Decentralized Identity and Access Management (IAM) can be seen as an application of distributed ledger technology (DLT) that puts users in control of their own identities: an identity wallet collects verified claims about the user from trusted issuers and presents them when a service asks. Combine this with multi-factor authentication based on biometrics such as retinal scanning, facial recognition or fingerprint imaging, and the identity checks of childhood sci-fi movies start to look achievable. Security has been in the spotlight since the pandemic, as remote working expanded the attack surface considerably. Identity systems are under sustained attack through credential theft and misuse, over-privileged accounts and misconfigured access policies. Spending on cybersecurity has risen accordingly and will most likely stay high as security teams adopt new products and mechanisms to protect networks, cloud infrastructure, IoT devices, and user identities and their access across enterprise systems.
The push towards decentralization has led to Web 3.0, a third generation of the internet intended to give users ownership of, and power over, their data and identity online. Blockchains offer a decentralized architecture that removes the intermediaries of today's centralized client-server model, and decentralized identity is a crucial part of that shift. Alongside blockchains, Web 3.0 draws on the InterPlanetary File System (IPFS), a content-addressed peer-to-peer storage layer, and on crypto wallets that hold the keys and credentials behind a user-controlled identity. Used together, Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) create secure, authenticated and trustworthy peer-to-peer connections without any centralized intermediary.
“What makes you weak helps you realize your true strength” may read like a motivational quote, but the point applies here: to appreciate the full potential of decentralized identity, one must first understand the weaknesses of existing digital identity management systems.
Today's PKI, built on X.509 digital certificates, addresses many of these challenges, but it depends on a certificate authority (CA) that holds the root of trust. What if the CA is compromised? Every certificate chaining to it becomes suspect at once. That single point of trust is exactly what decentralized IAM sets out to remove.
The internet was designed without an identity layer; identity was simply not part of its original architecture. With sophisticated attacks such as ransomware and botnets now commonplace, protecting user identities and data online, without a single point of failure, has become essential. Decentralized IAM follows the Self-Sovereign Identity (SSI) principle, which rests on the paired use of DIDs and VCs. A Decentralized Identifier is a URI of the form did:method:identifier that resolves, through a verifiable data registry such as a blockchain, to a DID document holding the subject's public keys and service endpoints; the DID document itself should contain no personal data. A Verifiable Credential is a tamper-evident set of claims about a subject, represented in a secure, private and machine-verifiable format made up of credential metadata and a digital proof (signature) from the issuer. Combined, DIDs and VCs build trust within the SSI framework and mitigate most of these challenges. In effect this is a PKI without a central dependency: the issuer signs the credential with a key published in its DID document; the holder keeps it in a wallet and, when a verifier asks, presents it wrapped in a presentation signed with the holder's own key and bound to the verifier's challenge; the verifier resolves both DIDs, fetches the public keys and checks both signatures, so the holder's identity and data remain under the holder's control throughout. The flow diagram below illustrates the workflow of a Decentralized IAM.
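The issue, present and verify exchange described above, as an added example that is not part of the original page and is not HSC's or GSMA's code. It uses only Go's standard-library Ed25519 and JSON packages. The did:example identifiers, the sample claims, the in-memory Registry that stands in for DID resolution, the plain-JSON credential and presentation layouts, and the fixed challenge string are all assumptions made for this example; the W3C Verifiable Credentials data model and real DID methods add metadata, proof suites and revocation that are left out here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Registry stands in for a verifiable data registry (hypothetical, in memory): resolving a DID yields
// the public key its DID document publishes. Real DID documents also list services and hold no PII.
type Registry map[string]ed25519.PublicKey

// Credential is a simplified Verifiable Credential: issuer-signed claims about a subject.
type Credential struct {
	Issuer  string            `json:"issuer"`
	Subject string            `json:"subject"`
	Claims  map[string]string `json:"claims"`
	Proof   string            `json:"proof"` // base64 Ed25519 signature over the JSON with Proof empty
}

// Presentation wraps a credential, binds it to the verifier's challenge and is signed by the holder.
type Presentation struct {
	Holder     string     `json:"holder"`
	Credential Credential `json:"credential"`
	Challenge  string     `json:"challenge"`
	Proof      string     `json:"proof"`
}

// payload is the byte string that gets signed; json.Marshal is deterministic here (ordered struct
// fields, sorted map keys) and cannot fail for these plain types, so signer and verifier agree.
func payload(v interface{}) []byte {
	b, _ := json.Marshal(v)
	return b
}

func sign(key ed25519.PrivateKey, msg []byte) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(key, msg))
}

// verify resolves did through the registry and checks proof over msg with the published key.
func verify(reg Registry, did string, msg []byte, proof string) error {
	pub, ok := reg[did]
	if !ok {
		return fmt.Errorf("cannot resolve %s", did)
	}
	sig, err := base64.StdEncoding.DecodeString(proof)
	if err != nil || !ed25519.Verify(pub, msg, sig) {
		return fmt.Errorf("signature by %s does not verify", did)
	}
	return nil
}

// NewIdentity generates a key pair for did and publishes the public key to the registry.
func NewIdentity(reg Registry, did string) ed25519.PrivateKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if the system RNG does
	reg[did] = pub
	return priv
}

// IssueCredential is the issuer's step: sign the claims with the issuer's DID key.
func IssueCredential(issuer string, key ed25519.PrivateKey, subject string, claims map[string]string) Credential {
	c := Credential{Issuer: issuer, Subject: subject, Claims: claims}
	c.Proof = sign(key, payload(c))
	return c
}

// Present is the holder's step: wrap the credential with the verifier's challenge and sign it with
// the holder's DID key, proving control of that key and making an old presentation unreplayable.
func Present(holder string, key ed25519.PrivateKey, c Credential, challenge string) Presentation {
	p := Presentation{Holder: holder, Credential: c, Challenge: challenge}
	p.Proof = sign(key, payload(p))
	return p
}

// VerifyPresentation is the verifier's step: check the challenge, the holder-subject binding, then
// the holder's and the issuer's signatures, each with a key resolved from the signer's DID.
func VerifyPresentation(reg Registry, p Presentation, challenge string) error {
	if p.Challenge != challenge {
		return errors.New("challenge mismatch: possible replay")
	}
	if p.Credential.Subject != p.Holder {
		return errors.New("holder is not the credential subject")
	}
	unsignedP := p
	unsignedP.Proof = ""
	if err := verify(reg, p.Holder, payload(unsignedP), p.Proof); err != nil {
		return err
	}
	unsignedC := p.Credential
	unsignedC.Proof = ""
	return verify(reg, p.Credential.Issuer, payload(unsignedC), p.Credential.Proof)
}

// RunFlow exercises issue -> present -> verify with constructed sample DIDs and claims, then a
// tampered credential and a replayed presentation, both of which the verifier must reject.
func RunFlow() (genuine, tampered, replayed error) {
	reg := Registry{}
	issuerKey := NewIdentity(reg, "did:example:university")
	holderKey := NewIdentity(reg, "did:example:alice")
	vc := IssueCredential("did:example:university", issuerKey, "did:example:alice", map[string]string{"degree": "BSc Computer Science"})
	challenge := "nonce-42" // a real verifier generates this fresh and at random per request
	vp := Present("did:example:alice", holderKey, vc, challenge)
	genuine = VerifyPresentation(reg, vp, challenge)
	forged := vp
	forged.Credential.Claims = map[string]string{"degree": "PhD Computer Science"}
	tampered = VerifyPresentation(reg, forged, challenge)
	replayed = VerifyPresentation(reg, vp, "nonce-43")
	return genuine, tampered, replayed
}

func main() {
	genuine, tampered, replayed := RunFlow()
	fmt.Println("genuine:", genuine, "| tampered:", tampered, "| replayed:", replayed)
}
```

RunFlow returns nil for the genuine presentation and an error for the forged and the replayed ones. Two checks matter beyond the signatures themselves: the challenge ties the presentation to this one request, so a captured presentation cannot be replayed later, and the holder must be the credential's subject, otherwise a credential copied from one wallet could be presented from another.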
While the industry is still exploring real-life use cases, governments around the world have begun adopting this technology to validate users against government-issued identifiers such as passports, social security numbers or driving licences. Microsoft has presented an interesting use case in which universities issue credentials that let graduates prove the authenticity of their degrees and transcripts.
Globally, many government-funded consortiums are designing use cases in which this technology screens passengers or crew members at international borders. Other plausible use cases include validating guests at hotel premises or authenticating employee IDs across the branch offices of an organization. Here at HSC, we are creating unique products based on these technologies, such as:
A DID-based solution for zero-touch onboarding of IoT devices, which simplifies and secures device provisioning
A Decentralized IAM (Identity and Access Management) solution using DIDs and Verifiable Credentials, which removes the need for a service to store users' identities and credentials in its own centralized database
Flow diagram courtesy of GSMA.
Reference: GSMA, Decentralised Identity.