In the digital world, identity is key to everything we do. Want to pick up from where you left off in your latest streaming TV series? Desperate to know when your impulse-bought top-of-the-range flight simulator rig is turning up? Whatever we do in the digital world, being able to prove who we are and what permissions we have to access information is critical.
The same is true in digital business.
Digital identity is the gateway for accessing the systems that your employees, your partners and your customers rely on. But establishing who has what access rights is getting harder — at least if you’re stuck using antiquated ideas about identity management.
Today, any given business process might depend on a handful of interconnected systems, each of which may be running in a different cloud. At every step across that process, your business reputation depends on ensuring that only those people with sufficient privileges are able to access specific information.
Research and advisory firm Forrester notes in their January 2, 2020 report, New Tech: Decentralized Digital Identity (DDID), Q1 2020, “Today's digital identity frameworks are centralized, suffer from a lack of trust, aren't portable, and don't give consumers control.”
A new approach is needed. One of the most promising is around decentralized identity, says Dave Elliman, Global Head of Technology at Thoughtworks. In a decentralized identity system, entities — people, organizations and things — gain control over their identities and allow trusted interactions.
The power of this approach is that it enables people to share different parts of their identity with different services as they see fit, says Elliman. “When dealing with your health insurer there’s a level of detail that you might exchange that would be completely inappropriate for your mortgage provider to know. The promise of a centralized identity system is that you can have a single system that enables you to authenticate yourself with multiple entities.”
But it’s not just individuals that could gain from a decentralized approach to identity and authentication.
Today’s businesses are already dealing with incredible complexity when it comes to managing customer data. Customers might have a number of different ‘identities’ they adopt when dealing with a company, explains David Colls, Director, Data and AI Practice, at Thoughtworks Australia.
For instance, a single individual might be a long-standing, high-value client for your company, while also acting as treasurer to the local football team that also has an account with you. “If you have decentralized identity as a deliberate architectural construct, it puts power back in the hands of the customer but in a way that makes it easy for organizations to provide services to the different identities that a customer chooses to adopt,” says Colls. “That will be a real enabler for dealing with a lot of the complexity that we're seeing as a result of the emergent decentralized identity phenomenon.”
Building decentralized identity on solid foundations
Decentralized identity systems are fundamentally different from current approaches.
Today, most of the enterprise-level thinking around next-generation authentication is focused on initiatives such as SPIFFE, the Secure Production Identity Framework For Everyone, says Elliman.
SPIFFE aims to solve the problem of authentication across distributed cloud systems, without having to rely on API keys or passwords.
But these approaches put the onus on the enterprise to manage authentication. A true decentralized identity system puts the individual in control. And there is growing support for this type of user empowerment from regulators, says Elliman.
If you look at the General Data Protection Regulation from the EU or the California Consumer Privacy Act, they’re addressing questions of identity with a sharp focus on giving power back to the individual, says Danilo Sato, Principal Technology Consultant at Thoughtworks UK.
Notions such as the right to be forgotten or the principle that individuals can demand to know what data companies are holding about them are a real challenge for businesses today. “From the perspective of an individual, I’d be really skeptical about whether a company was really going to destroy my personal data if I asked them to,” says Sato.
A decentralized identity system solves that by sharing only the data the individual wants to share; and if they change their minds about sharing it or decide an organization no longer needs it, they have the control to revoke access.
One core enabler for building a decentralized identity system is standards. Bodies such as the Decentralized Identity Foundation are leading the way here. Its mission is to develop the components of an open, standards-based, decentralized identity ecosystem for people, organizations, apps, and devices. Much of its focus is on the notion of open decentralized identifiers — something that is utterly unique, persistent and can be managed by individuals.
Enter the blockchain
It’s at this point that many advocates for decentralized identity start to talk about blockchains. After all, we’re looking at decentralization and cryptographically secured exchanges. That’s bread and butter stuff for blockchain.
Elliman, however, sounds a note of caution.
“Blockchain is definitely one promising avenue for decentralized identity; but it’s by no means the only one. Many of the very powerful ideas behind decentralized identity can work without blockchain, so it’s important not to conflate the two.”
But while some blockchain enthusiasts have gotten over-excited about its potential in a myriad of applications, there are some firm reasons for at least considering its role in decentralized identity.
Take money, for one. While the COVID pandemic has hit IT investments across the globe, sectors such as banking, government and healthcare are expected to continue to prioritize investments in blockchain-based identity management solutions, according to analyst group IDC. It estimates that identity management accounts for more than 7% of all blockchain spending. Clearly, there are enough businesses persuaded of blockchain’s viability to put some serious cash behind it.
Elsewhere, COVID has been the catalyst for early implementations of blockchain-based decentralized identity management systems. For instance, South Korea’s Jeju Island has begun rolling out a blockchain-based contact tracing system for tourists. Visitors will be required to download a mobile app upon arrival and issued with a blockchain-based “credential” to identify themselves when visiting tourist destinations.
At Thoughtworks China, the COVID-induced lockdown left a few of our colleagues with time on their hands. Which meant they could focus on their passion: blockchain technology. “A few of us had done some work on decentralized identity for a client using blockchain, and we were interested in applying that to next-generation payment systems,” says Shangqi Liu, Head of Blockchain at Thoughtworks China.
They came up with TWallet, a mobile digital wallet that safeguards users’ privacy. “In China, we already have a number of very efficient ways to use mobile payments, but typically they’re run by large corporations. And we see an opportunity for an independent, open alternative, where the users know their privacy will be guaranteed.”
TWallet uses blockchain technology to validate users’ identity and secure the mobile payments. Because the payments are authenticated on the user’s mobile device, no data is shared across the internet, enabling users to maintain their privacy.
Currently, such blockchain-based approaches to decentralized identity are interesting proofs of concept, says Elliman, but there’s still a long way to go before blockchain becomes a mainstream business technology.
“As of today, blockchain isn’t really built for the speed and scale you’d normally associate with enterprise tech,” he says. “But that’s not to say business leaders should be ignoring this stuff. There’s a real sense that consumer pressure is going to be a serious driving force around self-sovereign identity — where individuals demand that they control how their personal information is shared.”
“Today’s business leaders probably have enough headaches already when it comes to thinking about identity, so you could forgive them for not wanting to think about some massive change in direction. But as we know, it’s the businesses that aren’t focused on developing technology that get left floundering when all of a sudden, the world around them changes,” says Elliman.
With that in mind, you might not start deploying a decentralized identity management system today, but it would pay to think about what it would mean for your business.