SSI: self-sovereign identity explained

Co-authored by Ross Power and Elina Yumasheva

Imagine, you need to open a bank account. Instead of bringing a ton of paper documents, you can simply show your digital identity (ID) to prove your identity in a matter of seconds, and the bank accepts it.

Sounds like a dream?

Nope, self-sovereign identity (SSI) makes it possible already. To understand how to let’s delve into the concepts of identity and credentials first.

Identity and credentials

Identity literally means the quality of being identical. To what? To yourself. According to the Mirriam-Webster dictionary, identity is “the condition of being the same with something described”.

A credential, in an everyday sense, is an attestation, evidence or proof of qualification, competence or authority issued to an entity, either individual or person, by a third party with relevant authority or assumed competence to do so. This may be evidence of authority, status, rights, entitlement to privileges, or the like, usually in a written form.

Essentially credentials are a means to verify identity.

Historically we have relied on public issuing bodies to verify our identities — i.e. passports, driving licence, birth certificates, etc. These credentials go on throughout our lives, being Issued to us or requested by us at times we need them. We provide them to others regularly, without ever wondering what happens to them, where they now sit, and how long they’ll be retained.

Why the current model of identity doesn’t work

Digital trust is currently predicated on constant check-ups. In order to prove an attribute or claim, a third party is needed to certify or verify that claim. This means that the bank you want to open a bank account with will outsource your identity verification process to a vendor. Practically, this means your data is being shared with a third party and you have limited knowledge of how this will be used and stored. This results in potentially compromised security.

The data subject (i.e. an individual or a company) at best has to directly pay (sometimes prohibitive) fees to acquire documents, and at worst, often have no control over their own data (as often in targeted advertising).

This identity model is fundamentally broken as it’s all built and controlled by companies rather than individuals. It is in many ways a paradise for threat actors, as they can target organisations’ data silos and individuals. Over time, data subjects can easily lose track of what data is being stored and by who. Or which data has been compromised, as there is no notification of this event.

Plus, there is an argument for oversharing the information — what verifiers usually need is proof that you are who you’re claiming to be. They don’t need to know any additional details, but given the current system, they’ll get access to additional info they don’t require. The most clear-cut example of this is using a utility bill or bank statement to prove your address. These documents, especially the former, may contain huge quantities of sensitive data that is completely unnecessary to show to prove an address.

Finally, it doesn’t protect from forgery, which is becoming easier and more common. In addition, as new rules have come into play over the past year due to COVID-19 and a whole new wave of attestations has been required to travel abroad, attend events or visit loved ones, more sophisticated forgery and scams have occurred. These could include fake COVID-19 results and proofs of vaccination.

Self-sovereign identity as a user-centric identity model

The problems of current identity models make an argument for digital identity. According to gov.uk “digital identities are an easy way to help us prove who we are without the need for physical documents. They can also help us prove things about us, such as our age or our qualifications.” However, much of what has been developed within digital identity has ported existing problems with the paper-based system into the digital realm.

To combat this a more user-centric, trustworthy and privacy-preserving digital identity paradigm can be made possible through self-sovereign identity (SSI).

SSI is a method of identity that centres the control of information around the user. It safeguards privacy by removing the need to store personal information on a central database and giving individuals control over what information they share.

To make this work, there are at least three participants involved;

• The holder is an individual in the scenario, although it can also be an organisation/company. The holder is the entity that the information attests to (i.e. you)
• The issuer is the organisation, be it a company, certifier body, or governmental organisation that has been awarded a level of trust to provide information (i.e. a public body that issued a passport)
• The verifier is the individual, organisation, company, government, and so forth to whom the holder needs to prove the legitimacy and trustworthiness of information (i.e. a bank that you want to open a bank account with).

Unlike the existing system, it’s a user-centric and user-controlled approach to exchanging authentic data in a much more secure way. Authentic data is information that’s source can be proven.

Image credit source

In the above diagram, the following steps take place:

1. The issuer writes a public identifier to a Verifiable Data Registry;
2. The Issuer issues a Credential to the Holder, signed by their public identifier;
3. The Holder can manage its credentials in a digital wallet it holds;
4. The Holder presents a Credential to a Verifier’;
5. The Verifier can trust this data by reading and resolving the public identifier on the Verifiable Data Registry.

According to McKinsey Global Institute research, SSI could be key to unlocking access to banking, government benefits, or other services. Research suggests it could boost economic growth by 3% in the UK in 2030.

The technical building blocks of widespread SSI adoption

Core to SSI’s success is the combination of a number of building blocks. These terms have been standardized by a W3C Working Group focused on SSIs widespread adoption:

A claim is an assertion made about a subject.

A credential is a set of one or more claims made by an issuer.

A verifiable credential is a tamper-evident credential that has authorship that can be cryptographically verified. These verifiable credentials can be used to build verifiable presentations, which can also be cryptographically verified.

A verifiable presentation is a tamper-evident presentation encoded in such a way that authorship of the data can be trusted after a process of cryptographic verification.

These Verifiable Credentials (VCs) are needed to be expressed on the web in a way that is cryptographically secure, privacy-respecting, and machine-verifiable. The Working Group further outlines guidance for how this is to be achieved through the use of decentralised identifiers (DIDs) and decentralised identifier documents (DID Docs):

A decentralized identifier is a portable URL-based identifier, also known as a DID, associated with an entity. These identifiers are most often used as trusted identifiers, written into verifiable credentials and are associated with subjects such that a verifiable credential itself can be easily ported from one repository to another without the need to reissue the credential. DIDs resolve to DID documents which provide information on the DID controllers and DID subjects. An example of a DID is: did:example:123456abcdef.

A decentralized identifier document is a document (DID Doc) that is accessible using a verifiable data registry and contains information related to a specific decentralized identifier, such as the associated repository and public key information.

This is just scratching the surface of the technical elements of SSI however offers an initial insight which we will expand on in the future.

SSI application and use cases

While self-sovereign identity (SSI) sounds like an unfamiliar concept for some, others are actively leveraging the technology to address industry-specific challenges — take the Financial Conduct Authority or the IATA Travel Pass. Overall the shift to the SSI paradigm is beginning to rally more support, and 2022 is poised to be a poignant year for global SSI adoption.

Arguably one the most known within the Banking sector is Know Your Customer (KYC). SSI enables a reusable KYC concept that offers a much more seamless way of ID verification. When an ID verification is needed more often due to compliance or regulatory pressure, SSI can significantly reduce the friction for users improving a customer experience while providing a compliant service. In short, current KYC is ‘single-use’ while KYC’d SSI makes KYC ‘recyclable’.

Moving beyond traditional banking, the Centralised Decentralised Finance (CeDeFi) also sees a robust application for SSI.

The travel industry probably shows one of the most relatable SSI applications enforced by the pandemic developments. In the age of COVID-19, this has been made even more complex as another layer of health certification has been added. One of the projects in this space is the Covid Credentials Initiative, which aims to develop ‘privacy-preserving verifiable credentials’ to mitigate the spread of the virus through the use of SSI.

Within the Non-fungible Tokens (NFT) space, self-sovereign identity helps to prove who created, owned and/ or currently owns NFTs across their lifecycle, as well as providing ownership of fractions.

While the list can go on, especially as various industries join the bandwagon and pick up the technology, there are a few notable examples. Decentralised storage is getting more traction as SSI can be implemented to manage participants’ data and store distributed files with decentralised access control. Decentralised identity and the technical standards involved (Verifiable Credentials and Decentralised Identifiers) can also be used for e-commerce, Corporate or organisational identity and product or package identity. Read more about SSI use cases here.

Conclusion

SSI is certainly a future-proof concept that addresses issues that are universal and applicable across industries. With more and more companies leveraging SSI, the snowball effect of adoption will increase — making widespread SSI a reality soon.

We, at cheqd, help companies leverage SSI. cheqd’s network is built on a blockchain with a dedicated token for payment, which enables new business models for verifiers, holders and issuers. In these business models, verifiable credentials are exchanged in a trusted, reusable, safer, and cheaper way — alongside a customisable fee. Find out about our solution here.