In the offline world, establishing your identity can be done fairly easily in many situations. For example, if you go to a liquor store and the staff wants proof that you’re old enough to purchase alcohol, you show them your driver’s license. If you take an international flight and the airline wants proof that you are who say you are, you show them your passport. In these cases, the liquor store and airline do not have any direct relationship with the governing bodies that issued the proof of identity. And they are both free to reject your proof if they don’t feel that it’s authentic.
Of course, there are several problems related to establishing your identity in this manner. For example, proof of identity is often a document or copy, which means that airlines, for example, have to manually read and scan your documents to extract the relevant information. If you move, you have to contact all of the organizations that attest to your identity to change your address. Finally, ID cards and documents can be easily altered, which means additional steps are required to prove their authenticity.
SOLVING IDENTITY PROBLEMS DIGITALLY
Fortunately, a combination of standards and digital signatures can solve these problems. Data can be stored and transported in a machine-readable format. Changes can be managed using APIs to connect, authenticate, and update details. Finally, digitally-signed attestations can be used to prove the authenticity of identity proofs, because the digital signature cannot be forged. A digital signature becomes invalid if there are any changes to the document and cannot be copied from one document to another.
CENTRAL REPOSITORIES ARE HONEYPOTS
Another solution is a central repository of identities. For example, customers give their details and supporting evidence to a credit-reporting agency, which then passes the information to banks and other agencies. If you move, you provide your new details to the credit-reporting agency, which then pushes the updated information to the banks and other agencies. This centralized arrangement can be beneficial in some aspects, but also has its own problems.
First, central repositories can become near monopolies, like the three main credit-reporting agencies in the United States, Experian, TransUnion, and Equifax. Furthermore, while the credit-reporting agency can charge for maintaining the information, the information itself is a liability. An obvious failure in this regard is the Equifax data breach that affected 145.5 million people.
A DECENTRALIZED SYSTEM FOR BETTER IDENTITY PROTECTION
Fortunately, the concept of a “self-sovereign identity” has been gaining traction recently. With a self-sovereign identity, everyone is the original source of their own identity, which is not an administrative mechanism for others to control. Each individual is the root of their own identity and central to its administration.
Self-sovereign identity systems can use blockchain technology of distributed ledgers so that claims can be verified without a centralized repository. In the example of the liquor store above, a government body issues a claim to you, the claim holder, in the form of a digital driver’s license. The government body uses keys linked to their decentralized identifier on the blockchain to digitally sign the license to make it tamperproof and valid. You hold the license in your wallet and use keys linked to a decentralized identifier that you control on the blockchain to countersign the driver’s license. When you present the driver’s license to the staff, they can verify its validity, the issuing body, and your identity. Everyone can look up decentralized identifiers on the blockchain and retrieve any associated public keys.
There are several identity services built on blockchain technology with different standards, which makes interoperability difficult. Furthermore, many people in the world do not have access to the technology required to use these services. Still, future data breaches and privacy issues will likely drive further adoption of self-sovereign identity systems.
Also published on Medium.