{"id":19754,"date":"2023-10-13T00:28:00","date_gmt":"2023-10-12T22:28:00","guid":{"rendered":"https:\/\/magazine.swissinformatics.org\/?p=19754"},"modified":"2023-10-13T00:36:11","modified_gmt":"2023-10-12T22:36:11","slug":"self-sovereign-identities","status":"publish","type":"post","link":"https:\/\/magazine.swissinformatics.org\/en\/self-sovereign-identities\/","title":{"rendered":"Self-Sovereign Identities: Challenges and Chances"},"content":{"rendered":"\n

Self-sovereign identity (SSI) is a new concept for identity management that shall be used in the Swiss E-ID which is currently under development. The main advantage of SSI is that it better protects the users\u2019 privacy than classical identity solutions do.<\/em><\/p>\n\n\n\n

\"Swiss<\/figure>
\n

In September 2021, the Federal Council defined the principles for the design of a future Swiss E-ID. The corresponding law is currently being drafted. With the planned E-ID, users will be given control over their data. The principles of privacy by design, data economy\/minimization and decentralized data storage shall be guaranteed.<\/p>\n<\/div><\/div>\n\n\n\n

The concept of \u201cself-sovereign identities\u201d to be implemented in E-ID is a new technology that is known to only a few experts and still leaves many questions unanswered.To understand the benefits of self-managed identities, you need to compare them with classic concepts, based on the\u00a0Security Assertion Markup Language (SAML)\u00a0[1]\u00a0or OpenID Connect\u00a0[2]\u00a0.<\/p>\n\n\n\n

Classical identity solutions<\/strong><\/h3>\n\n\n\n

Classical identity solutions rely on a central identity service to which a user logs on. The identity service, also called Identity Provider (IdP), knows the user, and authenticates them. For this purpose, each user must provide a username (identifier) and at least a password. More sophisticated IdPs require a two-factor authentication, typically using  an SMS code or an authenticator app on the smartphone. As the IdP is involved every time when the user wants to access a service, the IdP exactly knows the user behavior and can form so-called profiles. The IdP will know the typical behavior of both user groups and individuals. In addition, identity services usually store a lot of user data centrally, which creates  a potential target for hackers.<\/p>\n\n\n\n

These classical solutions work well, offer the best user comfort, and are usually sufficiently secure. But as the IdP is the central element in the architecture, there can be issues with data protection and privacy. There are only regulatory means \u2013 and rarely technical ones \u2013 to prevent this.<\/p>\n\n\n\n

SSI \u2013 Self-sovereign identities<\/strong><\/h3>\n\n\n\n

According to the principles of so-called\u00a0self-sovereign identities<\/em>\u00a0(SSI)\u00a0[3], the user is at the center. Therefore, SSIs belong to the user-centric identities, like X.509 certificates or the German identity card with e-ID functionality\u00a0[4].<\/p>\n\n\n\n

The main difference of user-centric identities to classic solutions is the separation of the issuance and usage processes. In the issuing process of SSI, users usually receive their identity in form of verifiable credentials (VC)\u00a0[5]\u00a0in a smartphone wallet. Now, users have full control and responsibility of their VCs. Only the users decides when and to whom to present their VCs. The identity service (issuer) that gave the VCs to the users is not involved in this presentation process and therefore can no longer track the users nor collect information about where the VCs are being used.<\/p>\n\n\n\n

\u00a0The better protection of privacy is the main reason<\/em> why
user-centric identities, like SSI,<\/em> are preferred today<\/em>.<\/h4>\n\n\n\n

This allows the users to better protect their privacy and gives them more control and responsibility over their identity. The biggest advantages are:<\/p>\n\n\n\n