In our journey toward a digital economy, we increasingly rely on digital identities. However, most identities are stored in centralized repositories that are inefficient, provide poor user experience and present a juicy target for attackers. Blockchain technology is being praised for its potential to reduce inefficiencies and address cost- and security-related friction in a wide range of application areas, and digital identity management represents a key potential application of blockchain.

The 451 Take
Digital identity solutions have evolved from a centralized approach toward a self-sovereign approach (with federated and user-centric approaches in between). Particularly for consumer-facing use cases, any aspiring identity management solution will need to strike a balance between user control and autonomy, fairness, transparency, flexibility, and security. Blockchain will likely be a key component of such a future, although the blockchain-based digital identity market is currently fragmented, with consortia and startups offering different solutions. We provide a few notable examples in this report.

Context
When the internet was designed and built, its protocol stack (the seven-layer OSI model) didn't include a native identity layer. Being able to reach any person from any location was a major advance, but it also meant that anybody can appear to be anyone, and we are still dealing with the fallout in the form of spam and fake news. And while HTTPS helps secure packets in transit, businesses and government agencies have relied on internal databases to manage the identities of people and devices. When we access and use services online, for example, we typically identify ourselves through usernames and passwords, which are stored in a variety of password repositories scattered across numerous organizations and applications. These centralized and siloed systems are inefficient, prone to fraud and breaches, and, at the very least, provide a poor user experience.

We undoubtedly spend a lot of time creating and managing usernames and passwords, which are increasingly an unsafe way to protect our identities online. Additionally, we have little to no control over our own personal data. This is also true with cloud applications: Most SaaS applications have their own directory system and repository of user data, so if a user or company is using 50 different SaaS applications, which is not uncommon, the user's identity data and attributes are scattered across those applications. This is something that identity-as-a-service (IDaaS) vendors like Okta, OneLogin and Ping Identity have tried to help solve in recent years.

With the increasing sophistication of cyberattacks and severity of data breaches, regulations regarding how to manage digital identities and user access are also becoming more stringent and prescriptive. For example, the EU's new General Data Protection Regulation (GDPR), which will come into force on May 25, can mean hefty fines for those that don't take the necessary measures to protect the personal data of citizens of the EU.

From centralized to self-sovereign identity
Most identity repositories today are centralized – they are owned and controlled by a single entity and score low on user control and portability. Although new concepts have emerged with improved levels of user control and portability, such as federated identity (the ability to apply single sign-on across organizational domains) and user-centric identity (Facebook Connect or OpenID), none of these approaches solves the problems of centralization or presents true user control and autonomy.

While the concept of self-sovereign identity has been around for a few years now, there is no consensus about what self-sovereign identity should look like in practice. Several identity and security experts have been wrapping their heads around what self-sovereign identity means, and a number of startups have started to develop different approaches and solutions.

Identity and access management (IAM) vendors that offer solutions for managing the digital identities of consumers in addition to traditional employees can be grouped into a new category, known as customer identity and access management (CIAM). Managing identity for end consumers presents new challenges for IAM vendors, including scale (millions of potential consumers versus thousands of employees), pricing, user experience and privacy. Vendors in this new category include Gigya (acquired by SAP), Janrain, ForgeRock, UnboundID (acquired by Ping), Stormpath (acquired by Okta) and Auth0. Most of these vendors offer some combination of authentication, social login, self-service account management, user preference management and extreme scalability, but few offer decentralized identity stores.

We believe that self-sovereign identity should have user autonomy, control and protection at its heart, and solutions should be built with a set of key principles in mind, which we present below:

  • Cogito ergo sum: Users should be at the heart of identity and have full ownership over it. Identity should be an established right that can't be turned off or taken away.
  • Continuity: Identities should be continuous, be persistent and last for as long as the user wishes.
  • Control: Users should have access to their data and full control over what part of their identity is revealed, as well as when, how and to whom. Sharing of identity data should only occur with the consent of the user. Disclosure of identity data should involve only the amount necessary to accomplish the task in question.
  • Mutability: Users should be able to add or update identity attributes, since those may change over time.
  • Portability: Identity data should be portable and as widely shareable and usable as possible.
  • Security: The identity system should be fault tolerant and resistant to external attack.
  • Transparency: The system that operates the network should be open and transparent. Authorized parties should be able to access data, and users should be aware of claims associated with their identities (who accessed what data and when).
  • Trust: Trust should be intrinsic, and therefore encoded in the system. Digital identity should enable trusted interactions between individuals, businesses and institutions.

Blockchain
We don't think that blockchain is the universal solution to the identity problem; however, it certainly provides a missing link by allowing people and organizations to prove things about themselves online, as they do offline, using decentralized and verifiable identifiers. Identity-related information can be looked up (verified) without involving a central directory or paper-based document. Additionally, the identity owner does not need to overshare, and the recipient does not have to store unnecessary sensitive data.

When a Facebook account is used to log into a service, the personal data is requested from and collected from a Facebook server. In an identity system using blockchain technology, the same request would instead go to a trusted endpoint such as the user's smartphone, with the identity owner exercising full control over what data is shared.

A self-sovereign digital identity would replace paper-based documents and hold all sorts of information about an individual or a business (passport information, driver's license, social security number, medical records and social media credentials, among other data), using a single key that is stored on a blockchain. This would enable users to keep their information private and share a public key generated on the blockchain that can verify their identity. In other words, the identity data itself (e.g., home address or date of birth) is stored off-chain at trusted endpoints, and the blockchain is used to validate the identity attributes with cryptographic proofs. Additionally, all transactions are recorded on the blockchain. A blockchain-based identity system can be used for all sorts of online services, including public ones such as electronic voting. It also has the potential to address both consumer and business requirements by providing convenience, a simpler and better user experience, greater control over personal data, improved protection of privacy, reduced risk and cost of data breaches, prompt auditing, and more efficient compliance.

Examples of blockchain-based and decentralized approaches
Blockcerts is an open standard for issuing and verifying credentials on a blockchain, developed by Learning Machine and the MIT Media Lab with self-sovereign digital identity in mind. It uses the Bitcoin blockchain to ensure that credentials are authentic and valid; however, according to its creators, other blockchains could be included, too. Blockcerts follows a claim-based approach where individuals and organizations can use multiple digital identities (e.g., Facebook account, decentralized identifier, etc.) and prove ownership through public/private key cryptography. The Decentralized Identity Foundation was formed in 2017 to develop a common approach to decentralized identity. Members include Accenture, Blockstack, Hyperledger, IBM, Iota, R3 and Tierion. They have identified the technical components that are required to meet user needs and enable interoperability between decentralized identity systems.

The Dubai Government is working on a city-wide blockchain pilot with IBM and ConsenSys in an effort to become a blockchain-powered government. Proofs of concept in plan include streamlining ID verification to reduce business registration times, and digitizing and tracking citizens' health records, wills and contracts, among other assets.

Estonia, possibly the most digital nation in the world, operates a national digital identity scheme leveraging blockchain technology from Guardtime. All government data about individuals is stored on a distributed ledger that individuals control and use for different services. All databases (education, healthcare, tax, police, etc.) are digitally linked on the X-Road data-exchange platform. Estonians can, for example, log into their medical records using their digital IDs, and see which medical professionals have done the same and when. The system consists of an existing database that can be accessed by licensed healthcare professionals and citizens via the national eID card. When a record is accessed or altered, the activity is logged into the blockchain, a 'keyless signature' (time stamp) is returned and stored with the record, and the blockchain verifies who made the changes.

Estonia has also launched an e-Residency program that allows anyone in the world to apply for a transnational digital identity, which can be used for establishing and running a location-independent company, signing contracts and documents digitally, accessing banking and other business services, and accepting payments.

HYPR is an authentication platform provider that aims to decentralize users' authentication data by moving the information out of identity repositories and to their personal devices. By decentralizing user authentication data, enterprises make it nearly impossible for hackers to access sensitive user information via a single point of attack. HYPR essentially functions as middleware, and allows enterprises to choose their own authenticators or biometrics to authenticate users, such as fingerprint ID or facial recognition.

California-based Ohanae has been around since 2007 and provides security for file sync and share (FSS). It is also a member of Salesforce's AppExchange Partner Program. The company is now developing a decentralized identity platform called TrustChain (based on self-sovereign principles) and leveraging Quorum, an enterprise-grade version of Ethereum developed by JPMorgan. The TrustChain network, as envisioned by the Ohanae team, will be governed by a board of trustees that will approve the validators (financial institutions, healthcare providers, telcos and governments) that run the nodes of the distributed ledger. This governance model is very similar to what Sovrin is proposing (see below). The company has plans to raise money through an ICO to back up its efforts. The new utility token, Ohana, is meant to be the preferred payment method for Ohanae's TrustChain-based services.

ShoCard created an identity management application using public/private key encryption and data hashing. Besides the scanned and signed identity card, the data also includes biometrics. Through ShoCard's application, people can carry and manage their identity data on their mobile devices, and determine what details to share (e.g., if someone only needs to prove that they are not a minor, why would they share their name and citizenship?). ShoCard hashes ID attributes into Bitcoin's blockchain. It uses a blockchain so that third parties can verify, via cryptographic operations, that the original data has not been changed or manipulated.
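The pattern ShoCard describes (hashing identity attributes into the blockchain so that a third party can verify they are unchanged, while the holder discloses only what a given check needs) and the off-chain data / on-chain proof split outlined in the Blockchain section above can be illustrated as follows. This is an added example, not ShoCard's or any vendor's code: each attribute is salted and hashed into a Merkle tree, only the root is anchored on a ledger (here an in-memory dict standing in for the blockchain), and the holder presents one attribute with its Merkle path. The identity id, attribute values and salts are constructed.

```python
import hashlib
import secrets
# Constructed sample record and an in-memory stand-in for the ledger (illustrative only).
ATTRIBUTES = {"name": "Alex Example", "citizenship": "EE",
              "over_18": "true", "date_of_birth": "1990-01-01"}
LEDGER = {}  # identity id -> anchored Merkle root; the only data that goes "on-chain"

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(key: str, value: str, salt: bytes) -> bytes:
    # A per-attribute salt stops a verifier from guessing low-entropy values (e.g. over_18).
    return _h(salt + key.encode() + b"=" + value.encode())

def commit_attributes(attrs: dict, salts: dict = None) -> tuple:
    """Issuer side: salt and hash every attribute; only the returned root is anchored."""
    salts = salts or {k: secrets.token_bytes(16) for k in attrs}
    leaves = [leaf_hash(k, v, salts[k]) for k, v in attrs.items()]
    level = leaves
    while len(level) > 1:
        level = level + [level[-1]] if len(level) % 2 else level  # duplicate last node when odd
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], salts, leaves  # attributes and salts stay off-chain with the holder

def merkle_proof(leaves: list, index: int) -> list:
    """Holder side: sibling hashes from one leaf to the root (flag = sibling on the right)."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        level = level + [level[-1]] if len(level) % 2 else level  # same padding as the issuer
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return proof

def verify_disclosure(identity_id: str, key: str, value: str, salt: bytes, proof: list) -> bool:
    """Verifier side: rebuild the root from one disclosed attribute and compare with the ledger."""
    node = leaf_hash(key, value, salt)
    for sibling, on_right in proof:
        node = _h(node + sibling) if on_right else _h(sibling + node)
    return LEDGER.get(identity_id) == node  # undisclosed attributes are never sent

def demo() -> tuple:
    root, salts, leaves = commit_attributes(ATTRIBUTES)
    LEDGER["did:example:alex"] = root  # issuer anchors the commitment (constructed id)
    proof = merkle_proof(leaves, list(ATTRIBUTES).index("over_18"))  # holder reveals one attribute
    ok = verify_disclosure("did:example:alex", "over_18", "true", salts["over_18"], proof)
    tampered = verify_disclosure("did:example:alex", "over_18", "false", salts["over_18"], proof)
    return ok, tampered  # (True, False)
```

The verifier learns only that the disclosed attribute matches what the issuer committed to; the name, citizenship and date of birth never leave the holder's device.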

Nonprofit Sovrin Foundation has launched a decentralized self-sovereign identity network that operates as a mix of governance and technological innovation. The network is open and public in the sense that anyone or anything (people, organizations and things) can get a Sovrin identity, and is permissioned because only known, trusted and vetted entities (called 'stewards') can run the validating nodes of the network that are spread around the globe. Stewards need to be approved by the board of trustees (representatives of Sovrin identity owners) and enter into a contractual relationship with the Sovrin Foundation.

Sovrin uses the open source Plenum Byzantine Fault Tolerant protocol (developed by Evernym) to reach consensus among the nodes. It works with decentralized identifiers that break an identity into components and uses zero-knowledge proof cryptography to give identity owners control over when and how their digital identities are deployed. Private data is stored off-ledger, and only public data is kept on the Sovrin ledger.

Csilla Zsigri
Senior Analyst, Cloud Transformation & Blockchain

Csilla Zsigri is a Senior Analyst for 451 Research’s Cloud Transformation channel. Csilla also works on custom research, providing strategic guidance, as well as market and competitive intelligence, to technology vendors, service providers and enterprises.

Garrett Bekker
Principal Security Analyst

Garrett Bekker is a Principal Analyst in the Information Security Practice. He brings a unique and diverse background, having viewed enterprise security from a variety of perspectives over the past 16 years. Garrett spent over 10 years as an equity research analyst at several investment banking firms, including Merrill Lynch, where he was the lead enterprise security analyst, in addition to covering infrastructure software and networking companies.

Keith Dawson
Principal Analyst

Keith Dawson is a principal analyst in 451 Research's Customer Experience & Commerce practice, primarily covering marketing technology. Keith has been covering the intersection of communications and enterprise software for 25 years, mainly looking at how to influence and optimize the customer experience.
