Citizen Identification (2/4) : Decentralized identifiers (DID)

In this second article of the series, we continue to examine issues related to the digitization of identification documents and go technically deeper into how blockchain technology can contribute to it.

--

How do Digital Identities Work on a Blockchain?

By building on the concept of decentralization, blockchain technology allows users to create and manage digital identities through:

  • Decentralized identifiers (DID)
  • Identity management
  • Encryption

What is Digital Identity?

A digital identity results from the use of personal information and from the data created by individuals when using online services, data that can be traced back to them.
A digital identity may be a pseudonymous profile created online, photos uploaded to social media, posts created or commented on, an online bank account, search engine history, and so on. Data that usually form a digital identity include usernames and passwords, driver's license number, online purchasing history, date of birth, online search activities, medical history, etc.

Compared to a paper-based ID such as most driver's licenses and passports, a digital ID can be issued, stored and authenticated remotely through various digital channels.
A digital ID could be issued by a national or local government, by a consortium of private or nonprofit organizations, or by an individual entity. This definition applies regardless of the specific technology used to perform digital authentication, which could range from the use of biometric data to passwords, PINs, or smart devices and security tokens.

At first glance, we could say that a good digital ID must have the following attributes:

(Figure: attributes of a good digital ID. Source: McKinsey)

How is Digital Identity Created?

An individual signs up to a decentralized (blockchain-based) identity and data management platform to create and register a Decentralized Identifier (DID). During this process, governed by the rules of public-key cryptography, the person generates a pair of private and public keys. The public keys associated with a DID can be stored on-chain so that the record can be updated when keys are lost, compromised or changed for security reasons.
Additional data associated with a DID, such as credentials, could be stored on-chain, but because of volume and size constraints, and to remain scalable and compliant with privacy regulations (in the EU, for example), not all data related to a DID should be stored on-chain.

What is a Decentralized Identifier?

A decentralized identifier (DID) is an identifier for a person, company, object, etc. Each DID is secured cryptographically by a private key. Only the person in possession of the private key can prove that they own or control that identity. Several DIDs can be created by one individual, which limits the risk of being tracked across the many activities of their life. For example, a person could have one DID associated with a streaming platform, an entirely separate DID associated with their bank or credit reporting platform, and another one associated with an insurance company.

Each DID is often associated with a series of trusted credentials issued by other DIDs, which validate and attest specific information related to this DID (e.g., location, age, diplomas, citizenship, etc.). These credentials are cryptographically signed by their issuers, which allows DID owners to store these credentials online or on-chain themselves instead of relying on a single profile provider such as Facebook, Google, etc.
In addition, currently non-attested data such as articles, videos or social media posts can also be associated with DIDs by the owner of that data, for intellectual property protection or credibility, since it would be anchored and verifiable on-chain forever.

How are decentralized identities secured?

A key element of securing decentralized identities on a blockchain is cryptography. In public-key cryptography, private keys are known only to the owner, while public keys are shared widely. This pairing mechanism accomplishes two functions:

  • The first is authentication, where the “message (i.e., data) is ‘signed’ by the private key, and the recipient of the message can then use the sender’s public key to verify its integrity, ensuring that it came from the private-key holder and was not tampered with in transit.”
  • The second is encryption, where “Anyone with the public key can use it to encrypt a message to send to the private-key holder, knowing that only they will be able to open it.”
(Figure: Understanding digital signatures and public-key encryption. Source: ID4D)

To minimize the possibility of data loss due to compromised keys, processes have been designed to rotate (change) keys regularly.

How are decentralized identities used?

Once paired with a DID, individuals can present the verified and trusted identifier, for example in the form of a QR code, to prove their identity and access services that require it. The service provider (government agency, employer, health insurer, bank, etc.) verifies the identity by checking both the validity of the presented credential (its issuer) and its ownership: the credential had been associated with a DID, and the user signs the message (in this case, the presentation of their identity) with the private key belonging to that DID, a key that only they hold. Only if both checks pass is access granted.

Source: World Wide Web Consortium (W3C)

In the following articles, we will further investigate the possibilities offered by blockchain technologies, such as Cardano and Atala Prism, to develop access to identification documents while making them more secure.

Proof of Africa [POA] is a stakepool-powered African adoption driver.

Learn more about our initiatives here.

Follow us on Twitter here.

Join the discussion on our Telegram chat here.

Proof of Africa supports the “African Blockchain Centre for Developers” (ABCD), which aims to create opportunities by providing blockchain solutions to the world thanks to young talents working in Africa.