IAM

The Era of Self-Sovereign Identity

Self-sovereign identity is a concept in the digital identity movement: only the user should fully own their identity data, without intervention from any outside administration. COVID-19 has created a situation where everyone tries to digitize their day-to-day activity to reduce human contact, and with that we face the biggest challenge of protecting our identity. This is why we have to move to the era of self-sovereign identity; let’s see how it helps us.

Using a Self-sovereign Identity

Recently I had to go to the bank and cancel my card, due to some fraudulent transactions recorded by third parties. When the bank requested that I confirm whether I had provided my bank credentials to those third parties, I wasn’t able to, because I couldn’t remember where I had given my bank details. Simply put, I didn’t have control over my identity with those third parties.

The spread of the internet through our day-to-day lives and the rapid increase in online usage bring some issues with them: data theft, online fraud, and especially identity theft.

When you interact with online businesses to buy things, you always have to trust some third parties to fulfil your actions. Most of the time these third parties are service providers. Sometimes we provide our details to these third parties so they can act on our behalf, for example to make payments. The scariest thing is that these third parties collect confidential details from a lot of people, which makes them a single high-value target for hackers.

Due to the increasing usage of the internet, and the necessity of it, we can’t avoid using our details online. In the current situation of COVID-19, digitalization is very important.

But when we do something similar physically we don’t face this much of a problem. For example, if someone asks you to verify your identity, you show your ID or driving license. When you pay at a store, you just present your bank card. In this way, control and ownership of the data stay with you. The verifier accepts it because it is a verifiable credential, and the verifier doesn’t get access to all the details you provided to the place that issued the driving license or the bank card. This is self-sovereign identity; we just need a digitized version of it.

By using a self-sovereign identity, individual identity holders can create and control their credentials completely, without having to ask permission from a centralized authority or intermediary, and they keep control over how their personal data is used and shared.

Figure: Relationship between entities, identities and attributes/identifiers (source: Wikipedia)

Verifiable Credentials and Decentralized Identifiers (DIDs)

Verifiable credentials (VCs) are the electronic equivalent of physical credentials such as driving licenses, diplomas and passports. The underlying technology makes verifiable credentials more trustworthy and secure than their physical counterparts.

The data model for verifiable credentials is a World Wide Web Consortium Recommendation, “Verifiable Credentials Data Model 1.0 – Expressing verifiable information on the Web”, published 19 November 2019.

This can be explained using the following example: 

Behind these verifiable credentials there is a set of claims bound to them. Those claims describe the subject, which represents the person; only the owner has access to those details and only they control that information. You present these claims when requesting a verifiable credential from an authorized issuer, and at the verifier the credential is verified cryptographically.

For example, a credit card is a traditional, physical verifiable credential. When you request a credit card from an issuer, in this case an authorized bank, you have to present several documents, such as your bio data and your salary information; these are the claims that represent the subject, which is you. Once you get the credit card you can use it to make payments at a store, where your identity is verified through the card without you presenting your personal confidential details.

When we digitize this concept, rather than using a physical card we replace it with cryptography. The most common approach is to have a digital wallet that only you can access. This doesn’t mean it is the safest way; you are responsible for protecting your data, but it reduces the risk of exposing the centralized identity details of a lot of users. This is where decentralized identifiers come into the picture.

Decentralised identifiers (DIDs) are described as the linchpin of self-sovereign identity. They are a type of identifier that enables a verifiable, decentralized digital identity.

A DID identifies whatever subject (an organization, a data model, a person, etc.) the controller of the DID decides it identifies. These identifiers are designed so that the controller of a DID has control over it and can be decoupled from centralised registries, identity providers, or certificate authorities.

Verifiable Credential based Authentication via OpenID Connect

Wikipedia describes OpenID Connect as a “simple identity layer on top of the OAuth 2.0 protocol, which allows computing clients to verify the identity of an end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner. In technical terms, OpenID Connect specifies a RESTful HTTP API, using JSON as a data format.”

WSO2 Identity Server can act as an OpenID provider: the OpenID Connect authentication it provides can be used to sign in to and sign up for external services. WSO2 Identity Server also acts as an OpenID consumer, so any OpenID provider can be used to sign in to and sign up for the WSO2 Identity Server. WSO2 also provides connectors for connecting to more verifiable registries.

The OpenID provider asks for a username and password as the basic factor, but this can be improved to the level of biometric authentication using mobile phones. The OpenID provider then issues an identity token with the requested information. The information contained in this token is similar to the details printed on your credit card.

There is a way to improve this further, by using Verifiable Credential Authentication with OpenID Connect (VC-AuthN OIDC). With the above model the OpenID provider becomes centralized and has rather more control over the data: with the details available within the OpenID provider, it can authenticate access to another site or service. This is a feature of federated identity, and it violates the concept of self-sovereign identity.

VC-AuthN OIDC uses the OpenID Connect standards to integrate easily with supported systems, and also provides a way to authenticate using verifiable credentials, giving control back to the user. It is very similar to traditional OpenID Connect; the only difference is in the token information. Rather than using the provider’s stored user information to construct the token, it uses the claims in the verifiable credentials presented by the user.

How blockchain facilitates self-sovereign identity

The evolution of identity management is moving toward a user-centric control approach. Self-sovereign identity evolved further with the popularity of blockchain technology. Blockchain doesn’t only solve the above-mentioned challenges; it provides the missing link to use cryptography to prove identity.

We can use the same example to explain this. The bank is the issuer of the credential, which is your credit card. The bank links to its decentralized identifier on the blockchain and signs the claims with the corresponding keys. Your digital wallet, which holds your claims, has keys linked to a decentralized identifier that you control on the blockchain, and you can use them to countersign the credit card. The store, as a verifier, can then check whether the credential was issued by the bank and whether it belongs to you. This is how blockchain is used to look up decentralized identifiers.
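The issue, countersign and verify flow just described, written out in Go as an added example that is not part of this article or of WSO2 Identity Server. It also covers the VC-AuthN OIDC point from the previous section: the claims that Verify returns are what the provider would build its ID token from. Assumptions: an in-memory map stands in for the blockchain-based DID lookup, the DID strings and claim values are constructed, and Ed25519 is used in place of any particular VC proof suite.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

// Registry: constructed in-memory stand-in for the DID method's verifiable data
// registry (the blockchain lookup in the text), mapping a DID to its public key.
type Registry map[string]ed25519.PublicKey
// Credential: claims about Subject asserted by Issuer. Go's json encoder sorts
// map keys so canon() is stable; the json:"-" tag keeps IssuerSig out of it.
type Credential struct {
	Issuer, Subject string
	Claims          map[string]string
	IssuerSig       []byte `json:"-"`
}
// Presentation: holder's countersignature over credential||challenge, proving
// control of the subject DID's key for this verifier session only.
type Presentation struct{ Credential; Challenge string; HolderSig []byte }

func canon(c Credential) []byte { b, _ := json.Marshal(c); return b }

// Issue: the issuer (the bank in the article) signs claims about the subject DID.
func Issue(issuerDID string, key ed25519.PrivateKey, subjectDID string, claims map[string]string) Credential {
	c := Credential{Issuer: issuerDID, Subject: subjectDID, Claims: claims}
	c.IssuerSig = ed25519.Sign(key, canon(c))
	return c
}

// Present: the holder's wallet countersigns with the key behind the subject DID.
func Present(c Credential, holderKey ed25519.PrivateKey, challenge string) Presentation {
	return Presentation{c, challenge, ed25519.Sign(holderKey, append(canon(c), challenge...))}
}

// Verify resolves both DIDs through the registry, checks both signatures and the
// session challenge, then returns the trusted claims (the ID token input in VC-AuthN OIDC).
func Verify(reg Registry, p Presentation, challenge string) (map[string]string, error) {
	if p.Challenge != challenge {
		return nil, errors.New("challenge mismatch: possible replay")
	}
	if pk, ok := reg[p.Issuer]; !ok || !ed25519.Verify(pk, canon(p.Credential), p.IssuerSig) {
		return nil, errors.New("issuer DID unknown or credential signature invalid")
	}
	if pk, ok := reg[p.Subject]; !ok || !ed25519.Verify(pk, append(canon(p.Credential), challenge...), p.HolderSig) {
		return nil, errors.New("subject DID unknown or holder countersignature invalid")
	}
	return p.Claims, nil
}
```

The verifier never needs the bank's or the holder's private keys, only the public keys resolved from the two DIDs, which is why neither party has to hand over the underlying documents behind the claims.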

Conclusion

With the evolution of identity management, we have reached the era of user-centric self-sovereign identity. This gives control back to the user and brings the digital world closer to how identity works in the physical one. It makes digitization more secure and reliable for users, which is necessary today, when we need to isolate from other people to overcome this pandemic.


Written By

Thara Perera

Senior Engineer