Time to research: idOS

ginoongbakulaw
9 min read · Jun 13, 2024


The idOS (Identity Operating System) is the identity layer of web3. They are building an open-source, composable and chain-agnostic solution to enable true decentralized identity across the web3 space.

The idOS is made up of two key elements:

  1. A compliant dStorage Network of Nodes, managed by Node operators that host user-encrypted data, usually in the form of W3C Verifiable Credentials.
  2. An Access Management Protocol, allowing users to manage their own data and grant/revoke access to third parties like dApps.

idOS is a joint effort of several leading building partners and ecosystems designed to spark the widespread implementation of decentralized identity across web3. Some of the initial use cases enabled by the idOS include KYC-data syncing between Gnosis Pay and Monerium for easier user onboarding in highly regulated environments or allowing developers on NEAR BOS to leverage ready-made solutions to build decentralized social dApps.

The idOS is not the single magic solution to all decentralized identity problems, but a composable, open-source layer for storing identity data. The table below shows idOS focus and where there is room to develop composable solutions:

Key Features

Chain Agnostic

  • Global user pool — Cross-chain interoperability ensures any stakeholder in the system can access a shared pool of users across web3.
  • Composable — Anyone can build new tools or dApps on top of the idOS, integrate existing ones and leverage the open-source infrastructure.
  • Multi-standard — The idOS works with any identity frameworks (including W3C compatible Verifiable Credentials).

Compliant

  • User-consented agreement — There are no intermediaries between the user and the third party when a user grants access to data.
  • Revocations & data deletion — Users are able to revoke data access to third parties and erase data from their idOS profile.
  • Time-locked access — Time-locked grants ensure data access for a specific time length with automatic revocation afterwards.

Self-sovereignty

  • User-owned — Users have full control over what data is stored and can flexibly grant or revoke access to third parties.
  • User-encrypted — Data stored in dStorage nodes is encrypted to the public key of an encryption keypair the user derives when setting up an idOS profile; only the matching secret key, which the user holds, can decrypt it.
  • Privacy-preserving — Users can choose to only share access grants to credentials for specific parts of the data in their idOS profile.

Decentralized

  • Constant data availability — Unlike with identity wallets, data is always online and accessible to parties with active access grants.
  • No platform risk — User data is stored across multiple distributed nodes, ensuring access even if one node is down.
  • Shared consensus — A dStorage network of nodes secures the idOS. At first, run by building partners, then permissionless.

How is data stored?

The idOS is a place to store your identity data and credentials in a self-sovereign and decentralized way. The data is stored across multiple distributed nodes and is encrypted using the user’s public keys.

Users decide which data is stored in their idOS profile. In general, any data can be stored in the idOS, but the main initial use cases that the idOS will support at launch are:

  • KYC/AML (verified)
  • Proof-of-personhood (verified)
  • Linked wallet addresses (verified)
  • User inputs, like social profiles, gaming achievements, participation certificates, etc. (verified/unverified)

At the idOS’ inception, Fractal ID will be the first issuer to provide W3C-compliant Verifiable Credentials. More issuers, like identity verification providers, will be able to leverage the idOS tech stack in the upcoming months.

By default, all identity data is user-encrypted before being added to the idOS. The idOS distributes all encrypted data among its Node providers and uses a consensus mechanism to harmonize the dataset state. Organized by idOS table, the guidelines below show the encryption state of each kind of data added to the idOS:

Risk Factors

The idOS is an open-source, self-sovereign and gradually permissionless system. This gives participants far-reaching abilities to perform actions that are highly discouraged:

  • Users might choose to upload data to the idOS that is not encrypted and visible to all node providers
  • dApps might implement the User Data Dashboard and amend it in a way that intercepts the user’s data
  • dApps might amend the access grant SDK to not encrypt data again after it’s shared with them

They have opted against limiting the user’s rights or only allowing curated dApps to participate in the idOS in favor of a more open, self-sovereign system. They will closely monitor these risk factors together with all node providers and keep making the idOS better and safer for users.

System Architecture

The idOS is composed of two parts. The first is a dStorage Network of Nodes, secured by the building partners as the initial node providers and designed specifically to meet the compliance and security needs of identity data. The second is an Access Management Protocol, which gives users self-sovereign control over their own data and lets them interact with dApps across the whole web3 space. Additionally, the idOS provides an SDK for dApps to integrate the idOS and a User Data Dashboard, where users can manage their stored data, credentials, and access grants.

The dStorage Network of Nodes is a key part of the idOS. The idOS’ data is stored in a decentralized relational database, thanks to Kwil, one of the building partners. Nodes synchronize data using CometBFT.

Kwil is a byzantine fault tolerant relational database with which developers can build high-throughput, data-intensive decentralized networks. By handling problems like consensus, non-determinism, and access control out-of-the-box, Kwil provides data security, fair value accrual and interoperability with existing web3 tooling. The idOS utilizes Kwil to offer unparalleled privacy and compliance.

Functionality

Compliant dStorage

Compliant, decentralized storage for identity information is one of the two pillars of the idOS. dStorage allows users to maintain self-sovereignty and privacy while gaining the convenience of cloud storage. dStorage isn’t a new concept in web3, but compliance concerns above all have kept it from gaining widespread adoption for personal data. dStorage has clear advantages over identity wallets in terms of data availability and composability.

Standard identity formats

The idOS encourages identity verification providers to issue credentials that follow the W3C Verifiable Credentials standard, as it’s the most commonly accepted VC standard today, and their SDK is prepared to work with it.

Granting data access

The Access Management Protocol is the access rights management system of the idOS. It requires access requests to be authenticated and authorized. It governs who has access to data on the idOS.

After establishing ownership of their wallet address and of their idOS profile, users can grant others access to their data. The SDK automates some steps of the access grant process, such as inserting the correct receiving wallet address of the dApp, whereas a user of the User Data Dashboard fills this in manually. In both cases, the verifiable data is decrypted on the user’s side with the user’s secret key, encrypted again to the receiver’s public key, and then re-uploaded to the idOS nodes. The nodes never hold the plaintext or the user’s secret key.

Users have now established that they want the receiver to have access. This fact is written into an access grant smart contract on the respective blockchain. This access grant allows receivers to retrieve data at any point in the future, even if the user is offline, as long as the access grant is still active.

This enables a data receiver to use the idOS as a customer relationship management tool (CRM), as they may keep the data in the idOS without downloading it as they have continuous data availability guarantees.

A user has the right to revoke access at any time, disabling the receiver’s ability to access the data. Access grants can be time-locked where regulation requires data retention for a fixed period (for example, five years). In these cases, an access grant can only be revoked after the time lock has expired.
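The grant rules described in this section (a grant names an owner, a receiver and a data record; the receiver can read while the grant is active; the owner may revoke at any time unless a time lock is still running) are worth seeing enforced in one place. The block below is an added example written for this page, not the idOS access grant contract or SDK: it is a plain in-memory registry, all names and the timestamps are constructed, and "now" is passed in explicitly so the time-lock and revocation rules can be exercised without waiting.

```javascript
// Added example (not idOS code): an in-memory model of access grants with time locks.
// A grant is keyed by (owner, grantee, dataId). Only the owner may revoke it, and only
// once its time lock has expired; an access request is authorized only for the grantee
// of an active grant. Timestamps are unix seconds and are supplied by the caller.
class AccessGrantRegistry {
  constructor() {
    this.grants = new Map(); // key -> { owner, grantee, dataId, lockedUntil, revoked }
  }

  static key(owner, grantee, dataId) {
    return `${owner}|${grantee}|${dataId}`;
  }

  // owner grants grantee access to dataId; lockedUntil = 0 means no time lock
  create({ owner, grantee, dataId, lockedUntil = 0 }) {
    const k = AccessGrantRegistry.key(owner, grantee, dataId);
    const existing = this.grants.get(k);
    if (existing && !existing.revoked) throw new Error('grant already active');
    this.grants.set(k, { owner, grantee, dataId, lockedUntil, revoked: false });
    return k;
  }

  // Revocation: caller must be the owner, and the lock (if any) must have expired.
  revoke({ caller, owner, grantee, dataId, now }) {
    const g = this.grants.get(AccessGrantRegistry.key(owner, grantee, dataId));
    if (!g || g.revoked) throw new Error('no active grant');
    if (caller !== g.owner) throw new Error('only the data owner may revoke');
    if (now < g.lockedUntil) throw new Error(`time-locked until ${g.lockedUntil}`);
    g.revoked = true;
  }

  // Authorization check for a data request: the requester must be the grantee of an active grant.
  canAccess({ requester, owner, dataId }) {
    const g = this.grants.get(AccessGrantRegistry.key(owner, requester, dataId));
    return Boolean(g) && !g.revoked;
  }

  // What a dashboard would list for an owner: active grants and the lock time left on each.
  activeGrants(owner, now) {
    return [...this.grants.values()]
      .filter((g) => g.owner === owner && !g.revoked)
      .map((g) => ({ grantee: g.grantee, dataId: g.dataId, lockedFor: Math.max(0, g.lockedUntil - now) }));
  }
}

// Walks through a five-year-locked grant: access works, early revocation and revocation
// by the grantee are refused, revocation after expiry succeeds and cuts off access.
function walkthrough() {
  const reg = new AccessGrantRegistry();
  const DAY = 86400;
  const t0 = 1700000000;                                  // constructed start time
  const owner = '0xuser', dapp = '0xdapp', dataId = 'cred-kyc-1'; // constructed ids
  const fiveYears = 5 * 365 * DAY;
  reg.create({ owner, grantee: dapp, dataId, lockedUntil: t0 + fiveYears });

  const trace = {};
  trace.dappCanAccess = reg.canAccess({ requester: dapp, owner, dataId });
  trace.strangerCanAccess = reg.canAccess({ requester: '0xother', owner, dataId });
  trace.lockedFor = reg.activeGrants(owner, t0)[0].lockedFor;
  try {
    reg.revoke({ caller: owner, owner, grantee: dapp, dataId, now: t0 + DAY });
    trace.earlyRevoke = 'allowed';
  } catch (e) { trace.earlyRevoke = e.message; }
  try {
    reg.revoke({ caller: dapp, owner, grantee: dapp, dataId, now: t0 + fiveYears + DAY });
    trace.granteeRevoke = 'allowed';
  } catch (e) { trace.granteeRevoke = e.message; }
  reg.revoke({ caller: owner, owner, grantee: dapp, dataId, now: t0 + fiveYears + DAY });
  trace.afterRevoke = reg.canAccess({ requester: dapp, owner, dataId });
  return trace;
}
```

Note that the registry only decides who is authorized; the data itself is still only readable by whoever holds the secret key the record was encrypted to, so a revoked grant stops future retrieval but cannot recall what a receiver already downloaded while the grant was active.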

User Data Dashboard

The User Data Dashboard is one of the tools to allow users to manage their data with the idOS. It is an open-source dApp built on top of the idOS. It is meant to be a resource for teams that want to build their own versions, and individualize their visuals and functionalities.

The main functionalities of the User Data Dashboard are:

  • Manage data that has been stored in the user’s idOS profile (edit, delete)
  • Manage admin addresses
  • Manage access grants (create new ones, revoke old ones, see time locks)
  • Direct users to data verification providers to receive verified credentials

Encryption

The idOS uses asymmetric encryption by default to secure user data. Data is encrypted to the public key of the keypair the user derived when setting up an idOS profile, so only the holder of the matching secret key can decrypt it.

In the absence of a stronger, more recent recommendation, they follow Latacora’s 2018 cryptographic recommendations and use NaCl/libsodium for asymmetric encryption (Curve25519 key agreement with an authenticated cipher; NaCl’s crypto_box pairs X25519 with XSalsa20-Poly1305, which is the construction named in step 4 below).

Because most users have a password rather than a key, the idOS derives encryption keys from a password using a key derivation function (scrypt). The derivation proceeds as follows:

  1. The user is asked to choose a password.
  2. The password is normalized for consistency, so that the same password typed on different systems yields the same bytes.
  3. The normalized password is fed to scrypt-js to derive a 32-byte key.
  4. That 32-byte key is used as the secret key of a new asymmetric keypair (x25519-xsalsa20-poly1305) via tweetnacl-js.

To make the derivation deterministic, the scrypt parameters (CPU/memory cost, block size, parallelization) and the salt are held constant for a given user. A single salt shared by all users would weaken the scheme badly, because one precomputed table (a rainbow table) would then cover every user, so the idOS scopes determinism to each user: by default the user’s idOS ID serves as the salt, and a planned upgrade will instead generate a BIP-39 mnemonic seed phrase for each user. Note that a per-user salt only defeats precomputation across users; the strength of a single user’s key still rests on the password itself and on the scrypt cost parameters, which is why the move to a seed phrase matters.

Encryption flow #1: Using derived keys (from seed or password)

Encryption flow #2: Creating a data access grant (using re-encryption)

Legend: PK = Public Key | SK = Secret Key (AKA Private Key)

Tools

Software Development Kit (SDK)

The idOS JavaScript SDK enables dApp frontends to easily work with the idOS. It supports the most common use cases, such as requesting data and access grants from the user. You can find the SDK source on GitHub.

Command Line Interface (CLI)

The idOS command-line tool gives developers a convenient interface to the idOS, and can be easily integrated into the backend of any dApp. They are looking to release it later this year.

User Data Dashboard

The User Data Dashboard is a reference implementation of a user-facing idOS data management application. The User Data Dashboard is meant to be forked, improved and individualized by dApps and other parties utilizing the idOS. You can find the data dashboard source on GitHub.

Product Roadmap

Phase 1 — Alpha (Q3 2023)

Phase 2 — MVP (Q4 2023)

Phase 3 — Growing with their ecosystem (2024)

In 2024, they expect to progressively decentralize their services, constantly work on security and privacy, integrate more partners and create a great experience both for users and for developers.

idOS Software License

The idOS SDK is released under the MIT License, a permissive license known for its minimal constraints on software reuse and notable license compatibility.

dApps leveraging the idOS SDK have the freedom to use, copy, modify, merge, distribute, and even grant sublicenses for it. This license also accommodates its integration into proprietary or closed-source applications. However, there are certain stipulations: all redistributed versions must retain a copy of the MIT License terms and the associated copyright notice.

This ensures that the original copyright and license details from the idOS code remain intact. Importantly, the license disclaims all warranty and liability, so the original authors cannot be held legally accountable for any issues arising from the code.

$IDOS Launch and Airdrop

Read more here.

Official Links

Website | Twitter/X

If you like this research, hit that clap button and follow me here and on Twitter for more research soon. I dive into a wide range of projects in different chains and sectors to research. Thank you for reading!
