Decentralized Identity: Gaining Security and Trust for Digital Identities
Our modern digital world has proven that the current way of managing identity in cyberspace needs to change. If your digital identity is compromised by your activity online, it’s a safe bet that it is already being controlled by conglomerates. With the push of a button or an automated algorithm, digital identities can be compromised instantaneously. But what is a digital identity? Rather, what is your digital identity, and how do you protect it?
Digital Identity Explained
In the physical world, we have many forms of identification to help prove we are, in fact, who we say we are. We have driver’s licenses, passports, credit cards—even library cards help establish our identity. In the digital world, these tangible items consist of usernames and passwords, which we use to access our identity objects—our tweets, Facebook photos, email and personal bank accounts.
Anything we do online makes up our digital identity. Rather than ‘holding’ onto these items ourselves, they are often stored and managed by identity providers (IdPs). In using an IdP, the user has shifted all responsibility for identity protection to a system that is, in essence, merely protected by a password. In a world where stolen identities are on the rise and identity theft happens every 22 seconds, this makes no sense.
Anyone who steals the IdP password also could steal your identity.
Decentralized Identity is Key to Secure Ownership and Control
Why should a third-party system have so much control over verifying your identity? The answer is, they shouldn’t. Data in an IdP can be easily modified or even erased—then what happens? The IdP could mistakenly leak your personally identifiable information (PII), blocking access to your identity and consequently blocking access to sites using your data. You could be locked out of your identity. For example, if Google terminates your account, you won’t be able to log into hundreds of other applications, which all count on Google to verify you.
A third party should not have that much control over your ability to authenticate yourself. That’s where a fairly new concept known as decentralized identity (DID), or self-sovereign identity, comes into play.
A DID framework establishes unique and secure access connections between users and systems without a third-party IdP. It is controlled and, more importantly, managed by the account holder—you!
It’s like a digital wallet—the user is responsible for keeping their identity secure. There is no exchange of passwords; biometric authentication is used and the user only releases the minimum information required to establish a secure and trusted connection. With DID, an underlying decentralized blockchain ensures identities are cryptographically authentic and tamper-proof.
Decentralized identity reduces fraud via enhanced security and passwordless access to help ensure system and network integrity, user privacy and elevated compliance.
DID in Action
Though DID is still a fairly new concept, some rather large companies are taking the plunge and taking a chance on decentralized identity management. Microsoft, for example, is collaborating with members of a newly formed Decentralized Identity Foundation (DIF) to develop standards, identify technical components and code deliverables for an open source DID ecosystem.
The DIF recently introduced Microsoft Entra Verified ID which uses DIDs to cryptographically verify user information and prove that the user is the owner of a verifiable credential.
There are three primary steps in Microsoft’s verifiable credential solution:
1. A user requests a verifiable credential from an issuer.
2. The issuer of the credential attests that the proof the user provided is accurate. They then create a signed verifiable credential.
3. The user signs a verifiable presentation with their DID and sends it to the verifier. The verifier then validates the credential by matching it against an issuer’s public key on the blockchain.
DID Vulnerabilities
As with any new technology, DID brings its own security risks in managing and securing a new attack surface, which consists of blockchain code, private keys, post-authorization cookies and nodes.
Blockchains store identity operations—everything from creating an identity, revoking keys or even restoring an identity—and are made up of code. Code can be broken; it can contain bugs that eventually turn into vulnerabilities. Since DID is a new concept, the possibility of security issues introduces a different attack surface. The average person can’t keep track of an entire blockchain-that’s what nodes are for. They also provide reliable data for the chain. However, some nodes can be malicious. Threat actors can target nodes and modify the user’s data. This is an ongoing challenge across all decentralized systems.
Another vulnerability area involves post-authorization cookies. Let’s say you’ve verified and authenticated your identity on a DID system and a cookie or access token was created. If malware happens to be running on your device, that cookie could be stolen after the DID authentication process is finished.
The user (you) controls and manages their own identity, which is a double-edged sword. Humans are notorious for making mistakes; we want that control, but do we want that responsibility? With DID, our identities are only as secure as the private keys that run them, and we are responsible for running/using those keys. What happens if you lose your phone or are unable to recover the master password? There’s no third party to help you restore access to your digital identity.
In the future, DID could allow everyone to truly own and have control over their digital identity. However, there are still some security and usability concerns that must be addressed for it to fully come to fruition, giving users and organizations greater control over their data while delivering a higher degree of security and trust.
