Given the potential economic advantage of digital identities and the need to protect them against identity theft, how can digital identities be managed?
SELF-SOVEREIGN IDENTITY
With increasing digitalisation, there are more and more opportunities for our identities to be used online for things like e-commerce and social networking. The World Economic Forum predicts that the use of online identities could unlock the economic value equivalent of 6% of GDP in emerging countries and 3% of GDP in developed countries by 2030 [1].
However, the potential economic value must be balanced with growing concerns about privacy and identity theft. According to the Australian Institute of Criminology, the estimated direct and indirect cost of identity crime in 2018 – 19 in Australia was $3.1b. This could be under-reported, given that identity crimes are often under-reported because of the person’s fear of being shamed or blamed and the challenges in recovering a stolen identity.
Given the potential economic advantage of digital identities and the need to protect them against identity theft, how can digital identities be managed?
HOW ARE DIGITAL IDENTITIES MANAGED NOW?
Until recently, the leading digital identity management methods have been the centralised and federated identity models.
CENTRALISED IDENTITY MODEL
The centralised identity model is where a single entity or authority manages and controls individuals' identities within a system or organisation. In this model, a central authority typically maintains a database or directory that stores and authenticates user identities.
Under this model, users typically have a unique identifier, such as a username or ID linked to their personal information, credentials, and access privileges. The central authority manages user accounts, user roles, and permissions and provides services like user registration, password reset, and identity verification. When users need to authenticate themselves or access resources within the system, they verify their identity and gain authorisation.
While the centralised identity model provides a convenient way to manage and control identities within a system, it has certain risks and challenges. For example, if the central authority is compromised, unauthorised access to user identities and sensitive information may occur. This has happened in many instances of identity theft. Another risk is that the model can limit user privacy and give the central authority significant control and potential abuse of power.
FEDERATED IDENTITY MODEL
The federated identity model allows users to access multiple applications or systems using a single set of credentials. A person can use their identity information from one trusted source (called an identity provider) to authenticate and access resources in multiple different organisations or domains (called service providers) without creating and managing separate user accounts for each system.
In a federated identity model, the identity provider acts as a trusted third party that authenticates the user's identity and provides the necessary credentials or tokens to the service providers. The service providers, in turn, rely on the identity provider's authentication and authorisation decisions to grant access to the requested resources.
Self-Sovereign Identity (SSI)
Although a universal definition of self-sovereign identity is difficult to find, the core notion is that individuals have complete control and ownership over their digital identities. It empowers individuals to manage their personal information, selectively disclose it, and authenticate themselves without relying on centralised authorities or third-party intermediaries.
There are several advantages of the self-sovereign identity model.
Privacy and Control
SSI allows individuals to maintain greater privacy by giving them control over their personal data. Instead of relying on centralised databases where personal information is stored, individuals can choose what information to share and with whom, reducing the risk of data breaches and unauthorised access.
Security
With SSI, individuals have greater security over their identities. Traditional identity systems often require individuals to provide personal information to multiple organisations, increasing the risk of identity theft and fraud. SSI utilises cryptographic techniques to secure and authenticate identities, making it more resilient against hacking and fraudulent activities.
The use of online identities could unlock the economic value equivalent of 6% of GDP in emerging countries and 3% of GDP in developed countries by 2030.
INTEROPERABILITY
SSI allows individuals to consolidate their identities from various sources, such as government-issued documents, social media platforms, or financial institutions, into a single digital identity. This makes it easier to authenticate oneself across multiple platforms without needing separate usernames and passwords.
PORTABILITY AND PERSISTENCE
Self-sovereign identities are portable and can be used across different devices and platforms. Individuals carry their digital identities wherever they go, reducing the need to create new accounts or undergo lengthy identity verification processes.
SSI also enables individuals to maintain persistent identities even if organisations or services change, ensuring continuity and reducing the risk of data loss.
TRUST AND EMPOWERMENT
SSI empowers individuals by giving them greater agency and control over their digital lives. It establishes a trust framework where individuals can verify the authenticity of information and interact with others more transparently and securely. This fosters trust between parties and reduces reliance on centralised authorities, enabling peer-to-peer interactions and decentralised governance models.
RISKS ASSOCIATED WITH SELF-SOVEREIGN IDENTITY
While SSI offers benefits, potential risks also need to be considered. Here are some of the critical risks associated with self-sovereign identity:
PRIVACY CONCERNS
Just as there were privacy concerns with the Centralised and Federated Identity models, the SSI model does not remove all the privacy concerns. SSI relies on using decentralised technologies such as blockchain to store and manage identity information. This enhances privacy by reducing reliance on centralised authorities. However, if the underlying technology is compromised, it could lead to unauthorised access or exposure of sensitive information.
USER ERROR AND DATA LOSS
With self-sovereign identity, individuals are responsible for managing their digital identities and associated cryptographic keys. This places a burden on users to store and protect their keys securely. If a user loses their keys or makes a mistake, they may lose access to their digital identity or risk having it compromised.
LACK OF STANDARDISATION
The SSI landscape is still evolving, and more standardised protocols and interoperability between different SSI systems must be developed. This lack of standardisation can create challenges in establishing trust and seamless identity verification processes across other platforms and organisations.
ADOPTION AND INTEGRATION CHALLENGES
The widespread adoption of SSI requires the participation and cooperation of various stakeholders, including governments, businesses, and individuals. Achieving widespread adoption can be complex and may need more support from existing identity management systems and regulatory frameworks. Integration with legacy systems and infrastructure can also be challenging.
SOCIAL ENGINEERING AND IDENTITY THEFT
As with the other two models, identity theft is an ongoing issue.
SSI relies on individuals' ability to authenticate their own identities and share selective information with others. This introduces the risk of social engineering attacks, where malicious actors trick individuals into revealing their private information or granting unauthorised access to their digital identities.
LEGAL AND REGULATORY CONSIDERATIONS
The implementation of SSI involves legal and regulatory challenges. Existing laws and regulations may need to be updated to accommodate the decentralised nature of SSI, determine liability and responsibility, and establish frameworks for dispute resolution and identity verification.
Self-sovereign identity offers individuals enhanced privacy, security, control, and interoperability in the digital realm. It aligns with decentralisation, user empowerment, and data protection principles, providing a foundation for more trustworthy and inclusive digital ecosystems. However, it is not without inherent risks. Some of these risks, such as identity theft and user error, are the same whatever model is used. Some of the risks are because the self-sovereign identity model is relatively new, and legal and regulatory bodies are still considering the implications of this model. Despite this, it is a model that should be considered.
