Although organizations have considered decentralized identification for several years, it’s only recently become a viable solution for managing digital identities in a robust way.
There’s a spectrum of potential decentralized identification methodologies, ranging from self-sovereign identification – individuals control the information they use to prove who they are – to federated identity – linking an identity to multiple identity management systems.
At its core, decentralized identification is a potential mitigation strategy against the threat posed by a single central authority having access to personal data. Therefore, as organizations increasingly contend with privacy and security concerns, they’re increasingly exploring a decentralized alternative.
What are the flaws with centralized identification?
By definition, identification data contain a vast amount of personal information, which could be foundational or functional. Foundational identities are those that have been assigned by a state, such as a birth certificate, passport, or identity card. Functional identity relates to the addition of other attributes, such as relationship status, employment status, and entitlement to various services.
The data that organizations create, collect and store is valuable, so protecting it from unauthorized access, either internally or externally, is essential. Identity management adds a layer of security by identifying individuals, and then authenticating and authorizing them to provide them with access to your company’s data systems.
Uncontrolled access to functional identities can be particularly problematic, as it could potentially lead to inclusion or exclusion, or similar abuses. “When the allies left Afghanistan, a large database of Afghani citizens who had helped was unfortunately made available to the incoming government, which is very dangerous for those people,” explains professor Jon Crowcroft, researcher-at-large for the Turing Institute. “It explicitly attributes those people that had helped foreign governments.”
It’s worth noting a distributed system isn’t necessarily decentralized. In a distributed system, data is spread over various servers, but may be within a single, centralized, authority. A decentralized system is where multiple authorities and agencies manage the system collaboratively. Therefore, just because a system is distributed does not make it also decentralized. A classic example of a distributed but centralized system would be the NHS in the UK, where there’s a single body overseeing the different health trusts across the country.
Decentralized identification is a methodology dependent on the organizations involved having a shared approach to identity management and control. “It came out of Tim Berners Lee’s Web3 stuff.” adds Crowcroft. “I'm not a big fan of blockchain and NFTs, but agreeing on standard formats and protocols is really good. It's engineering detail, but it matters, as when people agree to those, then you can have a rapid deployment.”
With a decentralized model for identification, there’s no single agency with oversight – and access to – all of the personal data. There have already been instances where companies have been coerced by governments into handing over user data. “We've seen this in the Snowden paper revelations when the US government would use secret courts to coerce companies that ran cloud services to reveal personal information,” says Crowcroft.
Having a decentralized model for an identification system means it’s much harder for third parties to access the information. Instead of there being a single agency to be coerced, bribed, or overcome, there are now several. Whilst it won’t prevent third parties from gaining access to the information entirely, it does make it that much harder.
How can you deploy decentralized identities successfully?
With the growing number of privatized government services, decentralized identification is becoming an increasingly viable methodology for preventing a single private organization from having oversight over a large identification system. Decentralized identification allows governments to deploy the identification model across multiple vendors. With the appropriate agreements in place, decentralized identification also allows cross-border information sharing between countries to be conducted in a transparent and controlled manner.
Although the decentralized identification model is inherently robust, it has a fundamental weakness in that there’s no single authority. For example, there’s no single point of contact for users who have lost or forgotten their passwords. It’s therefore incumbent upon users to have appropriate backups of their security keys, such as a one-time access code.
These attacks are an increasing weapon of choice the more we are increasingly reliant on identity-based authorization. Organizations are adding new layers of authentication, which, inevitably, hackers work to find ways through or around. In this cat-and-mouse game, identity-based attacks are on the rise, and organizations must implement several measures to defend themselves.
In order to be viable, too, there needs to be a stable internet infrastructure so the decentralized identification system can operate between multiple agencies. As such, it has typically been deployed in dense, technologically-educated regions.
In 2021, the Estonian government issued its digital identity card as a decentralized identification system. In this case, it was less concerned about coercive governments abusing data than malicious actors from hostile nation-states accessing it. Although the digital identification system has proven to be highly successful, Estonia is a small country with a population of almost 1.5 million people, approximately the same as the number of people who work for the NHS.
There also need to be redundancy measures in place for when internet connectivity is unreliable, such as in remote regions or when there is poor telecommunication infrastructure. This is akin to carrying a paper copy of an e-ticket for a train or concert in case a smartphone runs out of battery.
“If you were retiring to the Western Highlands, where internet access is patchy, you would still need to be able to prove ID,” says Crowcroft. “If the internet is down that day, you could show up with a credential that you had previously printed in case of an emergency – it’s like I always print my boarding pass because I’m paranoid about my phone breaking. That consideration should be there for things you depend on.”
Given the foundational nature of decentralized identification, it’s best used in projects that are just starting out. Also, given that a decentralized identification would be spread across multiple organizations, these systems are intended for managing large numbers of identities.
When identification management is decentralized, the risk of the data being misused is mitigated due to there no longer being a single point of authority to be attacked, bribed, or coerced. With the agreed formats and protocols established through Web3, decentralized identification could become an increasingly viable method for robustly managing identification systems.
