By Ken Ebert
Everyone’s online life begins with a user account, a login, and a password, which, combined, turn into an identity. I am my email address — or social media account login. For the past twenty-five years, life online has evolved by accumulating these digital identifiers. The more we have, the more we can do online.
We don’t really own these digital identifiers: they’re lent to us on the assurance that we are who we claim to be, via the personal information we provide. This information is stored in a database along with lots of other people’s personal data so that they, too, can have a digital identifier.
This is how we identify each other on a network that was designed to manage computer identity rather than personal or organizational identity. It’s been amazingly successful at allowing billions of people to exist and interact online. Unfortunately, what it hasn’t been amazingly successful at is preventing all those people from having their identities stolen or faked.
One anecdote may be familiar: you get an email “from your bank.” Due to suspicious activity, your account has been locked and you need to log on to unlock it. You log in (but not you, because you’d never be fooled by this, right?) and… it’s not your bank. Whoever it is you’ve just given your login details to can now access your real bank account. Ninety percent of successful data breaches are a result of successful phishing.
Or maybe it doesn’t have to be this sophisticated: your password is 1,2,3,4,5 — and Malicious Actors Inc guess their way into your account. Or you reuse the same password across accounts and a data breach for one of these accounts means multiple accounts are now accessible to hackers.
And not just you. Once an attacker is into a database, every account in it is compromised. The whole defense collapses if one access point is compromised.
Identity fraud can also be sophisticated, such as someone using generative AI tools to create a deepfake of your biometrics or those of your boss — and you give them 25 million dollars, thinking you’re following legitimate directions.
Yes, there are security solutions like multifactor authentication, but they can only do so much, given that the underlying architecture of ‘account logins-passwords-databases’ is so hard to defend. And many people dislike the friction they add to online interaction, which is already burdened by an endless cycle of forgetting and resetting passwords. I recently joined a Teams meeting where I had to receive an email with a PIN code, experience two biometric checks, and supply a two-digit code from my authenticator app.
A digital transformation in how we share and verify data
Here’s what verifiable credentials and decentralized identity do: they remove the underlying problem of user accounts, logins, and passwords.
Instead of authenticating a user account through a login and password, a user is authenticated with a verifiable credential and cryptography.
What is a verifiable credential? Think of it like an envelope for sealing and sharing digital information. The source of the envelope (the organization issuing the credential) can be cryptographically verified. The information in the envelope is digitally signed, which, in essence, means that any attempt to alter or tamper with the information breaks the seal and can be detected.
But this is only one of the elements in the new authentication ‘stack.’
You can accept and share a verifiable credential because the software in your digital wallet has created an address for it to be sent to. This address — a decentralized identifier or DID — is under your control and you can prove this control cryptographically when you interact with another DID.
The combination of a DID and a verifiable credential enables you to prove that you are in control of a specific identity, and you can now attach any data to that identity by writing it to a credential.
The upshot is that people hold their data, authenticate themselves and each other cryptographically, and share data that can be trusted because we can know it hasn’t been altered (assuming that we trust the original source of the data).
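The two mechanisms described above, the issuer's seal on the credential and the holder's proof of control over a DID, as an added example that is not code from the original post. It uses Go's standard Ed25519; the `did:key:z…` encoding here is a constructed stand-in, not the real multicodec-based did:key method, and the `Credential` struct is a toy, not a conforming W3C data model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"strings"
)

// Credential is a constructed, minimal stand-in for a verifiable credential:
// claims about a subject DID, sealed by the issuer's signature.
type Credential struct {
	Issuer  string            `json:"issuer"`
	Subject string            `json:"subject"`
	Claims  map[string]string `json:"claims"`
	Proof   string            `json:"proof,omitempty"` // base64url Ed25519 signature over the other fields
}

// didKey builds a toy self-resolving DID: the public key is embedded in the identifier (assumed encoding).
func didKey(pub ed25519.PublicKey) string {
	return "did:key:z" + base64.RawURLEncoding.EncodeToString(pub)
}

// resolveKey is the "DID resolution" step: recover the public key the DID was built from.
func resolveKey(did string) (ed25519.PublicKey, bool) {
	const prefix = "did:key:z"
	if !strings.HasPrefix(did, prefix) {
		return nil, false
	}
	b, err := base64.RawURLEncoding.DecodeString(did[len(prefix):])
	if err != nil || len(b) != ed25519.PublicKeySize {
		return nil, false
	}
	return ed25519.PublicKey(b), true
}

// payload is the byte string the seal covers: the credential with the proof field blanked.
// json.Marshal sorts map keys, so the encoding is deterministic.
func payload(c Credential) []byte {
	c.Proof = ""
	b, _ := json.Marshal(c)
	return b
}

// Issue: the issuer writes claims about the holder's DID and signs them.
func Issue(issuerPriv ed25519.PrivateKey, holderDID string, claims map[string]string) Credential {
	c := Credential{Issuer: didKey(issuerPriv.Public().(ed25519.PublicKey)), Subject: holderDID, Claims: claims}
	c.Proof = base64.RawURLEncoding.EncodeToString(ed25519.Sign(issuerPriv, payload(c)))
	return c
}

// Verify: the seal is intact only if the key resolved from the issuer DID signed exactly these bytes.
// Any change to issuer, subject or claims makes this return false.
func Verify(c Credential) bool {
	pub, ok := resolveKey(c.Issuer)
	sig, err := base64.RawURLEncoding.DecodeString(c.Proof)
	return ok && err == nil && ed25519.Verify(pub, payload(c), sig)
}

// ProveControl: the holder signs a verifier-chosen nonce with the key behind its DID.
func ProveControl(holderPriv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(holderPriv, nonce)
}

// CheckControl: the verifier resolves the credential's subject DID and checks the nonce signature,
// binding the presenter to the DID the issuer wrote into the credential.
func CheckControl(c Credential, nonce, sig []byte) bool {
	pub, ok := resolveKey(c.Subject)
	return ok && ed25519.Verify(pub, nonce, sig)
}

func main() {
	_, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	c := Issue(issuerPriv, didKey(holderPub), map[string]string{"passportVerified": "true"}) // constructed claim
	nonce := []byte("verifier-nonce-0001") // constructed; a real verifier picks a fresh random nonce
	println(Verify(c), CheckControl(c, nonce, ProveControl(holderPriv, nonce)))
}
```

A fresh nonce per presentation is what stops a captured control proof from being replayed later.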
This is the instantaneous magic behind seamless digital travel. A person takes their physical passport and — provided it has a chip — software reads the information from the passport and converts it into a digital credential. The software also requires the person to do a liveness check with a selfie and then compares the selfie with the digital image from the passport chip. The passport data is authenticated as having come from a legitimate passport-issuing authority and the person is issued with a Digital Travel Credential (DTC) by an airline.
When a DTC is presented (touchlessly), the source of the DTC is instantly authenticated, along with the integrity of the data in the DTC. Additional biometric authentication and, of course, biometric access to the device, provide further confidence that the person presenting the DTC is the holder of a legitimate passport.
The result is portable trust. Verifiable data can go from anywhere to everywhere — and so can you.