The lyrics to the 1937 song of the same title, "Me, Myself, and I" speak to individual identity – me, the whole person, and nobody else. In the context of the emerging paradigm of decentralized applications and services, often wrapped in the cloak of Web 3.0, one of the promised benefits for the individual is control over their personal data. Central to this anticipated benefit is the irrefutability and verifiability of a "digital self," comprising the "digital twin" of our actual person.
The central thesis of the decentralized future is that I should be able to demonstrate certain aspects of my identity in the digital domain that are manifest in the physical domain – for example, my valid passport, academic record, Social Security details, and financial transactions. These characteristics, or "claims," about my identity should be able to be verified, independently, by a relying party, to establish the necessary trust for some transaction between us. The change from existing federated identity methods is that I choose whether to disclose my personal data for a specific purpose and I retain control of the disclosure process under the concept of self-sovereign identity (SSI).
How do I gain this control over my identity? The answer is through the use of public key cryptography, where I provide a public key that others can use to verify my unique cryptographic signature, generated using a private key to which only I have access. This system of digital signature and verification is in widespread use today and is the basis for secure communications between the server hosting this article and your Web browser. To enable decentralized verification of credentials, public keys are written to a distributed ledger using a decentralized identifier (DID) that represents my uniqueness within the decentralized environment. DID standardization is currently being worked on by the World Wide Web Consortium (W3C), with the aim of establishing interoperability across discrete, decentralized networks.
Crucially, the public key associated with an individual or machine participating within a decentralized network forms part of the DID that all relying parties within a decentralized network use to validate my identity and my transactions. The distributed ledger provides irrefutable and immutable evidence of those transactions, based upon the use of my public-private key pair. In a decentralized world, your private keys become your identity. Your private keys are, therefore, not only a source of control, restricting who can access your data, they are also a source of acute vulnerability.
The consequences of either loss of your private keys or someone gaining unauthorized access to them are evident in several well-publicized examples of cryptocurrency theft, notably the separate attacks perpetrated against Mt. Gox, Bitfinex, and Coincheck. Once access had been gained to the private keys used to authorize cryptocurrency transactions, hundreds of millions of dollars in crypto-asset value were lost from user wallets. Ironically, in the case of the Bitfinex theft, it was a lack of adequate security to protect the alleged perpetrators' private keys that enabled law enforcement agencies to recover approximately $3.6 billion in Bitcoin assets that were stolen in 2016.
We are now witnessing a societal transition to the use of DID verification and associated ownership and custody of digital assets. As decentralized services proliferate, DID claims will also be enriched. Credentials issued by traditional identity providers, such as governments and banks, will be complemented by information from other sources. Not only will my digital persona reflect my activities and interests in the physical domain, but transactions made with my DID will be recorded across disparate blockchains, creating an immutable record of my life history.
With my private keys controlling the use of my identity in tomorrow's decentralized context, unauthorized access to those keys could be catastrophic. A malicious entity appropriating my private keys could not only gain access to wallets holding valuable cryptocurrencies and tokens, but they could also perform any variety of fraudulent transactions. In a worst-case scenario, my physical identity could become completely decoupled from my digital twin, rendering a demonstration of my identity virtually impossible in the digital domain. The problem being that where my DID is misused, the nature of distributed ledger transactions makes it extremely difficult to refute their authenticity after the event. How can I deny knowledge of a fraudulent application for a credit card or bank loan where my private key was used to sign the digital contract? How can I assert the continuity of my physical residence, after the use of my DID with a claim based on a fraudulent address?
Global initiatives such as the World Bank's Identification for Development (ID4D) project and the W3C's DID standardization activity are providing a framework for SSI management within a decentralized world. Secure management of private keys remains, however, the prerequisite for robust identity management and the integrity of decentralized applications and services. As the recent problems at Okta indicate, SSI can mitigate the risks associated with contemporary identity management services. Nevertheless, independent, secure, and available key management solutions represent the foundation of this new identity management model. While it is tempting to focus on the opportunities of the decentralized future, there is still much to resolve when it comes to securing our individual identities in this new ontological domain.