Is sensitive customer data an asset or a liability? When we think about the most successful companies in recent years that have leveraged customer data to build competitive advantages—such as the FAANG companies (Facebook, Amazon, Apple, Netflix, and Google)—we think of customer data as an asset.
However, with ever-increasing data breaches and the introduction and enforcement of global data privacy regulations, business leaders now understand that customer data, particularly sensitive customer data such as personally identifying information (PII), can be a liability to the business.
One way for businesses to reduce this risk is not to store sensitive customer data, such as identity data, in the first place, by employing decentralized identity solutions.
In today’s centralized identity management model, the company holds the end user’s PII (name, email address, password hashes, and other identifiers) in order to authenticate the user online. Decentralized identity tools, by contrast, put the user at the center of the identity equation and in charge of their own data.
What is Decentralized Identity Software?
Decentralized identity software allows end users, such as customers, to maintain direct control over their identity information and easily share or revoke access to that data. The identity data remains in possession of the end user and the company only validates the identity or any other sensitive user information.
The concept of an individual having direct control over their digital identity without the use of a centralized registry, identity provider, or certificate authority is called self-sovereign identity (SSI).
For example, in the physical world, to enter a bar with an age requirement policy, a patron has to prove their age by presenting their birthdate on a government-issued photo identity (ID) card. The bar’s bouncer confirms the patron’s identity by comparing the ID photo to the person’s face and then reviewing the birth date. In doing so, the bouncer also sees other identifying information on the card, such as name and home address, that the age check does not need.
In a decentralized identity scenario, the patron instead presents a digital credential, signed by the issuing authority, that states only that they meet the age requirement; the underlying data (the specific birth date, name, and address) is never disclosed.
How do decentralized identity solutions work?
In today’s digital identity ecosystem, validating a person’s digital identity is most commonly achieved through account-based credentials. Users have many accounts and often reuse the same username and password across them to reduce sign-in friction, so one breached site exposes every other account that shares the credential (credential stuffing). Some account-based credentials are provisioned by centralized identity providers, such as social login providers, and then federated to third parties. This model carries its own risks: an outage at the identity provider locks the user out of every site that relies on it, and the provider can track the user across all of those accounts.
So how does decentralized identity work differently from account-based credentials?
There is no central store of identity data. Instead, the user holds credentials issued to them by a trusted authority and presents them to whichever organization needs to verify their identity; that organization checks the issuer’s signature on the credential rather than consulting a central database.
There are three main parties in a decentralized identity use case: the issuer, who vouches for a claim about a person; the subject, the person the claim is about, who keeps the credential in their own wallet; and the verifier, who checks the claim before granting access.
The issuer provides a credential to a person, usually after a conventional real-world vetting process. For example, a newly hired employee presents their physical government ID, fills out paperwork, and is then given a physical badge and a digital employee credential. Behind that credential is a cryptographic key pair that the employee’s wallet generates; the credential itself is a statement signed by the issuer and bound to that key:
- The public key is published in a DID document that a verifier can look up through the employee’s decentralized identifier (DID), typically anchored on a distributed ledger.
- The private key never leaves the credential wallet on the employee’s mobile device; the new hire uses it to sign authentication challenges when accessing employee accounts, such as a business email account.
To authenticate, the new hire (the subject) presents their DID and the employee credential to the email provider (the verifier). The verifier resolves the DID through the ledger to obtain the matching public key and sends the employee a fresh challenge (a random nonce). The wallet signs the challenge with the private key. If that signature checks out against the public key in the DID document, and the credential’s own signature checks out against the issuer’s public key, the user is authenticated and granted access to the email account.
In this scenario, the email provider does not need to store sensitive user identity information. Authentication rests on trust in the credential issuer, who vetted the employee and signed the credential, and on the public keys published on the ledger; the credential itself, and any PII it carries, stays in the employee’s wallet.
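The three-party flow above, and the age-check credential from the bar example, as one added example that is not code from the original page or from any real DID implementation. It assumes Ed25519 keys, an in-memory map standing in for the ledger (DID to public key, nothing else), a made-up `did:example:` method, plain JSON as the signed payload, and a random nonce issued by the verifier rather than by the ledger; real systems use a standardized DID method, canonical JSON or a JWT envelope, and add expiry and revocation checks that are omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Registry stands in for the ledger: DID -> public key from that DID's document. No private key or PII is here.
type Registry map[string]ed25519.PublicKey

// Credential is the issuer-signed claim set. The claim is "over_21: true" rather
// than a birth date, so the verifier learns only what its policy needs.
type Credential struct {
	Issuer  string          `json:"issuer"`
	Subject string          `json:"subject"` // the holder's DID
	Claims  map[string]bool `json:"claims"`
	Sig     string          `json:"sig"` // base64 Ed25519 signature by the issuer
}

// payload is the byte string the issuer signs (everything except Sig); encoding/json sorts map keys, so it is deterministic.
func (c Credential) payload() []byte {
	c.Sig = ""
	b, _ := json.Marshal(c)
	return b
}

// challenge is what the holder signs: the verifier's nonce bound to this exact credential, so a proof cannot be reused.
func challenge(c Credential, nonce string) []byte {
	return append([]byte(nonce+"|"), c.payload()...)
}

// NewDID generates a key pair in a wallet and publishes only the public half under a hypothetical did:example: identifier.
func NewDID(reg Registry, name string) (string, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	did := "did:example:" + name
	reg[did] = pub
	return did, priv
}

// NewNonce is the verifier's fresh, unpredictable challenge for one session.
func NewNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(b)
}

// Issue: after vetting the subject out of band, the issuer signs the claims.
func Issue(issuerDID string, issuerKey ed25519.PrivateKey, subjectDID string, claims map[string]bool) Credential {
	c := Credential{Issuer: issuerDID, Subject: subjectDID, Claims: claims}
	c.Sig = base64.StdEncoding.EncodeToString(ed25519.Sign(issuerKey, c.payload()))
	return c
}

// Present: the holder answers the verifier's nonce with the subject's private key.
func Present(c Credential, holderKey ed25519.PrivateKey, nonce string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(holderKey, challenge(c, nonce)))
}

// Verify resolves both DIDs through the registry and checks issuer trust and signature, holder key control, then the claim.
func Verify(reg Registry, trusted map[string]bool, c Credential, nonce, proof, claim string) error {
	issuerPub, ok := reg[c.Issuer]
	if !ok || !trusted[c.Issuer] {
		return errors.New("issuer DID does not resolve or is not on the verifier's trust list")
	}
	sig, _ := base64.StdEncoding.DecodeString(c.Sig) // bad base64 yields nil, which Verify rejects
	if !ed25519.Verify(issuerPub, c.payload(), sig) {
		return errors.New("credential signature invalid")
	}
	subjectPub, ok := reg[c.Subject]
	prf, _ := base64.StdEncoding.DecodeString(proof)
	if !ok || !ed25519.Verify(subjectPub, challenge(c, nonce), prf) {
		return errors.New("proof invalid: wrong key, stale nonce, or replayed presentation")
	}
	if !c.Claims[claim] {
		return errors.New("required claim not satisfied")
	}
	return nil
}

func main() {
	reg := Registry{}
	dmvDID, dmvKey := NewDID(reg, "dmv")       // issuer
	aliceDID, aliceKey := NewDID(reg, "alice") // holder and subject
	_, malloryKey := NewDID(reg, "mallory")    // attacker holding a copy of Alice's credential
	trusted := map[string]bool{dmvDID: true}
	cred := Issue(dmvDID, dmvKey, aliceDID, map[string]bool{"over_21": true})
	nonce := NewNonce()
	fmt.Println("alice:  ", Verify(reg, trusted, cred, nonce, Present(cred, aliceKey, nonce), "over_21"))
	fmt.Println("mallory:", Verify(reg, trusted, cred, nonce, Present(cred, malloryKey, nonce), "over_21"))
	fmt.Println("replay: ", Verify(reg, trusted, cred, NewNonce(), Present(cred, aliceKey, nonce), "over_21"))
}
```

Two details carry the security argument. The proof is a signature over the nonce concatenated with the credential bytes, so a copied credential is useless without the subject’s private key, and a proof captured in one session fails against the next nonce. The verifier also keeps its own list of trusted issuer DIDs: resolving a DID on the ledger proves only that a key exists, not that its owner is someone whose claims you should believe.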
Decentralized identity for improved security and authentication
In current models, identity data is difficult to secure and validate, and the controls around it often add frustrating friction to the user’s authentication process. For example, passwords alone are not a reliable way to authenticate that a person is who they say they are online. Many tools, such as multi-factor authentication (MFA) software, have emerged to address this, but they can be a hassle for the end user. Similarly, fake identities are frequently and easily created on social platforms, which makes social logins an unreliable source for identity verification purposes. To combat this concern, companies can employ fraud detection software for high-risk transactions.
With decentralized identity, however, companies no longer need to store the underlying identity data, which shrinks the amount of personally identifiable information (PII) exposed in a data breach; what the verifier receives is limited to the claims it asked for.
Companies also avoid much of the spend on security products, such as encryption software, that exist only to protect identity data they no longer hold. Furthermore, since there is no need to store sensitive information like PII, the cost of data storage and storage management software is reduced.
How it impacts the existing identity market
Decentralized identity is new and niche at the moment, and players are staking a claim in the market, as noted in G2’s recently created Decentralized Identity software category. Software heavyweights like Microsoft and IBM are getting into the space as Microsoft announced their decentralized identity pilot in September 2020 while IBM has an alpha version of their decentralized identity product available.
Additionally, decentralized identity can be seen as a continuation of a trend already taking hold in an adjacent space of data privacy. The concept of centering individuals in the data ecosystem is an emerging trend—people-centric data privacy technology seeks to best operationalize honoring individuals’ choices regarding the data a company stores on them. To achieve this, companies need to stop thinking of data as being stored in silos, but rather organized around the individual.
How decentralized identity impacts the existing identity market raises some big questions. How will this impact today’s identity providers? How will this impact single sign-on (SSO) software providers or companies that offer password managers? How will this impact advertisers who rely on customer data (not just identity data)? We do not have the answers, but it’s essential to pose the questions.