Identity underpins virtually every aspect of your life today. Using online services, opening a bank account, voting in elections, buying property, and securing employment all require proving your identity.
However, traditional identity management systems have long relied on centralized intermediaries who issue, hold, and control your identifiers and attestations. This means you cannot control your identity-related information or decide who has access to personally identifiable information (PII) and how much access these parties have.
Decentralized identity systems built on public blockchains have been developed to solve these problems. Decentralized identity allows individuals to manage their own identity-related information. With decentralized identity solutions, you can create identifiers and claim and hold your attestations without relying on central authorities like service providers or governments.
Identity means an individual’s sense of self, defined by unique characteristics. Identity refers to being an individual, i.e., a distinct human entity. Identity could also refer to other non-human entities, such as an organization or authority.
An identifier is a piece of information that acts as a pointer to a particular identity. Common identifiers include your name, social security number or tax ID number, mobile number, date and place of birth, and digital identification credentials such as email addresses, usernames, and avatars.
These classic examples of identifiers are issued, held, and controlled by central entities. You need permission from your government to change your name or from a social media platform to change your handle.
An attestation is a claim made by one entity about another entity. If you live in the United States, the driver’s license issued by the Department of Motor Vehicles (one entity) attests that you (another entity) are legally allowed to drive a car.
Attestations are different from identifiers. An attestation contains identifiers to reference a particular identity and claims an attribute related to this identity. So, your driver’s license has identifiers (name, date of birth, address) but is also the attestation of your legal right to drive.
Traditional identifiers like your legal name or email address rely on third parties — governments and email providers. Decentralized identifiers (DIDs) are different — they aren’t issued, managed, or controlled by any central entity.
Decentralized identifiers are issued, held, and controlled by individuals. A wallet account is an example of a decentralized identifier. You can create as many accounts as you want without permission from anyone and without the need to store them in a central registry.
Decentralized identifiers are stored on distributed ledgers (blockchains) or peer-to-peer networks. This makes DIDs globally unique, readily available, and cryptographically verifiable. A decentralized identifier can be associated with different entities, including people, organizations, or government institutions.
Public-key infrastructure (PKI) is the set of mechanisms that generate and manage an entity’s public and private keys. Public-key cryptography is used in networks to authenticate user identities and prove ownership of digital assets.
Some decentralized identifiers, such as wallet accounts, have public and private keys. The public key identifies the account’s controller, while the private keys can sign and decrypt messages for this account. PKI provides the proof to authenticate entities and prevent impersonation and use of fake identities, using cryptographic signatures to verify all claims.
A public blockchain serves as a verifiable data registry: an open, trustless, and decentralized repository of information. The existence of public blockchains eliminates the need to store identifiers in centralized registries.
Anyone needing to confirm a decentralized identifier’s validity can look up the associated public key on the blockchain. This differs from traditional identifiers, which require third parties to authenticate them.
Decentralized identity is the idea that identity-related information should be self-controlled, private, and portable, with decentralized identifiers and attestations being the primary building blocks.
In the context of decentralized identity, attestations (Verifiable Credentials) are tamper-proof, cryptographically verifiable claims made by an issuer. Every attestation or Verifiable Credential that an entity (e.g., an organization) issues is associated with that entity’s DID.
Because DIDs are stored on the blockchain, anyone can verify the validity of an attestation by cross-checking the issuer’s DID on the chain. Essentially, the blockchain acts like a global directory that enables the verification of DIDs associated with certain entities.
Decentralized identifiers are the reason attestations are self-controlled and verifiable. Even if the issuer no longer exists, the holder always has proof of the attestation’s provenance and validity.
Decentralized identifiers are also crucial to protecting the privacy of personal information through decentralized identity. For instance, if an individual submits proof of an attestation (a driver’s license), the verifying party doesn’t need to check the validity of the information in the evidence. Instead, the verifier only needs cryptographic guarantees of the attestation’s authenticity and the identity of the issuing organization to determine if the proof is valid.
How attestation information is stored and retrieved in a blockchain-based identity ecosystem differs from traditional identity management. Here is an overview of the various approaches to issuing, storing, and verifying attestations in decentralized identity systems:
One concern with storing attestations on-chain is that they might contain information individuals want to keep private. The public nature of the blockchain makes it unattractive to store such attestations there.
The solution is to issue attestations held by users off-chain in digital wallets but signed with the issuer’s DID stored on-chain. These attestations are encoded as JSON Web Tokens and contain the issuer’s digital signature, allowing easy verification of off-chain claims.
Here’s a hypothetical scenario to explain off-chain attestations:
1. A university (the issuer) generates an attestation (a digital academic certificate), signs it with its keys, and issues it to Bob (the identity owner).
2. Bob applies for a job and wants to prove his academic qualifications to an employer, so he shares the attestation from his mobile wallet.
3. The company (the verifier) can then confirm the validity of the attestation by checking the issuer’s DID (i.e., its public key on the blockchain).
Under this arrangement, attestations are transformed into JSON files and stored off-chain (ideally on a decentralized cloud storage platform, such as IPFS or Swarm). However, a hash of the JSON file is stored on-chain and linked to a DID via an on-chain registry. The associated DID could either be that of the issuer of the attestation or the recipient.
This approach enables attestations to gain blockchain-based persistence while keeping claims information encrypted and verifiable. It also allows for selective disclosure, since the private key holder can decrypt the data.
On-chain attestations are held in smart contracts on the blockchain. The smart contract (acting as a registry) maps an attestation to a corresponding on-chain decentralized identifier (a public key).
Here’s an example to show how on-chain attestations might work in practice:
1. A company (XYZ Corp) plans to sell ownership shares using a smart contract but only wants buyers that have completed a background check.
2. XYZ Corp can have the company performing background checks issue on-chain attestations on the blockchain. This attestation certifies that an individual has passed the background check without exposing personal information.
3. The smart contract selling shares can check the registry contract for the identities of screened buyers, making it possible for the smart contract to determine who is permitted to buy shares.
Soulbound tokens (non-transferable NFTs) could collect information unique to a specific wallet. This effectively creates a unique on-chain identity bound to a particular address that could include tokens representing achievements (e.g., finishing some specific online course or passing a threshold score in a game) or community participation.
Decentralized identity increases individual control of identifying information. Decentralized identifiers and attestations can be verified without relying on centralized authorities and third-party services.
Decentralized identity solutions facilitate a trustless, seamless, and privacy-protecting method for verifying and managing user identity.
Decentralized identity harnesses blockchain technology, which creates trust between different parties and provides cryptographic guarantees to prove the validity of attestations.
Decentralized identity makes identity data portable. Users store attestations and identifiers in mobile wallets and can share them with any party. Decentralized identifiers and attestations are not locked into the database of the issuing organization.
Decentralized identity should work well with emerging zero-knowledge technologies that will enable individuals to prove they own or have done something without revealing what that thing is. This is a powerful way to combine trust and privacy for applications such as voting.
Decentralized identity enables anti-Sybil mechanisms to identify when one individual human is pretending to be multiple humans to game or spam some system.
Decentralized identity has many potential use cases:
Decentralized identity can replace password-based logins with decentralized authentication. Service providers can issue attestations to users, which can be stored in a wallet. An example attestation would be an NFT granting the holder access to an online community.
A sign-in-with-wallet function would enable servers to confirm the user’s wallet account and fetch the required attestation from their account address. This means users can access platforms and websites without having to memorize long passwords, improving the online experience.
Using many online services requires individuals to provide attestations and credentials, such as a driving license or national passport. But this approach is problematic because private user information can be compromised, and service providers need to verify the authenticity of the attestation.
Decentralized identity allows companies to skip conventional Know-Your-Customer (KYC) processes and authenticate user identities via Verifiable Credentials. This reduces the cost of identity management and prevents fake documentation.
Online voting and social media are two novel applications for decentralized identity. Online voting schemes are susceptible to manipulation, especially if malicious actors create false identities to vote. Asking individuals to present on-chain attestations can improve the integrity of online voting processes.
Decentralized identity can help create online communities that are free of fake accounts. For example, users might have to authenticate their identity using an on-chain identity system, like an on-chain name service, reducing the possibility of bots.
Sybil attacks refer to individuals tricking a system into thinking they are multiple people to increase their influence. Grant-giving applications that use quadratic voting are vulnerable to Sybil attacks because the value of a grant increases when more individuals vote for it, incentivizing users to split their contributions across many identities. Decentralized identities help prevent this by raising the burden on each participant to prove that they are human, often without revealing specific private information.
The decentralized identity space is still in its infancy; however, it is clear that it has the potential to change existing identity management for the better.
The world is moving toward Web3, the next evolution of the internet. Through decentralization and blockchain technology, an increasing number of people are taking back control of their data.
The digital identity space is still in its inception; however, from the above discussion, it is evident that decentralized identity built on public blockchains has the potential to make identity management decentralized, simplified, and seamless, completely transforming the landscape.
While startups and DID initiatives continue to develop proofs of concepts for decentralized identity in government, finance, healthcare, and other fields, the opportunities for decentralized identity continue to grow.
Overall, the goal is to empower users online and build up and share a verifiable reputation and proof of existence. Analysts predict that one of the latest hottest trends in the tech industry — the Metaverse — may become a key initiator for decentralized identity spread.
With the advancement of avatars in the form of nonfungible tokens serving as users’ digital identities within virtual spaces, soulbound tokens, biometrics, and related cutting-edge technologies, decentralized identity will soon reach the masses in the flourishing Web3 ecosystem, which will boom in the coming years.