Self-Sovereign Identity (SSI): Autonomous Identity Management


Self-sovereign identity (SSI) is a form of digital identity that the user has complete control over. This means that the user decides who sees what information and when. 

Digital identity is a user’s online identification, similar to a physical identification card such as a passport or driver’s license. A digital identity contains characteristics or attributes of the user. With self-sovereign identity, this sensitive identification information is kept secure and private, and it remains under the user’s control at all times.

Self-sovereign identity systems are typically built on distributed ledger (blockchain) technology, although the underlying standards do not require a ledger. They are decentralized: credentials move over a secure peer-to-peer channel rather than through a central identity provider, and trust rests on a triangle of three parties: the issuer of the digital ID, the holder (owner) of the ID, and the verifier of the ID. 

Unlike other forms of digital identity, SSI does not require all of the information on the ID to be shared each time. Sharing only the attributes the requestor actually needs helps preserve privacy and limits what a verifier (or anyone who later breaches that verifier) learns.

Understanding self-sovereign identity

Self-sovereign identity (SSI) can help instill the same level of trust and freedom for sharing or distributing identity characteristics in the digital world as an individual has in the physical world. SSI is user-centric, which means that the user owns their own data and does not rely on a central authority to prove that they are who they say they are. 

With SSI, the user is in complete control over what information they share and with whom. By using a common identity metasystem, users are able to verify their digital identity across multiple platforms and from different locations. Self-sovereign identity is therefore private, secure, and portable.

Protocols behind SSI

SSI rests on three main building blocks: verifiable credentials, decentralized identifiers, and a distributed ledger (blockchain) or other verifiable data registry that those identifiers resolve against. 

  • Verifiable credentials: The Verifiable Credentials data model, as standardized by W3C, lets a digital ID issuer make statements about a subject in a way that is privacy-respecting, tamper-evident, and machine-verifiable. Integrity and privacy come from public-key cryptography: the issuer digitally signs the credential, and some proof formats additionally support zero-knowledge proofs so that the holder can prove a statement without revealing the underlying data.

The owner of the credential decides how much, and exactly which components, of the digital ID to share with the verifier, showing only what is necessary and requested. The verifier checks the issuer’s signature against the issuer’s published public key (resolved from the issuer’s decentralized identifier) and checks the credential’s status, so it can verify the data without contacting the issuer directly. In practice the verifier still needs access to the registry that holds the issuer’s keys and any revocation list.  

  • Decentralized identifiers: Typical digital identifiers rely on intermediaries to provide a connection between two parties. This can include email providers, mobile network operators, Facebook, and Google. These intermediaries store personal digital identity information in a centralized database. 

This centralized database is a single, high-value target: one breach exposes every user’s personal credentials at once. The intermediary also observes each interaction in which it brokers identity, and the user has no control over how that metadata is used.

It could be used innocently, for example to tailor ad content on social media based on the user’s interactions, or it could be used for malicious purposes. The main point is that the owner of the credential has no control over how this collected metadata is used.

SSI instead relies on decentralized identifiers (DIDs), which can be either private (pairwise) or public. A private DID is created for one relationship and exchanged only between the two parties over a secure peer-to-peer channel; it is never written to a ledger, so no one outside the connection learns that the interaction took place or what identity information was exchanged. The channel does not depend on a central authority.

Public DIDs are published (for example, on the ledger) so that anyone can resolve them to the associated public keys and service endpoints. They are used by issuers and other parties that need to be discoverable, and they carry only the information the DID owner chooses to publish.  

  • Distributed ledger technology (DLT) or blockchain technology: A distributed ledger serves as the decentralized registry behind SSI. It gives everyone in the network the same source of truth about which public DIDs and keys exist, which schemas credentials follow, and whether a credential has been revoked, all while keeping the credential data itself off the ledger. Verification of a proof therefore comes down to whether the verifier trusts the attester whose key is registered there.

For example, to prove that you are over a given age without revealing your date of birth, you present a proof derived from a credential signed by the issuing authority, such as a government ID issuer. The verifier checks the issuer’s signature against the public key published under the issuer’s DID and, because it trusts that issuer, accepts the claim. No personal data is stored on the blockchain; what the ledger does hold (issuer DIDs, keys, schemas, revocation data) is append-only, so it cannot be deleted or silently altered, which is what makes it immutable.
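As an added example, not code from the original page or from any particular SSI project, the following Go program walks the trust triangle using the three building blocks above: the issuer publishes its public DID and verification key in a registry that stands in for the ledger, signs a credential for the holder, and the verifier later checks that credential by resolving the issuer’s key from the registry instead of contacting the issuer. The DID `did:example:dmv`, the holder identifier, the claims and the dates are constructed for the example; Ed25519 from the Go standard library is assumed in place of whatever signature suite a real deployment uses, and plain JSON encoding stands in for a proper canonicalization.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Registry stands in for the ledger: public issuer DIDs mapped to verification keys.
// A verifier resolves keys here; it never has to contact the issuer.
type Registry map[string]ed25519.PublicKey

// Credential is a simplified W3C-style verifiable credential.
type Credential struct {
	Issuer         string            `json:"issuer"`
	Subject        string            `json:"subject"`
	Claims         map[string]string `json:"claims"`
	ExpirationDate string            `json:"expirationDate"`
	Proof          []byte            `json:"proof,omitempty"` // issuer's Ed25519 signature
}

// payload returns the bytes the signature covers: the credential without its proof.
// encoding/json writes struct fields in declaration order and map keys sorted, which
// is deterministic enough here; real systems use a canonicalization such as JCS.
func (c Credential) payload() ([]byte, error) {
	c.Proof = nil
	return json.Marshal(c)
}

// Issue is the issuer's step: sign the claims made about the subject.
func Issue(issuerDID string, priv ed25519.PrivateKey, subject string, claims map[string]string, expires time.Time) (Credential, error) {
	cred := Credential{Issuer: issuerDID, Subject: subject, Claims: claims, ExpirationDate: expires.UTC().Format(time.RFC3339)}
	data, err := cred.payload()
	if err != nil {
		return Credential{}, err
	}
	cred.Proof = ed25519.Sign(priv, data)
	return cred, nil
}

// Verify is the verifier's step: resolve the issuer's key, check the signature, check expiry.
func Verify(reg Registry, cred Credential, now time.Time) error {
	pub, ok := reg[cred.Issuer]
	if !ok {
		return errors.New("issuer DID not found in registry")
	}
	data, err := cred.payload()
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, data, cred.Proof) {
		return errors.New("signature invalid: credential altered or not signed by this issuer")
	}
	exp, err := time.Parse(time.RFC3339, cred.ExpirationDate)
	if err != nil {
		return err
	}
	if now.After(exp) {
		return errors.New("credential expired")
	}
	return nil
}

// RunTrustTriangle walks issuer -> holder -> verifier and reports whether each
// verification check produced the expected outcome.
func RunTrustTriangle() (map[string]bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	issuerDID := "did:example:dmv" // assumed identifier; did:example is a placeholder method
	reg := Registry{issuerDID: pub}  // the issuer publishes its key once
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	// The issuer signs constructed sample claims; the holder keeps the result in a wallet.
	wallet, err := Issue(issuerDID, priv, "did:example:holder-123",
		map[string]string{"name": "A. Holder", "dateOfBirth": "1990-05-04"}, now.AddDate(5, 0, 0))
	if err != nil {
		return nil, err
	}
	results := map[string]bool{}
	results["valid"] = Verify(reg, wallet, now) == nil
	tampered := wallet // the holder edits a claim after issuance
	tampered.Claims = map[string]string{"name": "A. Holder", "dateOfBirth": "2010-05-04"}
	results["tampered_rejected"] = Verify(reg, tampered, now) != nil
	rogue := wallet // the credential names an issuer nobody has published
	rogue.Issuer = "did:example:rogue"
	results["unknown_issuer_rejected"] = Verify(reg, rogue, now) != nil
	results["expired_rejected"] = Verify(reg, wallet, now.AddDate(6, 0, 0)) != nil
	return results, nil
}

func main() {
	fmt.Println(RunTrustTriangle())
}
```

Run it with `go run`. The same credential is verified four ways: unchanged, with an edited claim, with an issuer DID that was never published, and after expiry. Only the first succeeds, which is exactly what the registry-anchored key lookup plus the issuer’s signature buy you; a production verifier would add a revocation-status check against the same registry.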

What is digital identity?

A digital identity is a user’s or entity’s digital identification, made up of characteristics or data attributes. It is what identifies a user or entity online and in the digital world.  

A digital identity can include the following information:

  • Username and password
  • Date of birth
  • Social Security number (SSN)
  • Online history and transactions
  • Citizenship
  • Business license
  • Medical information
  • University degree
  • Attestations from colleagues or friends
  • Social media accounts and activity

Digital identities are linked to at least one digital identifier, such as a domain name, URL, or email address. Digital identity information can be stored in a digital wallet, much as physical identifiers are kept safely in a wallet on your person or in a safe place. 

Types of digital identities

Digital identities have evolved along with technology in an effort to keep personally identifiable information (PII) safe from bad actors.

The earliest model of digital identities is called the siloed model. The user would need to request a digital identity credential from each service they wished to use. The user would then have to present the respective login credentials to each service each time.

This creates friction for the user and a security risk: every service needs its own password, which encourages weak or reused ones. The user also has no control over their data, such as what is being shared, how, and with whom.

The second model is called federated identity. It uses a third-party issuer of digital identity credentials, such as Facebook and Google. With this model, the user is issued a digital identity credential from this third party, which can then be used to log in to additional services. 

Identity management is outsourced to an identity provider (IdP), which then becomes the middleman of trust. These providers keep digital identity and credential information in a centralized database, often with financial incentives to do so. This has both privacy and security issues. 

The third, more evolved type of digital identity is self-sovereign identity. This model takes user privacy and security concerns into account while also providing a low-friction user experience. 

Benefits of self-sovereign identity

In 2021, the Federal Trade Commission (FTC) received nearly 1.5 million reports of identity theft. 

Using SSI gives the user control over their digital identity and can provide a more secure method of keeping sensitive information out of the wrong hands. Some of the benefits of SSI include the following:

  • Credential issuing is fast and simple.
  • Credentials can be verified at any time and in any place, even if the issuer no longer exists or is offline, as long as the issuer’s public key remains resolvable (for example, on the ledger).
  • Cryptographic signatures make credentials tamper-evident: any change to a signed credential is detected at verification time.
  • Using selective identity disclosure technology, digital identities are kept private and under the user’s control. The user decides what information to reveal and remains in control of the relationship with the ID verifier.
  • A digital and secure peer-to-peer channel is used to connect the issuer of the ID, the owner of the ID (the user), and the verifier of the ID. Not even the SSI system provider knows what information is being shared.
  • SSI uses a decentralized system, so personal identity information is not concentrated on a central server. A threat actor has no single database to breach and would instead have to compromise individual wallets.
  • Most of the time, you will only need the password (or device unlock) for your digital wallet, not separate passwords for different sites. This reduces password fatigue, which leads to weak, insecure, and reused passwords. The wallet then becomes the high-value target, so it should be protected with device-backed key storage and a tested recovery process.

Distinguishing self-sovereign identities

With SSI, there is a triangle of trust between the owner of the digital ID (the user), the issuer of the credential (a trusted entity), and the ID verifier (typically a third party). The owner of the digital ID gets to decide how their information is shared and in what way. 

There are two main methods for presenting a credential that preserve the privacy of the digital ID while letting the owner prove that they meet the necessary requirements, without showing all of the identifying information. 

The first method is selective disclosure, which lets the user reveal only a chosen subset of the attributes in their credential, each still covered by the issuer’s signature. For example, they can prove their age by disclosing only the birthdate from a government-issued ID, without also sharing the rest of the data on that ID, which can include a home address and more. 

The second method is the zero-knowledge proof (ZKP). This method uses cryptography to prove that the owner of the ID satisfies a specific requirement, for example that their birthdate falls before a given date, without revealing the supporting data at all. Credential formats built on signature schemes such as CL or BBS+ support this kind of predicate proof. 
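As an added example, not the page’s own code or any project’s implementation, the following Go program shows hash-based selective disclosure in the style of SD-JWT, which covers the age example in the selective disclosure paragraph above: the issuer replaces each claim with a salted SHA-256 digest, signs the sorted digest list, and hands the holder the salts and values; the holder later presents only the birthdate, and the verifier checks it against the signed digests. The verifier does learn the disclosed birthdate, so this is selective disclosure, not a zero-knowledge proof; proving “over 18” without revealing the date needs a ZKP-capable scheme such as BBS+, which this example does not implement. The issuer DID `did:example:dmv`, the claim names and the values are constructed, and Ed25519 from the Go standard library is the assumed signature algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Disclosure is one claim as kept in the wallet: issuer salt, claim name and value.
// Handing a Disclosure to a verifier reveals exactly that one claim.
type Disclosure struct {
	Salt  string `json:"salt"`
	Name  string `json:"name"`
	Value string `json:"value"`
}

// SignedCredential is the part the issuer signs: salted digests of every claim,
// sorted so that their order says nothing about which claim is which.
type SignedCredential struct {
	Issuer  string
	Digests []string
	Proof   []byte // Ed25519 signature over signedBytes(Issuer, Digests)
}

// digest commits to one claim. The random salt defeats brute-force guessing of
// low-entropy values such as a birthdate or a yes/no flag from the digest alone.
func digest(d Disclosure) string {
	b, _ := json.Marshal(d) // struct fields serialize in declaration order: deterministic
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// signedBytes is the byte string the issuer's signature covers.
func signedBytes(issuer string, digests []string) []byte {
	b, _ := json.Marshal([]interface{}{issuer, digests})
	return b
}

// IssueSD salts and hashes each claim, signs the sorted digest list and returns the
// credential together with the per-claim disclosures the holder stores privately.
func IssueSD(issuer string, priv ed25519.PrivateKey, claims map[string]string) (SignedCredential, map[string]Disclosure, error) {
	wallet := make(map[string]Disclosure, len(claims))
	digests := make([]string, 0, len(claims))
	for name, value := range claims {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return SignedCredential{}, nil, err
		}
		wallet[name] = Disclosure{Salt: hex.EncodeToString(salt), Name: name, Value: value}
		digests = append(digests, digest(wallet[name]))
	}
	sort.Strings(digests)
	cred := SignedCredential{Issuer: issuer, Digests: digests}
	cred.Proof = ed25519.Sign(priv, signedBytes(issuer, digests))
	return cred, wallet, nil
}

// VerifyPresentation checks the issuer's signature over the digest list, then checks
// that each disclosed claim hashes to one of those digests. Undisclosed claims stay hidden.
func VerifyPresentation(pub ed25519.PublicKey, cred SignedCredential, disclosed []Disclosure) (map[string]string, error) {
	if !ed25519.Verify(pub, signedBytes(cred.Issuer, cred.Digests), cred.Proof) {
		return nil, fmt.Errorf("issuer signature invalid")
	}
	signed := make(map[string]bool, len(cred.Digests))
	for _, h := range cred.Digests {
		signed[h] = true
	}
	claims := make(map[string]string, len(disclosed))
	for _, d := range disclosed {
		if !signed[digest(d)] {
			return nil, fmt.Errorf("claim %q was not signed by the issuer", d.Name)
		}
		claims[d.Name] = d.Value
	}
	return claims, nil
}

// RunSelectiveDisclosure issues a three-claim credential, presents only the birthdate,
// and confirms that a holder who edits that value before presenting it is caught.
func RunSelectiveDisclosure() (revealed map[string]string, forgedRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, false, err
	}
	// Constructed sample claims; "did:example:dmv" is an assumed placeholder identifier.
	cred, wallet, err := IssueSD("did:example:dmv", priv,
		map[string]string{"name": "A. Holder", "dateOfBirth": "1990-05-04", "address": "1 Example Street"})
	if err != nil {
		return nil, false, err
	}
	// The verifier receives one disclosure plus opaque digests; name and address stay private.
	if revealed, err = VerifyPresentation(pub, cred, []Disclosure{wallet["dateOfBirth"]}); err != nil {
		return nil, false, err
	}
	forged := wallet["dateOfBirth"] // a struct copy; the wallet entry is untouched
	forged.Value = "1980-05-04"
	_, err = VerifyPresentation(pub, cred, []Disclosure{forged})
	return revealed, err != nil, nil
}
```

Call `RunSelectiveDisclosure` from a `main` to try it: the verifier ends up with a map containing only `dateOfBirth`, and the edited birthdate fails because its salted digest no longer matches anything the issuer signed. The sorting of the digest list and the per-claim salts are what keep the two withheld claims opaque; dropping either would let a verifier infer or brute-force them.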

SSI uses asymmetric (public-key) cryptography. When a connection is made between two parties, such as an issuer and an ID owner, each side generates a key pair for that relationship: the public key is shared with the other party, while the private (secret) key stays in its owner’s wallet and is used to sign messages and credentials, which the other party verifies with the corresponding public key. Each connection, with its keys, is stored securely in the digital wallet.

Examples of real-world self-sovereign identities

SSI can help in a variety of industries to enhance the user experience, cut governmental bureaucracy, enhance banking practices, streamline healthcare, detect academic fraud, avoid personal data breaches, maintain GDPR (General Data Protection Regulation) compliance, and help individuals whose ID-issuing authority no longer exists be able to verify their identities.

Some real-world examples of the use of self-sovereign identities include the following:

  • The Province of British Columbia, Canada, has the first Hyperledger Indy-based production ecosystem, which relies on the Verifiable Organizations Network (VON) to deploy a decentralized identity system. In Canada, every business owner must deal with three different tax numbers from three levels of government: local, provincial, and federal. With SSI, one trusted organization in this chain issues a digital verifiable credential that the other organizations can verify rather than re-checking the business from scratch.
  • The European Blockchain Services Infrastructure (EBSI) is another effort to use SSI capabilities to launch and operate EU-wide cross-border public services, allowing users to control their own identity without relying on centralized authorities.

Self-sovereign identity can also be beneficial to the banking, healthcare, humanitarian aid, and human resources (HR) industries. In banking, SSI can help to secure user data and maintain privacy, which can help with the Know Your Customer (KYC) and industry compliance regulations. 

Think of all the paperwork and different entities involved in securing a mortgage, for example. With self-sovereign identity, this process could be streamlined.

When used within HR, SSI could potentially speed up employee onboarding and help individuals to verify necessary information even if the issuing authority no longer exists. This can be especially helpful for refugees, for instance, who have no ability to prove their degrees or business licenses if the issuing institution has since been destroyed. 

Within healthcare, a patient’s identity is extremely important, but many of the systems involved in complete medical care do not properly communicate. Self-sovereign identity could ensure that patients receive the treatment they need while protecting sensitive identity information.

Additional resources

For more information on the security and convenience of a digital wallet, on blockchain technology, and on federated identity, see the corresponding entries in the references below, including Okta’s own overview of federated identity. 

Ultimately, self-sovereign identity, or SSI, is a type of digital identity model that can help users to protect and control how their data is used and viewed, offering a high level of privacy and security.

References

Verifiable Credentials Data Model v1.1. (March 2022). W3C.

New Data Shows FTC Received 2.8 Million Fraud Reports From Consumers in 2021. (February 2022). Federal Trade Commission (FTC).

General Data Protection Regulation (GDPR). Intersoft Consulting.

Decentralized Identity. (December 2018). BC Government.

European Cross-Border Services with EBSI. European Commission EBSI.

What Is a Digital Wallet? (March 2022). U.S. News & World Report.

What Is Blockchain? (2022). Euromoney Institutional Investor, PLC.

What Is Federated Identity? (2022). Okta.