The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
In 2023, the unfettered expansion and acceleration of internet technologies crashed headlong into the generative abilities of AI, leaving people struggling with the concept of what reality is now. Can we trust what we see and hear on social media? Is the image of the person you are looking at a real person? Most importantly, after all those times you have logged into websites using a password and maybe even a phone-based multi-factor authentication (MFA) code, do you know if you are keeping yourself and your information safe? Self-sovereign identity was the topic for discussion with Paul Fisher, Lead Analyst at KuppingerCole, Ward Duchamps, Director of Strategy & Innovation at Thales, and myself, host Steve Prentice, on the Security Sessions Podcast, Self-Sovereign Identities: Whose Life is it Anyway?
We explored the idea that personal identity is a crucial part of your existence, but more often than not, we give much of it away or at least use it as payment for access to some highly desired service like TikTok, LinkedIn, or Google. All these services, which appear free, are purely a trade: their engaging content for your data. We have commoditized ourselves through our fascination with everything the internet can deliver.
Control over the movement and storage of data
Some countries have worked hard to establish controls over the movement and storage of personal information. Perhaps the most famous of these remains Europe’s GDPR. There are others, of course, but they are frequently countered by divisive issues ranging from defending personal freedom through to political agendas. There is no global protection for personal identities. Added to this mess is the fact that consumers find password management tedious and tend to believe any data breach involving their identity will quickly blow over, and life will just go on.
It might be time for people to take greater responsibility for their identities – owning and sharing them, but in a manner that doesn’t give everything away, retaining control while also removing the need for dozens or hundreds of passwords. Basically, it means creating an identity system for this new century.
When people first talk about moving beyond typed passwords, the first thing that often comes to mind is biometrics, like retinal scans, palm scans, and the type of facial recognition technology that allows us all to unlock our phones simply by looking at the camera. But these simple biometric techniques tend to work just like passwords in that they are presented as tokens that open a door somewhere. In principle they are better than text-based passwords, since the owner of the face or fingerprint needs to be present to push through the transaction, but they are still static identifiers. There needs to be something more – something deeper, more complex, and most importantly, something that remains solely with its owner, from which selected parts may be produced as needed, without giving everything away to an organization that keeps it all forever.
We never needed a wallet inspector to buy a coffee
On our podcast, Ward Duchamps analogized this to a physical wallet or purse. A wallet is a physical holder into which you add credit cards, loyalty cards, a driver’s license, health card, paper money, and more. When you go to make a purchase in a brick-and-mortar store, you don’t hand the entire wallet over to the cashier and wait for the person to copy everything inside it. Instead, you selectively choose a payment method and hand that over and nothing else.
However, with most online identity transactions, the amount of vital personal information given away can be staggering. It can easily include health information, credit card information, home addresses, birthdates, and much more, either by handing it out directly or by giving enough information for cybercrime gangs to piece it together with data from other sources. Either way, sooner or later, your entire identity ends up out there.
Enter self-sovereign identities
This is where the concept of self-sovereign identities comes in. As Jason Keenaghan, Product Management Director, Identity and Access Management, writes:
Self-sovereign identity (SSI) is an architecture for managing digital identities where individuals or organizations have full ownership and control over their identities and personal data. Individuals with self-sovereign identities can store their data on their devices and selectively share it with third parties that they want to interact with in a peer-to-peer manner. In this type of information exchange, there is no centralized repository or owner of the data. And there is no intermediary in the middle of the exchange that can keep track of who is accessing what service.
In other words, share only what you need and keep control over all of it.
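The exchange that paragraph describes, as an added Python example that is not from the podcast, the article, or any vendor's product: an issuer signs a credential over a salted digest of each attribute, the holder keeps the whole credential on their own device, and for each interaction reveals only the attributes the other party asks for. The verifier checks the issuer's signature and recomputes the digests of the disclosed attributes; it never sees the rest, and no intermediary sits in the exchange. The issuer name, key and attribute values are constructed for the demo, and an HMAC stands in for the issuer's public-key signature so the block runs with the standard library alone.

```python
"""Selective disclosure of a signed credential: a minimal model of a
self-sovereign identity wallet (added example, constructed values).

Roles:
  issuer   - signs a credential over salted digests of each attribute
  holder   - keeps the full credential on their device and reveals only
             the attributes a given verifier needs
  verifier - checks the issuer signature over the digests and recomputes
             the digests of the disclosed attributes
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Stand-in for the issuer's digital signature: a shared HMAC key. A real
# deployment would use a public-key signature (e.g. Ed25519) so verifiers need
# only the issuer's public key and never the signing secret.
ISSUER_KEY = b"constructed-issuer-key-for-demo"


def _canonical(obj) -> bytes:
    """Deterministic JSON encoding so issuer and verifier hash identical bytes."""
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def _digest(salt: str, name: str, value) -> str:
    """Hash one attribute with a random salt; the digest alone reveals nothing
    about the value, and the salt stops guessing of common values."""
    return hashlib.sha256(_canonical([salt, name, value])).hexdigest()


def issue_credential(attributes: dict) -> dict:
    """Issuer: one salted digest per attribute, then a signature over the
    digest list. The holder stores the whole result on their own device."""
    disclosures = {name: (secrets.token_hex(16), value)
                   for name, value in attributes.items()}
    # Sorting hides the original attribute order from the verifier.
    digests = sorted(_digest(salt, name, value)
                     for name, (salt, value) in disclosures.items())
    signed = {"issuer": "demo-licence-office (constructed)", "digests": digests}
    signature = hmac.new(ISSUER_KEY, _canonical(signed), hashlib.sha256).hexdigest()
    return {"signed": signed, "signature": signature, "disclosures": disclosures}


def present(credential: dict, reveal: list) -> dict:
    """Holder: hand over the signed digest list plus only the requested
    attributes with their salts. Undisclosed attributes stay in the wallet."""
    return {
        "signed": credential["signed"],
        "signature": credential["signature"],
        "disclosed": {name: credential["disclosures"][name] for name in reveal},
    }


def verify(presentation: dict) -> Optional[dict]:
    """Verifier: check the issuer signature, then confirm every disclosed
    attribute hashes to one of the signed digests. Returns the verified
    attributes, or None if the signature or any disclosure fails."""
    expected = hmac.new(ISSUER_KEY, _canonical(presentation["signed"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["signature"]):
        return None
    signed_digests = set(presentation["signed"]["digests"])
    verified = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in signed_digests:
            return None  # tampered or forged attribute
        verified[name] = value
    return verified


if __name__ == "__main__":
    # Constructed credential: the wallet holds everything, the shop sees one field.
    wallet = issue_credential({"name": "Ada Example", "birthdate": "1990-01-01",
                               "over_18": True, "address": "1 Example Street"})
    for_shop = present(wallet, ["over_18"])
    print("verifier learns:", verify(for_shop))
```

The verifier learns how many attributes the credential carries (the digest count) but nothing about the undisclosed ones, which is the property the wallet analogy is after: the cashier sees the one card, not the whole wallet. Altering a disclosed value, or forging the signature, makes `verify` return `None`.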
Ward Duchamps goes further with this concept, suggesting that not only should people keep their identities closely under their own control, but also that the type of information that establishes a person’s identity and credentials should shift from static identifiers like passwords and even facial scans to behavior-based attributes that are more multi-dimensional. Consider, for example, a regional accent – a subtle word or turn of phrase someone uses that could only have been picked up by having lived in that location. Conversely, someone who claims to be from somewhere but clearly does not use the local lexicon will be quickly noticed. Similarly, AI-based robots, whether generated onscreen or real-life robots like Mika, the world’s first AI CEO, still lack the subtle eye movements and facial gestures that other humans instinctively read and interpret.
Paul Fisher, Lead Analyst at KuppingerCole, a firm that specializes in the strategic management of digital identities, points out that although any type of identification process can conceivably be abused or re-used, if the root data, such as biometric and behavioral information, were stored in the blockchain, it might be easier for an individual to safely hold on to that key set of attributes and use it as the base set from which selective sharing, without retention by the other party, could occur.
Does the self-sovereign identity concept have appeal?
Self-sovereign identity is still a relatively nascent concept. Although it offers individuals greater capacity to protect themselves against the abuse of personal data that occurs both legally and illegally in the global marketplace, it must still clear the barrier of human acceptance. People have grown used to passwords as a formalized step required to undertake a transaction, the same way they use a key or a wireless fob to unlock their car. As Paul Fisher states on the podcast, people might currently be quite happy using their phone’s camera to read their face and unlock that same phone, but it is unlikely they will be immediately comfortable using any camera anywhere to log into their bank account. They still feel there must be an extra formalized step, a password or secret, to make them feel more secure.
Ultimately, self-sovereign identity comes down to a matter of trust in a technology that we can’t see, but one that works in favour of individuals rather than for a huge global corporation. It will rely on people’s own willingness to support and use it, and on companies and organizations building the infrastructure that will allow self-sovereign identity wallets to become as common as tap bank cards are today.