Decentralized Identity: The Future of Verification
— Know-Your-Customer, KYC, Identity Proofing, Identity Verification, Identity Security, Decentralized Identity — 3 min read
In a previous article about identity verification we discussed the awkwardness of the current digital systems for accurately verifying someone's identity, in particular KYC (Know-Your-Customer) solutions.
Fortunately, the Identity Security industry is moving towards solutions that address the shortcomings of traditional KYC systems.
We’re talking about decentralized identity. Handing governance of an identity to the end user flips the script on how data is currently handled and how it flows to and from third parties. For example, today it’s common practice when verifying your identity online to provide a full scan of your driver’s license (front and back), even when the only thing being checked is that you’re over 18 or 21, or that your name matches. Decentralized identity addresses this over-collection and improves identity security outcomes at a personal level, not just an organizational level.
If you work in InfoSec, you’ve likely been lectured about the concept of ‘least privilege’. Decentralized identity verification lets you apply the same principle to your own identity. When a business needs your date of birth only to confirm you’re of legal age, decentralized identity verification reduces the request to a single predicate, ‘are you over 18?’, answered with a signed ‘yes’ or ‘no’ rather than the date itself.
Decentralized identity still allows for centralized control of certain identity information. A government agency is still required to maintain a record of who has passed their driving test, for example. What changes is that the agency can now issue a signed credential to you, which you hold and present yourself, certifying that you are allowed to drive a certain type of vehicle.
How can this work in the real world? Here are some examples.
As a university alumnus, you authenticate to your university’s website and request an attestation certifying that you’ve completed your degree. The university generates a signed attestation, which you import into a credential wallet, typically an app on your mobile device. You can then present it to prove you meet the education requirements for a job you’re applying for, or to peer review a research paper. The attestation itself stays in your wallet; what is cross-referenced at the blockchain level is typically the issuer’s public key and the credential’s status, not the attestation content, so a verifier can check the attestation without contacting the university.
Cross-referencing a signed attestation matters because it enables capabilities such as credential revocation. A signature alone only proves the credential was valid when it was issued; checking the registry tells the verifier whether it is still valid now. This is useful when a credential has a finite lifespan, for example when you’re required to periodically re-sit an exam to keep your qualification active: if you don’t, the issuer revokes the credential and every verifier sees that immediately.
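The following is an added example, not code from the original article or from any particular decentralized identity project. It shows, end to end, the flow described in the previous paragraphs: the issuer (a DMV here) signs a credential over salted-hash commitments to each claim, the holder discloses only the ‘over_18’ claim, and the verifier checks the issuer’s key, the signature, expiry and revocation against a stand-in registry before accepting the single disclosed claim. This is the salted-commitment style of selective disclosure used by SD-JWT; it is not a zero-knowledge predicate proof, so ‘over_18’ is a claim the issuer precomputes rather than one derived from the date of birth at presentation time. The issuer identifier ‘did:example:dmv’, the credential ID ‘lic-0001’, the claim values and the in-memory Registry type are all constructed for the example; a real deployment would resolve the key and revocation status from a ledger or status list.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Claim is one attribute plus a random salt; only its salted hash is signed, so disclosing one
// claim reveals nothing about the others and undisclosed values cannot be brute-forced.
type Claim struct {
	Name  string `json:"name"`
	Value string `json:"value"`
	Salt  string `json:"salt"`
}

// NewClaim attaches a fresh 128-bit salt to a name/value pair.
func NewClaim(name, value string) Claim {
	salt := make([]byte, 16)
	rand.Read(salt)
	return Claim{Name: name, Value: value, Salt: fmt.Sprintf("%x", salt)}
}

// Digest is the commitment the issuer signs (fixed struct field order keeps the JSON deterministic).
func (c Claim) Digest() string {
	b, _ := json.Marshal(c)
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

// Credential is the signed object: ID (for revocation), expiry and sorted claim commitments; json:"-" keeps the signature out of the signed bytes.
type Credential struct {
	ID        string   `json:"id"`
	Issuer    string   `json:"issuer"`
	Expires   int64    `json:"expires"`
	Digests   []string `json:"digests"`
	Signature []byte   `json:"-"`
}

func (c Credential) signedBytes() []byte { b, _ := json.Marshal(c); return b }

// NewIssuerKey generates an issuer Ed25519 key pair.
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// Issue is the issuer's side (DMV, university): it keeps its own record; the salted claims go into the holder's wallet.
func Issue(priv ed25519.PrivateKey, issuer, id string, expires time.Time, claims []Claim) Credential {
	cred := Credential{ID: id, Issuer: issuer, Expires: expires.Unix()}
	for _, c := range claims {
		cred.Digests = append(cred.Digests, c.Digest())
	}
	sort.Strings(cred.Digests) // position must not reveal which claim is which
	cred.Signature = ed25519.Sign(priv, cred.signedBytes())
	return cred
}

// Registry is a constructed in-memory stand-in for the verifiable data registry (a ledger or status list).
type Registry struct {
	Keys    map[string][]byte // issuer identifier -> Ed25519 public key
	Revoked map[string]bool   // credential ID -> revoked?
}

// Verify is the relying party's side: issuer key, signature, expiry, revocation, then each disclosed claim against the signed commitments.
func Verify(reg Registry, cred Credential, disclosed []Claim, now time.Time) (map[string]string, error) {
	pub, ok := reg.Keys[cred.Issuer]
	switch {
	case !ok:
		return nil, fmt.Errorf("unknown issuer %q", cred.Issuer)
	case !ed25519.Verify(pub, cred.signedBytes(), cred.Signature):
		return nil, fmt.Errorf("bad signature")
	case now.Unix() > cred.Expires:
		return nil, fmt.Errorf("credential expired")
	case reg.Revoked[cred.ID]:
		return nil, fmt.Errorf("credential %s revoked", cred.ID)
	}
	out := map[string]string{}
	for _, c := range disclosed {
		d := c.Digest()
		if i := sort.SearchStrings(cred.Digests, d); i == len(cred.Digests) || cred.Digests[i] != d {
			return nil, fmt.Errorf("claim %q does not match a signed commitment", c.Name)
		}
		out[c.Name] = c.Value // only disclosed claims ever reach the relying party
	}
	return out, nil
}

func main() {
	pub, priv := NewIssuerKey()
	reg := Registry{Keys: map[string][]byte{"did:example:dmv": pub}, Revoked: map[string]bool{}}
	claims := []Claim{NewClaim("name", "Alice Example"), NewClaim("dob", "1990-01-01"), NewClaim("over_18", "true")}
	cred := Issue(priv, "did:example:dmv", "lic-0001", time.Now().Add(24*time.Hour), claims)
	fmt.Println(Verify(reg, cred, claims[2:], time.Now())) // the venue learns only over_18
}
```

The point to notice is what the verifier never sees: the name and date of birth stay in the wallet, and the verifier cannot recover them from the signed digests because each commitment carries a random salt. Changing a disclosed value, editing the credential body, presenting after expiry, or a revocation entry appearing on the registry each cause Verify to reject the presentation, which is the check a relying party should run every time rather than trusting the signature alone.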
Putting the user at the center of the data flow decision transfers control to you. Today, large amounts of personal information are shared between organizations using standards such as SAML, OpenID Connect and SCIM. In some instances, efforts have been made to implement consent management, where authentication pauses to tell you what information is about to be shared and gives you the option to deny the request.
However, it is still one centralized repository of user information sharing data with another centralized repository, which leads to data duplication and more places from which your data can be stolen. The data shared is often sensitive, too: address, date of birth and other identifying details.
In a brave new world, applications you wish to interact with may no longer need to progressively profile you and stockpile personal data (although many will still try). Functional decisions in applications can be made by verifying a signed credential which states that you’re a licensed plumber, that you’re over the age of 18 or 21, or that you hold a valid work visa, all without handing over eye-watering amounts of personal information.
It’s early days, but many passionate identity security professionals are actively working on standards, such as the W3C Verifiable Credentials and Decentralized Identifiers (DIDs) specifications, and on open-source implementations of decentralized identity, which will go a long way in reducing friction for the next generation of identity.
To learn more about decentralized identity, here are some links for additional information: