By: Helen Garneau

In today’s digital world, identity is at the core of how individuals interact with online services. From accessing email to making online purchases, proving who you are is fundamental.

There are two methods for managing online identities, federated identity and decentralized identity — one legacy, one new — and each takes a different approach to where personal data is stored in order to authenticate an identity. Federated identity, which has dominated identity management for years, relies on centralized data management: personal data is stored in a database and checked against the login and password of a user account. Decentralized identity instead allows people, organizations, and things to hold their own personal data, and the source and integrity of that data is cryptographically authenticated for identity verification.

We’ll explain this in more detail in a moment, but this distinction — centralized vs decentralized — has profound implications for data privacy and security, and user experience.

Federated Identity: A Step Beyond Centralized Identity

Federated identity systems improve upon traditional centralized digital identity by allowing a single sign-on (SSO) across multiple platforms. Instead of creating separate accounts for each service, users can log in once using a trusted identity provider (IdP) like Google, Facebook, or Microsoft, and access various services. This system offers convenience for both users and service providers, reducing the friction of managing multiple identities.

Federated identity providers get their information directly from users during account creation or from external sources like social media, public records, and other databases. In many cases, businesses rely on these providers to authenticate users, paying for verification services or receiving data in exchange for marketing insights. While this model offers convenience, it has significant drawbacks.

The Drawbacks of Federated Identity

  • Centralized Control: Even though federated identity reduces the need for multiple login credentials, it still relies on centralized identity providers. These providers act as gatekeepers to online services, standing in the way of an end user and the service they are accessing. This creates a system where a few large enterprises control a vast number of digital interactions.
  • Lack of Privacy: Federated identity providers typically gather extensive amounts of user data, which is then monetized. Users may not be aware of how much data is being shared across services or sold to third parties, leading to privacy concerns. As more services link to federated identities, the amount of shared data can grow exponentially.
  • Single Points of Failure: The reliance on one or two major identity providers can also introduce risk. If a federated identity provider goes offline, or if an account is locked or hacked, users lose access to all associated services. This concentration of control makes federated systems prone to major disruptions when something goes wrong.
  • Data Breaches: Federated systems, though more distributed than centralized identity models, still centralize sensitive data within the hands of a few large corporations. As history has shown, these providers are frequent targets for hackers, making them vulnerable to large-scale breaches that compromise millions of users at once.

Decentralized Identity: A User-Centric Solution with Verifiable Credentials

Decentralized identity flips the traditional centralized model on its head. Instead of relying on centralized authorities to manage identity data collected from third parties, decentralized identity systems give individuals control over their own data.

How does this work? It’s a two-step process. First, a global standard from the World Wide Web Consortium (W3C) allows people and organizations to create decentralized identifiers (DIDs), which they can cryptographically prove they control. Then, using these DIDs, they can add digital credentials that contain relevant identity information — like a government ID, bank account, or passport — which make it easy to present that information digitally for verification by other entities, independently and without intervention from federated systems.

Verifiable Credentials are a special type of digital credential that offers a powerful and efficient way to issue, share, and verify important data. What sets them apart is that the data is digitally signed by the trusted issuer, ensuring its origin and authenticity can be instantly verified using simple software — without needing logins, passwords, or checking against a database. Since you hold your own data, you can choose when to share it, solving a key issue in data privacy regulation: lack of consent. Plus, some Verifiable Credentials let you selectively share only the necessary information or use privacy-preserving features. And if anyone tries to alter the credential after it’s issued, the change is easy to spot during verification.

The combination of DIDs and Verifiable Credentials means that you can always be certain of the source of a credential and that the data in the credential hasn’t been altered.

The Advantages of Decentralized Identity with Verifiable Credentials

  • User Control and Privacy: In a decentralized identity system, individuals have full control over their credentials. They decide which pieces of information to share and with whom. This is in contrast to federated identity, where large identity providers mediate these transactions. Decentralized identity systems enable self-sovereign identity (SSI), meaning users have complete autonomy over their personal data.
  • Improved Privacy through Selective Disclosure: Verifiable Credentials allow for selective disclosure, where users can prove certain facts (like being over 18) without revealing unnecessary information (like a full birthdate). This significantly enhances privacy and minimizes the sharing of personal data compared to federated identity systems, where often more information than necessary is shared across services.
  • No Single Point of Failure: Unlike federated identity, decentralized identity doesn’t rely on any single provider. This dramatically reduces the risk of losing access to services in the event of an account compromise or a provider outage. The use of distributed ledger technology means there is no central database that can be breached, making decentralized identity systems inherently more secure.
  • Persistent Identity: When a credential issuer writes the metadata for a credential to be read to a distributed ledger, the actual identity it supports cannot be taken away. The immutability of data written to a distributed ledger means that a Verifiable Credential can always be verified. Important to note — only metadata for the credential, the data to perform cryptography, is written to the ledger. No personal data goes on the ledger.
  • Added Security: When you don’t have to store personal data on a database to manage identity authentication and access, it can’t be stolen. It’s as simple as that. Another huge benefit — you can access accounts or systems without having to use passwords. And if you want the ultimate in security, you can issue biometrics as Verifiable Credentials. This means that when a person performs a biometric scan, they simultaneously present a biometric template in a Verifiable Credential, and the scan is compared with the template. This effectively binds biometric data to a person and can be used to prevent generative AI deepfakery.
  • Efficiency and Convenience: While federated identity simplifies login processes by allowing users to access multiple services with one account, decentralized identity goes even further. Once verifiable credentials are issued, they can be reused across different services without having to rely on a third-party identity provider for each transaction. This speeds up verification processes and reduces reliance on external parties.

Why Decentralized Identity and VCs Are the Future

Decentralized identity, powered by verifiable credentials, represents a paradigm shift in how we manage identity online. By addressing the security, privacy, and efficiency challenges inherent in centralized and federated systems, decentralized identity offers a more robust solution that traditional identity systems cannot match. By eliminating the need for centralized identity providers and reducing the risk of data breaches, decentralized identity systems offer a more secure and private way to manage digital identities. Moreover, they deliver a more seamless and user-friendly experience by enabling users to reuse credentials across services without intermediaries.

In an increasingly interconnected world, decentralized identity and VCs pave the way for a more secure, private, and user-centric digital future.

Visit Indicio for more information on decentralized identity and verifiable credentials. Or contact us to find out how your organization can boost your digital identity programme.
