The history, current status, and prospects of Web3 decentralized identity management systems
Original Author: Felix Hildebrandt
Compiled by: Heimi @ Baize Research Institute
The mapping of identity, digital assets, and online profiles has recently gained significant attention in the blockchain industry. New technologies are forming architectures that will further pave the way for decentralized and user-centric mechanisms.
This article will discuss the following topics:
- The evolution of the internet in identity management
- The problems that have arisen in identity management
- How Web3 decentralized architecture helps build applications on top of privacy rights
To determine the privacy, accounting, and user data required for upcoming decentralized services, we consider current technological and ethical perspectives as well as lessons learned from past identity systems.
Traditional Internet Identity Systems
The internet is a global network of servers that focuses on data transmission between specific device addresses using protocols such as TCP and IP.
With the emergence of the internet in the late 1980s, the early web pages can be seen as "windows into a new world." By today's standards, these pages were primitive, read-only, lacked user management, and were primarily used for sharing technology and knowledge. At that time, communication was mostly dominated by phone or mail, although the use of email was also beginning to grow.
Users quickly embraced the internet as a new phenomenon, and as interactions between users and the internet increased, an era of online connectivity emerged, known as Web2. This was a front-end revolution with browser functionality, maintaining a server-centric structure and database (back-end).
As the internet matured, the demand for website analytics also increased. Due to technological limitations at the time, administrators could only determine how many devices accessed certain pages and how long they spent viewing content; tracking individual user interactions was impossible. Indirectly, this is where today's technology for collecting user information through devices originates. IT (Information Technology) security and backup systems were further upgraded to manage the throughput and security of user data.
However, with the increase in fraud, companies established large server centers to protect user files from unauthorized access. Engineers developed cookies and APIs to track user behavior, and a service could even store traffic data or user information in the browser itself.
As a result, "user behavior analytics" became increasingly popular, eventually evolving into a standalone business. Collecting data about users' shopping cart contents, interests, browsing history, and previously viewed ads is crucial for improving sales. Companies can infer users' thoughts from this information.
The surge of new use cases, such as social media, e-commerce, and interactive knowledge platforms, encouraged digital socialization by companies like Facebook and Google, while platforms like Wikipedia saw significant content growth, and Amazon became the largest online retail market.
The emergence of these new use cases also stimulated a huge demand for detailed user data. "User behavior analytics" evolved from initially optimizing profits through user tracking to directly profiting from user information.
In summary, data analytics has become a crucial factor in how digital products gain value.
Currently, identities on the internet are primarily composed of multiple user accounts created for almost all software products or services in use. When a device logs in, access to the information contained in the account is granted. In this system, service providers are the custodians of the accounts, having complete control over all user data.
Users can log in directly from the service provider or through existing login names linked to other providers. The latter method allows for logging into multiple services using a master account, generally developed by IT giants with billions of users, including Google, Facebook, and Microsoft.
While this method adds convenience for users, they risk losing access to every account associated with the provider if a password is lost, an account is hacked, or the service provider shuts down.
Image: Conventional Web2 login scheme
New methods for securing authentication have since been developed, with 2FA and OAuth 2.0 being two current standards. 2FA adds a layer of security to the traditional username and password method by requiring users to provide additional proof of authenticity, such as a code from an authenticator app.
OAuth brings higher security for transmitting credentials linked to other services and allows users to control where their data is shared. However, the principle of the middleman still exists: intermediaries can always monitor users' interactions with accounts associated with their services. Linked logins pose significant privacy risks and are vulnerable to attacks that affect all connected services simultaneously.
Fundamentally, the challenges faced in creating digital identity solutions can be traced back to the architecture of the internet. It was designed around machines with unique device addresses rather than individuals with unique identities. There is no built-in system for verifying identity, only systems that can identify devices.
Initially, the internet was a read-only source of information. Developers created username and password verification methods during the Web2 era. These methods were built on the original device-based architecture, making data manipulation and interception easy. The lack of a proper identity layer on the internet is one of the main factors contributing to cybercrime and identity theft.
This global threat can cause significant economic and personal losses. IBM's president Ginni Rometty described identity theft as "the greatest threat to every industry, every sector, and every company in the world."
Users must place a high level of trust in the service providers holding their data and identity information. Personal data is stored on servers operated by companies. Even with regulations allowing users to control their data, this information technically still belongs to the companies.
Users are gaining rights to manage the data collected about them, but this does not prevent companies from processing data that has already been collected. The speed at which companies can analyze data for the desired advantage is merely a matter of computational power.
Implementation of Data and Security Laws
As ethical questions about the collection of personal data were raised, the European Union introduced the General Data Protection Regulation (GDPR) in 2018, a new data privacy and security law. The GDPR states that "anything that helps identify a person, whether related to their professional, private, or public life" counts as personal data.
The General Data Protection Regulation is used to protect data collected from EU citizens. Data sovereignty must be a fundamental right guaranteed by all companies. It should apply to all citizens, institutions, and businesses within the EU. The goal of the GDPR is to protect individuals' fundamental rights and freedoms when processing and freely accessing their data. To protect citizens, companies need to clearly define the specific personal data stored and the processing methods used.
Over time, users will gain more rights to erase data and view where and when companies store data. Companies will face higher fines and the obligation to notify users in case of infringements. Regulations must be comprehensive, meaning they must apply to servers operating outside the EU.
The most basic considerations are where the data comes from and where it flows. Verification may also pose a challenge, as the EU must conduct regular assessments and spot checks on the code and algorithms used in certain services. Implementing systems to monitor compliance with regulations is a daunting task that could lead to a long-term restructuring of the digital ecosystem.
Every business, healthcare system, government entity, e-commerce platform, and future IoT device requires identity management. From small companies to IT giants, rethinking and changing the way data is stored and managed is crucial.
According to the GDPR's definition, companies must comply with the data protection rights displayed in its terms. As users' rights to manage personal data continue to grow, this compliance demand will also increase.
Users already have the right to prevent the collection of specific data and enforce deletion. The GDPR clearly defines that the data collected belongs to the user, and they can access it at any time if they wish. Despite existing data protection regulations, not all companies can fully comply with the rules.
However, when we must remain within a centralized system, new regulations are an important step toward achieving fairness and respecting human rights. Companies will still hold user data and control identities, but users will gain more management rights. These improvements can simultaneously enhance customer trust and the significance of data analytics.
New Approaches to Digital Identity
Web3 can be seen as the next evolution of the internet, defining a more decentralized way of processing data. This shift encompasses a fair and equal relationship between users and services. Part of the evolution involves using blockchain networks as the underlying infrastructure. In this context, blockchain can be described as a public network that is globally connected and distributed.
Blockchain can operate without servers controlled by centralized entities. The technology guarantees security and immutability through complex cryptography, making it nearly impossible to forge information being written or alter stored data. It is akin to digital engravings, allowing users to truly own information and enabling that information to create more valuable outcomes.
Unlike the transition from Web1 to Web2 (where software engineers made improvements for interactivity), the new Web3 era addresses fundamental back-end technologies. The current internet consists of copies of all the data we create and transmit, leaving data traces from various devices submitted to multiple service providers, which store the information on servers they control.
This data cannot be verified and is not owned by us. It lacks fingerprints or signatures, and we do not carry it with us. The significant advantage of blockchain is its ability to allow users to sign, transmit, and verify data between individuals and organizations without granting them ownership. Operations on the blockchain refer to the actual address of the account you own, rather than just the device connected to the service provider. Through blockchain accounts, multiple parties can request and verify the same data about a person without needing to delegate that data. The goal of decentralized networks is to return the power of data to the people.
The advanced security provided by cryptography enables us to abandon centralized servers that offer insufficient protection, leading to safer, user-centric technologies. Instead of usernames and passwords, digital wallets use public keys and private keys. Everything users do online traces back to their wallet address. The public key is like a fingerprint, leaving traces of where you go and what you do. The private key is like your handwritten signature, allowing you to decide when to use it to verify your identity.
In the Web2 era, companies and certain services facilitated relationships between individuals by connecting data. Users could at most gain more permissions to access certain data functions representing them. Compliance with regulations and checking the integrity of personal data is a challenge for both users and services. With blockchain, users only need to provide verifiable credentials to independently verify the data of other participants. With cryptographic applications like zero-knowledge proofs, we can even prove data offline without directly revealing it.
Peer-to-peer blockchain also introduces a more resilient and secure network, where individuals can simultaneously run software and verify information, unlike companies running servers. Such networks can reduce the system management and security costs for companies, as users independently hold their identity data.
When running decentralized applications on the blockchain, open source is also a significant trend, allowing everyone to adopt and build on the application, increasing transparency and trust among its participants. Open source is particularly important for public blockchain networks, as their governance relies entirely on recognized protocol consensus, and everyone has the right to verify the code.
Just like ownership in the real world, blockchain brings more responsibility to users. Therefore, over time, there is a need to develop more user-friendly concepts for a seamless transition to blockchain technology. As described by Alex Preukschat and Drummond Reed in their book "Self-Sovereign Identity," the concept of self-sovereign identity (SSI) is "how we prove our identity in the real world: by taking out our wallets and showing the credentials we have obtained from other trusted parties. The difference with decentralized digital identity is that we do this using digital wallets, digital certificates, and digital connections."
Image: Web3 Identity
There are three prominent roles in Web3: issuers, verifiers, and actual users. Similar to the real world, users have wallets and request credentials from issuers. Once the request is completed, the issuer signs a certificate for the user's wallet address on the blockchain, proving that the new identity data is authentic. The holder can then use services that require these credentials.
For example, they can use their passport before a transaction. The verifier (usually an exchange provider) will request the newly obtained credentials and verify the issuer's signature before the transaction takes place.
As mentioned earlier, blockchain technology provides digital value exchange through signatures from one wallet to another. Nevertheless, it also allows applications to be integrated above the blockchain network. The value exchanged can be anything from cryptocurrencies to credentials in the form of NFTs, artworks, documents, and more. For instance:
In the e-commerce industry, user registration and payment can bypass passwords and accounts, directly using SSI. All receipts can be distributed as credentials and written to the blockchain.
In the financial sector, users can access any banking service at any time, eliminating complexity. If both parties support the SSI interface, they can exchange the credentials they need, and even use multi-signatures for important documents and high-value transactions.
Health records can also be shared instantly, providing convenience for medical procedures. A person's lifetime medical history could be stored on the blockchain, verifiable and ready to be shared with other providers.
When traveling, individuals can record tickets to verify places they have been. Even airline, hotel, train, or concert tickets can automatically connect to someone's wallet, along with any rewards programs associated with those tickets.
SSI can also be used to fully digitize certificates, transcripts, or student IDs from schools and universities.
Drawbacks
Just like in the real world, both parties will always display their verifiable credentials to ensure authenticity. As expected, users can manage each credential directly from their smartphones, completely autonomously, provided that all participants accept the same blockchain or distributed ledger system.
The adoption of decentralized identity solutions is always associated with network effects, and getting most service providers to use a single SSI standard may be a barrier. Another obstacle is the availability of internet access, as data cannot be verified offline. One solution is satellite grids that can provide internet access to every corner of the world. Early versions of SpaceX's Starlink currently include such a solution.
Another issue is scalability. Fully decentralized blockchains are affected by limited throughput and very high utilization, leading to increased operational costs. Ultimately, we may solve this problem through complex cross-chain technologies or by splitting different branches into different networks.
The last issue is wallet key management: the key is a single point of failure, yet it is required to operate SSI software. A solution to this problem is discussed in the next section.
Smart Contract-Based "Accounting"
In the future, users will be able to freely manage a wealth of digital information about themselves. Nevertheless, the current systems that use private keys to protect this information still have some issues. For example, an account can only have one private key, and if the private key is lost, the assets held in the account can only be recovered through a specific backup phrase.
No one should build their entire identity on a password, nor should they do so with their assets. Furthermore, conventional blockchain accounts cannot store data at their key addresses, meaning that no one knows the true identity behind them until they expose themselves.
Proper accounting is needed to organize all verifiable identity credentials, which is why traditional key-based accounts on the blockchain are transitioning to more advanced methods.
We previously discussed running applications on the blockchain. The functionality of these applications, combined with the user's wallet key, can enable user profiles, making identity solutions easier to maintain. Users can store additional information and connect multiple keys and devices to the same account. Having interchangeable keys is valuable for users, as they can now have backups to access their digital identity.
Blockchains based on the Ethereum Virtual Machine have programmable capabilities known as "smart contracts," which users can execute by sending transactions from their wallets. Through these smart contracts, a fully manageable identity ecosystem can be developed. All devices or wallets connected to one account can be used as a single identity combination. By adding key managers, individuals can even grant permission to control identity data to multiple devices, individuals, or services.
Image: Smart Contract-Based Accounting
This single contract account can then manage digital assets just like a conventional key-based address. The initial idea of smart contract-based accounting was proposed by early blockchain developers during discussions about the Ethereum blockchain in 2014. However, due to the complexity of early smart contract functionalities, they abandoned it.
In 2017, identity was first standardized on the Ethereum blockchain as ERC-725 and further developed by Fabian Vogelsteller. Due to the use of the Ethereum blockchain, the current implementation of smart contract-based "accounting" is still too costly. Complex contracts generate a large number of transactions, increasing demand on the blockchain and leading to high fees. Even scalability solutions like sharding cannot provide the throughput needed to manage everyone's or every device's identity on a single blockchain.
Considering these issues, the LUKSO project was established in 2018. The main goal of this project is to create a new ecosystem of smart contract standards that enables users to autonomously create economic roles. LUKSO is bringing the profile structures known in social media into the blockchain world while providing usability on top of the blockchain.
It differs from the personal identities typically included in SSI by creating public accounts with easy participation and extensible asset management features. Users can freely add personal information to their profiles, gain reputation, add credentials, assets, and many other types of information.
With the functionality of profiles, external applications can even be attached to store data in their connected vaults. This structure can be seen as a new era of lightweight identity management systems and autonomy platforms.
Unlike centralized Web2 systems, if LUKSO's nodes are sufficiently decentralized, it can even eliminate data loss or downtime in the blockchain network. At some point, personal identities can be linked to universal public profiles as hybrid SSI solutions, while personal off-chain data can only be accessed through on-chain logins.
With the ERC-1056 standard, the Ethereum ecosystem already has solutions for personal off-chain SSI data, connecting users' public keys.
Current Status and Outlook of SSI
The significant advantage of Web3 is that it is user-centric, reshaping the interaction between users and digital software services. When connected to a blockchain network, SSI can realize its true potential: it is more secure, decentralized, and can serve as a store of value.
That said, decentralized identity management is not yet as fast, cheap, or scalable as centralized services. For complex systems built from SSI components to be adopted, a blockchain capable of handling much larger transaction volumes is required.
Secondly, identity standards have not yet been widely adopted. Nick Poulden first released a fully functional prototype of the ERC-725 identity standard on Ethereum in 2018. Seeing the tremendous success of putting the technical concept into practice, multiple blockchains are currently attempting to integrate such login functionalities.
The key is interoperability, which is difficult to determine because standardization must come first. Organizations like W3C are trying to standardize identity across all possible functionalities across industries. While this will be the ultimate goal, it may take large tech companies a long time to develop and reach consensus on the final solution and back-end technologies.
Projects like LUKSO are taking a more lightweight approach, establishing a smart contract standard ecosystem directly for public profiles, where various businesses can adjust, extend, or interface their standards, making mainstream decentralized services a reality for the younger generation.
Widespread adoption is likely to be gradual, as existing solutions are convenient and still usable. The downside is that mature SSI technology needs to be made available to developers across all industries, primarily governments and traditional institutions.
Transforming industries will require outstanding new products and their ease of use. Overall, we are at the beginning of a new era in how to manage digital identities. Let’s fasten our seatbelts and head into the future together.