Web3 has an Identity Problem: Building Decentralized Identity

Jelena Hoffart
10 min read, Sep 12, 2022


Institutional adoption of DeFi is dependent on the creation of an identity verification layer for Web3. We explore what decentralized identity could look like and the emerging companies building this vision.

Web3 will be forced to build an identity verification layer, catalyzed by the institutionalization of DeFi and regulation that increasingly sees crypto transactions with a similar lens as traditional money movements and banking systems.

This presents an incredible opportunity: Web3 innovators can re-imagine identity management at scale as the “next phase” of the internet is being built. We don’t have to rely on the identity management of Web2, characterized by consumers handing over sensitive information to a centralized institution without knowing how the data will be used, stored, or monetized.

But what could this new paradigm of identity management look like? Privacy and security concerns stemming from years of controversy with big tech means consumers want to own their identity and control who they share that data with. And, importantly, the technological innovation of distributed ledger (blockchain) technology helps unlock this user-centric identity management at scale. All of these factors together give rise to the impetus for replacing the status quo identity management paradigm of Web2 in favor of decentralized identity (also known as self-sovereign identity or SSI), the new identity management paradigm that can characterize Web3.

Web3 Needs an Identity and Compliance Layer
At its height, DeFi had grown to $100B+ in total value locked in less than two years. However, DeFi is still in its early infancy and further adoption and growth in volume requires buy-in from financial institutions. This presents a problem: DeFi needs institutions for mass adoption. Institutions need compliance.

As we detailed at length here, banks and fintechs are mandated to verify the identity of each user and assess the financial risk of people and transactions to keep bad actors out of our traditional financial systems. At the same time, with the emergence of DeFi and crypto assets, regulators are grappling with how to enforce financial compliance laws within a system purpose-built for anonymity. Today, you can buy crypto without undergoing know-your-customer (KYC) checks via decentralized exchanges, crypto ATMs or P2P exchanges. However, regulators are implementing piecemeal guidance that views crypto transactions through a similar lens as traditional money movement and banking functions. We expect to continue to see new regulation strengthen the requirements for cryptocurrency businesses to assess financial crimes risk, customers’ source of funds and counterparty risk, activities which require an identity verification layer in DeFi.

For example, in June 2022 the EU outlined updated Transfer of Funds Regulation (“Travel Rule”) and Markets in Crypto Assets (MiCA) regulation, the most comprehensive crypto framework globally to date. The framework is expected to be implemented in 2024, and will affect almost anyone transacting in crypto within the EU or sending crypto to the EU.

  • Travel Rule: Requires originator and beneficiary data to be collected and verified for any transfer between regulated cryptocurrency businesses, regardless of value (the US has implemented similar rules for transactions above $3,000). More surprisingly, cryptocurrency businesses in the EU will also be required to assess the financial risk involved for every transfer if the counterparty is a third party unhosted wallet.
  • MiCA: Outlines the licensing regime for cryptocurrency businesses and applies broadly to all crypto assets (with the exception of DeFi and NFTs, but further regulation is upcoming). It requires that cryptocurrency businesses follow similar licensing rules to those required of traditional financial intermediaries, defines and bans specific forms of market manipulation (insider trading, wash trading, front running) and holds crypto businesses liable for the damages or losses resulting from preventable hacks or operational failures.

Decentralized Identity will Allow Consumers to Own their Identity and Control Who They Share that Data With
The identity management paradigm in Web2 is characterized by consumers handing over sensitive information to a centralized institution without knowing how the data will be used or stored. For example, “Login with Google” and “Login with Facebook” allow companies to piggy-back off of the identity management of Google and Meta, which profit from amassing databases of personal information and tracking users across the internet. But 75% of Apple users have opted out of third-party tracking to demand privacy, per Liminal Strategy. In fact, one company is flipping the script on selling consumer data by instead paying consumers for their data: Shawbrook Bank offers a 1% APR reduction on loans for consumers who allow the bank to collect their income and expenditure data.

Security is also a concern. Since 2017, 600M identification details have been leaked. Companies’ centralized storage of personal data is a target for these hacks, and so are passwords. In today’s mobile-centric world, consumers keep track of hundreds of usernames and passwords while re-using the same combinations, meaning one breached account could unlock all of your accounts.

Instead, Figure 1 envisions a system of decentralized identity, empowering consumers with a secure, encrypted solution to store their identity instead of granting broad consent to numerous apps and services. Rather than allowing full access to all of the information on a driver’s license by default, the consumer is empowered to selectively disclose information. In this case, the consumer reveals only a binary yes/no that they are over 18, without revealing their DOB. Consumers own their data and can take their verified identity with them to present to institutions.

Figure 1; Source: Microsoft

Unlike Web2, Distributed Ledger Technology (DLT) Enables User-Centric Identity Management at Scale
With the emergence of Web3, the next phase of the internet is being built, and DLT enables the type of user-centric identity management described above to work at scale.

  • Distributed Ledger Technology (DLT), “Directory”: All participants within a distributed ledger system have access to the same shared ledger and immutable record of transactions. DLT removes the need for siloed and centralized databases and allows for the decentralized unique identification of anything. Applied to identity management, the distributed ledger becomes a “directory” of identity credentials, providing the source of truth for a credential’s validity and its attestor.
  • Decentralized Identifiers (DIDs), “Usernames”: DIDs are unique URL identifiers that are cryptographically verifiable. Although DIDs function like a username to connect an identity with a subject for a trusted interaction, they are not owned by an institution the way your Instagram username is owned by Meta.
Figure 2; Source: Decentralized Identity Foundation
  • Verifiable Credentials (VCs), “Passport”: Verifiable credentials are claims about achievements or attributes that include a cryptographic proof of who issued them. For example, it’s your on-chain passport, ID card or diploma.
  • Zero Knowledge Proofs (ZKPs), “Selective Disclosure”: Zero knowledge proofs and encryption are critical technologies because distributed ledgers are designed to be readable by anyone. To support decentralized identity, distributed ledgers will instead store decryption keys to validate information while the data itself will be encrypted and stored locally on a user’s device. As shown in Figure 1, ZKPs empower the consumer to selectively disclose information.

In a prior article, we detailed the account opening process at a financial institution today. Using these technologies instead, the process becomes much simpler. When a person is born, the government uses its DID to issue and sign a cryptographically verifiable KYC credential attesting to her legal name, DOB and SSN. When she wants to open a checking account, she presents the KYC verifiable credential to the bank. The bank can check that the government has verified the authenticity of her identity, without any other intervention needed, so she is approved for the account with near-perfect trust. Later on, she wants to apply for a loan and the bank requests her credit score. Rather than sharing her exact score, she selectively discloses that her score is within the acceptable range for a prime loan.

Figure 3; Source: Tykn

Decentralized Identity Market Landscape
We are excited about the companies building the infrastructure for this decentralized identity vision, and have categorized them into the user interface layer and the developer layer, and along the Web2 to Web3 continuum.

Figure 4

User Interface Layer: Wallets, Applications and Enablers
If verifiable credentials are the “passports” representing identity, wallets are the storage vectors. Wallets work by storing private keys which prove the user owns and controls their digital assets, and are the gateway to interface with Web3. Wallets are accessible through mobile devices or computers, but if you lose the device, the keys stored in the wallet remain protected and encrypted. In the past several months, Robinhood, Vessel by Stytch, Gamestop and others launched self-custodial wallets to compete with MetaMask and Phantom. Many more will certainly emerge in what will shape up to be a crowded space where each dApp must build connectivity to support many wallets (a problem that Dynamic seeks to solve).

These wallets are centered on digital asset storage today, but a crop of companies are building identity-centric wallets for Web3 including Disco, Onchainid, Serto, Bloom, Fractal and Tuum. Other startups such as Ethereum Name Service (ENS) and Unstoppable Domains sell NFT-backed domain names such as “name.crypto” and “name.eth.” Quadrata enables consumers to mint non-transferrable NFTs with KYC/AML identity information and add them to Web3 wallets. Along this same thesis, Portabl enables consumers to collect and manage credentials from synced financial institutions and enables companies to receive pre-verified KYC data, forgoing the need to reverify each customer. It’s inevitable that Web3 wallets will evolve from digital asset storage to blend both payments and identity, becoming the gateway not only to every transaction globally, but to every authentication globally.

But wallets exist in Web2, too. Apple and Google wallets have stored cards, tickets and boarding passes since the 2010s. Both are even doubling down on wallets, for payments and identity. Google recently revamped its wallet, and Apple Wallet now supports Arizona and Maryland digital ID cards that are valid at select TSA airport checkpoints. And, according to research by Jason Mikula, Apple likely has patent applications for work with the US Government for a mobile identity credential for KYC to be used for account opening or holding/trading cryptocurrencies, giving Apple an unparalleled first mover advantage. Coupled with a widespread consumer footprint and distribution advantage (75% of iPhones have Apple Pay activated!), Apple poses a significant threat to a new identity management paradigm. It’s challenging to envision them ceding their data moat in favor of decentralized identity when the business is built on monetizing user data.

Developer Layer: Protocols and Infrastructure
Companies are providing the tools for developers to directly embed decentralized identity architecture into the Web3 ecosystem, providing a better UX for consumers without requiring their participation.

Networks such as Ceramic, Filecoin and Spruce’s Kepler are building decentralized data storage enabling composable and reusable data across all applications, unlike the Web2 equivalents of Google or Meta which keep data siloed within their own ecosystem.

Spruce is also building SpruceID, a modular toolkit equipping developers with interoperable DIDs, white label VC wallets and other identity infrastructure. In addition to the consumer-facing wallet, Portabl provides APIs and SDKs allowing Web2 and Web3 companies to verify claims and mint verifiable credentials. NFID is building frictionless, biometric authentication. NFID stores your private keys on your device, and creates a new, hybrid-hardware wallet for each account allowing you to be untraceable while enabling a more robust form of multi-factor authentication.

A host of other companies are building the onboarding, KYC, credit scoring and compliance layers for DeFi including Footprint, Spectral, Violet, Burrata, Shyft, Parallel Markets, Civic and Spring Labs, among others. These companies are creating the crucial identity fabric to support continued institutionalization of Web3 and DeFi.

Consumers and Companies Benefit from Decentralized Identity
So why should consumers care?

  • User-Centric and Private: Consumers own their data and have control over what information they share and with whom.
  • Secure: Identity is tamper-proof and not stored on centralized servers which are ripe for hacks and breaches.
  • Interoperable: Open infrastructure improves interoperability, seamlessly enabling many issuers and users of identity information.
  • Passwordless: Aside from your wallet password, you don’t need multiple points of user authorization.

Buy-in from companies is equally crucial to the creation of a new identity management paradigm.

  • Less Expensive and More Efficient: Financial institutions pay ~$1 to verify the identity of each consumer who opens an account, even if that same consumer has a verified identity at another institution. Decentralized identity can eliminate the friction and cost of re-verifying credentials.
  • Secure: Passwords and centralized databases of personally identifiable information (PII) represent points of failure from a cybersecurity perspective, a focus of the Biden Administration in light of recent attacks.
  • Improved Trust: In an increasingly digital world, improved verification improves trust in the ecosystem, ensuring bad actors are kept out.
  • Uncapped TAM: Identity touches every industry including financial services, e-commerce, lending, gig economy, healthcare, supply chain, payments and beyond. Estimates for TAM range from ~$265B (Liminal Strategy) to ~$550B (Cheqd).

We spoke with Eamon Jubbawy, Co-Founder of Onfido, who predicts that the infrastructure supporting decentralized identity (data storage, authentication, compliance, wallets, etc.) will propel the next $100B company:

“The big opportunity, the $100 billion company that’s going to be built…is a company that allows consumers to own and control their own data [and] choose who to share [it] with…And everyone wants to move to this model because they realize that whoever ultimately is the provider of online identity [is] the guardian on behalf of the consumers [and] becomes an incredibly important company, but also becomes the gateway for every transaction that happens arguably, globally.”

Areas for Innovation
We’re in the early innings of decentralized identity and are excited to follow along as the companies we identified above, and others yet to emerge, innovate around the following areas.

  • Consumer Friction: Empowering consumers with a frictionless and ubiquitous identity solution.
  • Credentialing Infrastructure: Equipping institutions, such as governments and universities, with the infrastructure to issue credentials on-chain seamlessly.
  • Revocation: Enabling credentials to be updated or removed over time, for example, when you are no longer a member of a club or your driver’s license is revoked.
  • Private Key Recovery: Supporting key recovery without centralized storage of keys.
  • Anonymity: Ensuring anonymity without the ability to correlate across on-chain interactions.
  • Interoperability: Bridging different blockchains employing various schemas while simultaneously satisfying emerging, and potentially conflicting, global regulation.

Jelena Hoffart

I write about and invest in all things identity, fraud, security and compliance