Setting the Stage for Universal Decentralized Identity
Setting the Stage for Universal Decentralized Identity
Year after year, the steady growth of cybercrime has steadily pushed digital security experts to venture into new territory when it comes to developing new infrastructures that can truly safeguard personal identifiable information (PII). These efforts have only become more urgent, with 71.1 million people falling victim to malicious cybercrime every single year. After all, the detriment of fallible security systems ultimately falls back on users, as the average individual endures $4,476 in annual losses from these cyberattacks. Thankfully, recent developments have led to the increasingly popular opinion that decentralized identity approaches are much more secure. But as far as implementation goes, we still have a lot of work to do.
What is decentralized identity, and how can it be leveraged to secure digital identity management?
Decentralized identity speaks to a wholly independent process of user identification. Based upon this framework, users are not only empowered to create and monitor their own PII without the help of a centralized third party, but they can also benefit from increased security. In all, this breakthrough in digital identity management is designed to put control of how and when personal data is shared back into the hands of consumers. The idea is to only provide the information necessary to complete a transaction, but no more.
Implementing decentralized identity leverages an open standard framework that uses digital identifiers and verifiable credentials on the blockchain that enable trusted data exchange. The way it works is that, upon presentation, the issuer (the entity that issues the verifiable credential) validates the cryptographic signature of the credential with the verifier (the entity that requests validation of the verifiable credential).
With recently released W3C standards, verifiable credentials now have standard data formats which are easily read by different parties. The promise of verifiable credentials is to replace the need to share physical-world credentials altogether, as a VC can represent all of the same information that a physical credential represents. In fact, according to new market research from Grand View Research, Inc. the global decentralized identity market is expected to reach $102 billion by 2030, representing a staggering CAGR of 88.2%.
Decentralized identity use cases
Decentralized identifiers and verifiable credentials have immense value. On an organizational level, they can simplify onboarding processes so that employees or consumers don’t need to transfer their personal data across various inputs. They can reduce friction, make customer adoption go faster and reduce concerns about data sharing, storage and privacy.
Different verifiable credentials can also be issued for different purposes. Besides the obvious ID carts, consumers can also leverage DIDs to secure digital prescriptions, or prove education credentials, businesses can use verifiable credentials for bills of lading, insurance certificates, export licenses, and more. In short, decentralized identifiers and verifiable credentials present countless personal, organizational, and societal applications when it comes to fortifying personal information.
These applications have even crept their way into California legislature with an amendment to Senate Bill No. 786, which states that “a county recorder, upon request, [may] issue a certified copy of a birth, death, or marriage record… by means of verifiable credential… using blockchain technology”. Though this advancement may precede a long journey towards widespread legal adoption of similar applications, it has the capacity to shine new light on decentralized identity infrastructure to as many as 39 million California residents. Other states are sure to follow.
A particularly exciting development in the realm of decentralized identity infrastructure has recently come from Microsoft with Entra Verified ID. This technology is one of the first mainstream uses of its kind, making it a promising advancement in light of rising cybercrime. With this integration of decentralized identity features, users are able to leverage decentralized identifiers in order to issue and verify credentials without ever compromising on ease of use, security, or privacy.
Of course, with this move to a decentralized identity landscape, plenty of other approaches have been thrown into the mix to combat a consistent rise in cybercrime. One is multi-party computing, which enables several entities to participate in computation while keeping the inputs completely private. Other infrastructures look to zero-knowledge proofs as standard protocol to verify personal identity, using methods to convince a “verifier” that a statement about some secret information is true without revealing the secret itself.
The advantages and disadvantages of DIDs and verifiable credentials
Through its gradual adoption, decentralized identity has offered countless advantages for users seeking to gain control over their digital identity management. With increased security and privacy with a simplified process, this infrastructure allows users to wield full agency over their digital identifiers. Stored on the blockchain, PII is protected in a decentralized storage system that theoretically leverages encryption to mitigate breaches.
However, the reality is that, at least until now, decentralized identity infrastructures are rather nascent and facing low adoption rates. Why? All of this ultimately boils down to usability and interoperability––things that are particularly difficult to scale in this context. With a lack of regulation, many enterprises are also led to question deployment mechanisms. Because identity management systems are designed and managed centrally on the backend, data breaches persist universally––and on a growing scale, a problem that verifiable credentials may not be able to solve.
Beyond this, there are still other security concerns:
1 - How will access to the backend databases be secured? It is not unheard of for nefarious actors to breach identity systems and issue fake credentials.
2 - How is the identity of the actual holder verified if the credential is issued on the blockchain and linked to a device? Device biometrics are only able to verify the owner of a device; so if an attacker can impersonate someone to generate a credential and link it to their digital wallet, how will anyone know that it is not the right person asking for services?
3 - How do entities that need to manage user identity across a “lifetime” leverage these credentials for ongoing access? For example, banks still need to ensure user authentication into a mobile or web application. They will still need to conduct their own KYC/AML checks and will unlikely be able to rely on third party issued verifiable credentials. Users also need to be able to log in, make payments and transfers, add additional payees, etc. On their own, verifiable credentials do not satisfy these use cases.
4 - How does account recovery work? It is rather easy for an issuer to revoke a credential on the backend; but for the consumer getting a new one means having to go through a whole onboarding process again, negating a lot of the ease of DIDs and VCs’ inherent benefits. Additionally, if SIM swaps are any indication of ongoing fraud trends, account recovery using stolen personal data from the dark web is one of the most vulnerable attack vectors.
For these reasons and more, the deployment of verifiable credentials need to be thought through more holistically, but techniques such as multi-party computing and zero knowledge proofs may hold the cards for maintaining the integrity of a decentralized identity system. While the blockchain may be leveraged for the issuance of the credentials themselves, these other frameworks can be used in parallel to provide the needed security design to prevent impersonation and account takeover attacks which can undermine an identity scheme.
How can decentralized data vaults help?
Leveraging multi-party computing, decentralized data vaults split data into multiple pieces, encrypt them and distribute them across peer-to-peer networks. Each piece of data is stored in a dedicated storage node that has a corresponding node that is responsible only for the decryption of the specific data component. If designed properly, user biometrics are required for data verification, and access protocols will limit the number of users that can run verification requests. Threat detection layers alert abnormal activity even with authorized users.
These kinds of systems provide a number of assurances:
- Personal data on the backend is secured and not vulnerable to breaches which can be used for subsequent account takeover attacks;
- Privileged access credentials cannot be shared or distributed;
- The risk of unauthorized activity even among insiders or those with proper credentials is minimized.
Beyond decentralizing data storage, multi-party computing provides a significant other added value––being able to process data, which is key to the functioning of decentralized biometrics.
What are decentralized biometrics?
As the term suggests, decentralized biometrics distributes biometric data and matching activities across a network of nodes. A biometric sample is broken into multiple pieces, each encrypted with a different key, creating multi-layered, multi-dimensional encryption. Decentralization is maintained at all times, during storage as well as during matching, which is conducted by breaking down the new biometric sample again and comparing each of the broken down elements against their stored counterparts without ever reassembling the original sample, leveraging zero-knowledge proofs.
This process affords multiple benefits:
- It can be leveraged for both one to one as well as one to many biometric functions (critical for deduplication and watchlist checks which would be important in the issuance of verifiable credentials);
- It is not dependent on any device, which makes it now possible to verify the identity of the actual holder of a verifiable credential, as well as to streamline account recovery;
- It enables regulatory compliance around data protection requirements around data minimization, pseudo-anonymization, safeguarding personal data, data localization, and preventing unauthorized data sharing.
How do decentralized biometrics and decentralized identity work together to protect PII?
Decentralized identity represents credentials that are stored on a blockchain, whereas decentralized biometric authentication is the process of storing and matching biometric data in a decentralized way.
In addition to the existing uses of this privacy-preserving technology, the use of decentralized identifiers and verifiable credentials can be further developed when considered through the lens of the Circle of Identity. At its core, the concept of the Circle of Identity acknowledges that biometric data collected at account registration will be used to verify identity down the line. When issuing verifiable credentials, collecting user biometrics and associating them with the user’s credentials and ensure proper use and easy reissuance as needed.
For verifiers, the use of verifiable credentials can simplify the account registration process; adding biometrics to that step ensures a closed loop for downstream services.
In all, utilizing DIDs and VCs in the context of a “closed”, or secured, Circle of Identity powered by decentralized biometrics paves a path for true, privacy-preserving infrastructure.
While this transition to a safer security infrastructure may take time and may endure some pushback, it is the only clear path toward large-scale, privacy-preserving systems. Existing methods of security and identity authentication are obviously fallible, as the number of reported breach incidents in the first quarter of 2022 have increased by 14 percent, compared to the same period in 2021, and are getting more and more dangerous. Cybercrime is trending upward, meaning there has never been a more urgent time to adopt decentralized identity approaches across enterprises, organizations, and society as a whole. But as is the case with all technology implementations, a fragmented approach may actually introduce more risk.
Before running full steam ahead with DIDs and verifiable credentials, it is very important for governments and enterprises to ensure they are not pursuing an unbalanced approach, addressing the credential aspect without an overall system security framework. Having a strategic roadmap and a visualization of the final end state is critical. Without these intentional steps, cybercriminals will find ways to exploit these credentials, steal sensitive information, and create new victims. If this point is ever reached, it will be virtually impossible to distinguish between legitimate people and attackers. Despite this looming reality, there is some good news: we still have plenty of time to avert such a disaster.