Blockchain is one of the buzzwords that triggered a wave of innovation and pioneer spirit in the identity and access management (IAM) community. The promise of secure registration and access with less effort, less repeated identity verification and no overly complicated password requirements is almost too good to be true.
The emergence of blockchain as a technology for a decentralized and tamper-evident shared ledger enables new experimentation in how best to implement a common trust domain, which Gartner refers to as the identity trust fabric (ITF). An ITF is the key component that reduces the role of central identity providers in managing trust. It is possible that it could circumvent central authority altogether.
“One of the most promising new concepts around IAM is a so-called ‘decentralized identity,’” explains Homan Farahmand, research director at Gartner. “This technology enables people to register as users or access services very easily. All they need is identity wallet software and an ITF for verification as part of a decentralized identity ecosystem.”
What is a decentralized identity model?
Imagine you move to a new country and need to register for all kinds of services: voting, driver’s license, banking, electricity, entertainment subscriptions. Right now, you have to register individually with each service provider and prove your identity to open an account. And every time you want to access this account, you need to prove your identity again, either by password or other credentials. A decentralized identity radically simplifies this process. You prove your identity once to a trusted third party and store the proof of your identifier in an ITF. The ITF and its related infrastructure (i.e., decentralized identity network, services and verifiable claim exchange protocols) stand between you and your service providers and handle all requests for identity and access.
“Once a decentralized identity is legally established, it can be verified by enrolled service providers within the ecosystem for granting access or conducting transactions,” says Farahmand. “For this model to succeed, you need a public but permissioned immutable fabric to store proof of identifiers cryptographically. A practical way to implement an ITF at the moment is through blockchain technology because it provides a decentralized and reasonably secure way to store and verify the proof of identifiers for identities (and their profile attributes).”
However, beyond experimentation, blockchain technology is still a work in progress, with issues that require industrial-scale resolution, such as blockchain platform governance, scalability and performance. Additionally, broad adoption depends on open-source availability, practical standards, adherence to privacy by design, simple financial models, a rich ecosystem of service providers and an acceptable user experience.
How services can be accessed via a decentralized identity
There are several possibilities. In one simplistic example, a person creates a pair of private and public keys in an identity wallet. The public key (the identifier) is hashed and the hash is stored immutably in an ITF. A trusted third party then verifies the user's identity and certifies it by signing with its own private key. The certification record is also stored in the ITF. When the user wants to access a service, it is enough to present their identifier, in the form of a QR code or within a token. The service provider verifies the identity by comparing the hash value of the presented identifier with the corresponding hash record in the ITF. If they match, access is granted. In more advanced scenarios, the user can derive separate key pairs from a master private key to generate separate identifiers for different relationships, which enables privacy-friendly protocols.
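The simplistic flow above, as an added example that is not from the article or from Gartner: a Go program in which the ITF is an in-memory write-once map (an assumption standing in for a real ledger), Ed25519 keys stand for the identity wallet and the trusted third party, and the service provider grants access only when the ledger record under the hash of the presented identifier was signed by a party it trusts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is one certification entry: the certifying party's public key and its signature over the identifier hash.
type Record struct {
	Issuer ed25519.PublicKey
	Sig    []byte
}

// Ledger is a constructed stand-in for the ITF: a write-once map keyed by the hex-encoded identifier hash.
type Ledger map[string]Record

// HashID derives the identifier hash; the hash, not the key itself, is what goes on the ledger.
func HashID(pub ed25519.PublicKey) []byte { h := sha256.Sum256(pub); return h[:] }

// Certify is the trusted third party's step: hash the user's public key, sign the hash with its own
// private key and append the record. A repeat write for the same identifier is refused (immutability).
func (l Ledger) Certify(userPub ed25519.PublicKey, issuerPriv ed25519.PrivateKey) error {
	idHash := HashID(userPub)
	key := hex.EncodeToString(idHash)
	if _, exists := l[key]; exists {
		return fmt.Errorf("identifier %s... already certified; records are write-once", key[:8])
	}
	l[key] = Record{Issuer: issuerPriv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(issuerPriv, idHash)}
	return nil
}

// Verify is the service provider's step: hash the presented identifier, look up the record with the
// matching hash and grant access only if the party this provider trusts signed it. Without the issuer
// check, anyone able to write to the ledger could certify an identifier to themselves.
func (l Ledger) Verify(presented ed25519.PublicKey, trusted ed25519.PublicKey) bool {
	idHash := HashID(presented)
	rec, ok := l[hex.EncodeToString(idHash)] // a hit means the hash values match
	return ok && trusted.Equal(rec.Issuer) && ed25519.Verify(rec.Issuer, idHash, rec.Sig)
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader) // trusted third party
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)             // identity wallet key pair
	l := Ledger{}
	fmt.Println("certify:", l.Certify(userPub, issuerPriv), "access:", l.Verify(userPub, issuerPub))
}
```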
What is needed to leverage the potential of decentralized identity
“We are in the very early stages, and there is still a lot to be done on developing these services at industrial scale and sorting out the legal issues, related regulation and compliance sides of things,” says Farahmand. “Nevertheless, IAM leaders can explore decentralized architectures relevant to their business model now, especially if they plan to modernize their systems in the coming years. The first step is to establish a dedicated team and initiate a limited-scale proof of concept project, such as business-to-consumer user verification and registration.”