The internet’s missing identity layer
The internet and the web are essentially public goods that benefit people across the globe. However, the identity systems that currently help consumers use the web are ultimately private goods, primarily benefiting their providers, as opposed to the actual identity owners. Additionally, these systems are fragmented across multiple centralized providers, including the likes of Facebook and Google, as well as other proprietary solutions.
In this article, we first explore the history that has led us to this point. We then explain the need for, and describe the general outlines of, a truly public internet identity layer, one that primarily benefits the identity owners as opposed to tech giants. In future writings we will dive into the technical details of such a solution and how to make it a reality.
Summary
The web’s original vision, of a public information system, did not optimize for the use of private information, which in turn led to the lack of a robust identity layer in the early Web 1.0 days. Internet companies such as Facebook, Google and Microsoft were driven to build their own identity layers during the modern Web 2.0 era. These providers have recently adapted their systems into a standards-based identity provider model. Unfortunately this model, though standardized, is not as open, permissionless, and censorship-resistant as the web.
As of today, no solutions exist that fully satisfy the need for a native internet identity protocol that is also decentralized, permissionless, privacy-enabled, self-sovereign, interoperable and usable. Approaches such as those by legacy identity providers or newer systems designed for national identity, blockchain identity, and offline cryptographic identity, all claim universality, yet fail to address real requirements coming from critical subsets of identity owner groups, namely consumers, early adopters, or organizations.
Any suitable candidate should support a minimum set of common scenarios including account creation, login, privacy, recovery, etc. As an inherently secure system, it should also take advantage of the latest proven technology patterns and features, such as password-less authentication, cryptographic public-private keys, and hardware-secured cryptographic modules.
As part of a Web 3.0 wave of technologies, not only will such a universal identity protocol affect the existing technology landscape by reducing centralization of power and user lock-in, it will also open up new technical possibilities for developers to take advantage of by building universally interoperable applications. The existence of such an identity layer is also likely to lay the foundation for future developments in privacy, personal data ownership, decentralized application protocols, digital value ownership as well as personal data stores.
Internet history and architecture
The original internet protocols (TCP/IP, DNS, etc.) as well as the world-wide web protocols (HTML, HTTP, etc.) were all primarily designed to support a universal information system, one that enabled the sharing and consuming of public information in a decentralized and permissionless manner. They purposefully did not focus on the problem of private information.
Web 1.0 came with its own elementary identity subsystem in the form of Uniform Resource Identifiers (URIs), the Domain Name System (DNS) and X.509 secure certificates. These protocols allowed website owners to establish the identity and reputation of their sites online. However, this system was never designed to be a general-purpose digital identity system, particularly for consumers of those websites.
The closest the internet came to defining a semi-decentralized and privacy-enabled consumer identity system early in its development was the Simple Mail Transfer Protocol (SMTP). This system defines identifiers as email addresses and information storage instances as mailboxes holding user data. However, as per its original design, this system has primarily been used for transferring email, as opposed to acting as a general-purpose identity system.
Facing the above-mentioned lack of a robust universal identity system, Web 2.0 companies such as Facebook, Google and others built their own proprietary identity systems to support their consumer content and social networking platforms. They later evolved their architectures while supporting the general internet community in developing a standardized identity provider model based on the OAuth 2.0 and OpenID Connect set of standards. In the case of Facebook, and a few others, standardized identity systems have been marketed to app developers as generalized web identity systems, which offer benefits to developers and users in terms of development and app usability, but at the cost of ceding developer and consumer power to these rapidly growing technology companies.
A universal identity protocol
The internet needs and deserves a truly decentralized and generally usable identity system. This complete vision can only be fulfilled by a distributed protocol, which:
- Is open, decentralized, permissionless and censorship resistant.
- Allows everyone to own, secure, manage and use their digital identities.
- Is privacy-enabled, allowing data owners to keep their identity and data private if they choose.
- Is usable by consumers.
- Supports tech early adopter scenarios.
- Is based on agreed-upon standards.
- Is interoperable with other consumer and public identity systems.
- Supports a growing variety of applications and use cases through versioning.
As of today there are a few categories of identity systems claiming the position of a universal identity solution, despite always failing to fulfill some portion of the above criteria.
The contenders
The Web 2.0 identity providers have achieved a considerable level of success with the help of the OAuth 2.0 and OpenID Connect open protocols. Most of the internet’s daily login volume, over 300 billion, flows through such providers, including Facebook, Google, other central providers, as well as miscellaneous proprietary implementations. Facebook has proven by far the most ubiquitous identity provider and identity app platform.
Despite its current success, the Web 2.0 identity provider model has led to a fragmented and skewed identity ecosystem, in which consumers and app developers hold little market power compared to players like Facebook, who leverage their centralized market power and control over consumer data.
There are a number of national identity and e-government projects out there, some with moderate levels of success. However, these solutions are inherently not universal, lacking the properties of neutrality, interoperability and censorship-resistance, which disqualifies them for the position of the internet’s native identity layer.
For the early adopter audience, the most successful categories are cryptographic identity products, including PGP, Keybase, etc., and cryptocurrency wallet products focused on blockchain-based decentralized finance (DeFi) applications. The cryptographic identity products emphasize privacy and control, while cryptocurrency wallet products tout security and trustless operation. These solutions are generally difficult to use, require extensive operational effort, and fail to effectively connect to the existing consumer identity ecosystems.
Up-and-coming blockchain-based identity platforms such as Sovrin, and overlaying applications such as uPort on Ethereum, promise to be a universal, permissionless and decentralized solution to the identity problem. However, due to their blockchain-based design, they fail in particular to provide the adequate privacy required by the consumer and early adopter markets. They do have the potential to provide an alternative Public Key Infrastructure (PKI) that other solutions can build upon.
Recent work from the World Wide Web Consortium (W3C) and the Decentralized Identity Foundation (DIF), specifically the set of standards being developed on top of the Decentralized Identifier (DID) standard, is a promising collection of technologies that points in the right direction. What is missing at this point, however, is a framework for creating usable experiences that can cover a large array of common scenarios and use cases. As we go forward, questions around implementing usable “wallet” experiences, recovery processes, connection bootstrapping, etc., have yet to be answered.
Identity owners
In order to avoid the mistakes of most existing contenders, namely ignoring swaths of potential identity owners and their needs, here we attempt to categorize and clarify said identity owners and their requirements. Generally, most identity owners fit, or are closest to, one of the following categories:
- Consumers — End users with small to medium technology competence. They prefer solutions that are usable and just work, and expect a reasonable level of security and privacy. Focus is on the early majority subsection of all users.
- Early tech adopters — End users with high level of technology competence, who want to understand how things work, and customize the functions of their digital gadgets and apps. They prefer a higher degree of security, privacy and control over their identity, and appreciate productivity.
- Organizations — Public-facing organizations such as medium-sized businesses, enterprises, institutions, non-profits, etc. who value transparency and high security when it comes to their digital identity and reputation. They prefer robust privacy for internal operations, but this will not be an area of focus for the internet’s identity layer.
While we expect the highest volumes of digital identity usage to occur within the consumer category, a final protocol needs to support additional modes of operation for different audiences. Each of these identity holder profiles has its own set of preferences and requirements for operating its identity, most importantly around security, privacy, effort/usability and secured value levels.
An ideal solution
An acceptable solution is one that takes into account the requirements from all audiences and use cases. A truly universal identity system is expected not only to offer different digital identity flavors per owner type, but to also enable full interoperation between all such identities. To remain relevant, the protocol is expected to evolve over time, in order to cover additional use cases.
In order to build a strong and global ecosystem, it is crucial for the base protocol to be permissionless, censorship resistant, and neutral, otherwise it will not be able to bring in developers and other ecosystem stakeholders and jumpstart protocol growth.
Most of all, a successful solution needs to properly identify and fulfill the needs of identity owners, as well as give them sufficient control over their digital identity and personal information. Supporting password-less interaction is one way to drastically improve usability and security for the owners. The use of cryptographic public-private key pairs, with specialized hardware support in the form of secure enclaves, increases security dramatically by reducing the risk of fraud. The pattern of secure hardware support can be seen in most modern phones including the iPhone, as well as many models of hardware authentication keys and hardware cryptocurrency wallets.
Additionally, in terms of operational security of back-end systems, practices such as multi-factor authentication, key rotation, auditing, and automated threat detection have proven effective. Betting on the above-mentioned set of proven technology trends has very limited downside, while presenting enormous opportunity in improving security across the stack.
Verification networks
Verification networks, known in the industry as “trust frameworks”, are the set of subjective and collective tools that allow users and businesses (relying parties) who use identity systems to evaluate the level of trust they assign to the identities they interact with. So how does this aspect of an identity system fit within the ideal solution we describe above? In short, it does not, but the answer is nuanced and complex. A better answer is that the protocol will provide extension points for competing instances of verification networks.
There is a major conflict here between the neutral and decentralized nature of the described protocol and its ability to support major use-cases, such as facilitating people and organizations (as Relying Parties) to verify then accept or reject requests based on subjective criteria involving the sender’s identity. Doing so involves the protocol’s ability to help with verification of perceived identities, based on a final assessment made on top of identity information, as well as formal structures of trust and relationships.
Given that trust and verification are both subjective, they naturally cannot fit inside a neutral, decentralized, and distributed protocol. As such, the need arises for a more subjective trust and verification identity layer atop the mentioned internet-native identity layer, in order to provide a complete solution for all identity owners and users, as well as to help cover end-to-end use cases. Competing instances of networks on the trust and verification identity layer will interact with the greater identity system using extension points from the native identity layer. Further details of this layer will be discussed in future writings.
The subjective judgements needed to run any trust framework always lead to the need for some type of governance, in order to harmonize the various interests that are involved in relationships consisting of mutual trust and liability. As such, competing instances of verification networks will certainly need effective public governance systems in order to obtain the public trust they require for functioning and serving their customers properly.
Ecosystem
A solution to the described problem does not only come in the form of a protocol or a verification network, but as a carefully curated and scaled-up ecosystem, one that is based on the values of neutrality and openness, as is the case with the internet and the web.
The ecosystem requires a credibly neutral and capable foundation to set the rules ahead of time, including the base software protocols, community principles, and general rules to evolve by, likely directed by a not-for-profit organization. This unlocks enormous value and allows permissionless innovation on top of this foundation by independent for-profit organizations that will compete in capturing that unlocked value. This ecosystem, its networking effects and its constant growth to new markets and use cases will ensure its usefulness to more and more customers.
Common scenarios
Regardless of the specific use cases supported by a user-owned identity system, it has to support a minimum set of common scenarios, such as account creation, login, privacy, recovery, etc.
In order to better understand these, we draw parallels between each of the following common scenarios and an existing identity system such as the Facebook identity system (used within the Facebook social network and used by external web apps through Facebook Login).
Login and account creation
The most frequently performed identity-related action currently occurring on the web is login. The user should be able to log into 3rd-party web services by proving control over a digital identity instance, cryptographically and without the use of passwords. They should also be able to create a virtual account with said 3rd-party web service upon first encounter. The Facebook equivalent of this is the use of the “Login with Facebook” button, whether you have arrived at a website like Airbnb for the first time to “signup”, or subsequently to “login”.
Privacy and personal data management
The user should be able to define the personal information tied to their identity, and specify privacy and permission rules describing how people and 3rd party web services can access that information.
The Facebook login equivalent of this is the set of information sharing options users are presented with upon signup. Facebook also allows users to access more granular privacy options in settings after signup.
Recovery
Although recovery is not a common scenario, supporting it is absolutely necessary for users of an identity system to feel confident about using the system. Namely that their identity can be recovered securely in case of unexpected events, such as loss of a device, detection of fraudulent activity, temporary inaccessibility or incapacitation, etc.
In the decentralized world of self-sovereign identity, recovery is inherently different than with centralized solutions like Facebook login. It works through multi-device recovery or social recovery, instead of relying on a central party to detect and resolve recovery issues.
A few parallel experiences while using Facebook are the password recovery process and account suspension due to suspicion of fraud.
Connection management
Digital systems have always been used by people as tools to more easily access and invoke their social and commercial connections with other entities. Think of a Rolodex or a personal phone book.
The internet’s identity layer should allow users to manage and utilize the master list of their mutual personal and commercial connections. It should also grant the ability to digitally express personal data sharing preferences for each given connection, and even to delete connections when desired. For example, a consumer should be able to unilaterally cancel their account with any commercial business, with the expectation that the business will honor their request by deleting their personal data and ceasing automatic payments.
Facebook login provides this functionality in their contacts list and settings pages where you can unfriend a contact or remove an application from your account.
General identity administration
Running a decentralized protocol that facilitates interoperation between different identities, operated by different entities, comes with the additional complexities of managing changes across them. As such there will be a number of automated processes, such as change propagation and key rotations, as well as manual processes, such as protocol version upgrades and identity transitions. These present different operational requirements for each identity owner audience.
For the consumer audience specifically, the experience should remain simple, by allowing a 3rd-party operator to handle these processes in the background while maintaining security and minimizing required trust.
Web 3.0 and beyond
Web 3.0 generally describes the next transformative wave of internet technologies. A truly decentralized, permissionless and ubiquitous internet identity protocol is likely to be part of the Web 3.0 wave, with the potential to unlock enormous economic value for all, in ways that are well-known today, as well as in speculated ways that we will understand better in the future. A few of the more generally well-known opportunities will be related to strategic realignment of the technology industry, as well as pushing the technical frontiers for developers.
Currently most of the business model moats built by large technology vendors are rooted in locking in customers’ digital identities and relying on the inherent frictions caused by personal data migrations. The existence of a ubiquitous and decentralized identity protocol has the potential to transform the strategic landscape of digital technology and create more competitive and productive markets.
A foundational layer of all modern software systems and applications is digital identity, and having an interoperable, and usable internet identity layer will empower users, and unleash developers to dream up new distributed applications, protocols, and tools that will push our collective value creation potential to the next level.
Below are some of the more future facing areas of potential, but ones that have been discussed extensively by the technology community in the past.
Privacy and personal data ownership
This is the most anticipated class of benefits we could expect from a universal identity layer that adheres to principles of self-sovereign identity as a movement. Having such an identity layer, first of all, enables identity owners to digitally express their preferences on how their personal data may be used or exposed by other parties. This is a profoundly important step in the road to codifying and enforcing a common set of agreed-upon rules around private data definition and licensing.
For example imagine every user being expected to set privacy preferences for their personal data, with the assumption of high privacy by default. Because such standards-based preferences can be expressed digitally, it will be increasingly more feasible to expect better compliance by service providers, especially when paired with formal legislation and enforcement by governments based on said preferences. For example, imagine all commercial businesses requiring your explicit digital permission before sending you mail.
Decentralized application protocols
The blockchain technology community has already introduced the world to a set of decentralized applications, such as Decentralized Finance (DeFi) protocols, on Bitcoin and Ethereum, that do not rely on a central actor to run, and are resistant to value capture and rent seeking behavior.
Today, one of the factors limiting the traction of additional decentralized application use cases is the limited usability of blockchains, rooted in user experience issues with digital identity. Integrating a robust and usable identity protocol with distributed trust technologies dramatically increases the feasibility of usable and interoperable decentralized application protocols.
For example, establishing a decentralized protocol for licensing, consuming and monetizing digital content (such as music, video, digital art, articles, books, podcasts, news, etc.), will require a variety of non-technical users to maintain an account with the system. This is not feasible on the blockchain today, due to lack of privacy and usability issues. A robust, privacy-enabled, and universal digital identity layer will render building such a system that much easier.
Other examples of decentralized application protocols can be protocols for instant messaging, video calling, calendar sharing and file sharing, just to name a few. A variety of app implementations can sit on top of the same interoperable protocol and expose it to different groups of consumers.
Digital value ownership
Blockchain and Decentralized Finance (DeFi) have already demonstrated the potential of digitizing value. The final few impediments to mass adoption, and digitally banking the unbanked, have a lot in common with the problems of digital identity. Both work to solve the problem of establishing secure digital identities that are permissionless, usable, and recoverable from unexpected events. They are also often based on the same cryptographic fundamentals of securely controlling private keys.
In terms of usability, there already exist overlapping metaphors for keys, identity documentation, payment cards, fingerprints, signets, etc. In terms of technology, being able to securely maintain possession of cryptographic private keys is sufficient to secure access to other digital financial accounts including accounts on the blockchain. There is no reason why a digital identity solution for the masses cannot also be the backbone for digitally owning value on the blockchain-based financial infrastructure.
Personal data store
One of the biggest barriers to reducing migration friction for users who want to move between competing web service providers is the lack of a standard personal data store solution. Often we hear about a new and better web service and try it, only to confirm it is in fact better than the legacy alternative. However, we are often unable to move because the data we already use for that scenario is locked into the existing legacy service, and there is no easy way to convert it.
If only there was a standard format for such data, and if only all such service providers were compelled to support it and provide frictionless migration options. The missing piece here, in addition to the data schema standard, is a standards-based personal data store, that can help with the user’s ownership of all application data, while allowing web services to rely on that data. Universal digital identity and data permissions capabilities are the primary barriers to this vision becoming a reality.
Next steps
Looking back at the path that got us (and the internet) to this point should give us a better understanding of how and why a public identity system has not yet emerged. Yet the possibility of its emergence remains viable, with the potential to drastically transform the web as known today.
Though it is great to talk about what the future will or should look like, it is even worthier to work on building it, provided we remember and apply the right historical lessons. We have now gathered over four decades of learnings based on the evolution of the internet as a public tool, and its mostly positive impact on the world. Unfortunately though, some of these learnings come from large missteps, such as the resulting loss of privacy or accelerating spread of disinformation, which continue to adversely affect people globally.
Endeavoring to correct these mistakes as we build the future sounds like a worthy goal to pursue. Come join us at Universal Identity on this journey.
Updates:
- Details and analysis added around W3C, DIF and DID following feedback from Kaliya Young.
- Details and analysis added regarding perceived identity (Relying Party) automation following feedback from Steve Wilson.