Search
Close this search box.
Search
Close this search box.

Self-Sovereign Identities: Challenges and Chances

Self-sovereign identity (SSI) is a new concept for identity management that shall be used in the Swiss E-ID which is currently under development. The main advantage of SSI is that it better protects the users’ privacy than classical identity solutions do.

Swiss E-ID Illustration

In September 2021, the Federal Council defined the principles for the design of a future Swiss E-ID. The corresponding law is currently being drafted. With the planned E-ID, users will be given control over their data. The principles of privacy by design, data economy/minimization and decentralized data storage shall be guaranteed.

The concept of “self-sovereign identities” to be implemented in E-ID is a new technology that is known to only a few experts and still leaves many questions unanswered.To understand the benefits of self-managed identities, you need to compare them with classic concepts, based on the Security Assertion Markup Language (SAML) [1] or OpenID Connect [2] .

Classical identity solutions

Classical identity solutions rely on a central identity service to which a user logs on. The identity service, also called Identity Provider (IdP), knows the user, and authenticates them. For this purpose, each user must provide a username (identifier) and at least a password. More sophisticated IdPs require a two-factor authentication, typically using  an SMS code or an authenticator app on the smartphone. As the IdP is involved every time when the user wants to access a service, the IdP exactly knows the user behavior and can form so-called profiles. The IdP will know the typical behavior of both user groups and individuals. In addition, identity services usually store a lot of user data centrally, which creates  a potential target for hackers.

These classical solutions work well, offer the best user comfort, and are usually sufficiently secure. But as the IdP is the central element in the architecture, there can be issues with data protection and privacy. There are only regulatory means – and rarely technical ones – to prevent this.

SSI – Self-sovereign identities

According to the principles of so-called self-sovereign identities (SSI) [3], the user is at the center. Therefore, SSIs belong to the user-centric identities, like X.509 certificates or the German identity card with e-ID functionality [4].

The main difference of user-centric identities to classic solutions is the separation of the issuance and usage processes. In the issuing process of SSI, users usually receive their identity in form of verifiable credentials (VC) [5] in a smartphone wallet. Now, users have full control and responsibility of their VCs. Only the users decides when and to whom to present their VCs. The identity service (issuer) that gave the VCs to the users is not involved in this presentation process and therefore can no longer track the users nor collect information about where the VCs are being used.

 The better protection of privacy is the main reason why
user-centric identities, like SSI, are preferred today.

This allows the users to better protect their privacy and gives them more control and responsibility over their identity. The biggest advantages are:

  • local storage of the users’ data on their smartphones instead of a central identity service
  • the decoupling of issuance and usage. 

However, besides those benefits, there is also a downside of SSI. SSI is a technology with a high level of complexity: the infrastructure reaches from blockchain over central components to cloud agents which are connected to smartphones. Many of these components use new technologies and protocols that are not yet mature and are only in the initial standardization phase.

In addition, some concepts that are widely cited, such as zero-knowledge proofs or selective disclosures, exist only on paper so far or may have just made it into the first prototypes. There are also still a couple of unresolved research questions [6], e.g., concerning signature blinding, user binding or privacy-aware revocation. Some say that SSI will probably reach a sufficient maturity only in the next five to ten years before it can be expected to be used by ordinary citizens. Accordingly, implementation efforts and costs are difficult to estimate.The greater control by the users also comes with greater responsibility. The users must not only store their identity and digital credentials securely, but also protect them from misuse, keep them up to date, and possibly back them up.  In a digital ecosystem, where a user receives VCs from multiple issuers, there is no longer a central point of contact to consult in case of problems or loss. Whether an ordinary citizen, who is not necessarily digitally savvy, can handle this remains to be seen. Not to mention the emerging questions about digital inclusion and ethics…

Conclusion

SSI has the potential to change today’s paradigm that users pay with their data for the services they use. It can help to bring the user more in control and to better protect data and privacy.To achieve these ambitious goals and solve all the problems that a new technology brings, the concepts of SSI must be further developed. Components and technology must be brought to maturity, and all stakeholders from academia to IT providers, government institutions and citizens should work together. Neither time constraints nor monetary interests should cause SSI solutions to be deployed too early and thus prevent the full potential from being realized.

References

  1. OASIS, „Security Assertion Markup Language (SAML) V2.0 Technical Overview,“ 25 March 2008. [Online]. Available: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html.
  2. OpenID Foundation, [Online]. Available: https://openid.net/developers/how-connect-works/.
  3. Sovrin Foundation , „Die Grundsätze von SSI,“ 16 Dezember 2020. [Online]. Available: https://sovrin.org/wp-content/uploads/Principles-of-SSI-V1.01-German-v01.pdf.
  4. Wikipedia, [Online]. Available: https://en.wikipedia.org/wiki/German_identity_card.
  5. W3C, „Verifiable Credentials Data Model v1.1,“ Nov 2021. [Online]. Available: https://www.w3.org/TR/vc-data-model/.
  6. FedPol, [Online]. Available: https://github.com/e-id-admin/governance-sounding-board/discussions/45.

 

Dr. Annett Laube is a professor at the School of Engineering and Computer Science at BFH, the Bern University of Applied Sciences. Her interests are identity management, security and trust. She can be reached at https://www.bfh.ch/en/about-bfh/people/6db55klgpiwo/.

Swiss E-ID Illustration

SI Logo

The Swiss Informatics Society SI is the association of Informatics professionals in Switzerland.

Die Schweizer Informatik Gesellschaft SI ist der Verband der Informatikfachleute in der Schweiz.

La Société Suisse d’Informatique SI est l’association des professionnels de l’informatique en Suisse.

La Società Svizzera di Informatica SI è l’associazione dei professionisti dell’informatica in Svizzera.