Digital Identity: Moving to a Decentralized Future

The internet is fundamental to commerce and social interactions. Both require robust systems of identity so they can function, but identity wasn’t built into the internet’s original design. To compensate for this shortcoming, organizations have built nonuniversal services that confirm identity and control over accounts. Unfortunately, these have generally been local in scope.

Today identity is typically managed at the application or enterprise level. Occasional attempts to federate beyond that level have achieved only moderate success, mostly in noncritical areas such as social apps. As a result, most internet users maintain over 90 individual username and password combinations, and the unintended consequence is that each provider they interact with has become a honeypot of personal information vulnerable to theft.

Digital identity isn’t working very well for the people who have it, and at least 1.1 billion people don’t have any digital or legal identity at all. Efforts such as India’s government-sponsored Aadhaar are underway to correct this, but by centralizing so much information and the control over it, these efforts are creating a new kind of problem while solving another.

What is required is an approach to digital identity that is simple, secure, portable, and under the control of the person it represents. The emerging field of decentralized digital identity may be the solution.

What Is Digital Identity?

As interactions move from face to face in the physical world to the internet, people must be able to prove who they are online. Digital identity is identity that can be verified over digital channels with identifying credentials that are digital, portable, secure, and verifiable in real time.

For most people today, their legal identities are represented by offline physical documents such as passports. Their social identities may be digital, but those identities are probably controlled by a large social platform vendor such as Facebook or LinkedIn that uses impermanent terms of service to control users access to their social identities. Behavioral identities are mostly in a person’s search and usage histories with platform vendors and ad-tech databases, where they may be bought and sold without a person’s knowledge or consent.

Physical identity methods fail online, because digital copies of physical documents are easy to forge and because remote presence is tough to verify. Physical identity methods also are not scalable in the way platform- and software-based businesses increasingly require. Such issues have been apparent from the early days of the internet, and they have led to the two predominant solutions of centralized and federated identity in use today.

For service providers, this solution is neither secure nor efficient. User passwords are often compromised (in part because users repeat passwords across services) or forgotten, leading to costly security breaches and password reset customer service calls. All of these drawbacks gave rise to the second solution, the federated model, where a single party in charge of both the onboarding and authentication of users offers identity solutions to different enterprises.

The most popular providers of federated identity services are social media sites (Figure 2), and their primary offering related to identity is portability. People can have the same username and password combination across multiple services, and online services don’t need to build their own identity management infrastructure.

This approach has several major drawbacks. It’s not very useful for high-touch services such as banking that have more stringent onboarding requirements. It also creates massive pools of user data that can be monetized by social media sites at best and serve as honeypots for hackers at worst.

Some of the more shocking online developments in recent years (Table 1), including the Cambridge Analytica scandal¹ and the Equifax data breach² , can be traced to the limitations of the centralized and federated approaches to digital identity. The economic and personal cost of such scandals and breaches have opened the door to a better solution.

Figure 5. Flow for a digital driver's license issued to an individual who then uses it to open a bank account.

Whereas public-private cryptography in a blockchain like that of Bitcoin tracks the provenance of a digital token, for identity the DLT infrastructure can be used to track the provenance of verifiable credentials.

Decentralized systems must integrate with existing identity and access management (IAM) systems, manage keys appropriately (including key recovery and revocation), and implement all of it through privacy by design principles—for example, by using the emerging technology of a zero-knowledge proof or zero-knowledge protocol.

Benefits of Decentralized Digital Identity

Decentralized digital identity creates the potential for win-win benefits across consumers, enterprises, and society. Some of the notable benefits include the following:

• Privacy and convenience: Decentralized identity systems are private by design, giving users the full control of how their identity is shared. These systems also simplify account setup and access at all participating providers, eliminating the need for login ID and passwords.
• Security and fraud reduction: Users are more secure because they aren’t managing passwords. Businesses are more secure because they no longer control honeypots of descriptive PII (Figure 6). Identity fraud is reduced because there are no login IDs and passwords to steal and reuse.
• Cost savings and efficiency: Costs may be reduced for customer onboarding, data management and security, and lifecycle management.
• New opportunities: Digital identity will open opportunities for new products and new business models.

Figure 6. Decentralized identity systems shift the risk of data loss away from large central stores. Any single security breach will yield a much smaller haul of PII, thus changing the economics of a break-in attempt. Source: Gartner, 2017

Example Use Cases of Decentralized Digital Identity

Decentralized identity is promising and is attracting significant attention and investment. However, some important challenges must be overcome for broader adoption:

• Canada BankID / Verified.Me: A network of major Canadian banks and other service providers are federating identity across a permissioned Hyperledger Fabric blockchain. The network streamlines logins, data sharing, and account setup so users can conduct traditionally face-to-face business online.
• IDKEEP: Backed by PayPal and the Omidyar Network, IDKEEP is a partnership between Luxembourg’s LuxTrust and Cambridge Blockchain to build a GDPR-compliant identity network that will resolve both identity and personal data challenges across banking, health care, insurance, and other services. IDKEEP is an enterprise network that leverages Cambridge Blockchain’s permissioned blockchain service and off-chain personal data service.
• CULedger / MyCUID: CULedger is a credit union service organization that, in concert with Evernym, is building a consumer-focused digital credential and data system called MyCUID. It supports self-sovereign principles and uses the Sovrin network. Its goal is a global identity for credit union members. “With the help of Evernym’s Sovrin Identity Network, MyCUID uses a person-to-person network of distributed, private agents working in parallel with the distributed ledger to give credit union members a lifetime portable digital identity that does not depend on any central authority and can never be taken away.”
• TrustNet: TrustNet is being built in cooperation between Finland’s research and industry partner network and the Sovrin Foundation. “TrustNet is a heavily industry-networked research project that focuses on developing a blockchain-based distributed environment for personal data management following the MyData principles.” It leverages the Sovrin self-sovereign identity network running on the Hyperledger Indy blockchain to manage identity and access to personal data stores.

Implications for the Financial Services Industry

Few industries are more impacted by identity than financial services and banking. Identity affects the entire customer journey, starting from KYC and onboarding and continuing through account login, verification for large transactions, sanctions screening, anti-money laundering (AML) monitoring, loan screening, and vouching for a client’s creditworthiness. Decentralized digital identity can serve as a new infrastructure layer for all of these services, moving authentication from the foreground to the background and becoming a catalyst for creating simple, seamless, and secure experiences for customers.

The decentralized identity architecture has the potential to reduce the complexity of the current identity management infrastructure while introducing flexibility by promoting a role-based and modular architecture. With data privacy and security built into the solution, decentralized identity can provide new ways to reduce identity fraud and associated risks in operations.

Over the long term, decentralized identity represents the transformation of a major customer interface (identity) that is fundamental and core to financial services firms. The value that exists today in creating, using, and managing digital identities can be expected to be redistributed over a new ecosystem as it takes shape and evolves. This should open opportunities for new services and business models. Regardless of how the future plays out, the current role that banks play as institutions of trust puts them in an advantageous position to impact the development of this emerging technology.