Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Huzefa Olia of 1Kosmos takes us through why decentralized identity is the key to self-sovereign access in enterprises.
Identity fraud has reached crisis levels, at both the consumer and the business levels. The Federal Trade Commission says losses due to impersonation fraud spiked 70 percent in 2021, and there is no reason to think scammers are pulling back. The FTC called impersonation fraud “a pernicious and prevalent problem” when it announced new rules to fight its spread.
The traditional approach to validating identities online is simply not up to protecting users or enterprises from impersonation fraud and other related cyber-crime. Every annual issue of the Verizon Data Breach Investigations Report seems to lead with the news that credentials remain the weak spot in network security. According to the 2022 edition, stolen credentials were the cause of almost half the data breaches observed.
Having a valid digital identity is a must in today’s environment, where every possible transaction can be done online. But the identity management systems in use today are full of issues that make them hard to trust. Identity needs a new model.
Why Identity is Broken
The biggest problem with identity and access management (IAM) is the many bits and pieces of identities that are spread across cyberspace. Any user’s identity can be atomized across multiple networks and siloed by providers, who often store users’ data in networks accessible by using username and password combinations that are catnip for scammers mining that data.
One lone user can have dozens of distributed identity data points, from their driver’s license to social media profiles to online shopping and government accounts such as a DMV login—and none of these is under their control. This fragmented environment prevents users from having control or even a single-source view of their own identity, and the number of intermediaries involved—cloud service providers, mobile operators, financial services providers, etc. —multiplies the security risk and the inconvenience to users.
Traditional identity systems are inefficient and redundant by nature, adding friction to the user experience and handicapping enterprises as they try to improve it. This legacy approach of centralizing identity across disconnected identity silos is broken, but a decentralized identity model offers some relief. Decentralized identity, also known as “self-sovereign identity,” is an approach that lets users manage their own personally identifiable information (PII) to create a secure identity independently of any service provider and store it in a digital identity wallet to produce proof of identity or share PII to a third party when necessary. A decentralized identity puts the user back in the driver’s seat, holding a secure identity that can be used across silos with a degree of confidence that the user is whom he or she claims to be.
How Decentralized Identity Works
Decentralized identity depends on two components: a secure digital wallet that can be provided to third parties on request, and a level of assurance that the identity is proofed up to the standards of organizations such as the National Institute of Standards and Technology or FIDO Alliance.
The process starts with the user scanning a government or other institutional IDs, which are then verified and validated either by biometrics or a third-party source, such as The American Association of Motor Vehicle Administrators for validating a driver’s license. Once an identity is verified, the user can generate public/private key pairs with the private key stored in the digital wallet and the public one shared on a blockchain, which generates a unique identifier against the user’s wallet. The private key stays with the user for validation and verification; as other issuers such as government, educational and financial institutions verify that user’s identity, they add digital identity data to the wallet in a process similar to issuing certificates.
Decentralized identity lifts much of the friction from credentials and enables the use of biometrics for authentication, adding a layer of security. A biometric marker replaces the use of usernames and passwords for access. This makes it easier to authenticate a user across services and adds an immutable audit trail, if needed, for security purposes.
Implementing Decentralized Identity
Adopting decentralized identity requires making several architectural changes to traditional identity management systems. A few best practices can help:
- A private blockchain: Protect personally identifiable information (PII) in a private blockchain and encrypt digital identities so they are only accessible through biometric verification. This leaves no databases or honeypots for hackers to target.
- Identity Proofing: Adding identity assurance that matches NIST standards can detect fraudulent or duplicate identities, and establishes credential verification.
- Integrate MFA: Using a standards-based API that can integrate multi-factor authentication (MFA) into the distributed ledger protects against attacks that try to get around MFA, a rising concern.
- Improve user experience: A distributed ledger makes it easier for users to onboard digital IDs by uploading biometric identification and any identity-proofing documentation. The blockchain streamlines the authentication and gives users control over their digital ID.
Decentralized identity eliminates redundant central repositories and databases that make attractive targets for hackers. Meanwhile, it gives users control over their own identities without sacrificing usability or effectiveness. The good news is, standards like FIDO and NIST, and technology like mobile devices, biometrics, and public blockchains, have placed decentralized, self-sovereign identity within reach.
- Decentralization Holds the Key to Self-Sovereign Identity - January 6, 2023