Defining decentralized identity

Decentralized identity is an identity framework that lets people own, manage and control their personal information without relying on a central authority. In traditional, centralized systems, like government-issued IDs or online accounts, we typically rely on a single entity to store and verify our identities.

In a decentralized identity system, identities are not stored inside centralized repositories or governed by identity providers. Instead, they are distributed across a network of nodes, granting users full control over the sharing and verifying of their personal identity data.

Decentralized identity is a fundamental pillar of Web3, built upon its core principles of decentralization, cryptographic security, user empowerment and data sovereignty. Think of decentralized identity as having a virtual wallet that securely stores your identity credentials. Instead of sharing your entire identity with every service you interact with, you can selectively share specific pieces of information, granting them only the access they need. Furthermore, you can simply verify a claim without sharing the actual data. For example, you can verify that you are over the age of 18 without sharing your date of birth, or verify that you have a valid driving license without sending a photo of your ID. There are several benefits to this approach:

  • It enables you to have greater control and governance over your personal information.
  • It improves data privacy. As identities are not stored in a central data store, it becomes significantly harder for attackers to access them.
  • It promotes portability. You can use your decentralized identity across different platforms and services, without having to create multiple accounts.
  • Decentralized systems are designed to be transparent and trustworthy, leveraging the immutability of DLTs.

Features: Centralized vs Decentralized

Centralized and decentralized identity represent two fundamentally different approaches to creating, storing and verifying identity.

Trust
  • Centralized: Requires trust in the central authority, which may be an identity provider, a government body or any online service.
  • Decentralized: Trust is distributed across the network, with no single authority.

Portability
  • Centralized: Limited support. Different services require users to create accounts and undergo verification processes.
  • Decentralized: Allows seamless use of the same identity credentials across different services.

Ownership
  • Centralized: Owned and controlled by the central authority.
  • Decentralized: Owned and controlled by the user.

Security
  • Centralized: Relies on the security measures taken by the central authority. A single breach may expose the data of all users.
  • Decentralized: Uses Distributed Ledger Technology (DLT) such as blockchain and advanced cryptographic techniques for better security. Public key cryptography is typically used for key generation, digital signatures and encryption.

Cost
  • Centralized: Typically, costs are much lower because of the prevalence of centralized identity providers in the market.
  • Decentralized: Typically, costs are higher because of a larger infrastructure footprint, development complexity and scalability challenges.

Inclusion
  • Centralized: Limited access for people without traditional forms of identification.
  • Decentralized: Fosters inclusion by providing digital access to individuals who don't have traditional forms of identification, like government-issued IDs.

Availability
  • Centralized: Relies on the availability and uptime of the central system.
  • Decentralized: Decentralized nodes ensure high availability.

Is decentralized identity the same as self-sovereign identity (SSI)?

Decentralized identity and self-sovereign identity (SSI) are two terms that represent the same underlying approach and can be used interchangeably. While some experts view self-sovereign identity as a specific implementation of decentralized identity, the distinction between the two is often negligible. Both approaches share common principles and objectives, focusing on granting individuals control over their personal data.

How does the decentralized identity approach work?

Here’s how a typical decentralized identity network works:

A tamper-resistant ledger

Blockchain, or any other DLT, acts as the underlying infrastructure that enables secure and decentralized management of digital identities. Identity-related data, like Decentralized Identifiers (DIDs) and cryptographic keys, are recorded on the ledger in a transparent and auditable manner.

Creation of decentralized identifiers (DIDs)

Decentralized Identifiers are unique and cryptographically secure identifiers assigned to individuals. There are different methods to create and manage DIDs, with one of the most recommended approaches outlined in the DID core specification by the World Wide Web Consortium (W3C). As per the specification, a DID is made up of:

  • The Uniform Resource Identifier (URI) scheme
  • The DID method identifier
  • The actual identifier (which will differ based on the method)

An example of a W3C DID is: did:sample:123121n21bqg21, where did indicates the URI scheme, sample represents the name of the DID method, and 123121n21bqg21 is the unique identifier.
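The three parts described above can be checked mechanically. The following parser is an added example, not code from this page, written against the ABNF in the W3C DID Core specification (method names are lowercase letters and digits, identifiers may contain colon-separated segments and percent-encoded bytes); it also splits a DID URL, the form DID documents use to point at a key, into its DID, path, query and fragment:

```javascript
// ABNF from the W3C DID Core spec:
//   did                = "did:" method-name ":" method-specific-id
//   method-name        = 1*method-char          ; lowercase letters and digits only
//   method-specific-id = *( *idchar ":" ) 1*idchar
//   idchar             = ALPHA / DIGIT / "." / "-" / "_" / pct-encoded
const IDCHAR = '(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})';
const DID_RE = new RegExp(`^did:([a-z0-9]+):((?:${IDCHAR}*:)*${IDCHAR}+)$`);

// Split a bare DID into scheme, method and method-specific id.
// Throws on malformed input so a verifier never treats garbage as an identity.
function parseDid(did) {
  const m = DID_RE.exec(did);
  if (!m) throw new Error(`not a valid DID: ${JSON.stringify(did)}`);
  return { scheme: 'did', method: m[1], id: m[2] };
}

function isValidDid(did) {
  try { parseDid(did); return true; } catch (e) { return false; }
}

// A DID URL appends an optional path, query and fragment to a bare DID; DID documents
// reference keys this way, e.g. did:sample:123121n21bqg21#key-1 (fragment "key-1").
function splitDidUrl(didUrl) {
  let rest = didUrl, fragment = '', query = '', path = '';
  let i = rest.indexOf('#');
  if (i >= 0) { fragment = rest.slice(i + 1); rest = rest.slice(0, i); }
  i = rest.indexOf('?');
  if (i >= 0) { query = rest.slice(i + 1); rest = rest.slice(0, i); }
  i = rest.indexOf('/');
  if (i >= 0) { path = rest.slice(i); rest = rest.slice(0, i); }
  return { ...parseDid(rest), path, query, fragment };
}

// The page's own example parses into method "sample" and id "123121n21bqg21".
console.log(parseDid('did:sample:123121n21bqg21'));
```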

Storage

Users can choose to store their decentralized identities in multiple ways:

  1. User-controlled storage: Users can store their DIDs and associated data on their personal devices, such as computers, smartphones, or hardware wallets. This approach provides users with full control over their DIDs and ensures privacy and security since the data remains within their possession.
  2. Cloud storage: Users can also choose to store their DIDs and associated data in cloud-based storage services from trusted providers. Cloud storage offers convenience and accessibility across devices, enabling users to access their DIDs from anywhere with an internet connection. However, it's important to select reputable and secure cloud storage providers to ensure the privacy and protection of the DIDs.
  3. Decentralized storage: Platforms such as the InterPlanetary File System (IPFS) allow users to store their DIDs in a distributed and decentralized manner. Decentralized storage provides increased data availability and resilience compared to traditional centralized storage solutions.
  4. Blockchain-based storage: In some decentralized identity systems, DIDs and associated data can be stored directly on a blockchain. Storing DIDs on the blockchain ensures data integrity and enables verifiability by anyone with access to the blockchain.

Distributed consensus and cryptographic security

Blockchain networks use a distributed consensus algorithm to validate transactions and updates to identity data. This ensures the integrity and authenticity of the stored information. Cryptographic techniques, like public key cryptography, are used to generate and associate keys with DIDs. These keys are essential for authentication, allowing authorized individuals to securely access and control their digital identities.

Selective/minimal disclosure

Decentralized identities allow users to choose which attributes or credentials to share based on the context or requirements of the application. Blockchain-based smart contracts can be used to define the conditions for accessing specific identity data, further facilitating selective disclosure.

Final thoughts

Decentralized identity is the modern way of authentication that relies on self-owned, verifiable credentials. This new paradigm shifts the power back to the individual, enabling seamless and trusted interactions across various platforms and eliminating the need for centralized authorities. As decentralized identity continues to evolve, it holds the promise of a more inclusive, secure and interoperable digital ecosystem where individuals have sovereignty over their own identities.
