Our identity is increasingly becoming digitized—more of our hard copy credentials are converting into digital formats. We use these digital credentials to work, learn, play, socialize, shop, and consume services online and offline every day. It’s so convenient and expected now to be able to have these aspects of life accessible at our fingertips. More than half the global economy is based on or influenced by digital.1 Digital information becomes fluid and interconnected across services. However, it’s not always under our control as individuals.
Digital identity is now on the verge of a major transformation into one that is more secure, privacy-respecting, and portable. Identity was not fundamentally built into the internet, which has resulted in companies building singular relationships with each of us. The development of these separate accounts, each stored in central databases owned by different companies, has led to an increased risk of security and privacy breaches. Simply digitizing a business process or physical ID doesn’t reduce these risks. We need an identity system that brings our identity together, owned by the individual, and makes digital identities portable in a way that is trusted and secure.
To illustrate, consider a plastic driver license. Digitizing a driver license replaces a plastic card with a digital card in your smartphone wallet, for example. If you want to use your license to prove your age, a digital license makes it convenient to share with retailers and service providers, but at the same time, it also becomes easier for companies to see all the information printed on your ID, such as birthdate and gender, thus opening the door to tracking and privacy concerns. When done right though it can improve privacy and security. Instead of simply digitizing the license and moving all the information printed on your ID to an image on a phone, a decentralized approach where you own the identity and can show the information was verified, allows you to share the information that is necessary from your driver’s license and revoke it when needed.
Let’s go through some of the differences between digitization and decentralization of credentials.
Security and your digital identity
Digitizing an identity simply makes a digital representation of an asset, but it doesn’t necessarily mean that it has the same assurance level as the original file or document. While it may be digitized and issued by an official source, the verifier could make a digital copy and store it, which you don’t have control over. Attributes of the credential are often relied on by apps, which are also susceptible to data breaches. To solve for proving the person is who they say they are, we’ve leaned on authentication methods such as usernames and passwords. When an account is hacked, a person is at the mercy of the company to reclaim their account and personal data that is rightfully theirs. With decentralization, you can prove the person is the genuine owner of the real-world identity by verifying their digital signed credentials. Individuals can use a secure, encrypted wallet to store their identity data and easily control access to it. A decentralized identity could replace the need for usernames and passwords altogether and work with other forms of authentication to provide the required level of attestation.
Privacy and data protection
With the increase in digitization, privacy concerns are front and center. People are increasingly aware of the amount of data organizations are collecting and profiting from them, causing some people to turn to VPNs or share false information to devalue the data collected from them.2 Data protection laws, such as General Data Protection Regulation (GDPR), aim to put more control into the hands of users to see and manage their information, but it doesn’t solve the problem entirely. Rather than companies taking copies of your identity data, they could gain permission from the individual to access the required information and verify the data digitally without storing it. New standardized concepts being developed include zero-knowledge proofs, where one party can prove to another party that a given statement is true or false, such as proving your age or citizenship. This limits the data shared to only what is needed. For organizations, it can reduce the burden of managing personally identifiable information (PII) by providing users with complete control over what they share and becoming the stewards of their own data. We believe selective disclosure and minimizing data travel are critical requirements for decentralizing identity.
Portability and visibility
Remember sharing copies of documents through email, before you could store them in the cloud? It created multiple copies of the same document, making it hard to keep track of changes and which one was the most recent file. With decentralization, people can store the original piece of identity data as a credential on their own device, cryptographically signed with their own private key, and share the record with any organization. Then the organization can verify that it came from an authoritative source with a simple check on the ledger. The user retains visibility of how that information was used and for how long the organization has access to it. The use of open standards specifications, such as verifiable credentials from the World Wide Web Consortium (W3C), make it easy for people and companies to receive and present credentials across platforms and services. It allows people to build relationships with organizations that are mutually beneficial.
Turning credentials into digital form isn’t new, but decentralizing identity goes beyond that. It gives individuals the ability to verify their credentials once and use them anywhere as proof of attestation. With the nexus of control shifting to users, they can manage exactly what they want to share and for how long, and safeguard their data locked in their own digital wallet.
Standards for decentralization are still being formalized and tested but it’s not too early to start exploring use cases. Think of areas where the benefits of decentralization can help your business, such as onboarding employees and contractors quickly, or to provide extra assurance for granting access to high-value applications, or recovering an account. With the momentum around decentralization of the internet, currency, assets, and more, we see a decentralized identity system as a crucial component to enable trust and security for the future.
Learn more about Microsoft’s decentralized identity solutions.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
1IDC FutureScape Webcast: Worldwide Digital Transformation 2022 Predictions, Shawn Fitzgerald, Robert Parker, IDC. November 2021.
2What Are Data Brokers – And What Is Your Data Worth?, WebFX Team, WebFX. March 16, 2020.
The post Why decentralization is the future of digital identities appeared first on Microsoft Security Blog.