How decentralized identity can empower people’s data ownership and privacy
In a previous blog, we discussed how wallets are turning digital and how individuals and organisations can benefit from it. In this article, we will take a look at the identity model called Bring Your Own Identity (BYOI or BYOID), and how decentralization can bring much-needed privacy and data ownership into it.
Summary
- BYOI is based on trust between a service provider and a third-party identity provider
- It makes secure sign-up and onboarding simpler and requires no additional credentials for users to remember, but it comes with a cost when implemented using federation
- Decentralizing BYOI removes the direct dependency on the third-party identity provider, gives people ownership and freedom to use their identity anywhere, and minimizes risks of storing personal data
BYOI in a nutshell
The BYOI model is used when a person uses their pre-existing identity from a third party to access a website or service and has to verify their identity securely. Essentially, they bring the identity they own to a new service. The service provider trusts the third party, so they can also trust the identity that has been verified by the third party. This greatly simplifies the process that the service provider goes through and ensures the person is who they say they are.
Most often BYOI is associated with federated identity providers, especially social media services that provide “social login” using accounts created on their platform. Examples of social login providers include Google, Facebook, and Microsoft. But BYOI is more than just signing in with social media accounts. All that is needed for a person to bring their identity from any identity provider is for the service they use to trust that provider.
Who owns your data?
Using social login is very convenient for the user and for the service provider. However, it gives an increased amount of power to the platform where users create their identities. The more information users add to their identity, the more personal data is accumulated on that platform. It is not always clear how this data is being used, or even how it could or should be used. As a user, you don’t own the data that is held on the platform; you only get access to it.
This is not only a problem of social media platforms and BYOI. Any service that needs some form of identity verification usually requires excessive amounts of personal data, as demonstrated by Elias’s experiences of buying a house. In some cases, the service will only require temporary access to the data, but sometimes the data will be stored for longer, in some cases indefinitely unless its removal is explicitly requested.
Who is responsible for keeping your data safe?
The amount of personal data that is stored in various places across the internet and beyond is undeniably problematic. Even if a person has complete trust that their data is not being misused, massive databases of personal data are a goldmine that will attract illegitimate attempts to access that data. A breach of a service like that has a serious impact on many people’s lives and severe consequences.
This is one of the areas addressed by data protection legislation such as GDPR, and it is why many companies try to avoid storing sensitive data. Using BYOID is especially attractive to smaller companies that cannot set up the necessary infrastructure and security for protecting sensitive personal data. Instead of verifying identities themselves and gathering all the information required to do that, they form a trust relationship with a third party and delegate the responsibility to them.
Decentralizing BYOI
We can address many limitations common to BYOI by adopting a decentralized identity approach. A verifiable credential can be used to carry the verified identity of a person from one organization to another. As in any BYOI model, a third-party identity provider can be used to verify the identity of a person, and that verification can be carried over to a service provider that trusts the identity provider. But unlike federated and social logins, verifiable credentials can be used to avoid the problems with data accumulation, and they are the perfect antidote for data security risks and oversharing of personal data. Above all, they ensure that the ownership of the data is with you.
Bring Your Own Credential
The main difference between federated and decentralized BYOI is where the data lives. In the case of decentralized identity, when the person’s identity has been verified, the result of that verification and a cryptographic proof of it are handed back to the person. They will store it in the form of a verifiable credential in their digital wallet. The data is now in the hands of the person (quite literally), instead of the person only having access to it.
Having ownership of the data is empowering for individuals, and making that ownership tangible in the form of a mobile phone can really feel liberating. Data ownership as an abstract concept might not be the best selling point of decentralization for individuals, but the experience of being in control that it can give to people should not be underestimated.
Once the individual has their identity credential in the wallet, they don’t need to go back to the verification service when they need it. Instead, they can use the existing proof of identity wherever they go. Using their identity is not dependent on the identity provider’s service being available, and the service they are using doesn’t need to be integrated with the identity provider’s systems. All that is needed is for the service to trust the issuer of the credential.
Distributed user data
Having personal data distributed to numerous devices with no central access has more benefits than just privacy and data ownership. It makes the reach of a potential data breach almost trivially small (although still not to be neglected because of the potentially serious risk from the individual’s perspective). Services utilizing decentralized identity to its fullest don’t necessarily need to store any personal data within the service, and can instead request it directly from the user only when needed.
Decentralized identity can also effectively combat oversharing of personal information. With zero-knowledge proofs and selective disclosure, services can request only the very minimum set of details that are required. For example, proving that you are a student shouldn’t require you to share your full name, student number, date of birth, and all the other information that your student card might have. Instead, the fact that you have a student number might be all that you need to tell.
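The flow described above (an issuer signs once, the holder keeps the credential, a service verifies it without contacting the issuer and sees only what it asked for) can be sketched as follows. This is an added example, not Condatis code and not a standards-compliant verifiable credential: it uses simplified salted-hash selective disclosure rather than a zero-knowledge proof, and all function names and sample values are hypothetical.

```javascript
// Added example: salted-hash selective disclosure with an Ed25519-signed credential.
const crypto = require('node:crypto');

// A disclosure is [salt, claimName, claimValue]; only its SHA-256 digest gets signed.
// The random salt stops a verifier from guessing hidden low-entropy values.
const digestOf = (disclosure) =>
  crypto.createHash('sha256').update(JSON.stringify(disclosure)).digest('hex');

// Issuer: verify the person once, then sign the claim digests and hand everything over.
function issueCredential(issuerPrivateKey, claims) {
  const disclosures = Object.entries(claims).map(([name, value]) =>
    [crypto.randomBytes(16).toString('hex'), name, value]);
  const payload = JSON.stringify({ digests: disclosures.map(digestOf).sort() });
  const signature = crypto.sign(null, Buffer.from(payload), issuerPrivateKey);
  return { payload, signature: signature.toString('base64'), disclosures };
}

// Holder (wallet): send the signed payload plus only the requested disclosures.
function present(credential, requestedNames) {
  const disclosures = credential.disclosures.filter(([, name]) => requestedNames.includes(name));
  return { payload: credential.payload, signature: credential.signature, disclosures };
}

// Verifier: needs only the issuer's public key, never a call to the issuer.
// Returns the disclosed claims, or null if anything fails to verify.
function verifyPresentation(issuerPublicKey, presentation) {
  const { payload, signature, disclosures } = presentation;
  const sigOk = crypto.verify(null, Buffer.from(payload), issuerPublicKey,
    Buffer.from(signature, 'base64'));
  if (!sigOk) return null;
  const signedDigests = new Set(JSON.parse(payload).digests);
  const claims = {};
  for (const disclosure of disclosures) {
    if (!signedDigests.has(digestOf(disclosure))) return null; // not issued by the issuer
    claims[disclosure[1]] = disclosure[2];
  }
  return claims;
}

// Constructed sample data: a student credential of which only one claim is shown.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const credential = issueCredential(privateKey,
    { fullName: 'Alex Example', studentNumber: 'S-0000000', dateOfBirth: '2000-01-01' });
  const shown = present(credential, ['studentNumber']);
  const forged = { ...shown, disclosures: [['00', 'studentNumber', 'S-9999999']] };
  return { accepted: verifyPresentation(publicKey, shown),
    rejected: verifyPresentation(publicKey, forged) };
}
```

The verifier still learns how many claims the credential contains and sees the same signature on every presentation, so this simple scheme limits what is disclosed but does not make presentations unlinkable.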
Using verifiable credentials makes it very clear when credentials from your wallet are sent somewhere. Any time a service wants to access information about your identity, the digital wallet that holds your identity credential will request your approval before sharing the information. The confirmation can be bound to biometric data like fingerprint or face identification. This helps to prevent misuse of the credentials in the digital wallet in case someone else gains access to your phone.
What does it look like?
It might all sound like wishful thinking and a bit far-fetched without an actual, practical example. Luckily, Condatis already have several of those! We have been working with our clients to build decentralized identity solutions that utilize the BYOID model and prove that it can bring significant value to them and their users.
Bring your identity across organization boundaries
Enabling staff members to bring their employer identity from one organization to another was at the core of the NHS Digital Staff Passport and Sellafield solutions. In both cases, organizations can issue staff member identity as a verifiable credential. When working temporarily on a site outside their primary organization, the employee can bring their identity to a new site using already verified details about their employment for a much smoother onboarding experience.
Bring your identity from school to work
As part of the work we did with The Royal Melbourne Institute of Technology (RMIT), we demonstrated how verifiable credentials can be used to help the transition from university to working life. In our Proof of Value solution for RMIT, university alumni can bring their degree certificate in the form of a verifiable credential to their new employer. This can replace a lot of manual work in checking the authenticity of a degree certificate and makes it a lot quicker and more secure.
The RMIT use case also shows how the use of decentralized identity technology is not limited to strictly identity-like credentials. A certificate for a degree or completed training is a perfect example of a credential that many would much rather have in an easily verifiable digital format.