revealing any information beyond the validity of the claim itself.
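To make the "prove it without revealing it" property concrete, here is an added worked example; it is not Polygon's, iden3's or any project's code from the page. It implements the classic Schnorr proof of knowledge over secp256k1: the prover shows it holds the private key x behind a public key Y (the claim being "I control the key bound to this identifier") and the verifier learns nothing else. The Fiat-Shamir hash makes the proof non-interactive and binds it to a constructed context string so a proof shown to one verifier cannot be replayed to another. The `simulate` function is the key teaching point: it produces a transcript that passes the verification equation without ever touching x, which is exactly why an accepting transcript leaks nothing about the secret. The curve arithmetic is pure Python and not constant time; it is there to keep the example self-contained, not for production use.

```python
"""Schnorr proof of knowledge of a secp256k1 private key (added illustration, not project code)."""
import hashlib
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over GF(P); base point G has prime order N.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity (group identity)

def on_curve(A):
    return A is not INF and (A[1] * A[1] - A[0] ** 3 - 7) % P == 0

def ec_add(A, B):
    """Affine point addition covering identity, doubling and inverse points."""
    if A is INF:
        return B
    if B is INF:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, A):
    """Double-and-add scalar multiplication (illustrative; not constant time)."""
    R = INF
    k %= N
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

def ec_neg(A):
    return INF if A is INF else (A[0], (-A[1]) % P)

def encode(A):
    return b"\x00" * 64 if A is INF else A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")

def challenge(Y, R, context):
    """Fiat-Shamir challenge: hash of the statement (G, Y), the commitment R and the context."""
    h = hashlib.sha256(b"schnorr-pok-v1" + encode(G) + encode(Y) + encode(R) + context).digest()
    return int.from_bytes(h, "big") % N  # reduction bias is negligible for a 256-bit order

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)

def prove(x, Y, context):
    """Prover: commitment R = r*G, challenge c, response s = r + c*x (mod N)."""
    r = secrets.randbelow(N - 1) + 1  # fresh nonce every time; reusing r across proofs leaks x
    R = ec_mul(r, G)
    c = challenge(Y, R, context)
    return R, (r + c * x) % N

def verify(Y, proof, context):
    """Verifier: accept iff s*G == R + c*Y with c recomputed from the same context."""
    R, s = proof
    if not (on_curve(Y) and on_curve(R)) or not 0 < s < N:  # reject off-curve points and bad scalars
        return False
    c = challenge(Y, R, context)
    return ec_mul(s, G) == ec_add(R, ec_mul(c, Y))

def verify_interactive(Y, R, c, s):
    """The verification equation alone, for a challenge c chosen by the verifier."""
    return on_curve(R) and ec_mul(s, G) == ec_add(R, ec_mul(c, Y))

def simulate(Y):
    """Build an accepting transcript (R, c, s) WITHOUT knowing x by picking c and s
    first and solving for R. Anyone can do this, so a transcript reveals nothing about x."""
    c, s = secrets.randbelow(N), secrets.randbelow(N)
    R = ec_add(ec_mul(s, G), ec_neg(ec_mul(c, Y)))
    return R, c, s

if __name__ == "__main__":
    x, Y = keygen()
    ctx = b"verifier=did:example:bank|nonce=7f3a"  # constructed session binding, not a real DID
    proof = prove(x, Y, ctx)
    print("proof accepted:", verify(Y, proof, ctx))
    print("same proof replayed to another verifier:", verify(Y, proof, b"verifier=did:example:other"))
    R, c, s = simulate(Y)
    print("simulated transcript passes the equation:", verify_interactive(Y, R, c, s))
```

The context string is what turns a bare proof of key possession into something a relying party can safely accept: without the verifier's identity and a fresh nonce in the hash, a proof captured from one session would verify anywhere. Schemes like the one Polygon describes prove richer statements about claim contents inside a circuit, but the verifier-side discipline is the same: recompute the challenge yourself, validate every point you are handed, and never accept a transcript whose challenge you did not bind.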
Specifically for decentralized identity in crypto finance, Circle's Verite is another great thread to pull on: a Web3-based, open source framework for presenting identity claims to smart contracts that still meets the guiding principles of decentralized digital identity.
Web browsing. A good example of a modern browser that meets the vision of Web 3.0 and user privacy is the Brave browser. Brave and its Basic Attention Token (BAT) are one of the few blockchain projects to achieve massive adoption at scale, and they are forcing the market to rethink conventional approaches to identity and privacy. Brave has cleared 50 million active users on its platform and over 15 million daily active users. The browser's initial draw was a "privacy by default" design, a sharp departure from the other web browsers on the market and from what we are used to with the current Big Tech and social media platforms. Brave also pays you for your "attention" via Brave Rewards, paid in its own token, BAT, in an attempt to disrupt how advertising is done and give the lion's share of ad revenue to content creators. Brave Rewards further lets you tip the BAT you earn directly to the creators of your choice, putting you in control of your data and of the rewards to the creators that bring the most value to you.
Category 3 - Public sector. Per the Microsoft Verifiable Credentials approach described above in Tech, a great case study features the UK National Health Service (NHS) using verifiable credentials to support swift staff movement between NHS organizations, allowing staff to store their own verified records for employment, clearance and other attributes on their smartphones. This could be applied much more widely across public sector use cases and processes, hopefully including the more universally accepted means of identification used today. Jurisdictions including India, Singapore, Argentina, South Africa and Japan have also engaged the aforementioned NEC Digital Identity solution for facial recognition and biometrics.
How can the Enterprise, Big Tech, and pure play decentralized Web3 projects reconcile for a ubiquitous solution of the future?
These three vectors are the primary domains where identity is established or validated. My hypothesis is that there will be a disruptive innovation battle between incumbents such as the Big Tech (Web2) players and new DeFi and blockchain entrants (Web3, Ethereum-based projects) over both the universally accepted standard and the technology for the future of identity. Given the decentralized nature of these standards, a hybrid future is also very likely, with multiple ways to control your identity while still operating in one ubiquitous ecosystem, much like the hybrid outcomes seen elsewhere in technology and finance.
Who will truly set the standards for this space?
Check out the following resources to see which bodies are helping set the standards for global adoption of this new approach to identity:
Decentralized Identity Foundation (DIF). A diverse group of enterprise organizations and decentralized Web3 projects collaborating to establish an open, standards-based ecosystem for decentralized identity that is accessible to all organizations and individuals.
Decentralized Identifiers (DIDs). A W3C specification defining a new type of identifier that enables verifiable, decentralized digital identity. The open source repository can be found here on GitHub.
Trust Over IP Foundation (ToIP). An organization whose consortium members include Accenture, MasterCard and IBM, and which seeks to promote global standards, leverage the opportunities of interoperable digital wallets and credentials, protect the identities of citizens and businesses, and integrate the technical elements of digital trust with the human elements of business rules, policies and governance.
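Since the DID specification listed above is the syntax every other piece of this ecosystem builds on, here is an added example showing what it actually looks like to a program. This is my own illustration, not W3C, DIF or ToIP code. It implements the DID and DID URL grammar from the W3C DID Core ABNF (lowercase method name, colon-separated method-specific segments with percent-encoding, then optional path, query and fragment) and adds one check a credential verifier should make and that the grammar alone does not give you: that the key named in a proof's `verificationMethod` belongs to the DID that claims to be the issuer. Without that check, a signature that is perfectly valid under an attacker-controlled DID can be presented as if it came from the issuer. The DIDs in the tests use the reserved `did:example:` method and are constructed for illustration.

```python
"""Parser and validator for W3C DIDs and DID URLs (added illustration, not W3C or DIF code).

Grammar from W3C DID Core 1.0:
  did                = "did:" method-name ":" method-specific-id
  method-name        = 1*(%x61-7A / DIGIT)                 ; lowercase letters and digits
  method-specific-id = *( *idchar ":" ) 1*idchar           ; must end with an idchar
  idchar             = ALPHA / DIGIT / "." / "-" / "_" / pct-encoded
  did-url            = did path-abempty [ "?" query ] [ "#" fragment ]
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

_IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
_DID_RE = re.compile(rf"^did:(?P<method>[a-z0-9]+):(?P<id>(?:{_IDCHAR}*:)*{_IDCHAR}+)$")
# A bare DID cannot contain '/', '?' or '#', so the first of those always starts the URL part.
_DID_URL_RE = re.compile(
    r"^(?P<did>[^/?#]*)(?P<path>/[^?#]*)?(?:\?(?P<query>[^#]*))?(?:#(?P<fragment>.*))?$"
)


@dataclass
class DidUrl:
    did: str
    method: str
    method_specific_id: str
    path: str = ""
    query: Dict[str, str] = field(default_factory=dict)
    fragment: Optional[str] = None


def parse_did(did: str) -> Tuple[str, str]:
    """Return (method, method_specific_id) or raise ValueError on any grammar violation."""
    m = _DID_RE.match(did)
    if not m:
        raise ValueError(f"not a syntactically valid DID: {did!r}")
    return m.group("method"), m.group("id")


def is_valid_did(did: str) -> bool:
    return _DID_RE.match(did) is not None


def parse_did_url(did_url: str) -> DidUrl:
    """Split a DID URL into its DID, path, query parameters and fragment, validating the DID."""
    m = _DID_URL_RE.match(did_url)
    if not m:
        raise ValueError(f"not a DID URL: {did_url!r}")
    method, msid = parse_did(m.group("did"))
    query: Dict[str, str] = {}
    if m.group("query"):
        for pair in m.group("query").split("&"):
            key, _, value = pair.partition("=")
            if not key:
                raise ValueError(f"empty query parameter name in {did_url!r}")
            query[key] = value
    return DidUrl(m.group("did"), method, msid, m.group("path") or "", query, m.group("fragment"))


def same_controller(issuer_did: str, verification_method: str) -> bool:
    """Verifier-side check: the proof's verificationMethod must be a DID URL that names a
    specific key (fragment) under the issuer's own DID. Comparison is exact, since the
    method-specific-id is case-sensitive."""
    parse_did(issuer_did)  # the issuer must itself be a well-formed DID
    vm = parse_did_url(verification_method)
    return vm.did == issuer_did and vm.fragment is not None


if __name__ == "__main__":
    # Constructed inputs using the reserved did:example method.
    for candidate in ("did:example:123456789abcdefghi", "did:web:example.com:user:alice",
                      "did:EXAMPLE:abc", "did:example:abc:", "did:example:abc%ZZ"):
        print(f"{candidate:40} valid={is_valid_did(candidate)}")
    u = parse_did_url("did:example:123/path/x?versionId=1&hl=abc#key-1")
    print(u)
    print("issuer controls key:", same_controller("did:example:123", "did:example:123#key-1"))
    print("foreign key rejected:", not same_controller("did:example:123", "did:example:999#key-1"))
```

Two grammar details trip up hand-rolled checks and are covered by the tests: empty colon-separated segments (`did:example:a::b`) are legal, while a trailing colon or an uppercase method name is not. Resolution of the DID to its document is method-specific and deliberately out of scope here; validating syntax first means a resolver is never handed attacker-shaped input.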