Blockchain & Identity – How can Identities be Stored and Used on Blockchains?
When called upon to improve our customers’ Identity Management systems, or to build new systems from the ground up, we usually start from the customers’ business requirements and attempt to fit them into the currently available management systems and services, which are built around centralized authorities such as directory services and databases. We then work our way down from there, building those systems around or alongside the internal storage of end users’ data.
But the biggest shift in how identities can be created, stored, managed, and authenticated with Blockchain is best viewed from the perspective of the individual end user. We have to take a step back and look at the bigger picture. In our current worldwide digital landscape, small portions of users’ overall digital identities (let’s call these identity portions “identettes”) are stored across myriad disparate systems, directories, databases, etc., and the users have little to no control over how these identettes are stored, managed, or used. The potential new landscape of distributed digital identity on Blockchains promises to bring the entire digital identity together, as a whole, and give control of that personal data back to the individual. Digital self-sovereignty. It allows individuals to choose which data can be accessed and by whom. For instance, if an employee needs access to a particular resource, a hash can be created from their first name, last name, Social Security number, and date of birth. That single hash can then be used to uniquely identify that individual and grant them access to the resource. The user need not expose their personal information; the hash provides their cryptographically secure unique identette.
So how are identities stored on blockchains?
The W3C and other groups are working on standards that define the format for how these records are stored. The W3C defines a data model and syntaxes for Decentralized Identifiers (DIDs).
As stated in the W3C specification: “DIDs point to DID Documents. A DID Document contains a set of service endpoints for interacting with the entity. Following the dictums of Privacy by Design, each entity may have as many DIDs as necessary, to respect the entity’s desired separation of identities, personas, and contexts.”
These DIDs can be stored on Blockchains or in Identity Hubs (encrypted identity datastores for identity-specific endpoints), and they are accessed using DID resolvers, which resolve the identities and handle attestations across Blockchains.
While other groups and companies are developing proprietary methods of storing identities on Blockchains, we believe the true potential of distributed digital identities is best served by the development of, and adherence to, industry standards. Therefore we’re focusing only on the W3C specifications in this post.
Ok, but how do we know DIDs on Blockchains can be trusted?
The immutable nature of Blockchains guarantees that the data stored therein, once confirmed, will be authentic and unchanged forever. Once confirmed data is stored in a block and hashed, no entity can change that data in any way without changing the hash of that instance of the Blockchain. If the hash of one instance of the Blockchain doesn’t match the hashes of the other instances on the network, the other network participants know it has been altered, and that altered instance is rejected by the rest of the network, or consortium. That said, we would be remiss not to acknowledge that an attacker who gained control of a majority of the computing power on the network could defeat the immutability of a Blockchain; this is known as a 51% attack.
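As an added illustration of the tamper-detection argument above (example code written for this editorial pass, not part of the original post or of any W3C specification), the following Python models a hash-linked chain of DID records held by several replicas: a copy edited in place fails its own integrity check, a copy that is fully re-hashed after the edit passes that check but is rejected by the honest majority, and that same majority comparison is what a 51% attacker subverts. The `did:example:` records and hub URLs are constructed sample data.

```python
import hashlib
import json
from collections import Counter

GENESIS_PREV = "0" * 64  # stand-in "previous hash" for the first block

def block_hash(index, prev_hash, payload):
    # Hash the index, the predecessor's hash and a canonical (sorted-key) JSON
    # form of the payload: changing any of them changes this block's hash.
    header = json.dumps({"index": index, "prev": prev_hash, "payload": payload}, sort_keys=True)
    return hashlib.sha256(header.encode()).hexdigest()

def build_chain(payloads):
    # Each block commits to its predecessor's hash, which is what makes an
    # edit to an early block visible in every block after it.
    chain, prev = [], GENESIS_PREV
    for i, payload in enumerate(payloads):
        h = block_hash(i, prev, payload)
        chain.append({"index": i, "prev": prev, "payload": payload, "hash": h})
        prev = h
    return chain

def first_bad_block(chain):
    # Local integrity check: recompute every hash and verify every back-link.
    # Returns the index of the first inconsistent block, or None if intact.
    prev = GENESIS_PREV
    for b in chain:
        if b["prev"] != prev or block_hash(b["index"], b["prev"], b["payload"]) != b["hash"]:
            return b["index"]
        prev = b["hash"]
    return None

def rejected_replicas(replicas):
    # Network check: compare head hashes; replicas disagreeing with the majority
    # are rejected. A 51% attacker defeats exactly this check by holding most replicas.
    heads = [r[-1]["hash"] for r in replicas]
    majority = Counter(heads).most_common(1)[0][0]
    return [i for i, h in enumerate(heads) if h != majority]

def rebuilt_edit(chain, index, new_payload):
    # Alter one record and re-hash every block from it onward: the result is
    # internally consistent, but its head hash no longer matches honest copies.
    payloads = [b["payload"] for b in chain]
    payloads[index] = new_payload
    return build_chain(payloads)

# Constructed sample records (not real DIDs): one DID-document entry per block.
RECORDS = [
    {"did": "did:example:alice", "service": "https://hub.example/alice"},
    {"did": "did:example:bob", "service": "https://hub.example/bob"},
    {"did": "did:example:carol", "service": "https://hub.example/carol"},
]
```

Note that `rejected_replicas` only compares head hashes, so it assumes each replica has already passed `first_bad_block`; an in-place edit that leaves the stored hashes untouched is caught by the local check, not the network one.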
With the verifiable claims data model, as defined by the W3C, we can quickly and automatically verify identities in a cryptographically secure manner.
But keep in mind…
In order for the use of decentralized digital identities on Blockchain to mature and provide widespread value, broad acceptance and adoption of agreed-upon standards at industry and/or governmental levels is required. Otherwise, we could end up with the same kind of scattered patchwork of digital identettes on disparate systems that we have now, only in a different format.