SSI: a primer in 11 steps

Huge technological advances have driven the growth of digital-first and phygital ecosystems. Individual interactions at every stage will require those individuals to prove their identities. Examples include opening a bank account, getting a new phone subscription, or making secure online payments, among others.

From booking a vacation online to checking in at the hotel, each step requires you to establish your identity. So, let’s consider how verification of identity works. Think of it as a “triangle of trust,” connecting the issuer, the holder (in this case, the user), and the verifier. Take the use case of driver’s licenses. In this scenario, the road authority issues the license; it is the issuer. The individual driver is the holder, who presents the license, when asked, to a rental company, for instance (or the insurance company, in case of a problem). The rental/insurance company is the verifier. 

As the digitalization of our lives gathers pace, digital identifiers will soon be required at every stage within a process of identification and authentication. In this context, self-sovereign identities (SSIs) present a workable solution for managing the many interactions among the three roles outlined above. 

According to Robert Heinze, Director Technology & Innovation Management at G+D, SSI can best be achieved through a combination of cryptography and decentralization. “The concept of verifiable credentials included in the current SSI specifications is a fundamental game changer for digital identity management. They could be superior in unattended use cases, and conveniently transfer the use cases of an ID card in the digital world. They aim to enable quick and cost-efficient identification with the highest standards of privacy and security,” he said.

Let’s examine why this is important, and how we can build toward it.

1. A secure, independent, digital ID layer

An identification protocol is required that is easy to use, widely accepted, digital-specific, and completely secure from a data privacy standpoint. At the same time, it should be operationally independent of commercial players. SSI can address this need.

2. Decentralize the triangle of trust

Currently, identity schemes are centralized. With SSI, this ceases to be the case. The USP of SSI is that there is no requirement for an immediate connection between issuer and verifier, said Heinze. In essence, the advantages of the physical ID in your pocket are transferred to your digital wallet. To take one example: when you show your ID at a nightclub to establish how old you are, it is taken at face value. The verifier (the nightclub) doesn’t initiate a call to the road authority/passport office to check the ID’s validity. This is transferred into the digital sphere with your SSI credential.

The further advantages of such an approach include:

• Speed: verification/validation happens in real time.
• Security: the issued credential is digital and secured cryptographically. It can be verified offline as well.
• Convenience for a smart generation: digital natives will gravitate toward such an offering that doesn’t require the presentation of physical elements.

Efficiency: governments and other bodies can save operational costs through digitalization, boosting eGovernment initiatives, etc.

3. The rise of the VC

Let’s talk about verifiable credentials (VCs, in this context). VCs are credentials that hold the identity attributes of a person, similar to an ID card today. They are provided by the issuer. With the strong backing of the security and developer communities, standards for VC creation and verification are available (and increasingly being adopted) through the work of the Worldwide Web Consortium (W3C) and the Decentralized Identity Foundation (DIF). This creates an environment that is perfect for interoperability, which can be created even without blockchain. Recent advances in areas such as distributed networks and cloud computing have enabled the use and adoption of VCs that are purely digital. These can be stored electronically on a mobile device or in any smart wallet.

4. Control your data

In the current scenario, physical documents contain too much information, much more than is actually required for the action for which they are presented. Consider the use case of renting a car: the rental company demands your license, which has all your information on it, including where you live, your age, etc. However, all the rental company really requires is proof that you’re legally allowed to drive. There is clearly a mismatch here between the information required and the information presented.

SSI solves this issue, because it has been designed with certain things in mind, such as “selective disclosure.” This is a very important part of SSI. It enables the holder of a VC to present only selected claims of that credential. Take the use case of car rentals above: the rental company only needs to know that you are licensed to drive. It doesn’t need to know where you live, but that information is on your physical license. With SSI, that personal information is never presented.

5. Zero-knowledge proof (ZKP)

Think of this as a logical extension, even an intensification, of the way privacy is built into SSI. It simply answers the question that is asked by the verifier, without furnishing further details. To stay with the car rental example above: the company will want to know if you’re old enough to drive in that particular country. With ZKP, the answer will be yes or no. Your age is never revealed.

6. Sidestep data mining

With the centralized architecture of current identity ecosystems, there is a trade-off between convenience and data privacy. They are all based on “centralism,” which is to say, your information is stored with a central entity, which claims to identify you on your behalf. The verifier asks a third-party site, which knows a great deal about you, to establish who you are.

If it wants, a provider can dig deep into your data and profile you very completely. SSI gives you the option of sidestepping data miners, since it is designed with decentralization in mind. SSI is meant to radically inhibit intrusions into one’s digital life.

7. SSI can replace physical passwords

Physical passwords are cumbersome, inconvenient to remember, and non-secure if used again and again. SSI in its current specification addresses these issues.

You may see a number of identities in your wallet to begin with, as every service you use creates an access credential. However, the architecture of SSI helps in two ways:

• Decentralization allows for higher access code protection, as data isn’t exposed to a single source of failure.
• Being “smart,” the wallet helps you find the VC that is requested for the particular service.

Due to these factors, login and registration will converge over time, as identification and authentication will be handled in one convenient workflow.

8. SSI is intrinsic to digital sovereignty

In the European Union, among other jurisdictions, “digital sovereignty” has been identified as a key area of focus. Not only do individuals need to regain control over their data; the concentration of private data in the hands of a few players (private or otherwise) is a cause for concern, and must be actively mitigated.¹ 

SSI is designed to give that sovereignty back. It helps create a strong open-source community, acting in highly standardized ways, that allow for interoperability with governmental, civil, and commercial needs.

9. Is there enough trust in the trust triangle?

We’ve seen all the wonderful aspects of the SSI specifications in the market. However, there are still some interesting challenges in designing trust into the SSI ecosystem. It starts with the proper integration of a trust anchor such as the “core identity,” which is required in order to make the SSI ecosystem commercially relevant. Several government-funded projects are currently working on solutions to how core identity issuance might work in a digital age. G+D is part of that movement.

10. Verification vs. validation

Another challenge pertains to how trust can be designed into the relationship among the actors in the triangle. While SSI is brilliant when it comes to verification of the credential, there are still some drawbacks to SSI’s role in validation, which addresses the key issue of whether the credential was issued in the right way to the right person. Certain aspects, such as convenient credential binding, are still missing. These interesting challenges lie ahead of us.

11. Current hurdles to adoption

• Early-stage technology remains an issue. There could be a perception that the tech has not yet been stress-tested in “real world” conditions.
• Fear of high transformation costs. Since the field is quite new, decision-makers may balk at the price of making the switch. This is both in terms of initial investment and in operational costs down the line that may be hard to predict.

In a fast-changing scenario like this, partnerships that provide guidance and expertise are critical. Among other things, G+D’s in-house team is working to provide solutions to questions that still are of interest in the SSI world, such as the central issue of core identity issuance in the digital age. What is clear is that SSI has the potential to transform how we view identity in our increasingly digital world.

Published: 30/01/2024