The Who’s Who of Decentralized Identity Systems

A look at the different identity standards and platforms.

“The concept of identity is fundamental to human activities. The identity of an individual, their attributes, and representation of the self is understood worldwide regardless of culture. Modern society binds the notion of individual identity with a legal identity, such as social security numbers, passports and driving licences. This binding leads to situations where one can lose their identity if the state rescinds it. It is especially apparent in the case of refugee crises, where migrants have difficulty living in countries in which they are not registered.” - Self-Sovereign Identity using Smart Contracts on the Ethereum Blockchain

What are DIDs?

Decentralized IDs (DIDs) are accepted standards for creating unique identifiers for people, organizations or things. Some DIDs allow for a self-sovereign identity, which means that you are the owner of your identity. DIDs allow for interoperability between dApps and companies through standardization. They have many applications, but one of the more interesting and industry-specific use cases is ‘know your customer’ (KYC). DIDs could ultimately be used by organizations to manage KYC requirements. This would allow for more secure interactions and more control over the data that accumulates around a specific identity, as multiple third-party applications would not be needed to verify an identity.

Use cases for DID KYC include: 1) ICOs, for the verification of the buyer’s identity needed for legal requirements, and 2) service-based tokens, where one needs assurance that the service provider is legitimate and not going to disappear and steal your tokens. This is useful for when the anonymity that blockchain provides becomes a detriment to the dApp, company or organization.

DIDs are not currently accepted as KYC, as legislation does not move as fast as technology, and refinement is still needed.

Today’s KYC methods have third-party governance to prove certain financial, criminal or identity aspects relating to a person. This comes at the cost of privacy and security, and these methods are typically inefficient and time-consuming, such as having to provide bank statements and utility bills (depending on your country’s requirements).

Why do we need DIDs?

“You know how you can use your Facebook or Google account to login to different websites around the internet? Self-Sovereign Identity is like that except instead of Facebook or Google controlling your identity, you are in control. This is a more private and secure digital identity that helps you avoid being tracked online or having your data stolen in a massive breach.” — What’s the best way to describe decentralized identity to the world?

The current standard for digital identities for online users is to have multiple accounts with various third parties who provide authentication and password-controlled IDs, such as Google and Facebook. Although these identities can be linked, they are not interchangeable, nor are they owned and controlled by the user. In fact, the user has very limited control over who has access to their data, although the EU has made some initial steps towards changing this.

Self-sovereign DIDs allow for an individual to take control of their own identity, which means that it cannot be altered or revoked by a third party. Individuals no longer need to worry about privacy breaches and data leaks, as they now own their data and have absolute control over who has access to it.

Investigating use cases

DIDs come in many shapes and forms. Some are partially centralized using governments and organizations as third-party identity verifiers. Others (such as Civic) use Optical Character Recognition (OCR) in conjunction with government-issued passport/ID photos as proof. Some are completely decentralized (such as uPort) using self-attested data, like an email address, to start building up the data around an identity.

Most use cases are focused on KYC, but the possibilities go much further. DIDs could be used for credit scores and for accountability for online actions, such as identifying online “trolls” and hate speech. With the growing research into zero-knowledge proofs, we are approaching a stage where sensitive information can be protected and access controlled on-chain. The implementations are only as limited as your imagination.

The standards:

Here we’ll look at the various popular identity standards, their uses and who is contributing towards improving them.

DID dApps/ Platforms:

Bloom (repo), Civic (repo), Sovrin (repo) and uPort (repo)

DID Standards:

ERC725 repo, ERC735 repo, ERC1056 repo, ERC780 repo

Non DID Standards mentioned:

ERC20 repo and Minime

What are DID standards & why do we need them?

In Ethereum, DID standards are interfaces. This means that there is a standardized way of implementing them, which allows for interoperability.

These standards allow for multiple dApps to use them, and multiple contracts and wallets to be able to call their functionality without knowing the inner workings of the code. This is important because if there was no standard, every wallet would have to create a proxy contract for every dApp that they visit in order to access the dApp’s functionality. This would quickly become chaotic and unmaintainable.

Through the implementation of these standards, there can be fewer proxy contracts that the user would have to interact with, which prevents a mess of proxies that have the rights to act on the user’s behalf. This also reduces risk and exposure.

DID standards usually consist of a standard and a registry. The registry usually acts as a database of the contracts and addresses that use the DID. This registry can be thought of as the proxy contract for wallet addresses.

Bloom: (Minime ERC20)

Bloom’s mission is to decentralize credit scoring, with a focus on international adoption. Using the Bloom token (BLT) for their credit system, Bloom facilitates the issuing of loans from lenders with lower fees.

The Bloom ID creates a “global secure identity without exposing your personal information. Big banks and data providers vouch for your identity and creditworthiness. Bloom IQ reports and tracks current and historical debt obligations of a Bloom ID by pulling key data points that assist in painting a clear picture, allowing complete control over all your information.” — What is Bloom? — An Introduction to the Bloom Protocol.

The Bloom ID, trusted third parties and the Bloom IQ feed into the Bloom score, which is your credit risk score. Bloom’s app is currently iOS exclusive.

The DID

Bloom uses a variant of the Minime (ERC20 compliant) standard. This information is tucked away in their repo and could not be found in any resource, including the white paper. The Minime standard allows for the cloning of tokens.

Minime tokens keep a history of all changes at any given block. The variant of Minime that Bloom uses is called MiniMeIrrevocableVestedToken. “Irrevocable” means unable to be changed, reversed, or recovered; final. The variant adds the createTokenGrants functionality. A token grant is a way of restricting the token receiver’s ability to spend the tokens, in terms of what they can be spent on and the time period in which they can be spent. The Bloom ID is restricted to their ecosystem and is not reusable outside of it.

Civic: (ERC20)

Civic’s mission is to create a personal identity verification protocol with a focus on reusable verification of data and mainstream adoption for things like passport and national ID replacement. The user must take photos of their national ID and passport, and then fill in the remaining requested information. The ID is verified using a selfie and Optical Character Recognition (OCR) to test user liveness and likeness to photos. Civic accomplishes this by storing the user’s personal identity on their device, using the device’s built-in biometrics as proof of ownership. The reason for utilizing local storage is that, should someone want to hack the system, they would have to target individual devices, making it much harder to accomplish the widespread data leaks and breaches that we have seen on Web2.0.

The DID

Civic uses the Bitcoin blockchain for recording transactions and does not have an Ethereum DID standard. Data is stored in a Merkle tree. Only the tree root, and not the leaves (data points), ends up going on-chain. This allows the user to provide hashed data to a dApp or organization without revealing the data itself.

“The hashed data can be used as a fingerprint for the data being attested to.” — Civic white paper.
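The root-only anchoring described above, as an added example that is not Civic's code: attributes are hashed into a Merkle tree, only the root would be published, and one attribute is disclosed together with its sibling path. SHA-256, the per-attribute salts, the leaf encoding and the padding leaf are assumptions of this sketch, and the attribute values are constructed.

```python
import hashlib
import hmac
import secrets

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(name: str, value: str, salt: bytes) -> bytes:
    # 0x00 tags a leaf; the per-attribute salt (an assumption of this sketch)
    # stops a verifier brute-forcing low-entropy values such as a birth date.
    n = name.encode()
    return _h(b"\x00" + salt + len(n).to_bytes(2, "big") + n + value.encode())

def node_hash(left: bytes, right: bytes) -> bytes:
    # 0x01 tags an inner node so a node can never be passed off as a leaf.
    return _h(b"\x01" + left + right)

PAD = _h(b"\x02padding")  # filler leaf that rounds the tree up to a power of two

def build_levels(leaves):
    size = 1
    while size < len(leaves):
        size *= 2
    level = list(leaves) + [PAD] * (size - len(leaves))
    levels = [level]
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def prove(levels, index):
    # Sibling hashes from leaf to root; the flag is True when the sibling sits on the left.
    proof = []
    for level in levels[:-1]:
        proof.append((level[index ^ 1], index % 2 == 1))
        index //= 2
    return proof

def verify(root, name, value, salt, proof):
    acc = leaf_hash(name, value, salt)
    for sibling, sibling_is_left in proof:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return hmac.compare_digest(acc, root)

# Constructed sample attributes, not real data.
ATTRS = [("name", "Alice Example"), ("dob", "1990-01-01"), ("country", "ZA")]
SALTS = [secrets.token_bytes(16) for _ in ATTRS]
LEVELS = build_levels([leaf_hash(n, v, s) for (n, v), s in zip(ATTRS, SALTS)])
ROOT = LEVELS[-1][0]  # the only value that would be anchored on-chain
```

A verifier holding only ROOT can check a disclosed attribute with `verify(ROOT, "dob", "1990-01-01", SALTS[1], prove(LEVELS, 1))`; the other leaves appear in the proof only as hashes.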

The ERC20 token is used as their tradable form of settlement between participants to an identity-related transaction within the ecosystem.

Sovrin:

Sovrin is a decentralized, global public utility for self-sovereign identity, standardizing the online identity format and the verification of those credentials. Sovrin uses the Hyperledger blockchain and is therefore not usable by Ethereum contracts or wallets until the completion of the Polkadot project. Sovrin accomplishes this by having only Sovrin validators as nodes, bringing an element of centralization to the platform. Sovrin’s 4 pillars of requirements are: government (network trust in system), performance (self-sovereign identity at internet scale), accessibility (DID for all) and privacy (strongest privacy standards).

The DID

Sovrin uses the Hyperledger Indy project as the framework for their DID. The Indy project provides, “tools, libraries, and reusable components for creating and using independent digital identities rooted on blockchains or other distributed ledgers so that they are interoperable across administrative domains, applications, and any other ‘silo’.” — Hyperledger Indy project.

Sovrin doesn’t store any private data on the blockchain.

“No private data is stored on the Sovrin ledger — even in an encrypted form” — Sovrin white paper.

This is done to align with the EU GDPR’s right to be forgotten. Sovrin also takes into account that encryption could, in theory, be broken through quantum computing, and gives that as a further reason for not encrypting data and adding it to the blockchain. Sovrin takes advantage of zero-knowledge proofs for proving information without revealing it, such as proving a person’s age without revealing their date of birth.

uPort: (ERC1056 & ERC780)

uPort’s mission is to provide identity ownership, with a focus on interoperability, as well as user adoption. They often have breaking changes but are easily contactable. Currently, uPort is the most supported DID dApp for Ethereum. The Zug ID project and the Swiss Federal Railway project are two real-world applications that highlight uPort’s capabilities.

uPort allows for claims to be made on the ERC1056 DID in the dApp. It allows for QR code scanning to connect to dApp websites and approve transactions. uPort is developer focused, allowing developers to use the platform as, “a way of securely interacting with users and their data, while simultaneously respecting privacy.” — Releasing uPort Libraries 1.0

uPort gives users greater control over their data, reduces overheads and builds GDPR compliance into their architecture. uPort also offers uport-connect, a decentralized equivalent of Facebook connect. This allows users to use their uPort identity on a web browser. This feature provides, “preconfigured flows to authenticate users, request data from their uPort mobile app, issue verified data back to them, and make transactions on the Ethereum network.” — Releasing uPort Libraries 1.0

The DID

Using ERC1056 as their DID standard, in combination with the ERC780 claims registry, uPort has created a W3C-compatible DID attestation architecture. Any address, wallet or identity is compatible with ERC1056. This is much more inclusive than other models, as any Ethereum address can be used in an attestation without needing that address to interact with a smart contract. Other DID standards require a specific contract to be created in order to access the benefits of the DID, which has a significant cost associated with it. The single most important thing about uPort’s identity standard is that it’s W3C compliant. This means that regardless of the system or blockchain, it complies with the universally accepted standard. uPort is available on both iOS and Android.

Final Thoughts

The standards in Ethereum are constantly changing, along with the platforms that use them. Treat this as an introduction to the platforms, rather than the be-all and end-all. As this is intended to be a living document, we will keep this article up-to-date on the latest in decentralized identity platforms.

Further reading for the curious:

  1. 10 things you need to know about Self Sovereign Identity, part 1
  2. A First Look at Identity Management Schemes on the Blockchain
  3. Ethereum Token Standards Exhaustive List
  4. Have I Been Pwned (see how many times your data has been hacked)
  5. Why I’m excited about Self-Sovereign Identity
  6. Bloom Medium
  7. Is anyone else worried by how much Bloom is advertising? (2017)
  8. Where Bloom cloned the vested Minime tokens from
  9. The MiniMe Token: Open Sourced by Giveth
  10. State of dApps: Ranking of identity dApps
  11. Reasons Why Civic Can Become the Most Promising Cryptocurrency in 2018
  12. What is Civic?
  13. Different Approaches to Ethereum Identity Standards
  14. uPort white paper (outdated — 2016)
  15. In the Scramble to Fix Digital Identity, uPort Is a Project to Watch
  16. The Basics of Decentralized Identity (uPort article)

Linum Labs Blog

At Linum Labs, we are a global team of developers, entrepreneurs, and change-makers, building decentralized systems in healthcare and identity.

Written by Veronica Coutts

A blockchain believer & Ethereum developer. Trying to spread knowledge, peace and critical thinking.
