It is important to know the principles on which digital identity systems function so that properties of various implementations can be puzzled out, alongside their benefits and drawbacks.
Society is evolving at the speed of light.
It took us as little as 5-8 years to get fully used to smartphones, which has led to a new level of interaction in society (and that is indeed significant).
Already today, you need much less of your own time to pay the rent or electricity bills, buy bus, train, or flight tickets, check emails, and so on.
This process of automation has virtually no end.
More and more industries and sectors are either about to make the switch from manual to digital or have already made it.
The more activities move into the digital environment, the greater the need to identify parties remotely, so that actions performed by users can be attributed to their actual identities.
At the same time, the technology as a whole needs to be recognized on a legal basis.
This is already a pressing issue, because without digital identity solutions you only have an abstract individual who performs the actions (obviously, this isn't the way it works in the real world).
The advent of digital identity is inevitable in all kinds of spheres: voting platforms, supply chains, educational institutions, public registries, medical and banking services, etc.
For instance, banks annually spend about $1 billion on the development of digital identity solutions, while the overall biometric authentication solutions market has expanded from $5 billion in 2010 to $17 billion in 2017.
Knowing the principles behind these systems simplifies the choice of technology, its integration, and its use in each particular case.
What defines a digital identity
The internet is full of various definitions of this concept: inaccurate but plain, competent but hard to understand, hypercorrect or just too abstract.
We’ve decided that highlighting the aspects that define a digital identity, as such, is the easiest way for everyone to develop their own understanding.
Digital identities make it possible to prove identity remotely: no one is able to claim to be someone they are not.
This removes the need for a physical document, a physical presence, or even a trusted third party that manually verifies your presence and your documents.
As a result, users of a certain system can be authenticated automatically and remotely.
Requirements for an absolute digital identity
So, digital identities are all about the process of identifying users in a certain system. This process may involve the following requirements.
These are not features that every digital identity system must necessarily have. Rather, we consider them the features of an ideal platform that contains all of them:
- The party may easily get their identifier;
- The issued identifiers are unique;
- One party may only get one identifier;
- Each party may only get an identifier of its own identity;
- The ability to add additional attributes related to the identity (height, age, etc.);
- The maintenance of personal data with a flexible setup of the permission levels;
- Reliable maintenance and update of data related to user’s identity;
- Quick and easy proof of user’s identity;
And, there’s one compulsory requirement that we’ve decided to point out separately.
Every digital identity system must guarantee that the digital record about a person genuinely corresponds to their actual data (name, age, contact information, etc.).
Otherwise, it’s completely meaningless.
As we have already mentioned, no existing technology allows all of the above requirements to be met in a single system. As of today, there are only approaches that aim to reach this ideal:
- Centralized (Authorized issuer);
- Decentralized (Based on the Web-of-Trust);
- The hybrid approach (The combination of advantages of the two above approaches);
Centralized (Authorized issuer)
A responsible agency manages the system and is in full control of it.
In this case, users naturally have to trust this agency: that its employees issue digital identities only to real people, that each user gets only one identifier under standards common to all, and so on.
In essence, this is a kind of digital KYC within a particular system that allows integration with other record-keeping systems: from education and healthcare to the migration service.
The primary registry collects data from the other systems and keeps the whole data history.
The benefit: The fact that the system is managed by a single certification authority allows most processes, such as database search or uniqueness checks, to be optimized.
The drawback: The responsible agency is free to do whatever it wants (within the law, of course). This may result in situations where people who are, for whatever reason, excluded from the system (banned by the central organization) find themselves very limited in proving their identity in the related systems.
Decentralized (Based on the Web-of-Trust)
That’s the case when there’s no authorized issuer that you have to trust. Instead, each user is a small part of a distributed authentication network.
By virtue of decentralization, the system does not depend on trust in a single certification authority: each user is a certification authority in their own right, deciding whom to trust based on the objective evidence they are given.
In this way, the system turns into a set of intersecting circles of trust, which eventually leads to a kind of natural selection of those you can trust.
Each user is provided with information about who trusts whom and who doesn't, so that they can avoid dubious parties and stick with trusted ones.
The benefit: Quite evidently, no trust in a single certification center is required.
The system is completely open and requires no permission to use.
The drawback: WoT is much more sophisticated than the traditional approach and, accordingly, much harder to implement and maintain.
It has many limitations when introduced into the real world, such as the conceptual mismatch with the traditional way things work (especially as regards the legal basis), or the fact that the knowledge required of the end user is far more advanced with a WoT approach than with the traditional one.
On top of that, a WoT system is likely to have a lower data update rate because it is distributed. This means you can potentially end up in situations where a specific user is no longer trusted but you think they are, because the data on your device hasn't yet been updated.
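To make the two points above concrete (each user acting as their own certification authority, and a stale local snapshot still trusting a party that has since been revoked), here is a small added Web-of-Trust model. It is example code written for this article, not a reference implementation from any real WoT system; the user names and keys are constructed, and HMAC with a shared per-user key stands in for the public-key signatures a real deployment would use.

```python
"""Toy Web-of-Trust model (added example; not code from the original article).

Every user signs trust statements about other users. A verifier decides whether
to trust a target by searching the chain of vouches it has received *locally*,
up to a fixed depth. Statements propagate lazily, so two verifiers may hold
different snapshots of the same graph: that is the stale-data failure mode
described above. HMAC with constructed per-user keys stands in for the
public-key signatures a real WoT would use.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed secret keys for the toy network (a real WoT uses asymmetric keys).
KEYS = {"alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol", "mallory": b"k-mallory"}


@dataclass(frozen=True)
class Statement:
    issuer: str
    subject: str
    trusted: bool  # True = "I vouch for subject", False = "I revoke my vouch"
    seq: int       # per-issuer sequence number; a higher seq supersedes a lower one
    mac: bytes


def _payload(issuer: str, subject: str, trusted: bool, seq: int) -> bytes:
    return f"{issuer}|{subject}|{int(trusted)}|{seq}".encode()


def sign(issuer: str, subject: str, trusted: bool, seq: int) -> Statement:
    """Issuer signs a vouch or revocation for subject."""
    mac = hmac.new(KEYS[issuer], _payload(issuer, subject, trusted, seq), hashlib.sha256).digest()
    return Statement(issuer, subject, trusted, seq, mac)


def verify(st: Statement) -> bool:
    """Reject statements whose MAC does not match the claimed issuer's key."""
    expected = hmac.new(KEYS[st.issuer], _payload(st.issuer, st.subject, st.trusted, st.seq),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, st.mac)


class LocalView:
    """Everything one user has received so far: the latest statement per (issuer, subject)."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self.latest: Dict[Tuple[str, str], Statement] = {}

    def receive(self, st: Statement) -> None:
        if not verify(st):
            return  # forged or tampered statement: silently dropped
        key = (st.issuer, st.subject)
        cur = self.latest.get(key)
        if cur is None or st.seq > cur.seq:
            self.latest[key] = st

    def trusts(self, target: str, max_depth: int = 3) -> bool:
        """True if a chain of currently valid vouches leads from owner to target."""
        frontier, seen = {self.owner}, set()
        for _ in range(max_depth):
            nxt = set()
            for (issuer, subject), st in self.latest.items():
                if issuer in frontier and st.trusted and subject not in seen:
                    if subject == target:
                        return True
                    nxt.add(subject)
            seen |= frontier
            frontier = nxt
        return False


def stale_view_scenario() -> Tuple[bool, bool]:
    """Alice and Carol both rely on Bob. Bob vouches for Mallory, then revokes.
    Only Alice's device has received the revocation."""
    alice, carol = LocalView("alice"), LocalView("carol")
    alice.receive(sign("alice", "bob", True, 1))
    carol.receive(sign("carol", "bob", True, 1))
    vouch = sign("bob", "mallory", True, 1)
    revoke = sign("bob", "mallory", False, 2)
    for view in (alice, carol):
        view.receive(vouch)
    alice.receive(revoke)  # Carol's snapshot is stale: the revocation has not reached her
    return alice.trusts("mallory"), carol.trusts("mallory")  # (False, True)


def forged_statement_is_ignored() -> bool:
    """A vouch 'from' Bob that was not signed with Bob's key must not create trust."""
    view = LocalView("alice")
    view.receive(sign("alice", "bob", True, 1))
    forged = Statement("bob", "mallory", True, 1, b"\x00" * 32)
    view.receive(forged)
    return not view.trusts("mallory")
```

The per-issuer sequence number is what makes revocation work at all: without it a replayed old vouch could overwrite a newer revocation on any device that happens to receive it late. The scenario shows that even with correct signatures and sequence numbers, the decision is only as fresh as the statements a device has actually received.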
The hybrid approach: a combination of the centralized and decentralized
This approach has many different implementations, yet the basic idea stays the same in all of them. Here, too, you deal with a central body that maintains the data and even issues the identifiers.
However, the collection of data about individuals and the verification process are decentralized and carried out by independent oracles: trusted or partially trusted parties that collect data from the 'outside world' and enter it into the database.
Simply put, oracles may be individuals or entities that act independently of each other but together form a kind of intermediary layer between end users and the central body.
It is noteworthy that the main purpose of this 'intermediary layer' is to reduce the trust that must be placed in the central organization.
The benefit: Less trust is required in the central entity, and there is more confidence in the authenticity of data about the parties, because it is entered by independent oracles that are less likely to collude with each other (and start entering fake data).
The drawback: It inherits all the main weaknesses of the centralized approach: low fault tolerance and the possibility of censorship by the responsible agency (which can, at any time, ban whoever it wants). Besides, the hybrid approach is much harder to implement and maintain than the centralized one.
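The following added example ties the hybrid approach to the requirements listed earlier and to the centralized section: a central registry that issues unique identifiers (one per party), accepts an attribute only once a majority of independent oracles attest the same value (so a colluding minority cannot insert fake data), and retains the centralized ability to ban a party, which then can no longer prove anything. This is illustrative code written for this article, not any real registry's implementation; the oracle names, document number and attribute values are constructed.

```python
"""Toy hybrid identity registry (added example; not code from the original article).

A central registry issues identifiers and enforces one identifier per party;
attributes are filled in by independent oracles, and a value is accepted only
once at least `threshold` distinct oracles have attested the same value. The
registry can also ban an identifier, which is the censorship drawback above.
All names, document numbers and oracle identities are constructed.
"""
import hashlib
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Attestation:
    oracle: str
    identifier: str
    attribute: str
    value: str


class CentralRegistry:
    def __init__(self, oracles: Set[str], threshold: int) -> None:
        # A strict majority threshold guarantees that two different values can
        # never both reach quorum for the same attribute.
        if threshold <= len(oracles) // 2:
            raise ValueError("threshold must be a strict majority of oracles")
        self.oracles = set(oracles)
        self.threshold = threshold
        self.by_document: Dict[str, str] = {}   # document fingerprint -> identifier
        self.identifiers: Set[str] = set()
        self.votes: Dict[Tuple[str, str], Dict[str, str]] = defaultdict(dict)  # (id, attr) -> oracle -> value
        self.attributes: Dict[str, Dict[str, str]] = defaultdict(dict)
        self.banned: Set[str] = set()

    def enroll(self, document_number: str) -> str:
        """Issue a fresh identifier; a party whose document is already enrolled gets none."""
        fingerprint = hashlib.sha256(document_number.encode()).hexdigest()
        if fingerprint in self.by_document:
            raise ValueError("this party already holds an identifier")
        identifier = "id-" + fingerprint[:12]
        self.by_document[fingerprint] = identifier
        self.identifiers.add(identifier)
        return identifier

    def attest(self, a: Attestation) -> Optional[str]:
        """Record one oracle's vote; return the accepted value once quorum is reached."""
        if a.oracle not in self.oracles:
            raise PermissionError("unknown oracle")
        if a.identifier not in self.identifiers:
            raise KeyError("unknown identifier")
        slot = self.votes[(a.identifier, a.attribute)]
        slot[a.oracle] = a.value  # one vote per oracle; re-attesting replaces the old vote
        value, count = Counter(slot.values()).most_common(1)[0]
        if count >= self.threshold:
            self.attributes[a.identifier][a.attribute] = value
            return value
        return None

    def ban(self, identifier: str) -> None:
        self.banned.add(identifier)

    def prove(self, identifier: str, attribute: str) -> Optional[str]:
        """What a relying party gets back; a banned party can no longer prove anything."""
        if identifier in self.banned:
            return None
        return self.attributes.get(identifier, {}).get(attribute)


def scenario() -> Dict[str, object]:
    reg = CentralRegistry({"o1", "o2", "o3", "o4", "o5"}, threshold=3)
    alice = reg.enroll("passport-CONSTRUCTED-001")
    try:
        reg.enroll("passport-CONSTRUCTED-001")  # same document again: rejected
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    # Two colluding oracles push a false birth year; they stay below quorum.
    reg.attest(Attestation("o1", alice, "birth_year", "1990"))
    reg.attest(Attestation("o2", alice, "birth_year", "1990"))
    before_quorum = reg.prove(alice, "birth_year")
    # Three honest oracles agree on the real value and reach quorum.
    reg.attest(Attestation("o3", alice, "birth_year", "1985"))
    reg.attest(Attestation("o4", alice, "birth_year", "1985"))
    accepted = reg.attest(Attestation("o5", alice, "birth_year", "1985"))
    reg.ban(alice)
    after_ban = reg.prove(alice, "birth_year")
    return {"duplicate_rejected": duplicate_rejected, "before_quorum": before_quorum,
            "accepted": accepted, "after_ban": after_ban}
```

The majority threshold is the whole point of the oracle layer: the registry never has to decide which single oracle to believe, only whether enough independent ones agree. The `ban` path is deliberately left in to show that the central body's power over the record is untouched by that layer.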
The way things are today
Some digital identity solutions exist already today. Most probably, you’ve already dealt with the major services that have their own systems for identifying users: big banks, Google, Facebook, Microsoft and others.
Obviously, smaller services (forums, online shops, cinemas) also have to authenticate their users somehow, but most often do not have enough resources to develop their own systems.
That is why they integrate easy-to-use and robust solutions that have already been developed.
This is the case when you visit a website and it allows you to log in via Facebook or Google Authenticator.
As you can see, we already have a kind of universal solution that lets users avoid registering and authenticating in every corner of the web and instead reuse an already authenticated identity. Still, there is room for improvement, because it is far from absolute.
It is still hard to say which of the three approaches will prevail in the near future. As you can see, each has its benefits and drawbacks, which makes all of them applicable depending on the situation.
It is quite obvious that if there were a universal solution for introducing digital identities at the legal level, it would not be the Web-of-Trust.
Web-of-Trust is not intended for a wide audience; however, it will always exist because it solves a particular problem present in our society: it captures the natural relationships between ordinary people, but in the digital environment.
The global introduction of digital identity is comparable to the appearance of the railway at the dawn of the Industrial Age.
It was a revolution that, in a short time, allowed humanity to take an important step in industrial development that it had been trying to take for centuries.
The digital era requires a digital identity solution as much as the Industrial Age required the railways.