Decentralized Identities (DI): What it is, and the benefits for IAM
DI is a new way to handle your customer's personal information that lowers your business risk and compliance requirements, while saving money on security.
Aug 28, 2023 • 7 Minute Read
- Software Development
- Engineering Leadership
Most people don’t own their own name.
Sounds weird, right? But this is the reality we live in. For the most part, people and the digital identities that represent them are separate. Take a moment and think about all the multiple profiles you’ve likely got floating around, such as your identities for:
Imagine each digital identity is a physical card with your personal data written on them: your name, phone number, credit card details, and so on. Whenever an app or device asks, we hand one of those little cards over. But once we do, it’s in their hands: they can sell that card, share it with someone else, or lose it (data leaks).
Most of the time, you don’t know what’s happening with these cards; you just trust they’re taking care of them. And most of these are duplicates, in the hands of multiple identity providers and companies.
Sounds risky. How do we solve that problem?
According to traditional identity management, the best approach is to centralize all these identities: hand out fewer cards, or only trust one identity provider. Less footprint, less risk. That’s Security 101, after all. There’s also less passwords to remember, and a simplified sign-in process.
Still, there’s holes in this approach. What happens if the one identity provider you trust goes out of business, or mistreats your personal information? You still don’t own your identity. To use our earlier analogy, they now hold all the cards.
Now, is this really the best form of identity management? How could you get your personal details back so they’re not misused? Enter decentralized identities.
What are decentralized identities?
Decentralized identities (DI), also known as self-sovereign identities (SSI), are a way for people to take control of their own identity (It is theirs, after all!). Instead of people relying on companies or platforms to manage their identity information, they can create and manage their own digital identity.
For businesses, it’s also awesome, because it reduces the amount of personal information they have to store and protect. Suddenly, that nightmare of a big data breach where all their user’s personal information is leaked is far less likely. For developers, decentralized identities eases development overhead by providing a standards-based approach to identity and credentials.
Since the benefits of DI are fairly numerous, here’s a more thorough breakdown.
The benefits of decentralized identities for individuals
Ownership and control: All your identity information is with you, not the centralized identity providers (social media platforms, online services, etc).
Portability and interoperability: You can use the same identity across all your platforms, services, and organizations. No need to create separate accounts or profiles (then remember to update them).
Trust and security: You can choose what you share and with who. DI uses cryptography and blockchain technology to make sure your personal info is safe.
Audit trails: With a DI, you can check the audit trail of who you’ve shared information with.
Less identity silos: DIs break down the walls between different identity providers who might not work well together. Rather than making multiple identities in different places, you’ve got one single identity that they can recognise and verify.
Intermediary disintermediation: DIs mean you don’t need as many people in the middle to authenticate, verify (and store) your identity information
The benefits of decentralized identities for businesses
Less business risk: DIs mean you have less need to securely store your customer’s Personally Identifiable Information (PII). All your organization needs to do is request it when needed.
Cost efficiencies: With DIs, organizations don’t need to create and maintain their own identity infrastructure. This means less money spent on servers, databases, and security measures.
Regulatory compliance: DI can help businesses comply with data protection regulations (like GDPR) by reducing the amount of personal data they store and minimizing the risk of data breaches.
Trust and reputation: Since DIs respect user privacy and give them control over their data, this builds consumer trust.
The benefits of decentralized identities for developers
Simplified integrations: DI provides devs with standardized protocols and frameworks for integrating decentralized identity systems into their applications and services. No need to build the wheel again from scratch.
User-centric approach: Developers can empower users by enabling them to control their own identity information.
Enhanced security: DI uses cryptography and blockchain technology.
Interoperability and collaboration: Developers can integrate their apps with DI frameworks, so identity verification can be fairly frictionless across platforms.
What are the limitations or downsides of decentralized identities?
So far, I’ve painted a fairly rosy picture of DI. However, all this new-found freedom and security is not without its own risks.
Industry providers are in the business of securing identities, and as a result, they’ve gotten pretty good at it. If you decide to take your identity back from them, that means the onus of keeping it safe is then on you.
Tech literacy is another issue. Not everyone is going to get their head around digital identities, and if you lose your private keys, there’s less support there to get it back due to the protections and autonomy inherent in them in the first place.
Because of that literacy barrier and the fact it’s early days, DI isn’t widely adopted yet. People are still using centralized identity management models, and shifting from this is a big task in terms of changing infrastructure, protocol, and how users behave.
On the upside, Microsoft is focusing on supporting decentralized identity solutions for businesses, so DI is now more than just frontier technology.
Exploring the technology behind decentralized identities
We’ve talked a lot about the pros and cons of DI, so now let’s delve into the actual technology behind it. DI is powered by digital identifiers and verifiable credentials, so it’s important to address those two concepts first.
What exactly are Decentralized Identifiers (DIDs)?
Decentralized Identifiers are a Uniform Resource Identifier (URI) that associates a subject with a DID document.
A Uniform Resource Identifier (URI) is basically a way of identifying something on the Internet.
A subject is a person, group, organization or something else that needs to be identified.
A DID Document is a set of data that describes the subject. The subject can use the DID Document to authenticate itself and prove it’s association with the Decentralized Identifier (DID)
Decentralized Identifiers are a key component of Verifiable Credentials.
What are Verifiable Credentials?
Verifiable Credentials are a way to prove you have certain attributes. This could be proving your age, that you’re licensed to operate a motor vehicle or something else. Verifiable Credentials are designed to provide a secure, private, and verifiable way to prove our credentials (or attributes).
An example of Verifiable Credentials at work
You’re excited to buy the latest cutting-edge phone, the TechBrick 2000. Confidently, you strut into the store, ready to make your choice. But the phone provider has a laundry list of demands before they hand over the shiny device.
“Are you old enough to own a phone?” They demand. You say yes, and they ask you to prove it, so you show them your license.
“Can you actually pay for your phone?” They ask next. Geez, rude! But you show them your payslips and bank account records, which you conveniently had in your back pocket.
“Can I copy all of that?” They finally ask, whipping out their copy machine. You don’t really have a choice — you really want that TechBrick 2000, and they need to prove they’ve checked your credentials.
They make a duplicate of every personal document you have. You might own the TechBrick 2000, but the phone provider is now the proud owner of all your Personally Identifiable Information.
Let’s contrast this with Verifiable Credentials. In this case, the phone provider requests the credentials they need without actually needing to hold your documents hostage with an indefinite release date. Instead, they simply receive a special credential, signed by a trusted issuer, like a golden ticket to getting your phone.
So, now you’ve got your TechBrick 2000 without sacrificing your PII to identity document collectors. The phone provider gets what they need, so it’s win-win.
How to get started with this technology
If you’re looking to start exploring Verifiable Credentials and the Decentralized Identities that power them, you can get started today with Microsoft Entra Verified ID.
Microsoft Entra Verified ID can act as an issuer, issuing verified credentials to users or a verifier, verified provided credentials, or both. I cover Microsoft Entra Verified ID in my latest course, AZ-500: Manage Identity and Access.