
What is Self-Sovereign Identity (SSI)?


Self-Sovereign Identity (SSI) empowers users by giving them control over their digital identities, enhancing data privacy. Digital identity has evolved from service-centric to federated, and now to user-centric models, each with limitations. Current centralized systems still pose privacy risks and single points of failure.

SSI, guided by ten principles proposed by Christopher Allen, aims to ensure user control and security. While challenges like managing multiple identities persist, and a complete SSI ecosystem is not yet in place, continued innovation and collaboration, especially with blockchain technology, offer a promising path toward true digital identity ownership.

 

TL;DR

 

  • Control over digital identity empowers users: SSI gives users control over their digital identities, enhancing data privacy.

  • Evolution of digital identity: Digital identity has evolved through service-centric, federated, and user-centric phases, each with its own limitations and control issues.

  • Current centralized identity challenges: User-centric identities, while better than previous models, are still controlled by major service providers, leading to data privacy concerns and single points of failure.

  • SSI principles prioritize user control: The ten principles of SSI, proposed by Christopher Allen in 2016, aim to ensure users have complete authority over their identities, focusing on existence, control, access, transparency, persistence, portability, interoperability, consent, minimalization, and protection.

  • SSI's potential for a secure digital future: SSI offers a promising solution for a secure, privacy-conscious internet by enabling user control and transparency.

  • Challenges and future directions: There is no complete SSI ecosystem today, and challenges like managing multiple digital identities persist. Continued innovation and collaboration are necessary, and exploring decentralized identity through blockchain technology could support SSI implementation.

  • How might we enable true digital identity ownership for users?: Achieving a digital environment where users fully own and control their identities requires further advancements in technology and adherence to SSI principles.

 

Self-Sovereign Identity has evolved over three phases

Origins of Self-Sovereign Identity - 3 Phases

 

The idea behind self-sovereign identities originated sometime in the early 2010s and gained wide traction after it was introduced in a post in 2016 by Christopher Allen*. In the post, which is recommended reading in full if you have a genuine interest in the topic, Allen describes the gradual evolution of identity on the Internet and why he thinks it needs to evolve to the next stage of Self-Sovereignty.

We have adjusted the names of the phases in this text to what we think better signify the main themes during the periods.

 

Phase 1: Service-Centric Digital Identity

 

When the Internet began in the 1980-90s, centralized organizations became the issuers and authenticators of digital identity, starting with the core infrastructure identity components of IP addresses and domain names. As the Internet grew, the organizations controlling these digital identity systems created hierarchies that gave more flexibility, but centralized control was maintained.

Also, users had to create unique digital identities for each site they interacted with, digital identities that the sites themselves controlled. This system is still basically how the Internet works today, but since its inception there have been attempts to move control of digital identity back to users. The first step to do this was federation.

 

Phase 2: Federated Digital Identity

 

Around 2000, several businesses launched initiatives with the purpose of letting a user create a digital identity with one service provider, and then reuse it across multiple sites - federated identity management. The advantage was that user experience was simplified vs the previous site-by-site system, but the control of the digital identity was kept with the service providers.

This type of digital identity system was initiated by Microsoft, which at the time had a very dominant market position, which would have been further entrenched if it also controlled digital identities. This phase did not create a significant impact in terms of user adoption, but was a precondition for the later technologies which were developed partly to counter the limitations of this model.

 

User-Centric Digital Identity

Phase 3: User-Centric Digital Identity ambitions (de facto leading to a centralized identity paradigm)

 

In the early 2000s, several different collaborative initiatives were launched with the explicit purpose of moving control of digital identities back to users, and building a user-centric identity model. This movement resulted in several technology standards being launched, starting with OpenID (2005) and leading to OAuth (2010), FIDO (2013) and OpenID Connect (2014).

The two purposes of these technical standards were user consent and interoperability, allowing users to share digital identities between services. The original intent was thus to create a decentralized digital identity system.

However, ownership of user-centric identities remained with the services that first registered them, and they gained widest traction with the global ad giants who federated their own login systems, in effect creating an oligopoly of centralized digital identities with the companies managing these systems in control. 

If you’re using e.g. your Google or Facebook account on other services, you are thus reaping some of the benefit of these technical standards, but you are also subject to collection of metadata on your Internet usage by these digital identity providers. In addition, you’re creating a single point of failure for your different digital identity interactions and if you’re shut out of or lose control of the service, you lose access to all the sites that you access through this service provider identity. 

 

The 10 principles of Self Sovereign Identity (SSI)

 

Christopher Allen's 2016 proposal for SSI outlined ten principles to ensure users have complete control over their identities:

  1. Existence: Digital identities must correspond to real individuals.
  2. Control: Users must be the ultimate authority over their identities.
  3. Access: Users must have access to their own data.
  4. Transparency: Systems and algorithms must be transparent.
  5. Persistence: Identities should last as long as the user wishes.
  6. Portability: Identity information must be transportable.
  7. Interoperability: Identities should work globally across various services.
  8. Consent: Users must consent to the use of their identity data.
  9. Minimalization: Only necessary data should be disclosed.
  10. Protection: The rights of users must be protected, prioritizing users over the network.

 

Where do we go from here?

 

The Self-Sovereign Identity model offers a promising solution to the challenges posed by our current digital identity landscape. By empowering users with control over their identity and ensuring transparency, portability, and protection, SSI can pave the way for a more secure and privacy-conscious internet.

However, there is no established ecosystem today that adheres to all SSI principles, and there is a continuing dialogue as to whether they can be enacted in practice. There is definitely more work to be done before we can achieve a digital environment where users can truly own and control their identities.

For example, the principles of SSI do not take into consideration the problem of creating multiple digital identities, which will become a real and practical problem for any identity management system.

Also, SSI is just a set of principles, and there is a need for guidelines on how to implement them in practice. Here, the concept of Decentralized Identity, based on blockchain technology, is an interesting extension of SSI that could assist. If you are interested in exploring what Decentralized Identity can add, you can read more about that in this blog post.

Conclusion

The journey toward fully self-sovereign digital identities is ongoing. While significant progress has been made, achieving a digital environment where users truly own and control their identities requires continued innovation and collaboration. For further insights, explore the concept of Decentralized Identity and its potential contributions to SSI.

 

References

 

Allen, C. (2016, April). Life with alacrity. Retrieved May 4, 2023, from http://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html
