The cover of his book featured the famous cartoon “On the internet, nobody knows you’re a dog”, originally published by The New Yorker in 1993.

So, it is clear that since the dawn of the Internet, the conversion of identity from physical to digital has posed itself as a problem.

But what is a Digital Identity?

An identity is defined as a “set of attributes related to an entity” [ISO/IEC 24760–1]. Less formally, it is a combination of attributes that belong to an individual.

Hence, a digital identity is the transposition of this combination of attributes in a digital system, used to identify a defined subject.

Types of Digital Identity

Model #1: Traditional Centralized Model

In this model, the simplest one, the trust between the user and the organization is proved through the use of a combination of username and password stored in an organization’s database, and a new combination of username + password is required for each different website, app or service that requires a login.

Siloed centralized model

As result, it is necessary to create and manage as many different credentials as the number of services you want to access.

Model #2: Federated Identity / Third-Party IDP

In this model, users can use identity information established in a previous domain, to access another. The domain where the identity is originally created acts as Identity Provider (IDP) between the user and the organization that the user is trying to access. The IDP issues the digital credential, providing a Single Sign-On (SSO) experience.

The main point of strength of this model is that reduces the number of credentials to be maintained, giving a great amount of identity portability. However, this model is still centralized and poses no regard to the user’s privacy, since social login allows tech giants to track, target and monetize the online behaviour of their users.

This model introduces a third party: the Identity Provider (IDP)

Some well-known examples of such model are Google, Facebook, or SPID, and the most common standards used in the industry are OAuth2, SAML and OpenID.

Issues with the current models:

The underlying problem with this system is that Digital Identity has always been treated from the perspective of the managing organization and not from the user’s perspective.

Consequently, these models have some downsides to be considered:

• Data stored in a centralized database can be tampered or stolen.

• The centralized model implies high costs to store and manage data.

• Users are not in control of their identities.

• Missing standardization of digital claims.

• User’s privacy is at risk.

Alternative models:

The NFT industry, one of the trends that emerged in 2021, brought into the industry a lot of innovation: .jpeg of stones sold for millions of dollars. Jokes apart, the underlying technology such as Blockchain and Smart Contracts, is something intended to last and to radically change the way we think and interact with Web and Digital Identity.

Particularly interesting, is how NFTs changed the concept of ownership. What is the value of owning NFTs? Can’t I just screenshot an image? Or when does a model own her image? In our case, when does an individual own his identity?

NFTs brought mainstream the concept of user-based ownership, which represents the non-revocable ownership right for digital assets. This, in the context of digital identity, means that the user owns each aspect of its digital identity.

A new approach to digital identity comes with the concept of decentralized identity, which aims at giving back to the user full control over it. This model relies on the blockchain’s characteristics of cryptography, decentralization and immutability, which enables digital trust.

Model #3: Decentralized Identity

This model allows the creation of a system in which digital identity is given back to the user through the use of an identity wallet that contains its related verifiable credentials from certified issuers (such as the Government).

Those credentials in the digital identity wallet are the equivalent of the cards in a physical wallet. Each one is issued by an entity and reveals some information about the owner.

Verifiable credentials are composed of 3 basic parts:

• **Metadata **describes the properties of the credential, such as the issuer, the expiry date, a public key to use for the verification process and so on (W3C).

• **Claims **are statements made about a subject, for example, “Mario’s date of birth is 01/01/1990”.

• **Proofs **are data about the identity holder that allows others entities to verify the origin of the data.

To each verifiable credential is attached a so-called Decentralized Identifier (DID). The DID is then stored on the blockchain, which acts as a distributed ledger that anyone can consult to verify those credentials. DIDs are what enables verified credentials to be verified anywhere and at any time, establishing trust between the parties and guaranteeing the authenticity of the data and attestations, without actually storing any personal data on the blockchain. On the blockchain are stored only the DIDs, which do not provide any kind of information about the DID owner.

From a high-level perspective, this model’s architecture can be summarized as down below:

But what about privacy?

In the real world, if I want to order a beer at the bar, I have to show my ID card proving that I am over 18 years old. Assuming I show my ID to the bartender, he will know all my personal information such as my first and last name, as well as my date of birth.

For digital identity, you can implement Selective Disclosure, which means generating individual proofs from a credential.

This means that I can choose to show only my date of birth, and skip all the other non-necessary personal data for the age confirmation.

But there is something else, which seems almost like magic, that allows you to prove an attribute from a credential without actually revealing its value.I’m talking about** Zero-Knowledge Proofs**, which allow us to have digital privacy for the first time since the Internet was born. How does it work?

Through the use of cryptography one entity can prove to another entity that they know certain information or meet a certain requirement without having to disclose any of the actual information that supports that proof. The entity that verifies the proof has “zero knowledge” about the information supporting the proof but is “convinced” of its validity. This is especially useful when and where the prover entity does not trust the verifying entity but still has to prove to them that he knows a specific information. (source: tykn.tech)

For example, I could prove that I am over 18, without showing my exact date of birth.

Real-world examples:

The Decentralized Identity Foundation and Decentralized Identifiers working group of W3C are developing standards in this field.

The Turkish Ministry of Foreign Affairs, together with the United Nations Development Programme and the Instanbul Chamber of Commerce wants to implement a functioning model of Self-Sovereign Identity (a.k.a. Decentralized Identity) to help refugees in the country to find employment and gain financial independence.

In the Education field, the Digital Credentials Consortium was created by a dozen of Universities, including Harvard, Berkeley and MIT to reduce resume fraud and develop “infrastructure for issuing, sharing, and verifying digital credentials of academic achievement”.

CanDID is a platform for the implementation of decentralized identity that leverages already existing credentials from legacy authorities. Moreover, relieves the user from the burden of managing their own keys with the consequent possible key loss. Other challenges addressed (and solved) by this system are the Sybil attack resistance (i.e. how to issue one credential per user) and compliance with regulations like Know-Your-Customer (KYC) and Anti-Money-Laundering (AML) while, at the same time, preserving user’s privacy.

Conclusion:

The siloed digital identity model may have been appropriated for the early days of the Internet but today this model is showing its downsides and limitations.

Tech giants have saved us the hassle of remembering dozens of passwords for as many accounts, but at the cost of losing possession and control over our identities.

As the internet of value grows in popularity, the emergence of robust decentralized identity solutions is only a matter of when. It is clear that only by charting a future that returns control of identity to the individual, we can pioneer the challenges and opportunities that Web3 has to offer.

[Credits: Blockworks.co]