Decentralized System and Identity: The Future of Technology
![Karlos G. Ray [Masters | BS-Cyber-Sec | MIT | LPU]](https://miro.medium.com/v2/resize:fill:88:88/1*-t4juPfUfftKbJBR2H9QvQ.png){kind=small}
Introduction
Today, all the technologies and apps we use are primarily centralized — that is, they get managed from one central location. Take an example of the Facebook app; everyone uses it for online social activities. The organization is responsible for controlling such apps, user data, digital identity, and other personal details. All these credentials reside in the company’s server or cloud storage. Isn’t this a worrying factor?
Anyone within their organization can misuse such credentials or sell their undercover interests and data to a third party. Well! If you all agree with me on this, let’s dig deep into the concept of decentralization and how decentralized identity will become the future of authentication.
Before understanding the concept of decentralization, let us dig deep into some insight into what centralization is & its shortcomings.
What is a Centralization system?
In the centralized system, all the data, authentication applications, digital identity, and other processes associated with the system reside centrally. Such a system has one central authority to manage, control, and store all the resources. It is advantageous as it provides visibility to the overall process and resources. However, such a system caters to numerous drawbacks, especially when companies ought to deal with identity and personal data or credentials.
Drawbacks of Centralized system of identity and personal data storage
· Data breach:
A centralized form of credential and digital identity storage remains in one central server. Therefore, if cybercriminals compromise the system or use any zero-day attack to penetrate the system, they can easily steal those credentials and misuse them or change them to some arbitrary value. According to IBM, the most recent (2021) IBM Cost of a Data Breach Study found the average data breach cost as 3.92 million USD, with 36 percent (1.42 million USD) of direct business loss. Recovering all stolen digital identities and other personal assets costs a lot for the business.
· Privacy concern:
Another issue that is getting quite a boom is the concern of data privacy. Individuals have become concerned about sharing their private details and credentials with the organization where data is located centrally. Any internal threat can pose a severe issue, or anyone from within the organization can leak or steal those data and share it on the dark web. That is why, nowadays, companies should also follow privacy compliance and industry-standard policies to secure user data. However, the concern of centrally stored digital identity, private data, and login credentials is still a trouble.
· Credential stuffing through automation:
Anyone who has stolen the centrally stored login credentials and digital identities can use automated tools and APIs to perform credential stuffing to compromise other accounts using compromised emails and passwords. For this concern, companies should provide additional security mechanisms to those digital identities and credentials like hashing, encryption, continuous monitoring, etc., which is an additional cost. Any breach of the digital identities & login credentials gets directly pointed out to the company, which is the centralized point of failure.
What is a Decentralized system?
In a decentralized system, no single person or a single group of authority handles or deals with the data. Such a system allows users to store their data without depending on any centralized data center or cloud storage. Some decentralized system uses blockchain technology which makes them more secure. Any unnecessary updates or changes create a new block, and all other members/users associated with the system can see the changes.
What is Decentralized Identity (DID)?
Decentralized identity (DID), also known as self-sovereign identity or distributed identity, or personal identity, is a technique that allows users to manage their Personal Identifiable Information (PII) rather than handing it over to a centralized system. The primary purpose of decentralized identity is to create standard ways wherein internet users can control and manage which app or service can access particular user details and digital identity.
The entire concept lingers on a trust framework for managing identity. In other words, this framework gives identity control back to the consumer through the use of an identity wallet. The digital wallet enables users to grant and revoke access to user identities by any third party. As per Forrester’s report, “Decentralized Digital Identity (DID) is merely a technology buzzword: It promises a comprehensive restructuring of the currently centralized + physical ecosystem of storing and managing digital identity into a decentralized & democratized architecture.”
In a decentralized identity mechanism, identifiers such as usernames, Personal Identifiable Numbers (PINs), & phone numbers get replaced with self-owned IDs. These IDs will allow users to exchange data or authenticate themselves without compromising their security & privacy. Let us further explore the different terminologies and concepts associated with decentralized identity.
Terminologies associated with Decentralized Identity
· Identifiers or Decentralized identifiers: Identifiers are usernames, phone numbers, unique driving license numbers, bank account numbers & other Personal Identifiable Numbers (PINs) that get replaced by a verified self-owned ID called a pseudo-anonymous identifier. These identifiers work on behalf of your original credentials without disclosing user information. They will allow users to verify and exchange data without compromising users’ data security and privacy.
· Identity wallet: It is simply an application (installed on a mobile or computer) that allows users to create a decentralized identity and manage (grant and revoke) access of those identifiers to other companies or service providers.
· Identity owner: Identity owners are the users who create their decentralized identity by sharing their various identifiers to the identity wallet that gets verified by the issuer or identity verifier associated with the app. They are mainly responsible for managing and granting access to their personal information through that wallet.
· Identity issuer or verifier: These are organizations or authorized persons responsible for verifying the identity & issuing a tag that the owner’s identity is fit for decentralized identification purposes. They use the private key to sign the transaction & verify the identity owner(s). For example, Employers, Private firms, Government organizations, University, etc. These trusted authorities verify the accuracy of all user details and whether these details are shareable with other individuals or businesses.
· Distributed Ledger Technology (DLT): It is a technology architecture, together with some protocols that enables the system to simultaneously access, validate & update records in an immutable form over the network that is not centrally located or owned by any specific organization or individual. The most popular DLTs are the Blockchain and Ethereum.
How decentralized identity and app does work?
In a decentralized form of identity, an app or identity wallet operates and handles all the users’ credentials & personal details in a repository known as the wallet. The steps are:
i. These wallets function on behalf of their owner to verify the identifiers in a decentralized identity ecosystem.
ii. The wallet uses cryptographic keys (a private key and a public key) for authenticating users to businesses/login firms while not disclosing any of the user’s personal information and preserving privacy.
iii. The private key becomes the user’s universal login credential that acts as a uniquely identifiable PIN across all platforms and devices.
iv. The app gets assigned with a DID for the first time and then gets fetched (for checking) from the distributed ledger that remains decentralized in the ledger system. That is how the entire verification takes place.
v. The wallet holds verified identity details like the holder’s name, age, address, education, employment details, phone number, financial details, etc.
vi. All such already approved/issued information (endorsed by the issuer or trusted authority) helps establish trust, making the user eligible to perform authentication on other sites/apps.
vii. When the user goes to any app, e-commerce site, social media app, etc., and registers, they only provide the DID that gets authenticated uniquely.
How does Blockchain bring advantage to this system?
Blockchain, which is one of the most widely used DLTs, can help in various aspects to provide security and bring robustness to the future of digital identity management systems. Here is a list of five distinct ways decentralized identity systems can leverage blockchain.
· The integrity of data: As we all know data residing in the blockchain are immutable & permanent; it becomes hard for anyone to modify the blocks or delete any data from the decentralized ledger. Decentralized identity can use blockchain technology to ensure that all the authentication and authorization information remains intact and that no one can tamper with the data. Also, the logs remain unaltered, making the entire identity process safe.
· Privacy of data: Since all user/identity owners’ sensitive data gets converted into a pseudo-anonymous identifier, also known as a decentralized identifier, it becomes easy to store those decentralized data in the blockchain. That helps eliminate the issue of privacy among different identity owners. With the advent of blockchain in the decentralized system, data will remain encrypted, & no one (since it is not residing centrally) can misuse the user’s identity or Personal Identifiable Information.
· Blockchain makes the entire ecosystem trustworthy: Blocks in a blockchain system are immutable. It uses a consensus technique that makes trustful transactions in a trustless environment. It uses various nodes that reside in the blockchain and acts as a trusted source for verifying the user. Along with such transactional data, each block within the blockchain comes with a hash. These hash value gets changed when someone tempers the data. These blocks are a highly encrypted list of transactions or entries shared across all the nodes distributed throughout the network.
· Robust security: Another significant reason decentralized identity systems leverage blockchain is to provide high-end security to users’ data. Blockchain uses highly encrypted algorithms and caters to consensus algorithms, digital signatures, and cryptographic hash modules that work closely to defend user identities from identity thefts and leakages. Because of blockchain, the decentralized identity apps and their systems do not have to implement additional security measures.
· Simplify issuing, verifying, and leveraging DID: Blockchain absorbs all the complexity and makes it simple for the entire decentralized identity mechanism to be simple. Identity issuers can seamlessly issue digital identities through blockchain. Identity verifiers can onboard new identity owners & achieve the information verification process by leveraging blockchain technology efficiently. Users do not find the system risky in storing and managing their identities within the identity wallet.
Real-life use case of Decentralized Identity –
Let us consider a scenario of online Kindle book shopping. We assume a girl Suzane, who wants to buy some Kindle books from the Amazon bookstore online. She wants to use her decentralized identity wallet for the complete process. The wallet already contains her verifiable identities like phone number, email address, bank account details, credit card number, etc. He shares her initial identity like an email address or phone number through the pseudo-anonymous identifier that helps her log in to the Amazon.com website.
Now Suzane brings all the books to the cart. Now, as she goes for the checkout, the website will fetch her bank details from her identity wallet app. Once Suzane uses her biometric to allow the payment, she receives a notification that she successfully bought her Kindle e-book. Here Suzane does not have to share all her bank details and email address with Amazon.com. So, no data is getting centrally stored in Amazon.com’s server/cloud.
Conclusion –
The above details can conclude that decentralized identity through any blockchain technology (Ethereum, Sovrin, etc.) will be the future of identity security and privacy protection. If enterprises can properly implement decentralized identity, they can change the digital identity landscape with more robust security. Even the IAM providers and developers can also leverage decentralized identity for more secure identity management and stay aligned with compliance policies.
![Karlos G. Ray [Masters | BS-Cyber-Sec | MIT | LPU]](https://miro.medium.com/v2/resize:fill:144:144/1*-t4juPfUfftKbJBR2H9QvQ.png)