Who Controls Your Digital Identity?
How Self-Sovereign Identity Brings Personal Data Back Under the Control of the User
Originally published to the SAP Blog, by Alexander Schaefer, Principal Software Engineer at SAP.
Remember the last time you had to apply for something at the Department of Motor Vehicles or any equivalent government office? Remember how many documents you had to print and present and how tedious this process was? Now, imagine instead of doing that you could simply scan a QR code, click “Accept” on your phone and be done. That is what Self-Sovereign Identity (SSI) can do.
The current form of digital identities used online has a major drawback – the identities are not owned or controlled by the individual but by centralized corporations or governments. These typically fall under two buckets: (a) centralized accounts created for each individual website, secured by a username and password, that are only valid for that particular website (for example your eBay login), or (b) a federated identity that is more widely accepted but suffers from a centralized identity provider owning your data (think social media log-in via Facebook or Google).
All types of accounts, especially those of more important services and ones that contain personal data like social security numbers, represent a part of a person’s digital identity. However, the issue is that these identities can be lost, revoked, changed, or compromised without the individual’s permission or chance to take action. There are many examples of centrally stored personal information (honeypots of data) being compromised and stolen, such as the 2017 Equifax data breach affecting sensitive personal data of roughly 150 million Americans. Equally dangerous, these identities can also all be impersonated through phishing or brute-force attacks, making it a constant challenge to truly prove “who’s who” on the internet.
Social media logins, part of a larger category of federated identity management, are quite commonly used and offer a far better user experience than trying to keep track of countless username/password combinations. They allow using a single account with one provider to login with third-party providers. This has the benefit of simplifying the logon process drastically. Users only need to remember a single password, in order to authenticate with other providers. In combination with biometric authentication mechanisms, such as Face ID or fingerprint identification, both common features of modern smartphones, this can enable an entirely password-less login. However, since all of the personal data and the digital identity itself are controlled by a corporation, they are vulnerable to the same data breaches and impersonation risks that affect centralized identities. Additionally, such social logins, like ‘login with Facebook’, are generally only used when a weak form of authentication is acceptable, thus never for services of banks, governments, or alike.
Self-sovereign identity, on the other hand, brings the personal data back under the control of the user, while also having the convenience of a federated login. The user gets a seamless, password-less user experience and has full power and authority over their digital identity, personal credentials and data. All without any centralized components.
The identity data is represented as a collection of digital credentials, also called verifiable credentials (VCs). These credentials reside in a digital wallet which only the subject (individual owning the digital identity) controls. Such a wallet can be on a mobile phone, a tablet, or a laptop.
This digital wallet can be usable with a wide variety of services, ranging from simple logins with eBay to applying for a job or opening a bank account. That is also where the big challenge of decentralized identity lies – generating wide-spread adoption across different industries. A broad range of different credential types, issuers, and verifiers needs to be achieved to implement meaningful use cases. Examples of credential types would be university degrees, employment proofs, or government IDs.
To achieve this, ecosystems around verifiable credentials will be key. The good news is, they have already been formed and are growing rapidly.
But more critically, SSI will have to be integrated with large existing business processes – and therefore enterprise systems such as ERPs, HCMs, or SCMs to name a few. If this integration results in SSI being as easy to use as clicking a button or selecting a menu item, it will lead to rapid uptake and acceptance.
This is precisely what we set out to test and understand with our proof-of-concept, developed in close collaboration between the SAP Innovation Center Network, Evernym and ATB Ventures.
The prototype enables employees to generate an employment verification letter as a verifiable credential directly from within SuccessFactors, SAP’s cloud-based software for human capital management (HCM). This is as simple as selecting to email or print the verification letter. Once generated, employees can store this credential from the security of their own mobile device, using an SSI wallet such as Evernym’s Connect.Me app. In the future, an open ecosystem of different SSI-based wallet providers (uPort being another example) should allow the user to freely choose their wallet solution with full interoperability. They can then share the credential with organizations, like the bank ATB Financial, to instantly prove that they meet the employment and income requirements for opening a new bank account or loan. Finally, ATB Financial can issue an approved loan credential to the applicant, valuable for purposes of credit history.
( Disclaimer: All data, names, and persons in this demo are fictitious. )
This prototype demonstrated three things:
- Integrating SSI technology, such as Evernym’s Verity platform, with large enterprise systems can be light-weight and non-intrusive – both in terms of backend and UI integration. Loose coupling on the backend was achieved and frontend changes could be kept minimal and therefore remain intuitive for the user
- The overall user experience for application processes, such as applying for a loan at ATB Financial is greatly simplified via SSI. In fact, any type of UI interaction where the user previously had to complete several manual steps (e.g. uploading multiple documents, generating and organizing documents) could be reduced to a simple click of a button or QR code scan with an SSI wallet containing verifiable credentials. This will be a game-changer for any type of onboarding experience.
- The exchange of cryptographically verifiable credentials can drastically simplify business processes, in this case, Know Your Customer (KYC) for a loan application. A fully automated KYC check completed by the bank, without any third party or manual steps, could be envisioned. In the future, cumbersome underwriting processes like applying for a mortgage could be reduced from weeks to days, as applicants will be able to immediately and securely verify their identity, assets, and employment history.
Widespread adoption of SSI will put the control of digital identities back in the hands of the individuals. Through this collaboration and prototype, we’ve achieved a greater understanding of what our customers need, and how we can take steps toward a more secure digital future. We are currently working to grow our prototypes and are also looking toward larger scale use cases, as well as exploring other application areas such as object identities.
About New Ventures & Technologies
To future-proof SAP and our customers’ businesses, SAP the New Ventures and Technologies (NVT) organization drives transformative innovation through technology innovation and product incubation. NVT identifies commercial opportunities in the SAP ecosystem, explores and pioneers the business impact of emerging technologies and makes them enterprise-ready. For more information, visit their website.
