Digital Identity | 11 min

Self-Sovereign Identity - What is it?


As the digital world continues to evolve, so does our understanding of and approach to digital identity and identity management. Whether you need to verify the identity of internet users or use digital signatures, you need to decide which identity model to start from. In a world where data privacy is increasingly important, Self-Sovereign Identity (SSI) is emerging as a powerful framework that aims to give users control over their digital identity. The concept is also central to discussions about digital identity wallets and about using blockchain technology for digital identities. In this blog post, we discuss the history and evolution of digital identity and identity management on the internet, and explore the principles of Self-Sovereign Identity (SSI).

 

Self-Sovereign Identity has evolved over three phases

Origins of Self-Sovereign Identity - 3 Phases

 

The idea behind self-sovereign identities originates sometime in the early 2010s and gained wide traction after it was introduced in a blog post in 2016 by Christopher Allen*. In the post, which is recommended reading in full if you have a genuine interest in the topic, Allen describes the gradual evolution of identity on the Internet and why he thinks it needs to evolve to the next stage of Self-Sovereignty. We have adjusted the names of the phases in this text to what we think better signifies the main themes of each period.

 

Phase 1: Service-Centric Digital Identity

 

When the Internet began in the 1980-90s, centralized organizations became the issuers and authenticators of digital identity, starting with the core infrastructure identity components of IP addresses and domain names. As the Internet grew, the organizations controlling these digital identity systems created hierarchies that gave more flexibility, but centralized control was maintained.

Also, users had to create a separate digital identity for each site they interacted with, and those identities were controlled by the sites themselves. This is still basically how the Internet works today, but since its inception there have been attempts to move control of digital identity back to users. The first step in this direction was federation.

 

Phase 2: Federated Digital Identity

 

Around 2000, several businesses launched initiatives with the purpose of letting a user create a digital identity with one service provider and then reuse it across multiple sites: federated identity management. The advantage was a simpler user experience compared with the previous site-by-site system, but control of the digital identity remained with the service providers.

This type of digital identity system was initiated by Microsoft, which at the time had a very dominant market position that would have been further entrenched had it also controlled digital identities. This phase did not create a significant impact in terms of user adoption, but it was a precondition for the later technologies, which were developed partly to counter the limitations of this model.

 


Phase 3: User-Centric Digital Identity ambitions (de facto leading to a centralized identity paradigm)

 

In the early 2000s, several different collaborative initiatives were launched with the explicit purpose of moving control of digital identities back to users and building a user-centric identity model. This movement resulted in several technology standards, starting with OpenID (2005) and leading to OAuth (2010), FIDO (2013) and OpenID Connect (2014).

The two purposes of these technical standards were user consent and interoperability, allowing users to share digital identities between services; the original intention was thus to create a decentralized digital identity system. However, ownership of user-centric identities remained with the services that first registered them, and the standards gained the widest traction with the global advertising giants, who federated their own login systems. The effect was an oligopoly of centralized digital identities, with the companies managing these systems in control.

If you use, for example, your Google or Facebook account to log in to other services, you are reaping some of the benefit of these technical standards, but you are also subject to the collection of metadata about your Internet usage by these digital identity providers. In addition, you are creating a single point of failure for your different digital identity interactions: if you are shut out of, or lose control of, the provider account, you lose access to every site that you reach through that identity.

 

The 10 principles of Self Sovereign Identity (SSI)

 

To solve the problems created by User-Centric Identity frameworks, Allen proposed a next phase that he described as Self-Sovereign Identity (SSI), using a term that had started to become popular among the experts in the field. He formulated 10 principles that such a self-sovereign identity system should work towards. These principles were technology-neutral in themselves and described, on a philosophical level, how to reach a desired state where people really would have complete control over their identity. Allen has since focused on digital identity work using blockchain technology.

Ideologically, the principles are broadly aligned with a libertarian ideal, where individuals should be given freedom and personal autonomy and where the state is seen as an agent that can abuse its power and rob them of their rights by taking away or controlling their identity data, and digital identities. Still, the principles allow for states to act within the system as verifying entities of identities, and they are not explicitly anti-government. In summary, the principles are:

  1. Existence. Users must have an independent existence. Digital identities must always point towards a real individual and not exist in purely digital form.
  2. Control. Users must control their identities. The user must be the ultimate authority on their own identity and decide which parts of the identity to reveal and which to hide.
  3. Access. Users must have access to their own data. A user must be able to retrieve all the data within the identity pertaining to them. This does not mean that the user can modify all claims, but the user must be able to access them.
  4. Transparency. Systems and algorithms must be transparent. Anyone should be able to examine how they work.
  5. Persistence. Identities must be long-lived. Identities should last for as long as the user wishes, and ideally forever. This, however, must not contradict the right to be forgotten.
  6. Portability. Information and services about identity must be transportable. The user must remain in control of their own identity even if a third party that holds aspects of it disappears.
  7. Interoperability. Identities should be as widely usable as possible. This requires them to work globally, across segments and service providers.
  8. Consent. Users must agree to the use of their identity. Sharing of identity data and identity attributes must only occur with the consent of the user, and claims made by others can only be shared validly after the user has given consent.
  9. Minimalization. Disclosure of claims must be minimized. Only the data needed to accomplish a task should be shared, and no more.
  10. Protection. The rights of users must be protected. If there is a conflict between the needs of the identity network and the rights of individual users, the network should err on the side of the users.
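To make the Control, Consent and Minimalization principles concrete, here is a small added example (written for this post, not code from Allen's article or from any SSI project) of selective disclosure: an issuer commits to each claim with a separate salted hash, the holder keeps the salts and values, and releases only the claims a verifier asks for and the holder has consented to. The verifier can still check every disclosed claim against the issuer's commitment without seeing the rest. The issuer identifier, the claim names, and the HMAC standing in for a real issuer signature are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets


def _claim_digest(salt: str, name: str, value) -> str:
    """Salted commitment to one claim; the salt stops a verifier guessing
    undisclosed values (e.g. a birth year) by brute force."""
    material = json.dumps([salt, name, value], sort_keys=True).encode()
    return hashlib.sha256(material).hexdigest()


def issue_credential(claims: dict, issuer_key: bytes) -> tuple[dict, dict]:
    """Issuer side. Returns (credential, disclosures).

    The credential carries only the sorted claim digests plus an HMAC over
    them (assumption: a stand-in for a real issuer signature). The
    disclosures (salt, value per claim) are handed to the holder and never
    leave the holder's wallet unless the holder chooses to release them.
    """
    disclosures = {}
    digests = []
    for name, value in claims.items():
        salt = secrets.token_hex(16)
        disclosures[name] = (salt, value)
        digests.append(_claim_digest(salt, name, value))
    digests.sort()  # order carries no information about which claim is which
    credential = {
        "issuer": "did:example:issuer",  # assumed identifier for the example
        "claim_digests": digests,
        "mac": hmac.new(issuer_key, json.dumps(digests).encode(), "sha256").hexdigest(),
    }
    return credential, disclosures


def build_presentation(credential: dict, disclosures: dict,
                       requested: set, consented: set) -> dict:
    """Holder side (Control + Consent + Minimalization).

    Only claims that are both requested by the verifier and explicitly
    consented to by the holder are released; a request that exceeds the
    holder's consent is refused outright instead of being partially honoured.
    """
    unknown = requested - disclosures.keys()
    if unknown:
        raise KeyError(f"credential has no claim(s) {sorted(unknown)}")
    refused = requested - consented
    if refused:
        raise PermissionError(f"holder did not consent to release {sorted(refused)}")
    return {
        "credential": credential,
        "disclosed": {name: disclosures[name] for name in requested},
    }


def verify_presentation(presentation: dict, issuer_key: bytes) -> dict:
    """Verifier side. Checks the issuer MAC and that each disclosed claim
    matches one of the committed digests. Returns only the verified claims;
    the verifier learns nothing about claims that were not disclosed."""
    cred = presentation["credential"]
    expected_mac = hmac.new(issuer_key, json.dumps(cred["claim_digests"]).encode(),
                            "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, cred["mac"]):
        raise ValueError("issuer commitment has been altered")
    committed = set(cred["claim_digests"])
    verified = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _claim_digest(salt, name, value) not in committed:
            raise ValueError(f"disclosed claim {name!r} does not match issuer commitment")
        verified[name] = value
    return verified


if __name__ == "__main__":
    # Constructed sample claims for the example.
    key = secrets.token_bytes(32)
    cred, held = issue_credential(
        {"name": "Alice Example", "birth_year": 1990, "member": True}, key)
    # A service only needs to know membership status; the holder agrees to that and nothing more.
    pres = build_presentation(cred, held, requested={"member"}, consented={"member"})
    print(verify_presentation(pres, key))  # {'member': True}
```

Note that the verifier here learns one fact and one fact only; the holder's name and birth year stay in the wallet, which is the Minimalization principle in practice. A request for a claim the holder has not consented to fails before anything is released, rather than leaking the consented subset alongside an error.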

 

Where do we go from here?

 

The Self-Sovereign Identity model offers a promising solution to the challenges posed by our current digital identity landscape. By empowering users with control over their identity and ensuring transparency, portability, and protection, SSI can pave the way for a more secure and privacy-conscious internet.

However, there is no established ecosystem today that adheres to all SSI principles, and there is an ongoing debate as to whether they can be put into practice at all. There is definitely more work to be done before we can achieve a digital environment where the user's identity is truly owned and controlled by the user. For example, the principles of SSI do not take into consideration the problem of a person creating multiple digital identities, which will become a real and practical problem for any identity management system.

Also, SSI is just a set of principles, and there is a need for guidelines on how to implement them in practice. Here, the concept of Decentralized Identity, based on blockchain technology, is an interesting extension of SSI that could assist. If you are interested in exploring what Decentralized Identity can add, you can read more about that in this blog post.

 

References

 

* Allen, C. (2016, April). The path to self-sovereign identity. Life with Alacrity. Retrieved May 4, 2023, from http://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html