Digital discretion: self-sovereign identities

Self-Sovereign Identities (SSI) put users back in control of their digital identity data. This is nothing less than a revolution, our colleague Constantin explains, adding a new identity layer to the internet.

There's one thing that all internet users can probably agree on: nothing is more annoying than the ever-growing flood of passwords. In 2017, the average business user had to manage 191 passwords. Even in our private lives, we’re pressured into a new account every time we make a trivial online purchase. This is annoying and, above all, a security risk as people get less and less creative in choosing their passwords. According to a survey, every 142nd password is simply “123456”.

Identity layer for the net

Anonymity was actually a given back in the early days of the internet. TCP/IP protocols were in charge of regulating the communication between machines. The identity of the people behind them was not a factor. But for the processing of transactions, this information, and its verification, is obviously crucial. Especially for us as a digital bank where Constantin works as a software engineer. He is currently developing new concepts for identity management that add an identity layer to the internet: Self-Sovereign Identities (SSI). It is a paradigm shift in the way data are handled. Constantin explains, “What's revolutionary about this approach is that it's self-determined. By contrast, most identities today are managed externally by third parties.” In this article, the developer explains the concept. Another article in this series takes a closer look at the software side of implementing SSI.

Previous approaches are centralized

Traditionally, the problem is solved centrally. Users deposit their ID and password with providers. In addition to its lack of clarity, this model has other disadvantages. The providers keep extensive data profiles with further information (date of birth, place of residence, etc.). Customers are generally unaware of what happens to this information. In analog life, this would be unthinkable. No consumer would leave their physical ID card at the supermarket checkout after having authorized their alcohol purchase, for example. It goes without saying that the card would be returned to the consumer. What could a similar procedure look like on the internet?

Alternative needed

Tech giants like Google have established a second approach to identification: federated identities. Here, large providers take care of users’ complete identity management, enabling them to log in to different third-party providers with the same credentials. This is infinitely more convenient than having 191 passwords. At the same time, it compounds the problems of the first model – because the identity provider now gets access not only to identity data, but all transactions, behaviors and other monetizable information on top. Needless to say, the potential damage is much higher if the identity provider is hacked.

A case for blockchain

That’s why Constantin advocates for the third path of Self-Sovereign Identities. Constantin explains the approach: “As an SSI team – and now it's getting technical – we’re building a kind of decentralized PKI, in other words, a public key infrastructure. We put keys on our blockchain that are used to encrypt identities.” This is enabled by a Distributed Ledger Technologies (DLT) database. Unlike Bitcoin, the blockchain is not open to everyone: only certain entities (government, financial institutions, et al.) can issue identities (issuers). Users (holders) receive credentials from them and store them in digital wallets. In the case of legitimation, they receive claims from the verifier, which they answer in the wallet. The legitimacy of the issuer, whose signature is verified with decentralized identifiers (DID), is critical. A W3C standard already exists for this protocol. The DID is archived on the ledger, which allows decentralized access to the issuer’s public key and internet endpoints. Private users also have DIDs – separate ones for each institution. This allows the originator of the encryption to be verified without others finding out.
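The issuer, holder and verifier roles described above, as an added sketch that is not the bank's or the eID project's code: an in-memory Map stands in for the permissioned ledger, Ed25519 is an assumed signature algorithm, and every DID, endpoint and claim is constructed.

```javascript
// Added illustration; DIDs, endpoint and claims are constructed sample values.
const { generateKeyPairSync, sign, verify, randomUUID } = require('crypto');

const ledger = new Map(); // stand-in for the permissioned ledger: DID -> record

// Models "only certain entities can issue": the issuer's public key and
// endpoint go on the ledger, the private key stays with the issuer.
function registerIssuer(did, endpoint) {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  ledger.set(did, { publicKey, endpoint });
  return privateKey;
}

// Deterministic bytes for a flat object, so signer and verifier agree.
const canonical = (obj) => Buffer.from(JSON.stringify(obj, Object.keys(obj).sort()));

function issueCredential(issuerDid, issuerKey, holderDid, claims) {
  const body = { issuer: issuerDid, holder: holderDid, ...claims };
  return { body, proof: sign(null, canonical(body), issuerKey).toString('base64') };
}

// Verifier: resolve the issuer DID on the ledger, then check the signature.
function verifyCredential(cred) {
  const record = ledger.get(cred.body.issuer);
  if (!record) return 'unknown-issuer';
  const sig = Buffer.from(cred.proof, 'base64');
  return verify(null, canonical(cred.body), record.publicKey, sig) ? 'valid' : 'bad-signature';
}

// Holder wallet: a separate DID per institution, so DIDs cannot be correlated.
function makeWallet() {
  const dids = new Map();
  return {
    didFor(institution) {
      if (!dids.has(institution)) dids.set(institution, `did:example:${randomUUID()}`);
      return dids.get(institution);
    },
  };
}

function demo() {
  const govKey = registerIssuer('did:example:gov-registry', 'https://issuer.example/agent');
  const wallet = makeWallet();
  const cred = issueCredential('did:example:gov-registry', govKey, wallet.didFor('bank'), { over18: true });
  const tampered = { ...cred, body: { ...cred.body, over18: false } };
  const rogueKey = generateKeyPairSync('ed25519').privateKey; // never registered
  const rogue = issueCredential('did:example:unlisted', rogueKey, wallet.didFor('shop'), { over18: true });
  return { genuine: verifyCredential(cred), tampered: verifyCredential(tampered),
    rogue: verifyCredential(rogue), pairwise: wallet.didFor('bank') !== wallet.didFor('shop') };
}
console.log(demo());
```

The verifier's trust decision rests entirely on the ledger lookup: a correctly signed credential from a key that is not registered is rejected before any signature check.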

Everyone benefits

The concept may seem abstract at first, but the advantages are very concrete. Users can now make their own decisions about the use of their identity. For example, they can subsequently edit or withdraw data access they have granted. They also have a greater choice of markets. For example, a bank customer could obtain a loan online in Spain if the conditions there are better. This would not be so easy today. Companies also benefit from this. Since they only have to keep the legally required user data, the risk of violating data protection regulations is also reduced. At the same time, data economy improves because less data is collected automatically compared to federated identities. Subscribers are better protected, and customers get an optimized user experience. For example, users can then use fully digital identification methods in addition to Postident or Videoident, Constantin explains. “And if you then use your government-signed identity data, know-your-customer (KYC) processes and money laundering compliance are facilitated.” SSI can also be used in addition to other (e.g. biometric) factors and conveniently handled via smartphone. In addition, there are other fields of application, as Constantin explains, “Wherever identities are involved, SSI can come into play. This also targets the machine domain, e.g. Internet of Things (IoT). That’s an even bigger field than human identities.” Digital supply networks become more efficient and secure through SSI for devices, components and suppliers.

Cooperation is key

Obviously, we cannot implement such a decentralized process on our own. Constantin is therefore working with other companies and government agencies on an interoperable SSI solution known as the “Ecosystem of digital identities” (eID), initiated by the German government in December 2020. The German government laid the foundations for this use of SSI identities through an experimental clause in the Money Laundering Act (GWG). The SSI identity developed in the eID project is nothing more than an identity card, except that it is only digital and on a smartphone. From a purely technical point of view, this enables citizens to “use” their identity in different networks. The physical ID card is “stored” in the smartphone via an integrated chip using NFC. Thus, SSI has an official state reference point, unlike Bitcoin, where such an external reference is intentionally avoided.

The working group “Personal ID on a Smartphone” with ING Chair Dr. Joachim von Schorlemer in dialogue with members of the German government

Incidentally, we support the concept of a “smartphone ID” at the highest level, as our Deputy CEO confirmed at a meeting in September 2021 with the then German Chancellor Angela Merkel. From an EU perspective, there is also a regulatory framework for this in the form of the eIDAS Regulation, which came into force back in 2014. Currently, “eIDAS 2.0” is being discussed, which would enable official identity wallets for all citizens. This would allow them to log in to Facebook, for example, in a “self-determined” manner – without any password or user name at all.

It started as a working group

Self-determination also characterizes the agile work of IT professionals at our bank. For instance, professional interests are promoted outside of one’s core tasks through education budgets. This open culture also led to the collaboration with the federal government on the SSI project. “Actually, the whole thing grew out of an informal working group on the topic of SSI,” says Constantin, describing the start – an interest group set up by an IT colleague, which regularly exchanged views on blockchain-related topics. This turned into a permanent team of 20 people who are currently working on an institutional agent in addition to the government project. This application allows institutions to issue and verify identities. Internal use cases such as KYC processes, money laundering checks, biometrics, building access and device management are also being developed. So there is still a lot of potential here. But tomorrow's identity management is just one of many exciting IT fields at our company.