What If You Owned Your Identity?

March 17th 2022, Written by Jonty Needham.

Self Sovereign Identity (SSI) is a relatively new way of managing identity. The people an identity describes hold and own the credentials that support it, which leads to a large number of benefits. These include hugely increased resistance to theft, independence from the wills or outages of the larger tech companies, and distribution by the one entity who should actually have the right to do that.

Identity management is difficult. Webshops, social media sites, bank accounts, local authority portals and government organisations all require some form of authentication and authorisation. 

One way of managing all this is to have an account and password for each of these. This can quickly get out of hand, especially since reusing passwords is highly ill-advised given the seemingly regular security breaches that make it into the news.

So a password manager is a popular solution that many choose: one password gives access to the password manager, which then creates an individual password for each account. Those passwords end up being very strong, as they do not need to be memorable. However, forgetting your password manager password, or trying to access your accounts on a device that does not have your password manager, can be a real pain.

Federated identity providers like Google, Microsoft, Apple, Amazon, etc. solve this problem. They manage token generation, with authentication and authorisation, for their users in a seamless way: the user keeps one set of account details and the provider sorts out everything else.

This is great. Apart from the following:

  • The big players don’t integrate with each other

This problem has been seriously highlighted by Apple integrating with driving licences in certain states in the US and refusing to work with any other providers, thus forcing those states to exclusively use the Apple way of doing things.

  • Single point of failure 

Facebook compromises – 533 million accounts were stolen in 2019 with emails intact.

  • Single point of censorship

The ID providers could come under pressure either externally or internally to remove the access they grant to online services without notice to any individual.

Me, myself and I

Self Sovereign Identity gets away from all these and goes a lot further. 

Key Difference:

  • The entity who is the identity owns and manages that identity.

Through provably secure (long-term secure) cryptographic technologies, holders are able to: 

  • Request credentials from issuers

  • Have those credentials registered on a decentralised distributed system (blockchain, but we’ll come to that later) in such a way that no-one can know what they are; others can only ask the holders about them (we’ll talk a bit about that later, too).

  • Own their own credentials and be the way those are distributed.

  • Use those credentials across multiple different systems.

  • Decide what attributes of those credentials are visible to others and what shouldn’t be. 

    • The attributes that are invisible to others can still have questions asked about them, like “Are you over 21?” “Does your licence enable you to drive at least this vehicle?”. The holder then, through their app, allows the request to be proven – or not.

    • The proof cannot be faked. If it’s correct, it’ll go through. Which means it’s trustworthy.

Let’s work through an example. 

Buying age-restricted products usually requires presentation of a driver's licence or passport. However, with SSI, the approach looks very different.

  1. Some trusted authority (like the government) issues the user a driving licence as an SSI credential.

  2. The holder can then choose to hide all the details of the driving licence from public view.

    1. Why is this useful? This means that an identity holder can choose exactly what they want to reveal to others about their credentials, and only that, even to the extent of only allowing knowledge about the credentials (I am over 18, I don’t live in London, I earn over £20,000 a year).

  3. When attempting to buy age-restricted products, the buyer gives the vendor a couple of credential strings of characters, which the vendor can then use to query attributes of the credential.

  4. The vendor then requests a proof that the buyer is at least X years old.

  5. The buyer (at the counter) will get the request through on their phone, and then (assuming they can actually generate the valid proof) tap “Verify” and a verification will be sent to the vendor, at which point the vendor can allow the sale.

In practice, some of this detail would be hidden away with a funky NFC based communication where this check can happen seamlessly when our buyer walks into the store and taps their phone. But the key thing is that the vendor can safely sell what they can without breaching the law and without worrying about whether the authentication method is fake, and the purchaser can easily purchase what they need to without revealing their date of birth, address, driving licence number etc.
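The age check in steps 1 to 5, as an added sketch that is not from the original post or from any SSI product: a SHA-256 hash chain stands in for the predicate proof a real wallet would generate, and a Python dict stands in for the ledger. The function names, credential id and ages are constructed for illustration.

```python
import hashlib
import secrets
from typing import Optional

LEDGER = {}  # stand-in for the distributed ledger: credential id -> commitment


def chain(value: bytes, steps: int) -> bytes:
    """Apply SHA-256 to value `steps` times."""
    for _ in range(steps):
        value = hashlib.sha256(value).digest()
    return value


def issue(cred_id: str, age: int) -> bytes:
    """Issuer: publish H^age(seed) on the ledger, give the seed only to the holder."""
    seed = secrets.token_bytes(32)
    LEDGER[cred_id] = chain(seed, age)  # a hash output; the age is not readable from it
    return seed


def prove_at_least(seed: bytes, age: int, threshold: int) -> Optional[bytes]:
    """Holder: build a proof that age >= threshold, or None if the claim is false."""
    if age < threshold:
        return None
    return chain(seed, age - threshold)


def verify_at_least(cred_id: str, threshold: int, proof: Optional[bytes]) -> bool:
    """Verifier: hashing the proof `threshold` more times must hit the ledger entry."""
    commitment = LEDGER.get(cred_id)
    if commitment is None or proof is None or len(proof) != 32 or threshold < 1:
        return False
    return secrets.compare_digest(chain(proof, threshold), commitment)


def demo():
    """Constructed scenario: a 34-year-old buyer, vendor thresholds of 18 and 40."""
    seed = issue("licence-001", 34)  # constructed credential id and age
    proof_18 = prove_at_least(seed, 34, 18)
    honest = verify_at_least("licence-001", 18, proof_18)
    replayed = verify_at_least("licence-001", 40, proof_18)  # same proof, higher bar
    return honest, replayed


if __name__ == "__main__":
    print(demo())
```

The vendor learns only that the threshold is met, because the chain cannot be run backwards to recover the seed or the exact age. The proof here is a fixed value, so a deployment would also bind it to a fresh verifier challenge and the holder's key to stop it being replayed by whoever sees it.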

A credential issued by your employer could contain your salary, which you never reveal to anyone. When applying for a loan, a loan provider just needs to know that you earn at least X. The holder then supplies only the proof that they earn at least X. Nothing else.

In general, SSI credentials are issued by an issuing authority and then logged on a distributed ledger, which in all the current solutions is a blockchain. The holder will distribute a couple of strings, the connection id and the schema id, to verifiers, and the verifiers can then request proof that the credential is actually valid. The key difference comes in here – the holder supplies the proof of validity. Not Facebook, Google, Apple, Amazon etc.

Blockchain? Why?

We won’t do a deep dive on blockchain here. There are loads of those and we could write dozens of blogs on that. The key point is that a blockchain is a distributed, or decentralised, ledger that runs instructions. It can consist of millions of nodes, and some do. Some of those instructions correspond to data artefacts, some correspond to contracts between businesses that are executed as the conditions are fulfilled, some are for transferring money. Regardless of the purpose, every node on the blockchain has the same set of instructions to run. This guarantees that the results of, for example, querying a database that’s built by the instructions on the blockchain are exactly the same everywhere. In this case, because the holder has been issued the credential and owns it, it goes on the blockchain as an item so that every participating node has the same entry. No-one gets to mandate that this entry or that entry is better or worse than any other. They all go on all participating nodes, exactly the same.

It means that no-one can remove your identity accidentally or maliciously. Ever.

Involving others

The connections and identities are all defined as ‘Decentralised IDentifiers’ – DIDs. These are generated per user and per comms channel. There is a standard for these and that standard involves one key property – interoperability. This ensures that the issuing market for DIDs is open and interoperable. Going back to the electronic driving licences on an iPhone: if that were replaced with a DID issued by Apple, it would naturally interoperate with any other issuer, and as an issuer, Apple would no longer need to worry about distributing it.

Bank account creation across national boundaries is hugely influenced by SSI. Given that the SSI ledger is distributed and decentralised, certificates can be obtained across national boundaries because they are owned by the holder and, as they are DIDs, they are interoperable. Provided a bank trusts the credential issued by a foreign government, all is well. If they don’t, then the holder is unlikely to be able to obtain a bank account in that nation by traditional means.

 
 

Overall, SSIs are:

  • Decentralised – always available and persistent

  • Owned by the holder

  • The Decentralised ID (DID) standard forces interoperability

  • Enable cost reductions for verifiers and therefore holders

  • By design, border agnostic


At TekTowr we have demonstrators using SSI for credential management for drone pilots, streamlining the approval of a pilot for a mission plan from what is currently quite a laborious process to an easy one that takes minutes. We also have demonstrators for onboarding users onto decentralised systems, where without SSI it would be necessary to have centralised public key infrastructure (PKI) issuers, which are often targets of attack and require expensive bridging agreements to get between PKI providers over national boundaries.

 

This blog was written by Jonty Needham, TEKTowr’s Head of Architecture, who has 20 years’ experience in safety-critical software development, algorithms, mobile applications, machine learning and artificial intelligence, and is a subject matter expert on collision detection and flight path monitoring algorithms.

 