It is hard to find people who love passwords, as they happen to be one of the greatest examples of opposing requirements: secure passwords cannot be remembered and cannot be written down. But there is good news: in 10 years, there will no longer be any passwords. How? Via other means of authentication, and sometimes authorisation, that we all have and use in the physical world right now: passports, driving licences, tax identification numbers and council tax bills are being used to authenticate. Public-key cryptography is also used, but it only works well if you know what you are doing and can protect your private key from theft or accidental loss.
So, what is SSI?
Self-Sovereign Identity (or SSI) combines the worlds of physical and electronic authentication in a manner that is secure, private, effective and easy-to-use. Users don’t need to take care of their keys or remember passwords; there is literally an App for that. It holds your private keys and electronic representation of physical documents. Everything is encrypted and automatically backed up, just like any other simple to use App.
Verifiable Credentials
SSI has introduced the concept of “Verifiable Credentials” or VC, which is now an agreed W3C standard for exchanging information along with the proof that it is genuine. This is backed by public-key cryptography and can also operate with Zero-Knowledge Proofs, which is a wonderfully complex privacy preserving mechanism.
Issuers and Verifiers
Verifiable Credentials are issued from an “Issuer”, the SSI term for the source of the data. For example, the driving licence authority can issue a VC with a digital version of a licence. “Verifier” is the SSI term for the destination of the data, for example a car rental company that needs to know whether their customer has a valid driving licence and meets the age requirement.
Self sovereignty
The “self-sovereign” part refers to having choice and control around your data and privacy.
Firstly, credentials are stored on the user’s side, not in a big database of a company. They are in the App and are protected with their phone’s authentication method like touch or face recognition.
Secondly, users can choose which App they want to use. A few wallet Apps already exist, for example the Connect.Me wallet from our partner Evernym.
Thirdly, SSI needs a “network”, an underlining system to do the plumbing and provide trust. The network can’t “see” any of the user data, they pass through encrypted, but users can choose which network to use anyway. In typical SSI, trust is provided by ledgers like Bitcoin and Etherium to de-centralise it further and enrich user choice. Numerous organisations and consortia, e.g. government, banks and universities, will be running ledgers, although SSI is ledger-agnostic in principle and the operator does not matter. In fact, it doesn’t even have to be a ledger: any trust system, including the current PKI that gives you the green locked padlock on your browser would work.
Fourthly, users can choose who to share their data with. Wallets have a screen informing the user what data are requested and, where this is possible, the use of Zero-Knowledge Proofs (ZKP) may limit disclosure significantly. In the car renting example, the verifier asks whether they have a valid licence and that they are of the required age. The wallet doesn’t need to share the whole licence or the exact date of birth, using ZKP, the wallet can simply answer “yes and yes” in a cryptographically protected and verifiable manner.
Why does SSI matter?
As a user, do you value your privacy and security? Do you like doing things easily? Are you worried that Facebook, Google and Apple know and control too much of you? Would you like to do more things with businesses and governments online? Would you like to know if your electrician is actually certified? Then SSI matters to you.
As a business, would you like to streamline customer onboarding processes? Would you like to practice KYC (Know Your Customer) in a more assured way and with less employee training? Would you prefer not to store Personally Identifiable Information (PII) under your custody but keep it with the user? Then SSI matters to you.
Oh, and it can fix the problem of remembering passwords as well.
Now is the time to embrace Self-Sovereign Identity, and Condatis is here to help
SSI is no longer in the R&D space: it can be implemented commercially to save costs, empower users and keep data safe. We have been working with partners and organisations around the world on developing real-world implementations of SSI technology and integrate SSI with existing IT infrastructures. Speak to a member of our team to learn more about SSI and its possibilities for your organisation.