Get control: Own your digital identity
- Posted on August 16, 2022
- Estimated reading time 5 minutes
Last year, the European Commission announced that all citizens should have access to a digital identity. The combination of ‘government’, ‘IT’, and ‘privacy’ has raised valid concerns with security specialists.
In this blog Alwin Perotti and I will explore the nature of the EU announcement and the three models of digital identity: siloed, federated and decentralized. We will also discuss the strength of decentralized Identity and how it can greatly improve privacy and user comfort when implemented correctly.
Siloed identities: Gives zero insight into who has your data
Most people have been exposed to the first, siloed model of digital identity. Nowadays, to check out from an online store, you usually need to disclose personal data, like your name, address, phone number and email address. The same thing happens in person, from showing your driver's license in a liquor store to copying ID or a passport when you stay in a hotel.
You can even extend these scenarios to business use-cases where, for example, your personal information (PI) will be stored in an HR system and is often shared with third-party systems such as financial systems, CRM systems, or – in some cases – even with customer environments to provide access to these systems.
With such a siloed approach, the average user has zero insight into who has their data, and why. In other words, they don’t “own” their digital identity.
One of the reasons the GDPR legislation was created, was to solve this issue. And it did – at least partly. For example, organizations are only allowed to store data temporarily, and only with a valid argument. But even then, as a user, you don’t always know which organizations and systems have access to your data. And in most cases, you also end up having different accounts within these various environments.
Federated identities: Power still lies with the identity provider
A solution frequently used to limit the number of accounts is the use of federated identities. Federated accounts solve certain challenges, such as decreasing the number of accounts required by a user. And they give the owner of the identity provider control over what information is or isn’t shared. But they are far from ideal: first, a ‘trust’ relationship must be created between the identity provider and the service (such as an application). A wide range of different identity providers are used, which can become challenging to maintain. What’s more, the user still has no control over the information that can be shared, and when – this power lies with the owner of the identity provider.
Decentralized identities hand back control
This is where the strength of decentralized identities comes in. Decentralized identities use the power of blockchain technology and a trusted ledger. In the most common use-cases, users manage their self-owned identity details using their “wallet”, which is often an application on a smartphone. This identity is initially retrieved by the user from an Issuer. In the example below, we look at a decentralized identity scenario where the issuer is a government agency.
In this scenario, the identity information is securely stored in the wallet using cryptographic technology and signed with the private key of the user (Flow 1). Access to this private key is typically unlocked with a PIN code or biometrics, which prevents unauthorized users from using the wallet. Any time a user wants to share specific information through the ledger with a party, this information is signed with the private key. The party can then use the publicly available key to verify that the information published on the ledger comes from the actual user (verifiable credentials).
After the party verifies the user, it’s up to the user themselves to decide what additional information they want to share. This approach allows for great granularity in the information shared by the user (Flow 2). For instance, instead of sharing your full birthdate, it allows organizations simply to verify whether you’re above a certain age. The user is also able to revoke the public key at any given moment, which prevents the party from further using this data.
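The two flows above, as an added worked example that is not code from the original post, from Microsoft, or from any W3C reference implementation. It assumes a deliberately simplified scheme in the style of salted-hash selective disclosure: the issuer signs only salted digests of the holder's claims and binds them to the holder's public key (Flow 1); the holder later presents only the claims they choose, signed with their own key over a verifier-supplied nonce (Flow 2); the verifier checks the issuer signature, the holder signature, the nonce, and that every disclosed claim was actually issued. The "age_over_18" claim is asserted by the issuer so the holder can prove it without revealing the birthdate. The issuer identifier, claim names and nonces are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Disclosure is one claim the holder may choose to reveal: a random salt
// plus the claim name and value. The salt stops a verifier from guessing
// undisclosed claims by brute-forcing their digests.
type Disclosure struct{ Salt, Name, Value string }

// digest commits to one disclosure; the issuer signs only these digests.
func digest(d Disclosure) string {
	h := sha256.Sum256([]byte(d.Salt + "\x00" + d.Name + "\x00" + d.Value))
	return hex.EncodeToString(h[:])
}

// Credential is what the issuer hands the holder (Flow 1). It binds the
// claim digests to the holder's public key so only that wallet can present it.
type Credential struct {
	Issuer    string   `json:"issuer"`
	HolderKey []byte   `json:"holder_key"`
	Digests   []string `json:"digests"`
}
type SignedCredential struct {
	Credential Credential `json:"credential"`
	IssuerSig  []byte     `json:"issuer_sig"`
}

// Presentation is what the holder sends a verifier (Flow 2): the signed
// credential, only the chosen disclosures, and the verifier's fresh nonce.
type Presentation struct {
	Cred      SignedCredential `json:"cred"`
	Disclosed []Disclosure     `json:"disclosed"`
	Nonce     string           `json:"nonce"`
}
type SignedPresentation struct {
	Presentation Presentation `json:"presentation"`
	HolderSig    []byte       `json:"holder_sig"`
}

// mustJSON is the byte encoding both parties sign; encoding/json emits
// struct fields in declaration order, so it is deterministic here.
func mustJSON(v any) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return b
}

func newSalt() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Issue builds a salted digest per claim, signs the digest list together with
// the holder's key, and returns the credential plus the disclosures the
// wallet keeps privately. Digests are sorted so their order leaks nothing.
func Issue(issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey, claims map[string]string) (SignedCredential, []Disclosure) {
	var ds []Disclosure
	var digests []string
	for k, v := range claims {
		d := Disclosure{newSalt(), k, v}
		ds = append(ds, d)
		digests = append(digests, digest(d))
	}
	sort.Strings(digests)
	c := Credential{"did:example:issuer", holderPub, digests} // constructed issuer id
	return SignedCredential{c, ed25519.Sign(issuerPriv, mustJSON(c))}, ds
}

// Present reveals only the named claims and signs the whole presentation,
// nonce included, with the holder's key.
func Present(holderPriv ed25519.PrivateKey, sc SignedCredential, all []Disclosure, reveal []string, nonce string) SignedPresentation {
	var chosen []Disclosure
	for _, d := range all {
		for _, n := range reveal {
			if d.Name == n {
				chosen = append(chosen, d)
			}
		}
	}
	p := Presentation{sc, chosen, nonce}
	return SignedPresentation{p, ed25519.Sign(holderPriv, mustJSON(p))}
}

// Verify is the relying party's side: nonce, issuer signature (which also
// authenticates the holder key), holder signature, then per-claim commitment.
func Verify(issuerPub ed25519.PublicKey, sp SignedPresentation, nonce string) (map[string]string, error) {
	p := sp.Presentation
	if p.Nonce != nonce {
		return nil, errors.New("nonce mismatch: possible replay")
	}
	if !ed25519.Verify(issuerPub, mustJSON(p.Cred.Credential), p.Cred.IssuerSig) {
		return nil, errors.New("bad issuer signature")
	}
	holderPub := ed25519.PublicKey(p.Cred.Credential.HolderKey)
	if !ed25519.Verify(holderPub, mustJSON(p), sp.HolderSig) {
		return nil, errors.New("bad holder signature")
	}
	committed := map[string]bool{}
	for _, d := range p.Cred.Credential.Digests {
		committed[d] = true
	}
	out := map[string]string{}
	for _, d := range p.Disclosed {
		if !committed[digest(d)] {
			return nil, fmt.Errorf("claim %q was not issued", d.Name)
		}
		out[d.Name] = d.Value
	}
	return out, nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	// Flow 1: the issuer asserts name, birthdate and an age predicate (constructed sample data).
	cred, mine := Issue(issuerPriv, holderPub, map[string]string{
		"name": "Alice Example", "birthdate": "1990-01-01", "age_over_18": "true"})
	// Flow 2: the liquor store only learns the predicate, never the birthdate.
	pres := Present(holderPriv, cred, mine, []string{"age_over_18"}, "nonce-from-verifier")
	fmt.Println(Verify(issuerPub, pres, "nonce-from-verifier"))
}
```

The verifier checks the issuer signature before trusting the holder key embedded in the credential, so a presentation cannot simply swap in an attacker's key; the nonce inside the signed presentation is what stops a captured presentation from being replayed later.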
The announcement of a digital identity by the EU Commission in June 2021 represented a key milestone in the wide acceptance of decentralized identities.
However, the announcement also raised concerns among certain experts:
- The EU amendment states that browsers are required to trust certificates designated by the various governments, without specifying any security requirements. This could lead to security and privacy being compromised, which goes partly against the principle of why decentralized identities were created in the first place.
- The amendment doesn’t enforce any specific requirements regarding the technology used to distribute the information (as required for Decentralized Identities). The existing EU framework (eIDAS) uses a centralized distribution, and due to the technical nature of these solutions, individuals are not the ‘owners’ of their digital identities.
The good news is that various EU member states have indicated they are in favor of using blockchain technology to improve citizen privacy overall.
Building identity resilience at an organizational level
Last year, Microsoft announced its decentralized identity solution known as Microsoft Entra Verifiable Credentials (VC) using Microsoft’s ION. VC is based on the W3C open standard Verifiable Credentials Data Model, allowing companies to easily integrate and support decentralized identities.
There is a wide variation of use-cases in which federated identities are considered, such as allowing employees to log in to a partner portal without sharing credentials, or easily providing contractors secure access. But with the power of decentralized identities, you can do so much more. Avanade recently demonstrated that this technology can even be used outside the realm of personal data to verify the authenticity of products and their contents.
In summary, decentralized identities solve many of the challenges that occur when people don’t own their digital identity. Still, this will not answer all the challenges organizations encounter when dealing with identities, personal data, and the GDPR – this is where working with an experienced digital identity provider pays dividends.
At Avanade, we help clients to unlock the benefits of robust digital identity and build identity resilience across their organization. As a preferred Microsoft partner, we also help to integrate the latest Microsoft Entra technologies (such as VC) into their existing environments.