Today, the notion of identity has never been so central to our societies. Yet one billion people still cannot prove their legal existence (1).
Since the advent of the internet, and its new technologies and applications, our physical and traditional identity is being transformed. More precisely, it is being transposed and renewed from the physical to the digital world. Historically materialized by physical identity documents, it is connected and digitalized in front of new IT uses and behaviours: identity documents become digital and give rise to a regal digital identity.
Today, digital identity seems to be borderless. Our digital uses and behaviours are increasing and developing rapidly (social networks, mobile applications, intranet/internet sites, connected objects). If digital identity is an unprecedented progress for our societies, its management by a handful of players - often private (GAFAM, BATX) (2) - raises many technical, economic, legal and political questions.
From the centralisation of data to its protection and marketing, the challenges of a trusted digital identity, partly based on blockchain technology, are emerging. A new market, advocating a decentralised and sovereign identity model, is opening up to companies, citizens and States alike.
Decentralised identity: a conceptual and technical paradigm shift
A person's identity refers to all the attributes that can characterise him or her in relation to other people. Therefore, our personal identity consists of an infinite number of fixed (eye colour), variable (hair colour), but also root (legal name and surname) and extended (diplomas) personal attributes.
In the context of our current digital identities, these innumerable attributes and identity data are generally under the control of organisations and servers external to the individual to whom they refer. As a result, digital identity regularly raises a number of issues: it is fragmented among various (often private) organisations, not very interoperable and accessible, expensive and complex to secure. In some cases, its management is opaque, to the detriment of users and their personal data, which is sometimes sold with impunity.
To address these limitations, decentralised identity gives users control over the use and exchange of their data: it proposes an unprecedented reinvention of the way people's digital identities are conceived, generated and used.
This new concept places the user at the centre of identity management models, either wholly or partially, and removes the need for a trusted third party. For the first time, the user has the technical possibility to become an actor - and no longer a mere spectator - of his own digital existence.
Technically, the decentralised identity scheme (3) proposes that the user “issue” his own identity by creating one or more unique identifiers, called decentralised identifiers (4), to which he will associate his verifiable credentials (VCs) (5).
In practical terms, people use credentials on a daily basis to prove that they are who they say they are: passports, driving licences, certificates and diplomas, insurance cards, medical certificates, etc. Generally, these certificates and proofs of identity are made of plastic or paper.
By analogy, these physical credentials become verifiable credentials (VCs) when they are in a standardised digital format, and stored directly on the user's phone and/or sometimes in the cloud. As such, VCs are standardised digital certificates that facilitate the sharing of information online in a sovereign and secure manner. The term “standardisation” indicates that there is a compliant method for computer programming a verifiable certificate (VC). This method is currently being standardised by the World Wide Web Consortium (6).
By combining verifiable credentials from recognised authorities, such as governments or companies, users can create digital counterparts (7) that extend their physical credentials: a national identity card becomes a “digital twin”, just as valid as its physical, official version. Once generated, a person's verifiable credentials can be shared by the user - via email, SMS, QR code - with any third party, in order to prove to them certain root or extended information attached to their identity.
Here, cryptography, together with new standards under development, plays a central role in the technical realisation of a decentralised identity. Indeed, its implementations use cryptographic proofs (unforgeable “digital fingerprints”), in order to provide mathematical certainty of the link between a person and his/her personal data.
However, decentralised identity does not necessarily require - as the underlying digital infrastructure - a blockchain. Indeed, the technical standards used make it possible to offer all types of entities (such as people, connected objects) autonomous and shareable verifiable attestations: regardless of the digital register on which they evolve (centralised, distributed or decentralised servers).
However, it is clear that the combination of these new W3C standards and blockchain technology is undeniably judicious. Consequently, the intrinsic advantages (8) offered by a decentralised blockchain infrastructure are naturally transposed to these standards, as soon as they are based on the latter. Indeed, many decentralised identity projects are now using blockchain technology.
An “augmented” digital identity, a new field of possibilities
The contributions of decentralised identity in comparison with conventional methods and techniques of identity management are numerous.
With decentralised identity, digital identity becomes more accessible and easy to use. Once deployed, a verifiable credential can be easily shared between different internet services for authentication: users no longer need a password for each service and identity becomes consented, portable and interoperable across digital services.
Many traditional services and applications can connect to this decentralised system to request permission to access users' identities. Thus, it is at the sole discretion of users to agree to share certain desired information or to choose when to grant or revoke access to their data (VCs) by third parties.
By design - inherently respectful of privacy and personal data (9) - decentralised identity makes it less likely that digital services and third parties will aggregate data or abuse users' privacy.
Decentralised identity is more secure than centralised digital identity as the user alone controls access and sharing of their identity attributes. Identity becomes more complex to usurp, a boon for 8% of French people who say they have been victims of identity theft in the last ten years (10).
A decentralised identity system gives security as well as cryptographic reliability to the stored data and their interactions between different entities: it allows technical traceability, in real time or a posteriori, of acts and responsibilities.
For example, in case of injustices or “digital censorship” without legitimate reasons by an online service (such as a social network), these unjustified acts (unfair competition, censorship, unjustified closure of professional accounts) would be easily and technically traceable and then demonstrable by the users or companies, an element that would facilitate possible legal proceedings: the law would become “augmented” by this new digital trust and efficiency.
With decentralised identity, each interaction is based on a unique cryptographic proof stored in a distributed and/or decentralised system, which is itself resilient by nature. In this way, some of the infrastructure costs are shared between companies, public institutions and any other organisations involved in the underlying and common infrastructure - often blockchain.
As a result, a new era of collaboration is emerging for organisations: they can benefit from the same technical infrastructure, while developing private and sovereign applications on top of it. “Siloed collaboration” disappears in favour of users controlling their data, their credentials and their verifiable credentials. Moreover, since the user theoretically manages his or her identity alone, he or she becomes responsible for it, without this responsibility falling on the identity provider, as it does today.
Ultimately, the scope of decentralised identity is proportional to the needs of those sectors that require systematic identification of their users. In other words, it is almost infinite: the banking sector (KYC process), the insurance sector (proof of claims), the private sector (digitisation of business cards), the public sector (digitisation of driving licences, passports), the education sector (diplomas, certificates of training), the health sector (proof of vaccination), and many others to come.
A new technology on the way
In theory, decentralised identity would allow its users not only to become “masters” of their digital identity, but also perhaps by extension, to become masters of their “digital destinies”. At the same time, this new model of augmented identity, based on digital trust, represents a new opportunity for companies, States and more generally all other entities evolving in the digital universe.
In fact, decentralised identity will remain a hybrid (centralised and decentralised) in the medium term. Indeed, to claim mass adoption one day, it will have to generate technical, economic, political and legal unanimity.
In a few decades, a free, autonomous identity based on the Right to Be You, could well surpass the reality of the imperfect digital identity we carry today.
(1) Desai, V. T., Diofasi, A., & Lu, J. (2018, April 25). The global identification challenge: Who are the 1 billion people without proof of identity? World Bank Blogs
(2) GAFAM is the acronym for the five largest US web companies - Google, Apple, Facebook, Amazon and Microsoft, which dominate the global digital market while offering digital identification systems to their users. BATX stands for Baidu, Alibaba, Tencent, Xiaomi, the four largest technology companies in China.
(3) As with all new technologies, technical approaches, terminologies and philosophical currents are numerous and evolving. Decentralised identity is no exception to this rule: some authors distinguish between the notions of decentralised identity and “identity in its own right”, better known as “self-sovereign identity”. Self-identity proposes a new computing arrangement in which the user is fully sovereign - from the online creation of his identity attributes to their sharing with third parties - over the life cycle and management of his digital identity. It offers a degree of user control that goes beyond the generic notion of “decentralised identity” While it is agreed that an identity in its own right is necessarily a decentralised identity, a decentralised identity is not always an identity in its own right. For the sake of simplicity, the majority of authors group these two terms together under the same notion of “decentralised identity”, which we will favour in this article.
(4) The term Decentralized Identifers (DIDs) stands for “Globally unique persistent identifiers that do not require a centralized registration authority and are often generated and/or registered cryptographically. Many—but not all—DID methods make use of distributed ledger technology (DLT) or some other form of decentralized network.”. Source: https://www.w3.org/TR/did-core/#terminology
(5) Verifiable attestations have a standard defined by the World Wide Web Consortium and can be found at: https://www.w3.org/TR/did-core/#terminology
(6) The W3C is one of the main Internet standards organisations: https://www.w3.org/
(7) While the integrity of the information in a verifiable certificate can be simply verified, its veracity cannot. Therefore, although the auditor is obliged to trust the issuer of the attestation, he does not need to contact the issuer directly to verify the information, as long as he trusts the issuer.
(8) Reference is made to the characteristics/advantages of blockchain technology: immutability, speed, security, accessibility, pseudonymity of registry transactions.
(9) Les standards techniques du W3C se fondent sur les « 10 principes de l’identité auto souveraine » énoncée en 2016 par Christopher Allen sur son blog personnel : « Existence, Contrôle, Accès, Transparence, Pérennité Portabilité, Interopérabilité, Consentement, Minimisation, Protection »,
The W3C technical standards are based on the “10 Principles of Self-Sovereign Identity” set out in 2016 by Christopher Allen on his personal blog: "Existence, Control, Access, Transparency, Persistence, Portability, Interoperability, Consent, Minimalization, Protection", http://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html
(10) CSA, Les Français et la criminalité identitaire, survey, Fellowes, Oct 2012, page 4.