Identity Models in the Internet
As humans we find ways to lower our uncertainty about one another so that we can exchange value. If you want to travel outside of your country, you need to carry your passport and show it to the immigration officer so that the officer can verify you have the correct permissions to enter the country. In the physical world, if you want to open a bank account, you can travel to a branch and get yourself verified. These are all examples of exchanges of value where organisations learn to trust individuals and provide them a service. If you want to buy alcohol, you have to prove that you are over a certain age. Before you enter a country, you have to prove that you have permission to enter it.
We’ve had centuries to build trust over these exchanges of value in the real world. In the digital world however, trust is broken and identity is the missing layer of the internet. You could take a picture of my University degree and send it to your employer but they wouldn’t trust you. You could pay your deposit and rent online but you’d have to physically show your ID to prove you have the ‘Right to Rent’ before you can move in. It goes without saying that being able to establish trust in the internet will open access to new marketplaces and enable exchange of value which is cheaper for organisations with increased convenience for consumers.
Centralised Identity/Internal Identity Management
This has been the most common way of solving the problem of someone providing you a service on the internet. Everyone who uses the internet is familiar with a centralised identity model. This is the ‘account’ you have with each organisation. You have an email/username, which is a unique identifier, and you combine this with a password. Whilst this is fairly easy for organisations to set up and is common practice, it comes with its own set of problems:
- An individual can have up to 70–80 passwords. Remembering them is impossible unless you’re a genius!
- Data leaks are becoming increasingly common, and can have a devastating impact on individuals, ranging from stolen identities to exposure of personal data.
Note: A quick way to check whether your password has been stolen is by visiting https://haveibeenpwned.com/. If you’ve been unfortunate enough to be pwned, change your passwords immediately.
Example: Your bank account
Federated Identity
Think of “Sign up with Facebook/Google”. In this case, Google or Facebook hold your information and share it with other online retailers on your behalf.
The biggest benefit of Federated Identity is that you don’t need to remember an email/password combination for every single account you own. Organisations also don’t have to store your password, which reduces the risk of data leaks. That’s nice!
However, if someone takes over your account they can get into the other services that rely on it. Or what if you decide to deactivate your Facebook account? You’ll lose access to everything! And nowadays who knows what Facebook or Google do when they find out where you shop and what you’re browsing on the internet? Even if you don’t want to share your data with the big companies, you’re almost left with no option because it’s just more convenient than having to remember your password.
External Authentication
In an external authentication model, you usually access a service by using an existing account. For example, you can log in to the gov.uk Verify scheme using your Post Office or Experian account. In this case, there are multiple ID Providers providing a service to a single organisation. This model doesn’t change the user experience, as users don’t have to worry about passwords and can use an existing account to log in to another service.
In a Federated Identity model, usually a few ID providers provide services to many organisations who rely on the ID provider’s information. In an external authentication model, multiple ID providers share their service with a single relying party. Personally, I would love to use my bank account/credit reference agency instead of Facebook to login to Asos. I’d trust them more. However, there isn’t widespread adoption of an external authentication model.
Decentralised Identity
In a decentralised identity model, your identity doesn’t exist only in the context of a single account. The idea is that you can, for example, create an account with Facebook. After you’ve created an account with Facebook, you can register for another service (let’s say Google) using your Facebook account. Google would rely on Facebook to create an account for you, but you would still have a separate account with Google. You could then use your Google account to sign up for a service with another company, and so on.
That’s all great, but you’re probably thinking why in the world this makes any difference to you. You’re right: there is absolutely no point in creating decentralised identity systems where you log in to companies with Google or Facebook. There simply aren’t use cases for login/registration features when it comes to your identity. Identity doesn’t just come down to one document. It can also be a combination of a bunch of different things. Imagine your government issues you a digital passport. You use this to verify yourself digitally to your University and start your course. At the end you get a digital degree certificate and you can show this to your employer. Your employer can verify you and share a referral with your next employer, and so on.
There are different identity models in the decentralised identity model, which I will cover in my next article.