In the second of a three-part series, an anonymous banking insider explains the failures of modern digital identity protocols and the ways we can fix them.
In the second of a three-part series, our anonymous contributor outlines some of the core components of a modern digital identity strategy, including: Decentralized Identifiers (DIDs), Verifiable Credentials (VCs), and Verifiable Data Registries (VDRs) - all of which rely on digital signatures (which were explained in Part 1). These tools and standards enable us to bring much needed trust to the digital realm by mirroring the norms of how we establish trust in the physical world - with secure credentials possessed and presented by citizens that authenticate their intent. Scaled utilization of this new approach could dramatically reduce identity-related fraud, mitigate the “honey pot” problem, and unlock a new era of digital trust in the United States.
As discussed in Part 1, our approach to digital identity in the United States remains a significant and expensive threat to individuals, businesses, and government alike.
Without a modern and cohesive identity infrastructure and strategy in the US, all 3 of these groups (individuals, businesses, governments) effectively defer to banks and their identity verification (“IDV”) providers to verify an individual’s identity. While state and federal government agencies may not have direct ties to the banks, they are in fact relying on many of the same IDV providers the banks use to establish a citizen’s identity in a digital context.
As discussed in detail in Part 1, banks have a self-interested, risk-based approach to identity resolution. If a bank’s IDV provider misemploys an individual’s identity, the bank’s primary concern is ensuring that it can sufficiently mitigate the risk of loss that the bank might suffer - not the victim - as a result of that error. Individuals and our society more broadly are left to bear the collateral damage and costs of identity theft.
As highlighted previously, this problem is exacerbated by the fact that the current identity verification model requires us to use our “secrets” (our sensitive identifying information) as our identifiers. Even after someone’s sensitive identifying information (such as a Social Security number) has been compromised, possession of that information (by anyone) is often still treated as a sufficient proxy for that individual’s intent to authorize the appropriation of their identity. This allows anyone in possession of the “secrets” to engage in transactions that can expose the individual to significant legal and financial risk, such as establishing an account, opening a credit line, or applying for a loan. Forcing someone to use her compromised personal information as her identity authenticator is the equivalent of forcing her to use her home address as the key to her front door.
The obvious solution is to separate our secrets (or “authenticators”) from our identifiers. But how? The answer: Self-Sovereign Identity (“SSI”), achieved through the use of decentralized identifiers and digital signatures. As explained below, by using these tools, we can significantly improve our control and consent over the use and disclosure of our identity and dramatically reduce the risk of identity theft. Adopting and deploying these approaches at scale will usher in a desperately needed return of self-sovereignty over the use of one’s identity in a digital context. Before we get there, however, it’s important to discuss “credentials,” a key concept in the conversation around identity.
In the context of digital identity, a “credential” is a piece of information or a set of data that makes claims related to the identity of an individual (or organization). Generally, a credential contains three critical pieces:
A simple example of a physical credential is a driver’s license; it identifies the subject of the credential via an individual's name. It also states claims about the subject, including a photograph, height, weight, along with several other relevant attestations - e.g., the individual referenced in this license lives at the stated address, was born on the stated date, and is licensed to operate a motor vehicle in the issuing state. Driver’s licenses also contain various security features to enable others to confirm their authenticity; these vary by state but can include holograms, microprinting, ghost images, and/or features that are only visible under ultraviolet light.
As discussed above, IDV providers evaluate information and risk signals on behalf of their institutional customers (such as banks or government agencies) to determine if end-users are who they say they are. Once an IDV provider has verified an individual’s identity to its own satisfaction, it provides the results of its verification to its client. Because the assessment of the end-user and the subsequent decision from the IDV provider are funded by the institutional customer, however, those identity attestations are generally viewed as the property of the business that paid for them. As such, while an end-user may have successfully established his identity with a given financial institution or government agency, the resulting digital identity claims are siloed and restricted to the domain of that business or agency. The end-user’s “identity” within this context does not belong to the end-user at all - it is rather a proprietary and permissioned profile that the user can only access within the confines of the specific institution’s policies and procedures.
Unlike a physical credential (e.g., a driver’s license), which is issued directly to the person that is the subject of the credential and is intended to be universally recognized and self-sufficient, most of our digital identity credentials are siloed and context-dependent, issued not to the person that is the subject of the credential, but to government agencies and private corporations that restrict the end-user from using them to establish her identity with any other institution.
It also becomes apparent in this context that we cannot simply construct our “identity” - digital or otherwise - as a singular object or notion, be it a credential, a biometric, or any other single concept. Christopher Allen summarized it perfectly in his 2016 insight: “Today, nations and corporations conflate driver’s licenses, social security cards, and other state-issued credentials with identity; this is problematic because it suggests a person can lose his very identity if a state revokes his credentials or even if he just crosses state borders.” In the case of digital identity claims issued by an IDV provider, the end-user’s “identity” within this restricted and permissioned space may be revoked at any time, as deemed necessary or prudent by the institution that “owns” it.
So if our identity is not an individual credential or claim, what is it? At the simplest level, an individual’s identity is simply a collective interpretation of claims about the individual that can be made by anyone. Most claims that relate to someone’s identity in the egoic sense are self-authored (e.g., “I am an Eagles fan”), but many other aspects of our identity in a public context are issued by third parties, including governments, schools, employers, or other groups. Below, we’ll review two common forms of third-party claims (a student transcript issued by a university and a driver’s license issued by a state) and explore how new standards and technology are making the process of issuing, verifying, and using claims more secure, convenient, and effective.
As we’ve discussed, today’s prominent IDV providers (which operate as private businesses) are the primary authors of claims about an individual’s identity in a digital context, which are made for the benefit and ownership of businesses and government agencies in the US. If we want to move away from centralized reliance on IDV providers to determine if we are who we say we are, who is going to make these determinations, and how?
Beyond the current manifestation of digital identity in the US, we see a world where any person or entity can craft and express a claim about any other person or entity (identity-related or otherwise) which can quickly and provably have its authorship verified. However, a claim is just a claim - and verifying the source of a claim has nothing to do with verifying its veracity. In general, one’s belief in or reliance on any claim is a function of social trust, which can be built on private relationships, public reputation, legal agreements, and / or standardized trust frameworks. By examining the roots of trust in the analog world, we’ll be able to more clearly understand the foundations and merits of a new paradigm of identity which many refer to as Self-Sovereign Identity (“SSI”).
In the analog world, we generally establish trust via one-on-one (or direct) interactions. For example, if I were to enroll as a student at a university, I would be required to provide identifying information (“identifiers”), such as my name, address, and social security number. The university would verify this identifying information to whatever level of assurance it deems necessary, and upon completing that process, it would link “me” to these identifiers in its systems. Upon graduation, as I walk across the stage to collect my diploma, that document will be addressed and handed to the person that the professors and students believe to be the individual who has been attending classes and passing exams using that identifying information. Through this trusted relationship (built in part on my continued use of my identifiers, specifically my name), the university will issue a credential (the diploma) that references “me” (the subject) and states that I have graduated (the claim). The university will also note in its records that the student with my name (and other identifiers) has indeed graduated, and those internal records / claims will likely take the form of an academic transcript (another credential).
In this context, my graduation claim is not inherently a part of me or my identifier, but it instead relies on my identifier to have context or meaning. This separation of “me” and “my name” is critical as we begin discussing the notion of decentralized identifiers.
In this example (and in nearly all social interactions of the analog world), a person’s name is their primary identifier. As we've discussed, using a person’s name or social security number as both his identifier AND his identity authenticator has been a primary driver in the historical failure and exploitation of our national identity management approach. However, thanks to technology-agnostic standards published by the World Wide Web Consortium (W3C, the predominant global standards organization for the Web), we now have a globally recognized way to establish and leverage identifiers that do not contain any personal information.[2] These identifiers are known as Decentralized Identifiers (“DIDs”).
Just as each book can be identified by its unique ISBN (International Standard Book Number), and every US vehicle similarly has a unique VIN (Vehicle Identification Number), a DID is simply a form of Uniform Resource Identifier (URI) that contains a globally unique text string. The DID also declares the DID Method in use (of which businesses and governments have published almost 200 at this point). DID Methods are specifications that define how DIDs are created, resolved, and updated on a specific Verifiable Data Registry (more on that below).
Together, this set of information (DID and DID Method) enables others to look up basic information about the DID, which is stored in an accompanying DID Document. These DID Documents detail the authentication mechanisms for that specific DID, providing details about the type of cryptography that was used to generate the public-private key pairs (discussed in Part 1) that secure the DID via digital signatures. While the public key (the public identifier) of the DID is stored in the DID Document and available for anyone to see, the accompanying private key is kept secret by the DID controller (acting as a “password”) and enables the controller to prove control of the DID.
Source: W3C Decentralized Identifiers (DID) v1.0
To locate the accompanying DID Document of a given DID, this new paradigm of digital identity relies on a Verifiable Data Registry (or “VDR”). At a high level, a VDR is simply a role that a system performs to mediate the creation and verification of identifiers[1] - which can be as simple as a public database. At their core, VDRs enable the resolution of DIDs to DID Documents.
VDRs come in many forms, and like all things, have trade-offs. Perhaps the most decentralized, secure, immutable, and permissionless VDR in the world right now is the Bitcoin network. Other examples of popular VDRs include peer-to-peer networks such as the BitTorrent network, decentralized file systems, distributed ledgers, or other databases (permissioned or otherwise) such as web domains (which are mediated by DNS[3]), government databases, and other public databases.
Source: W3C Decentralized Identifiers (DID) v1.0
To understand why DIDs and VDRs are important, we must recognize that in order to move away from a world where only private and centralized entities can credibly author, own, verify, and interpret claims related to our identity, we must build the standards, technology, and tools to enable any person or entity to author, hold, present, and verify claims. Further, we must ensure that we have an identity infrastructure that is resilient and not centrally-controlled by private corporations, and instead enables the private sector to securely leverage and bolster government sector claims. Importantly, this new paradigm will enable this for all claims, not just claims from governments. This new paradigm enables us to move from a singular standard of privatized identity assurance to an open gradient approach, where those that need to rely on identity-related claims are able to do so as they see fit, and without the permission, interpretation, and dependency of a handful of centralized entities.
This new model of digital identity leverages a framework called the “trust triangle”, whereby each participant plays one or more roles. Let’s establish some basic terminology and concepts that underpin this open model:
Verifiable Credentials Trust Triangle (Wikipedia)
This approach enables significant benefits for all parties involved, and also solves important problems that can arise when moving from physical to digital credentials. If we look back at the example of a prospective employer seeking to verify that I graduated from a given university, it’s clear that our current model is inferior to this new approach:
Instead, if this university were to pursue this new approach, they would simply:
With this approach:
This model dramatically reduces the costs, risks, and time of issuing, holding, and verifying claims / credentials of all kinds. This is why universities such as Harvard (and many others) have adopted this model of credential issuance and verification.
In the above example, it’s clear that there are significant benefits in using this new methodology when it comes to issuing, holding, presenting, and validating a graduation claim. In this case, the university issues the credential to me using its DID, and my name appears directly inside the credential.
However, the real benefits of this approach become apparent when we realize that Issuers can create credentials which do not necessarily contain any sensitive identifying information - but instead identify the subject of the credential via a DID. By removing the Holder’s sensitive identifying information from digital credentials altogether, Verifiers will never receive it, yet they will still be able to verify the claims of Holders and Issuers.
Some regulations today (particularly around banking, as discussed previously) require that businesses capture and store the name and other personal identifying information of their customers. In these cases, Verifiers (banks) will indeed likely require a Verifiable Credential that does contain PII to comply with today’s regulations. However, many other use cases which contribute to the collection (and subsequent leaking and exploitation) of our PII do not have this requirement. Most businesses today store sensitive customer information predominantly for marketing or customer management purposes. However, in many cases the exchange and storage of this information is not required by any law or regulation, but is instead simply a result of there being no other viable way to collect, verify, and log the credentials of customers. DIDs and Verifiable Credentials present a new way to overcome many of these challenges while continuing to be able to satisfy the requirements of businesses and governments.
For example, consider another prominent use case: age-restricted access. The requirements of a bar or restaurant that serves alcohol (in the US) are to ensure that imbibing patrons are over the age of 21. Today, people satisfy these requirements by presenting their physical credentials (usually a driver’s license) which shows their birthday and photograph - but these credentials also contain an abundance of other information well beyond the requirements of this specific use case. Instead of simply confirming that I’m over 21, I’m now disclosing my name, address, and other sensitive information which is well beyond the initial requirements of age verification. Additionally, the doorman is also tasked with evaluating the security features and authenticity of my physical credential.
Instead, imagine a world where a state’s Department of Motor Vehicles issues a credential to a citizen as a product of a trusted relationship. This trust is based on whatever identity verification and authentication processes are in place for issuing a physical credential - except that the citizen now also holds a digital version of the issued credential. This credential does in fact contain sensitive personal information, but it is crafted in such a way that enables a Holder to selectively disclose components of the credential when desired. Instead of a singular digital credential that contains all of the citizen’s sensitive personal information in a unified form (like the physical credential), their digital credential contains multiple component attestations from the DMV, including that the citizen to whom the credential was issued is over 21, that her picture was taken at the DMV, and that she is licensed by the state to operate a motor vehicle.
The citizen, using her digital wallet on her phone, is now able to craft a “Verifiable Presentation” of this credential to the doorman or bartender, which enables her to selectively disclose and present individual parts of the attestations within her credential. In this case, the citizen would select the DMV's claim that she is over 21 years old, along with her photo that was taken at the DMV when the credential was issued, and then show the employee a scannable code on her phone which represents the details of the claim. With a phone (or another tool which doesn't necessarily require an internet connection), the employees at the bar are able to scan the code which contains the information necessary for them to cryptographically verify that:
In this model, the restaurant is able to instantly and confidently accept this cryptographically secure claim from the DMV, without collecting or storing any sensitive personal information of the end-user. They can also view the cryptographically signed image of the Holder to authenticate that the person presenting the credential was the same person that the credential was issued to, if they desire. Notably, they don't have to manually inspect and validate the security features of a physical credential to ensure authenticity of the claims - they can instead use the open cryptographic methods that secure the DID of the DMV (and Holder, if desired) to confirm that the DMV did in fact author this credential, and that the contents of the message have not been tampered with.
Another important outcome of using this technology is that the Verifier (restaurant) does not have to “phone home” to the DMV to confirm the authenticity of the claims in the credential. This is important because like a physical credential, a digital credential should ideally not have any external dependencies which require Verifiers to validate claims with Issuers. The reasons behind this principle are grounded in the privacy interests of end-users, ensuring that the Issuer (DMV) does not have insight into how or where I am using my credentials - in the same way that a physical credential does not usually result in the Verifier inquiring about the validity of my credentials to the Issuer.
Verifiable Credentials enable us to work back towards the grounded physical security model of analog society where simply possessing someone’s personal information is not sufficient to establish that person’s identity for the purpose of (as an example) opening an important account in that person’s name. Instead, Verifiers operating in a digital context will require the presentation of a signed credential which the citizen digitally possesses. Should this credential ever be compromised, lost, or stolen, the citizen is able to authenticate themselves with the Issuer, have a new credential issued, and publicly broadcast (in a way that does not disclose sensitive personal information) that the previous credential should not be trusted.
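The following Go program is an added example, not code from the article or from any DID or Verifiable Credentials library, that ties together the pieces described above: the issuer's DID and DID Document published to a registry standing in for a VDR, a credential whose claims are signed only as salted digests so the Holder can selectively disclose them, a presentation that reveals just the "over 21" claim and the DMV photo, and a Verifier that resolves the issuer's DID locally (no "phone home"), checks the signature, and consults a public revocation list. Everything is assumed for illustration: the `did:example` method name is a placeholder rather than a published DID Method, the DID Document is reduced to its controlling Ed25519 key, the claim names and values are constructed, and the salted-digest technique is one way to realise selective disclosure (in the spirit of hash-based approaches such as SD-JWT), chosen here because the article does not specify a mechanism.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
)

// Registry stands in for a Verifiable Data Registry: Docs maps a DID to its DID
// Document (reduced to the controlling key); Revoked lists withdrawn credential IDs.
type Registry struct {
	Docs    map[string]ed25519.PublicKey
	Revoked map[string]bool
}

// Register derives a DID from the key under the placeholder method "did:example"
// (an assumption, not a published DID Method) and publishes its DID Document.
func (r *Registry) Register(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	did := "did:example:" + base64.RawURLEncoding.EncodeToString(sum[:12])
	r.Docs[did] = pub
	return did
}

// Disclosure is one claim plus the random salt that blinds its digest.
type Disclosure struct{ Salt, Name, Value string }

func (d Disclosure) Digest() string {
	sum := sha256.Sum256([]byte(d.Salt + "|" + d.Name + "|" + d.Value))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Credential is what the issuer signs: IDs plus sorted claim digests, never values.
type Credential struct {
	ID, Issuer, Subject string
	Digests             []string
}

type SignedCredential struct {
	Credential
	Signature []byte // Ed25519 over json.Marshal(Credential)
}

// Issue salts every claim, signs only the digests, and hands the holder both.
func Issue(issuer string, priv ed25519.PrivateKey, id, subject string, claims map[string]string) (SignedCredential, []Disclosure) {
	cred := Credential{ID: id, Issuer: issuer, Subject: subject}
	var discs []Disclosure
	for name, value := range claims {
		salt := make([]byte, 16)
		rand.Read(salt)
		d := Disclosure{base64.RawURLEncoding.EncodeToString(salt), name, value}
		discs = append(discs, d)
		cred.Digests = append(cred.Digests, d.Digest())
	}
	sort.Strings(cred.Digests) // order must not reveal which claim is which
	msg, _ := json.Marshal(cred)
	return SignedCredential{cred, ed25519.Sign(priv, msg)}, discs
}

// Present keeps only the disclosures the holder wants this verifier to see.
func Present(all []Disclosure, reveal ...string) (out []Disclosure) {
	for _, d := range all {
		for _, name := range reveal {
			if d.Name == name {
				out = append(out, d)
			}
		}
	}
	return out
}

// Verify resolves the issuer DID from the registry (never from the issuer), checks
// signature and revocation, then checks each disclosed claim against the signed digests.
func Verify(reg *Registry, sc SignedCredential, disclosed []Disclosure) (map[string]string, error) {
	pub, ok := reg.Docs[sc.Issuer]
	msg, _ := json.Marshal(sc.Credential)
	switch {
	case !ok:
		return nil, fmt.Errorf("unknown issuer DID %s", sc.Issuer)
	case !ed25519.Verify(pub, msg, sc.Signature):
		return nil, fmt.Errorf("issuer signature does not verify")
	case reg.Revoked[sc.ID]:
		return nil, fmt.Errorf("credential %s has been revoked", sc.ID)
	}
	claims := map[string]string{}
	for _, d := range disclosed {
		dg := d.Digest() // Digests is sorted, so a binary search suffices
		if i := sort.SearchStrings(sc.Digests, dg); i == len(sc.Digests) || sc.Digests[i] != dg {
			return nil, fmt.Errorf("claim %q is not covered by the signature", d.Name)
		}
		claims[d.Name] = d.Value
	}
	return claims, nil
}
```

To walk the DMV scenario: create a `Registry`, generate an Ed25519 key pair for the DMV and `Register` it, `Issue` a credential with constructed claims such as `over21`, `name`, `address` and a photo reference, then call `Verify` with `Present(discs, "over21", "photoHash")`. The Verifier learns only the revealed values, and a disclosure whose value differs from what the DMV salted fails the digest check even though the signature on the credential is still valid. Revoking a credential means adding its ID to the registry's public list, which names no person, matching the "broadcast that the previous credential should not be trusted" step in the text.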
Given our fractured, reactive, and ad-hoc approach in the US, we are years behind other countries like Singapore, Canada, and Australia - all of which are leveraging Verifiable Credentials at varying levels of federal scale across multiple use cases to enable their economies. The good news is that over a dozen US states (including Arizona, California, Colorado, Louisiana, and Utah) are issuing Verifiable Credentials today at varying levels of scale. Many states are in the pilot stages, while other states have issued credentials like this to almost a million of their constituents. Businesses in various industries - such as healthcare, logistics, media, and many more - also continue to invest in and build out infrastructure to leverage this new paradigm to author and verify claims in partnership with their clients, partners, and the public.
As we look to accelerate our journey towards a world where US citizens retain consent and authorization over the utilization of their identities, we must focus on the most critical points of leverage to quickly refine and execute our national strategy. Deriving and executing a cohesive digital identity strategy could unlock up to 13% of GDP by 2030 by lowering the friction for trusted interactions / commerce and dramatically reducing costs of fraud for citizens, businesses, and government. By moving away from a framework in which our sensitive personal information is used as an identifier AND an authenticator - and instead towards one where personally-linked identifiers are public by design - we can build systems that empower citizens to truly decide when and how their information is disclosed and used.
In our third and final piece in the series, we will discuss opportunities and recommendations for policy-makers to consider as our country looks to close the gaps on our national approach to digital identity.
Author’s public key: bb4a72725487478e517396c04eb4e96a42a554b42f90946b4bf0c7d2a3ac9a4e