A proliferation of devices, systems and platforms has unleashed remarkable advances in digital technology and opened the door to capabilities that were unimaginable only a few years ago. One example is the emergency SOS feature that can detect when an Apple Watch user has taken a hard fall and automatically call emergency services if the person doesn’t dismiss the alert.
Yet, as organizations wade deeper into digital business, a nettlesome problem often appears: how to manage identities and how users authenticate themselves across dozens, hundreds or even thousands of physical and virtual assets.
Regardless of the specific situation, there’s a common requirement: establish an informational or algorithmic representation of a person or device within any given digital system. While the specifics of what’s stored in this representation may vary depending on various requirements and circumstances, it’s critical to ensure that identities are authentic and private.
As a result, the idea of decentralizing identity data has gained momentum. This approach, often built atop a zero-trust approach to security, incorporates distributed digital technology, typically through a private blockchain. It ensures that valued data isn’t stored in a central repository, and it serves as an immutable verification system. It also enables users to control how much or how little entities can learn about them.
Remember that the early internet protocols had no public and open-source identity layer. Web3 was based on the concept that users should own their own identity online and reveal parts of that identity only when they decide to do so. For example, a distributed identity on a private blockchain can serve as a container that allows claims to be associated with it.
Using this model, a government agency could attest to a user’s age and place of birth, but could not know anything else about the user’s digital identity, such as the actual birthday, without the user’s consent to sharing additional information. Similarly, a distributed digital identity could include a user’s transaction history that a financial service could query without knowing where the user was born. In addition, digital identities developed on one network could be ported to other networks.
A question of identity
At the most basic level, the concept of a digital ID isn’t a whole lot different than a physical ID. Both hinge on the ability to verify a user of a given digital device or system. In the physical world, this may take the form of a digital badge or key card used to enter an office building, for example. In the virtual world, equivalents are biometrics or tokens.
Yet, physical and digital systems differ in important ways. In the former world, it’s possible to protect assets in a secure place with walls, doors, keys, cameras and alarm systems. The concept revolves around securing a perimeter. However, in today’s highly interconnected digital world, where perimeters across hosted and virtual services are hard to define, a central data repository frequently increases risk. If criminals get through the defense system by stealing access credentials from a privileged user via phishing or social engineering, they can access sensitive assets. This approach also requires users to create and remember multiple passwords.
The complexity of storing, managing and securing identities continues to grow. Today, a typical person has dozens, or even hundreds, of accounts and passwords, while businesses must protect both employee and customer identity data and ensure that users have convenient access to systems. This complex and fragmented framework causes security problems, in no small part because it places significant responsibility on end users to behave in ways that do not compromise their login credentials.
A better way to authenticate
Decentralized ID and Web3 address this challenge. The approach revolves around a concept called self-sovereign identity. Rather than juggling numerous IDs across various sites and platforms or trusting everything to a third-party provider, an individual uses a digital wallet to hold credentials and authenticate with desired entities. This framework simplifies identity management while adding protection and giving users greater control over their identity and how they authenticate with various service providers such as financial institutions and employers.
Blockchain technology, which originated in cryptocurrency platforms, offers one way to implement decentralized ID frameworks where users control their identity data. It delivers an immutable, secure and flexible private ledger to support identity protection. With an identity stored in a digital wallet rather than on a central server or other authority, it’s possible to lock down data while preventing the traceability of sensitive data.
Decentralized ID delivers significant benefits. The framework reduces data fragmentation and password reuse; it cuts third parties out of the picture through sovereign identity; it’s typically easy to use (think Apple Pay or Google Pay); and, most importantly, it offers far better protection from hackers while delivering a more convenient user experience.
Even though users can still leak data through poor behavior, the underlying authentication of user identity is incredibly secure, since it uses live biometrics along with advanced encryption and cryptography to lock down authentication and transaction data.
The concept continues to gain momentum. Over the last few years, Microsoft, Verizon, Mastercard, and others have begun to incorporate Decentralized ID technology into various applications, systems and standards. What’s more, organizations such as the Decentralized ID Foundation, The World Wide Web Consortium and Hyperledger, a community in the Linux Foundation, have embraced the concept, including supporting and building new tools.
Decentralized ID gets real
Decentralized ID continues to evolve—and adoption has grown. By 2023, an estimated 35% of enterprise permissioned blockchain applications will integrate with decentralized applications and services, according to a Gartner report.
These organizations increasingly recognize the value of the technology for private identity management blockchains that incorporate biometrics; identity proofing used for credential verification; multi-factor authentication (MFA without clumsy one-time codes); and a more streamlined experience that distributed ledgers and blockchain deliver.
Decentralized ID and Web3 aim to deliver a single source of truth where the user, the consumer for example, is the authenticator. Using blockchain, identities can’t be tampered with, but the system can audit them. What’s more, the framework introduces new opportunities to innovate, including enforcing contracts across organizations and supporting new and different types of digital transactions.
This zero-trust and “always verify” approach delivers a level of transparency, usability and security desperately needed in the digital world.
Hemen Vimadalal, CEO of 1Kosmos
Copyright © 2022 CyberRisk Alliance, LLC All Rights Reserved This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization.