We all know the internet was a very niche place back in the late 1960s. Small, elite groups from government, engineers, or people who worked for NASA, CERN, etc. had access to it. Because the users were few and known, the design of the internet included no layer for identity and authentication. It was created without a standard for clearly identifying its users. In 1990, Tim Berners-Lee and his colleagues at CERN developed the HyperText Markup Language (HTML) and the Uniform Resource Locator (URL), giving birth to the first incarnation of the World Wide Web. With the invention of the WWW, it became a common platform for providers to share information. Various sectors of society, such as health and finance, started using the internet for their services, which resulted in very high growth in internet usage. With the dotcom bubble in 2000, the number of internet users grew exponentially.

Need for identity

Because of the high growth in the number of users, there was certainly a need for identity. Service providers cannot let users use their systems without identifying them. Likewise, from the user's point of view, a user wants to know the authenticity of the service provider. Let's take a look at some of the questions that might arise in their minds:

These questions pointed to the need for an identity layer (a digital identity) on top of the internet. The next question was how to implement it.

Before we go into identity models, it's worth taking a look at what identity means.

An identity can simply be described as the representation of who you claim to be and who you are. For example, you can be represented by your name, age, profession, address, etc.; these claims about you are called identities.

Evolution of Identity Management Models (IDM)

Disclaimer:

Although, for the sake of understanding, I will compare and contrast the different models of identity management systems, my intention is not to "declare" or tell people that there is ONE model suitable for all!

Let's get started...

To prove our identity in the physical world, we generally use authorised documents like a passport, Aadhaar card, office/student ID card, etc., but in the digital world it is very hard to prove who you are. I am sure you might know about this famous cartoon by Peter Steiner.

Anyways, so they started with something called the Silo model, where a user manages as many identifiers and credentials as there are service providers.

Silo model

The problem was that memorising a large number of logins and passwords was hectic. People tend to use the same credentials with different service providers, which reduces the level of security. Hence the Centralised Digital Identity system came into the picture, which brought in the concept of the Identity Provider (IDP).

  • The central authority, the IDP, becomes the issuer and verifier of user identity attributes.
  • Users can authenticate themselves to service providers (SPs) with the same identity and the same credential, without having to repeat authentication for each new SP requested: the concept of Single Sign-On (SSO).

[Figure: SSO]

This certainly helps to solve the problem of handling multiple credentials with some level of security, but the user has to fully trust the IDP not to misuse their identity. The IDP retains complete control, and the user has limited control over the attributes that are shared between SPs. Further, the user also suffers from a lack of cross-organisation accessibility.

The lack of cross-organisation accessibility brought in the concept of federation: the Federated Digital Identity system.

Federation is a type of SSO where the actors span multiple organisations and security domains. The goal is to allow security principal identities and attributes to be shared across trust boundaries. To do that, common standards and protocols (SAML, OIDC) were developed to manage and map user identities between IDPs across organisations with the help of trust relationships. See the figure below.

[Figure: federated SSO]

Further, the same idea can be extended to a dedicated organisation that takes responsibility for managing identities and federation across different organisations. See the figure below:

Though it achieved its goal of cross-organisational access, control of the identities is still not with the user. This breaks the privacy principle, as the identity parameters are exposed to multiple organisations. We have observed that the root cause of digital identities not being able to provide privacy and security is the involvement of intermediate authorities and the control of the identities.

That brought us to the concept of the User-Centric Digital Identity system. The best example of this is social login, where you see "Login with Gmail" or "Login with Facebook" while registering with a new application. Before you log in to the application using your Gmail identity, Google requests your consent before allowing the new application to access your data, thereby giving users the right to restrict the exposure of their information. This system places users in the middle of the identity process. At the request of the SPs, the user can determine to what extent they want to share their data. Let's take a look at the figure below:

[Figure: Facebook login]

But the problem still persists: the user details are stored at the trusted identity providers. The question is very simple:

As a user, I want to log in to the service provider, which means that there is going to be a contract or agreement between me and the service provider, but why is the IDP holding my data? It should merely be the facilitator in the whole system and not the fully trusted authority.

Hence, the user-centric identity system still falls short on requirements such as minimal exposure of credentials and elimination of the central authority, which need to be addressed before it can be considered truly secure, privacy-friendly and usable.

Where are we right now?

Before we go any further, let's see where we are by putting all these models on a timeline to take a bird's-eye view: we started with the Silo model, then talked about the Centralised model, then looked into the Federated model, and finally ended up at the User-Centric model.

Self Sovereign Identity (SSI)

SSI aims to give users back full control of their identity and adds a layer of security and flexibility by allowing the identity holder to reveal only the necessary data to any service provider. Unlike other systems, it provides trusted communication between users and organisations by taking trust away from central authorities like the IDP. Under the self-sovereign identity model, individuals and organisations (holders) who have one or more identifiers can present claims relating to those identifiers without having to go through an intermediary.

SSI starts with the notion that individuals and organisations have real-world or offline, context-dependent identities that no one else can take away. Users and organisations can keep digitally signed claims related to them in a digital wallet instead of central storage. A digital wallet resembles our physical wallet that holds a stack of identity documents. The stored claims are cryptographically signed to make them verifiable. See the figure below:
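
The signed-claim and selective-disclosure idea described above, as an added example (not code from the original post or from any SSI project): an issuer signs salted digests of the claims with Ed25519 using Node's built-in crypto module, the holder's wallet reveals only the chosen claims, and a verifier checks them without contacting an intermediary. The function names, the credential layout and the sample claims are assumptions made for illustration; holder key binding and revocation are left out.

```javascript
const crypto = require('crypto');

// Salted digest of one claim. The random salt stops a verifier from
// guessing undisclosed values by hashing likely candidates.
const claimDigest = (salt, name, value) =>
  crypto.createHash('sha256').update(JSON.stringify([salt, name, value])).digest('hex');

// Issuer: signs the sorted list of claim digests, never the raw values.
function issueCredential(issuerPrivateKey, claims) {
  const disclosures = Object.entries(claims).map(([name, value]) => ({
    salt: crypto.randomBytes(16).toString('hex'), name, value,
  }));
  const digests = disclosures.map(d => claimDigest(d.salt, d.name, d.value)).sort();
  const signature = crypto.sign(null, Buffer.from(JSON.stringify(digests)), issuerPrivateKey);
  return { digests, signature, disclosures }; // stored in the holder's wallet
}

// Holder: presents the signed digests plus only the claims they choose to reveal.
function present(credential, names) {
  return {
    digests: credential.digests,
    signature: credential.signature,
    disclosures: credential.disclosures.filter(d => names.includes(d.name)),
  };
}

// Verifier: returns the proven claims, or null if anything fails to check out.
function verifyPresentation(issuerPublicKey, presentation) {
  const signed = Buffer.from(JSON.stringify(presentation.digests));
  if (!crypto.verify(null, signed, issuerPublicKey, presentation.signature)) return null;
  const claims = {};
  for (const d of presentation.disclosures) {
    // Each revealed claim must hash to one of the digests the issuer signed.
    if (!presentation.digests.includes(claimDigest(d.salt, d.name, d.value))) return null;
    claims[d.name] = d.value;
  }
  return claims;
}

// Constructed sample data: a hypothetical issuer key pair and made-up claims.
const issuer = crypto.generateKeyPairSync('ed25519');
const wallet = issueCredential(issuer.privateKey, {
  name: 'Alice Example', age_over_18: true, address: '1 Sample Street',
});
const shown = present(wallet, ['age_over_18']);
console.log(verifyPresentation(issuer.publicKey, shown));
```

The verifier learns that the issuer vouched for `age_over_18` but sees only opaque digests for the name and address, which is the minimization principle in practice.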

Guiding Principles of SSI

Self-sovereign identity is the next step beyond user-centric identity, and that means it begins at the same place: the user must be central to the administration of identity. That requires not just the interoperability of a user's identity across multiple locations, with the user's consent, but also true user control of that digital identity, creating user autonomy. People have come up with these 10 principles with respect to SSI:

  1. Existence — Users must have an independent existence.
  2. Control — Users must control their identities.
  3. Access — Users must have access to their own data.
  4. Transparency — Systems and algorithms must be transparent.
  5. Persistence — Identities must be long-lived.
  6. Portability — Information and services about identity must be transportable.
  7. Interoperability — Identities should be as widely usable as possible.
  8. Consent — Users must agree to the use of their identity.
  9. Minimization — Disclosure of claims must be minimized.
  10. Protection — The rights of users must be protected.

I won't go into the details of SSI since this blog post has already become long. Maybe in the next blog I will talk only about the details of SSI: how is it being implemented, and how can blockchain (because I advocate blockchain :p) as a tech help to implement SSI? I recommend watching this talk by Christopher Allen, who is known to be the father of SSI.

I would like to close this discussion with a question to help you understand why we are worrying so much about the user having control of his identity:

Can you spell Identity without an “I”?

I hope you have got some learning from this blog, and I hope to see you in the next blog. Happy learning!
