Chief Technology Officer at ForgeRock, leading its Labs team investigating innovative approaches to digital identity challenges.
With Bitcoin and other distributed ledger technologies rising in popularity, decentralization is a bona fide trend. (Did somebody say NFT?) There are good reasons why people — and enterprises — want to use decentralized and distributed approaches to reclaim full ownership of their digital resources and protect them from compromise.
Six years ago, with a growing sense of excitement, a group of professionals in the identity and access management (IAM) arena started applying these approaches to digital identity, aiming to solve difficult problems of security, efficient delivery of trustworthy personal data and “user centricity” all in one go. The effort was known first as blockchain identity, then self-sovereign identity and, most recently, decentralized identity.
The First Era Of Interoperable Identity
The digital identity landscape has matured immensely over the past two decades. Many service providers began relying on external identity authorities, such as governments and employers, to vouch for facts about their end users, including that a user has authenticated and what attributes they hold, helping those users achieve cross-domain single sign-on (SSO). The first common standard for this was the Security Assertion Markup Language (SAML), which defined a federated identity model in which a trusted identity provider (IdP) issues signed assertions to a relying party (the service provider, in SAML terms).
Federated identity has been so successful that it helped fuel the growth of the IAM industry. I had a front-row seat, having co-founded the SAML standards committee, co-authored the spec and built successful solutions and partnerships with it. However, maybe it’s not quite perfect. SAML has little to say about user consent, and it never solved mobile app SSO well. Its newer cousin, OpenID Connect, assists with these challenges, enabling social sign-in and open banking scenarios.
However, trust between services remains tentative, so relying parties rarely make use of the attributes IdPs could supply to give users a better experience. In addition, personal data still resides on IdP-controlled servers, so identity accounts are effectively the property of organizations. Those servers are centralized data breach targets, and, according to decentralized identity proponents, the arrangement also gives end users less control over their identities than a fully user-centric vision would.
Decentralized identity technology aims to do much better by making users and their devices the authoritative sources of their personal data, through digital identity wallets. These would function much like payment wallets: on request, a user could disclose exactly as much personal data as they see fit, in privacy-enhancing ways such as revealing individual claims rather than a whole record. Trusted issuers would lodge the data in the form of tamper-evident verifiable credentials (VCs), signed so that a verifier can check who issued a credential and that it has not been altered, without contacting the issuer at presentation time. Distributed ledgers serve to underpin issuer networks, typically by giving verifiers a place to look up the public keys needed to check issuers' signatures.
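To make the issuer, wallet and verifier roles concrete, here is an added example in Go (not code from the original article or from ForgeRock). An issuer signs a credential whose body carries only salted digests of each claim; the holder's wallet presents a chosen subset of claims; the verifier looks up the issuer's public key in a registry that stands in for the ledger lookup, checks the signature, and then checks each disclosed claim against the signed digests. The issuer identifier `issuer.example`, the subject `alice`, the claim set and the in-memory `Registry` are all constructed for the example, and the salted-digest scheme is the selective-disclosure idea used by SD-JWT, not a mechanism the article prescribes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Disclosure is one salted claim held in the wallet; only its digest is signed.
type Disclosure struct{ Salt, Name, Value string }

// Credential is the issuer-signed part. No claim values live here.
type Credential struct {
	Issuer, Subject string
	Digests         []string // sorted digests of every claim
	Signature       []byte
}

// Registry stands in for the ledger-anchored issuer key lookup (an assumption of this example).
type Registry map[string]ed25519.PublicKey

func (d Disclosure) digest() string {
	h := sha256.Sum256([]byte(d.Salt + "|" + d.Name + "|" + d.Value))
	return hex.EncodeToString(h[:])
}

// signedBytes is the canonical payload under the issuer's signature.
func signedBytes(c Credential) []byte {
	b, _ := json.Marshal(append([]string{c.Issuer, c.Subject}, c.Digests...))
	return b
}

// Issue signs a credential over claims; the disclosures go into the holder's wallet.
func Issue(issuer string, priv ed25519.PrivateKey, subject string, claims map[string]string) (Credential, []Disclosure, error) {
	cred := Credential{Issuer: issuer, Subject: subject}
	var discs []Disclosure
	for name, value := range claims {
		salt := make([]byte, 16) // a fresh random salt per claim stops digest guessing
		if _, err := rand.Read(salt); err != nil {
			return Credential{}, nil, err
		}
		d := Disclosure{Salt: hex.EncodeToString(salt), Name: name, Value: value}
		discs = append(discs, d)
		cred.Digests = append(cred.Digests, d.digest())
	}
	sort.Strings(cred.Digests) // order must not depend on map iteration
	cred.Signature = ed25519.Sign(priv, signedBytes(cred))
	return cred, discs, nil
}

// Present is the holder's choice: hand over only the disclosures named in reveal.
func Present(discs []Disclosure, reveal ...string) []Disclosure {
	var out []Disclosure
	for _, d := range discs {
		for _, n := range reveal {
			if d.Name == n {
				out = append(out, d)
			}
		}
	}
	return out
}

// Verify checks issuer, signature and digest binding, returning the disclosed claims or the failed check.
func Verify(reg Registry, cred Credential, disclosed []Disclosure) (map[string]string, error) {
	pub, ok := reg[cred.Issuer]
	if !ok {
		return nil, fmt.Errorf("unknown issuer %q", cred.Issuer)
	}
	if !ed25519.Verify(pub, signedBytes(cred), cred.Signature) {
		return nil, fmt.Errorf("issuer signature does not verify")
	}
	bound := map[string]bool{}
	for _, d := range cred.Digests {
		bound[d] = true
	}
	claims := map[string]string{}
	for _, d := range disclosed {
		if !bound[d.digest()] {
			return nil, fmt.Errorf("claim %q is not bound by the credential", d.Name)
		}
		claims[d.Name] = d.Value
	}
	return claims, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{"issuer.example": pub} // constructed sample issuer and subject
	cred, discs, _ := Issue("issuer.example", priv, "alice", map[string]string{"degree": "BSc", "graduated": "2019", "student_id": "s1234567"})
	fmt.Println(Verify(reg, cred, Present(discs, "degree"))) // student_id never leaves the wallet
	tampered := Present(discs, "graduated")
	tampered[0].Value = "2009" // edited in transit: fails the digest check
	fmt.Println(Verify(reg, cred, tampered))
}
```

Two failure paths are worth noticing: an altered claim value no longer matches any signed digest, and a credential from an issuer missing from the registry is rejected before any signature check runs. The ledger's job in this model is exactly that registry lookup; a production verifier would also need key rotation and revocation handling, which this example leaves out.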
A large body of standards and open-source software has been developed, and the decentralized approach is seeing some worldwide piloting for consumer use cases in a variety of fields, including healthcare and higher education. At the same time, it’s a complex new technology that makes complex ecosystem demands; it’s not easy to ask many parties to change habits and IT investments so extensively.
Making Decentralized Identity Mainstream
What are some of the challenges decentralized identity faces? There’s a first-mile challenge. Credentials can only be as trustworthy as the identity verification initially performed. How can end users — and even wallets themselves — be truly proofed and trusted so verifiers find value in the result? Then there’s the last mile. How can an explosion of wallets, networks, trust frameworks and verifiable credentials connect with last-mile legacy systems for real-world reliable interoperability? Then there are end users. Does this new cryptographic allocation of authority and liability, designed to be user-centric, also deliver great user experiences and value?
Over the last decade, the world has seen a great number of IAM innovations of a non-blockchain-ish nature. For example, the FIDO Alliance has brought us greater standardization of strong multifactor and biometric authentication, most recently in browsers, and the OAuth family of standards (on which OpenID Connect is based) has enabled strong and finer-grained authorization of third-party API access, with user consent and withdrawal built in. Again, I had a front-row seat, having contributed to efforts such as U.K. Open Banking and Health Relationship Trust (HEART). I also innovated the user-centric data-sharing standard called User-Managed Access (UMA), which enables adding an interoperable share button and comprehensive sharing-dashboard abilities; UMA is called for in the U.K. Pensions Dashboard Programme architecture.
To Decentralize, Form Mutually Rewarding Relationships With Users
What can we take away from the decentralized identity movement? First, trust is everything. If a service provider can’t rely on users to be who they say they are, there’s trouble in River City. Likewise, if a user believes a company’s promises about what personal data it will protect, use and not share further, and the company doesn’t adhere to those promises, trust is eroded. Getting both verification and consent right is critical.
Second, when it comes to consumers of services, we need to think about identity in terms of building and maintaining trusted digital relationships. With adtech cookies in the regulatory crosshairs, and our research finding that 70% of consumers prefer apps that won’t sell their personally identifiable information, we can’t afford to think in terms of one-time purchases or disappointing experiences. Many consumers need to manage person-to-person and person-to-device relationships, too. We’re not alone in this connected world.
Finally, it’s an exciting time! Right now, digital services can already build passwordless and even usernameless experiences so that people can have the best of both worlds — a strongly authenticated and smooth user experience with the services they want and need. It’s possible to build services that let a health insurance member direct the sharing of several streams of health data, including data coming from sources outside the insurer, to members of their family — and to feel confident sharing will stop if someone’s family status changes.
2020 forced the world of identity to step up, and it has. There’s much more innovation on the horizon to look forward to.