Decentralized Digital Identities — Overview of a Nascent Industry
“On the Internet, nobody knows you’re a dog.” This famous cartoon caption by Peter Steiner, published in 1993, anticipated what is today a serious problem. In the internet of the 21st century, identity theft costs the world $45 Bn annually.
This is because current authentication systems require digital consumers to create one user account for each of the digital services they join, surrendering private information many times and ultimately losing control of who has access to it. At the same time, the companies that are responsible for validating and securing this information are increasingly susceptible to security hacks due to this concentration of sensitive data. As a consequence, we’ve witnessed a worrisome and growing incidence of identity-fraud cases in past years.
With the digitalization of sectors such as finance, health services, and government, in which identity verification is critical, the need for a more robust authentication system has become urgent.
Two years ago at MIT, we initiated academic research on the problem and discovered in decentralized computing architectures an innovative solution that transfers control of private information to the end users. We soon realized that the potential of decentralized identities exceeded privacy protection and promised frictionless onboarding experiences, efficient Know-Your-Customer (KYC) compliance, and drastic reductions in identity-theft rates — so much so that we decided to move from research to execution. Today, we are working at full speed on Gataca, a decentralized digital identity implementation that aims to provide a trusted, global solution for the digital economy.
In this article, we provide an overview of this nascent and exciting industry.
Decentralized digital identities represent a new authentication paradigm that helps users to take back control of private information and provides a one-stop shop for securely authenticating in digital services. The proposed architecture exploits blockchain technologies to provide a neutral, auditable, and trusted identity platform across the globe.
A new solution to old problems. Both identity theft and inefficient KYC processes are old, familiar problems. Most efforts so far have focused on providing more tools to businesses to make KYC more secure and efficient. Decentralized architectures challenge this approach. Why try to build a more efficient KYC when the ideal would be to eliminate the need to perform KYC in the first place? Why not perform KYC once on the user side and share it with third parties? The idea is to create a digital identity with the same (or greater) level of trust accorded to a physical ID card, trusted globally and controlled by the user.
The question is no longer if, but when. Two years ago, there were very few players betting on decentralized digital identities. Today, it is a recognized market whose potential impact has been assessed by renowned analysts including Gartner and McKinsey. Its size was estimated at $90.4 M by Markets and Markets in 2018, and it is expected to grow to $1.9 Bn by 2023.
We are racing toward the peak of inflated expectations in the technology’s hype cycle, so we should expect a mountain of publicity about successful and unsuccessful pilots over the next 12 months. The early adopters are governments, banks, and financial consortiums worldwide, who are already dedicating resources to pilot the concept. One example is the government of Thailand, which in January revealed its plans to put into production a decentralized identity on a national scale.
The motivations leading early adopters to invest in this technology fall into three main areas: cost savings in financial markets, financial and social inclusion for underserved communities, and future economic growth for developed economies, for which it may be crucial. The use cases, however, are almost infinite, including access control for airports and airlines, instant employee onboarding coupled with access control to buildings and IT systems, globally unified health records, a single sign-on across all digital services worldwide, identity delegation, voting systems, and digitization of the real estate industry.
The underlying concept is almost always the same. The end-to-end architecture rests on three major pillars:
First, a digital-ID wallet for consumers, that is, a mobile app that allows users to (a) create, receive, and store verifiable identity credentials and personal information (such as a name, address, email, driver’s license, passport, or academic certificate), (b) validate their authenticity with certified authorities, and (c) share this information securely to gain instant access to digital services.
Second, tools for the issuance and validation of credentials that allow certified authorities to attest to the authenticity and ownership of a credential.
Third, single-sign-on authentication tools that allow businesses to accept decentralized digital IDs for authentication.
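To make the three pillars concrete, the following added example (not code from this article, from Gataca, or from any standard) sketches the flow in Node.js: an authority signs a credential bound to the wallet's key, the wallet presents it by signing a service's one-time challenge, and the service verifies both signatures. The credential layout, function names, and sample values are assumptions made for illustration and do not follow the W3C data model.

```javascript
const crypto = require('node:crypto');

// Deterministic JSON (sorted keys) so signer and verifier process identical bytes.
function canonical(v) {
  if (v === null || typeof v !== 'object') return JSON.stringify(v);
  if (Array.isArray(v)) return '[' + v.map(canonical).join(',') + ']';
  const members = Object.keys(v).sort().map(k => JSON.stringify(k) + ':' + canonical(v[k]));
  return '{' + members.join(',') + '}';
}
const sign = (obj, key) => crypto.sign(null, Buffer.from(canonical(obj)), key).toString('base64');
const check = (obj, sig, pem) =>
  crypto.verify(null, Buffer.from(canonical(obj)), pem, Buffer.from(sig, 'base64'));
const pemOf = key => key.export({ type: 'spki', format: 'pem' });

// Pillar 2: a certified authority attests to claims and binds them to the wallet's key.
function issueCredential(issuerId, issuerPrivateKey, holderPem, claims, expires) {
  const body = { issuer: issuerId, holderKey: holderPem, claims, expires };
  return { body, issuerSig: sign(body, issuerPrivateKey) };
}

// Pillar 1: the wallet shares the credential and signs the service's one-time challenge.
function present(credential, holderPrivateKey, challenge, audience) {
  const binding = { challenge, audience, issuerSig: credential.issuerSig };
  return { credential, holderSig: sign(binding, holderPrivateKey) };
}

// Pillar 3: the service checks issuer trust, integrity, expiry and key ownership.
function verifyPresentation(p, trustedIssuers, challenge, audience, now) {
  const { body, issuerSig } = p.credential;
  const issuerPem = trustedIssuers.get(body.issuer);
  if (!issuerPem) return 'untrusted issuer';
  if (!check(body, issuerSig, issuerPem)) return 'bad issuer signature';
  if (now >= body.expires) return 'expired';
  if (!check({ challenge, audience, issuerSig }, p.holderSig, body.holderKey)) return 'bad holder proof';
  return 'ok';
}

// Constructed sample run; identifiers, claims and timestamps are made up.
function demo() {
  const issuer = crypto.generateKeyPairSync('ed25519');
  const wallet = crypto.generateKeyPairSync('ed25519');
  const trusted = new Map([['example-authority', pemOf(issuer.publicKey)]]);
  const cred = issueCredential('example-authority', issuer.privateKey,
    pemOf(wallet.publicKey), { over18: true }, 2000);
  const p = present(cred, wallet.privateKey, 'nonce-1', 'shop.example');
  const run = (pres, nonce, now) => verifyPresentation(pres, trusted, nonce, 'shop.example', now);
  return { p, run, valid: run(p, 'nonce-1', 1000), replayed: run(p, 'nonce-2', 1000) };
}
```

The holder's signature over the challenge and audience is what ties a presentation to one login attempt: a captured presentation fails verification when the service issues a fresh challenge.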
Multiple technical approaches for the same concept. Despite agreement on the underlying concept, nascent players have adopted significantly different business models and technical implementations. Some companies are building new identity-purpose blockchain networks, both private and public. Some are building lower-layer protocols and tools for developers, others use existing networks and employ token systems to incentivize users and validators, while others, like us, are pursuing non-token-based, interoperable applications for users and businesses. Indeed, digital identity is a complex concept, and to date there is no one-size-fits-all solution that covers all use cases.
Among the projects with longer track records, we highlight Gataca (of course!), uPort, Civic, Sovrin, Hyperledger Indy, and Authenteq, but many others pop up every month, each with its own technical approach.
A collaborative competition with no clear leader yet. The beauty of this industry is that these players recognized the ambitious nature of the proposal (building a user-owned identity for the digital economy) and have joined forces under well-respected nonprofit organizations such as the W3C and the DIF to define industry standards jointly. If we want such a profound change in the authentication architecture of digital services, we had better ensure interoperability from the beginning.
In this context, it is unclear who, if anyone, will be the leader or how the competition model will develop. In our opinion, one company may become the de facto standard for lower-layer protocols, although much of the heavy work is already being led by W3C working groups. The competition will likely remain on the middle and upper layers, with companies offering interoperability solutions, integration, and migration services for businesses; credentials verification and issuance management for authorities; or advanced ID wallets for consumers. It may be too early to say, but one thing is clear: Decentralized digital identities have come to stay, and it is only a matter of time before the world recognizes it.