The Resurgence of Digital Identity

Digital Identity, why and why now.

Ping Chen
Pelith
Aug 23, 2021


Digital identity, in the self-sovereign sense used in this post, is built on asymmetric cryptography: a key pair provides authentication, integrity, and non-repudiation for online transactions. It is a prerequisite for many Internet activities, such as issuing certificates, private messaging, and of course, financial operations.


The rise of online identity

Password or private key

The idea of “key pair as an identity” dates back to the last century (PGP keys and X.509 client certificates, for instance). However, digital identities were never widely accepted by average users. The main cause is undoubtedly the complexity of using such a system: how can non-technical people conveniently and safely keep a private key in hand? They can’t.

As a result, when Web 2.0 emerged and web companies needed to verify their customers, they adopted the account-and-password pattern instead of the public/private key pair. When registering a new account, the user picks a memorable password and the company stores it (ideally only as a salted hash). From then on, login is a “brain to database” comparison.

Security and centralization crisis

This simple model works, but it brings a series of security issues. Since remembering many passwords is tiring, users tend to reuse them everywhere. If one of those services stores passwords insecurely (no salt, a fast or broken hash function, etc.) and gets pwned, every other service where the same password was reused is in danger, because the leaked credentials can simply be replayed there (credential stuffing).

OAuth

OAuth, and OpenID Connect built on top of OAuth 2.0 for login, was adopted to address this. It lets small companies rely on an existing identity provider: instead of running their own authentication server, they delegate the work to a third party where users already have an account. Nevertheless, even giants like Facebook have been caught storing user passwords in plain text. Not to mention the centralization risk: many companies that adopt OAuth suffer from continuously changing provider policies, and once a company is banned by its OAuth provider, its whole login flow, and with it the business, stops working.

The return of digital identity

Nowadays, people in this industry are discussing alternatives to account-and-password again. Passwordless solutions such as biometrics, SMS codes (weak against SIM swapping), and OTPs are feasible, but in terms of identity, the key pair still seems to be the ultimate goal. We believe that blockchain, specifically Ethereum, is going to make the resurgence of digital identity possible, for the following reasons:

Blockchain for user-friendly crypto infrastructure

As mentioned before, usability is the primary concern of key-pair-based identity. It is not realistic to require laypeople to sign transactions with a command-line tool, and being fully responsible for keeping the keys in a decentralized system is scary for them too.

commercial grade wallets for storing private keys

People in cryptocurrency are already familiar with these concepts, and as the tooling matures, signing with a private key has never been easier.

Thanks to DApps and Ethereum, more and more people have had their first experience of owning a private key and signing transactions with it. Plenty of browser extensions, mobile apps, and hardware devices have been created to serve the rising demand. Those handy tools are beneficial for the popularization of digital identity, even if they were not built for it.

Blockchain for statefulness

Unlike password verification, public-key cryptography itself is stateless: the validity of a cryptographic signature is context-free, and a valid signature alone says nothing about whether the key is still the right one to trust. Yet ‘state’ is required for digital identity in more advanced scenarios. Many GPG users interact with a (somewhat) centralized key server to register, replace, or revoke their public key. Overall, we still need state to enrich the usability and expressiveness of digital identities.

Identity onchain record

Blockchain is a natural fit for holding that identity state. Rather than a single key server (such as MIT’s PGP key server) storing key records, Ethereum, as a distributed ledger, has roughly 5K nodes worldwide, each holding a replica. All of the records are auditable, tamper-resistant, and economically finalized. Projects like ENS provide an onchain registry for your identity: you can link foreign accounts and add metadata to them in a permissionless way.

Account controlled by private key and account controlled by code

Furthermore, by implementing access control with a smart contract, your identity on Ethereum becomes programmable. You can add multisig, social recovery, and even a dead man’s switch to your root identity while keeping daily usage simple.

Digital identity + OAuth

Toward mass adoption of digital identity, many users already own private keys, but there is no general solution for service providers yet. Luckily, OAuth has already been accepted by many of them. By combining OAuth with key-based verification, web2 companies can integrate digital identity in the way they are used to.

Eauth is an OAuth2-compatible authentication service based on Ethereum. Integrators can offer digital identity as one more OAuth option, seamlessly and without any knowledge of cryptography or web3 wallets. While using OAuth usually means handing control over to a third party, an identity authenticated via Eauth always remains non-custodial: the private key never leaves the user’s wallet.

User, wallet, and web2 service provider communicate via Eauth

Roadmap to the decentralized world

Admittedly, web2 plus login with Ethereum isn’t perfectly decentralized. A decentralized world should be entirely permissionless and trustless, but most online activity still happens on web2 servers at present. It’s more likely that the web2 and web3 worlds will go side by side for some time. Meanwhile, Eauth can be the bridge between the two.
