In the digital world, identity is key to everything we do. Want to pick up from where you left off in your latest streaming TV series? Desperate to know when your impulse-bought top-of-the-range flight simulator rig is turning up? Whatever we do in the digital world, being able to prove who we are and what permissions we have to access information is critical.
The same is true in digital business.
Digital identity is the gateway for accessing the systems that your employees, your partners and your customers rely on. But establishing who has what access rights is getting harder — at least if you’re stuck to using antiquated ideas about identity management.
Today’s any given business process might depend on a handful of interconnected systems, each of which may be running in different clouds. At every step across that process, your business reputation depends on ensuring that only those people with sufficient privileges are able to access specific information.
Research and advisory firm Forrester notes in their January 2, 2020 report, New Tech: Decentralized Digital Identity (DDID), Q1 2020, “Today's digital identity frameworks are centralized, suffer from a lack of trust, aren't portable, and don't give consumers control.”
A new approach is needed. One of the most promising is around decentralized identity, says Dave Elliman, Global Head of Technology at Thoughtworks. In a decentralized identity system, entities — people, organizations and things — gain control over their identities and allow trusted interactions.
The power of this approach is that it enables people to share different parts of their identity with different services as they see fit, says Elliman. “When dealing with your health insurer there’s a level of detail that you might exchange that would be completely inappropriate for your mortgage provider to know. The promise of a centralized identity system is that you can have a single system that enables you to authenticate yourself with multiple entities.”
But it’s not just individuals that could gain from a decentralized approach to identity and authentication.
Today’s businesses are already dealing with incredible complexity when it comes to managing customer data. Customers might have a number of different ‘identities’ they adopt when dealing with a company, explains David Colls, Director, Data and AI Practice, at Thoughtworks Australia.
For instance, a single individual might be a long-standing, high-value client for your company, while also acting as treasurer to the local football team that also has an account for you. “If you have decentralized identity as a deliberate architectural construct, it puts power back in the hands of the customer but in a way that makes it easy for organizations to provide services to the different identities that a customer chooses to adopt,” says Colls. “That will be a real enabler for dealing with a lot of the complexity that we're seeing as a result of the emergent decentralized identity phenomenon.”
Building decentralized identity on solid foundations
Decentralized identity systems are fundamentally different from current approaches.
Today, most of the enterprise-level thinking around next-generation authentication is focused on initiatives such as SPIFFE, the Secure Production Identity Framework For Everyone, says Elliman.
SPIFEE aims to solve the problem of authentication across distributed cloud systems, without having to rely on APIs keys or passwords.
But these approaches put the onus on the enterprise to manage authentication. A true decentralized identity system puts the individual in control. And there is growing support for this type of user empowerment from regulators, says Elliman.
If you look at the General Data Protection Regulations from the EU or the California Consumer Privacy Act, they’re addressing questions of identity with a sharp focus on giving power back to the individual, says Danilo Sato, Principal Technology Consultant at Thoughtworks UK.
Notions such as the right to be forgotten or the principle that individuals can demand to know what data companies are holding about them are a real challenge for businesses today. “From the perspective of an individual, I’d be really skeptical about whether a company was really going to destroy my personal data if I asked them to,” says Sato.
A decentralized identity system solves that by only sharing that data the individual wants to share; and if they change their minds about sharing it or decide an organization no longer needs it, they have the control to revoke access.
One core enabler for building a decentralized identity system is standards. Bodies such as as the Decentralized Identity Foundation are leading the way here. Its mission is to develop the components of an open, standards-based, decentralized identity ecosystem for people, organizations, apps, and devices. Much of its focus on the notion of open decentralized identifiers — something that is utterly unique, persistent and can be managed by individuals.
Enter the blockchain
It’s at this point that many advocates for decentralized identity start to talk about blockchains. After all, we’re looking at decentralization and cryptographically secured exchanges. That’s bread and butter stuff for blockchain.
Elliman, however, sounds a note of caution.
“Blockchain is definitely one promising avenue for decentralized identity; but it’s by no means the only one. Many of the very powerful ideas behind decentralized identity can work without blockchain, so it’s important not to conflate the two.”
But while some blockchain enthusiasts have gotten over-excited about its potential in a myriad of applications, there are some firm reasons for at least considering its role in decentralized identity.
Take money, for one. While the COVID pandemic has hit IT investments across the globe, sectors such as banking, government and healthcare are expected to continue to prioritize investments in blockchain-based identity management solutions, according to analyst group IDC. It estimates that identity management accounts for more than 7% of all blockchain spending. Clearly, there are enough businesses persuaded of blockchain’s viability to put some serious cash behind it.