On our last webinar, we were joined by a panel of digital identity experts for a conversation on self-sovereign identity (SSI) and the future of authentication. Our panelists were Chris Eckl, CTO at Condatis; Andy Tobin, EMEA Managing Director at Evernym; and James Monaghan, VP Product at Evernym.
In what turned out to be our most popular webinar yet, with a staggering 450 registrants tuning in from around the world, these three panelists shared their thoughts on how SSI and portable credentials can improve the security of, and reduce friction in, today’s authentication processes.
(If you missed the webinar, you can find the full recording on our YouTube channel.)
Here are the takeaways:
1. We’ve long sacrificed security and privacy for convenience—but it doesn’t have to be that way.
Authentication has long been synonymous with the concept of “logging in” through a shared secret, in the form of a username and password combination. It’s a centralized model, where each account is designed to exist within a single service, website, or app.
It worked relatively well in the early days of the Internet, yet as web usage exploded, the shortcomings of this authentication model started to surface. Individuals were forced to create, manage, and remember an average of 191 username and password combinations. As a result, many resorted to commonly re-using passwords and/or opting for easy-to-remember, yet less secure passwords.
Still, the inconvenience factor is minor compared to the security ramifications. Through automated brute force methods, hackers can guess the average six-character password in as little as five minutes and, should an oft-repeated password get exposed in a breach, one’s entire online identity could be at stake.
On the webinar, Andy Tobin talked about federated authentication models (such as the ability to log in through Facebook or Google) as an improvement over the centralized model, but one that comes at a cost: letting a third party sit in the middle of all of your interactions.
“It’s like going to the immigration counter after an international flight and handing all of your travel documents to a Facebook employee who is standing there, copies them all, and then hands them to the border officer,” Andy related. “You simply wouldn’t agree to that in the physical world.”
This federated model requires both the service and the individual to trust the intermediary and poses the very real risk of a “super cookie” scenario, where one party logs everything you do in the digital world.
2. Decentralized identifiers and cryptographic keys are far more secure, and far more privacy-protecting than usernames and passwords.
So if passwords aren’t the answer, what is?
On the webinar, James Monaghan explained how self-sovereign identity was the true “password killer” and how SSI’s notions of decentralized identifiers and private keys can be thought of as the next evolution of usernames and passwords, respectively.
Usernames (often email addresses or Twitter handles) are convenient and easy to remember, but you never actually control them, James explained. They belong to the service provider, which reserves the right to terminate your access at any time. In essence, you are simply “renting” these identities.
In contrast, decentralized identifiers (DIDs) are created and fully managed by the individual, through digital wallet software (like Connect.Me) under their control. Individuals can create an unlimited number of DIDs without needing to rely on a third party. These DIDs, furthermore, aren’t designed to be re-used, so individuals don’t have to worry about remembering them or even making them human-readable. DIDs are truly secure and unique to each of your digital relationships, meaning each of your “accounts” can be independently secured with little effort from the individual.
Similarly, replacing passwords with private keys dramatically increases security, both in terms of the individual knowing their digital relationships are secure and for service providers to ensure that the person they’re interacting with is truly their customer.
“Not only are cryptographic keys prohibitively hard to guess or crack,” James elaborated, “but if one of the service providers you interact with was to get compromised, the one verification key they store for you would be useless to malicious parties, as it can’t be used to impersonate you or log in on your behalf. It’s only valid for logging in to specifically that one service provider. Even if one was trying to compromise your private key, because you use a different one for each relationship, they still wouldn’t be able to access your other accounts.”
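To make the pairwise-key argument concrete, here is an added example in Go (not code from the webinar, Evernym, Condatis or Connect.Me) built on the standard library's Ed25519: a wallet holds one fresh key pair per service, each service stores only a verification key and authenticates with a random challenge, and a breach scenario shows that the key and a captured login signature leaked from one service are useless at another. The `Wallet`, `Service` and `Scenario` names, the `alice` account and the bank/shop services are constructed for illustration; a real SSI stack would wrap these keys in DIDs and DID documents.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Wallet holds one fresh key pair per relationship and never reuses a key
// across services. (Hypothetical structure, constructed for this example.)
type Wallet struct {
	keys map[string]ed25519.PrivateKey // service -> private key of that pairwise DID
}

func NewWallet() *Wallet { return &Wallet{keys: map[string]ed25519.PrivateKey{}} }

// Connect generates a new pairwise key pair and returns the verification key
// that the service stores in place of a password hash.
func (w *Wallet) Connect(service string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	w.keys[service] = priv
	return pub, nil
}

// Sign answers a login challenge with the key dedicated to that one service.
func (w *Wallet) Sign(service string, challenge []byte) ([]byte, error) {
	priv, ok := w.keys[service]
	if !ok {
		return nil, errors.New("no relationship with " + service)
	}
	return ed25519.Sign(priv, challenge), nil
}

// Service is a relying party; it stores verification keys only, no secrets.
type Service struct {
	Name string
	keys map[string]ed25519.PublicKey // account -> verification key
}

func NewService(name string) *Service {
	return &Service{Name: name, keys: map[string]ed25519.PublicKey{}}
}

// Challenge issues a fresh random nonce; a valid signature over it proves
// control of the private key while no secret ever crosses the wire.
func (s *Service) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Verify checks a challenge response against the account's stored key.
func (s *Service) Verify(account string, challenge, sig []byte) bool {
	pub, ok := s.keys[account]
	return ok && ed25519.Verify(pub, challenge, sig)
}

type Outcome struct {
	LegitLogin     bool // alice logs in to the shop with her shop key
	KeysDiffer     bool // the key leaked from the bank is not her shop key
	ReplayRejected bool // a signature captured at the bank fails at the shop
}

// Scenario: alice connects to a bank and a shop, the bank is breached, and the
// attacker obtains her bank verification key plus one captured login signature.
func Scenario() (Outcome, error) {
	var out Outcome
	wallet := NewWallet()
	bank, shop := NewService("bank"), NewService("shop")
	for _, s := range []*Service{bank, shop} {
		pub, err := wallet.Connect(s.Name)
		if err != nil {
			return out, err
		}
		s.keys["alice"] = pub // enrolment: the service keeps only the public half
	}
	c, err := shop.Challenge() // a normal login at the shop
	if err != nil {
		return out, err
	}
	sig, _ := wallet.Sign("shop", c)
	out.LegitLogin = shop.Verify("alice", c, sig)

	// What the bank breach exposes: a public key and a signature over a past nonce.
	bc, _ := bank.Challenge()
	leakedSig, _ := wallet.Sign("bank", bc)
	out.KeysDiffer = !bytes.Equal(bank.keys["alice"], shop.keys["alice"])

	// The shop issues its own nonce and checks against its own key, so the
	// captured bank signature verifies nowhere else.
	c2, _ := shop.Challenge()
	out.ReplayRejected = !shop.Verify("alice", c2, leakedSig)
	return out, nil
}
```

The design point is that the service side of the relationship holds nothing worth stealing: a leaked verification key lets an attacker check signatures, not make them, and because every service gets its own key pair and its own nonce, neither the key nor a recorded signature from one breach carries over to any other account.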
3. Multi-factor authentication gets a new meaning.
Fortunately, many digital services have moved beyond only usernames and passwords by requiring or encouraging two-factor authentication. In this model, the shared secret of a username and password (“something you know”) is paired with either the ability to prove you own and control a device or access card associated with the account (“something you have”) or a biometric (“something you are”). This second layer of security renders your password meaningless to a hacker, unless they also have your phone or can spoof your biometric.
With SSI, however, two-factor authentication can become three, four, or even five factors, increasing in security with each increment:
- The connected device becomes not only a physical authentication factor, but also a mechanism for providing real-time consent.
- The cryptographic keys associated with your DIDs enable you to prove ownership of a particular account.
- The digital credentials let you prove things about yourself (such as your name or date of birth), in a way that can be verified using mutually trusted third parties.
- The digital wallet, complete with a camera or fingerprint scanner, can offer real-time assertion that the person holding the device is the same as the person originally enrolled or issued the credential.
SSI and user-controlled digital wallets bring all of these factors together into a very powerful package.
4. Safe credentials enable cross-domain trust.
We’ve written quite a bit on the topic of safe credentials, as a way to minimize the likelihood of others being able to correlate your digital data.
When used for authentication, safe credentials are the polar opposite of single sign-on (SSO) through federated parties like Facebook, Google, or Apple. With SSO, you use the same identifier everywhere you go, trading privacy for convenience. With SSI’s notion of unique pairwise DIDs and zero-knowledge signatures, you can get the best of both worlds—convenience and privacy.
At the same time, self-sovereign identity represents a significant improvement over traditional SSO, in that any sort of data (not just social profiles and emails) that has been verified by one organization can be ported and used with another. Verifiable credentials can be used not only to cross silos internally, but also to cross silos between distinct organizations. For example, one can have a proof-of-income issued by a bank and a proof-of-education issued by a university, and both of these verified credentials can be used to apply for a loan with a mortgage lender.
SSI frees you from the “all or nothing” framing of authentication, where you’re either trusted or not. Instead, by being able to selectively share only the necessary attributes needed for each relationship, SSI lets you establish context-appropriate trust.
Chris Eckl discussed this distinction through the dual roles of algorithmic and human trust. Human trust means the verifier trusts the issuer. They can choose whether or not they accept a credential as proof, based on their relationship with, and perception of, the issuer. Yet, while the verifier knows and trusts the issuer, algorithmic trust means that the issuer doesn’t have to know the verifier. This means that the verifier doesn’t have to “phone home” to manually check your credentials with the issuer, and the issuer doesn’t keep a record of each time you use a credential.
In the above example of applying for a mortgage, the lender can trust the credentials thanks to a combination of their cryptographic security protocols and the reputable signatures of a bank and a university. This cross-domain trust means the lender does not have to spend resources manually verifying those records, and neither the bank nor the university has to know when, how, or with whom you shared the credentials.
5. The technology is ready, and implementation doesn’t have to be a big lift.
Concluding the webinar, Chris reminded the audience that the “future of authentication” is neither a far-off future nor a cumbersome implementation.
On the contrary, the technology is ready today and designed in a way that it can be integrated with existing IAM systems, rather than requiring an extensive rip-and-replace. Both Chris and Andy covered some implementations of this technology today, in the form of digital staff passports and CULedger’s MemberPass initiative, and hinted at the announcement of a high-profile Evernym/Condatis joint project in the coming weeks.
Chris also shared an update on a new “OIDC bridge” that makes it easier than ever for organizations to implement SSI:
“What we at Condatis did is build an OIDC-bridge that combines the old and the new worlds. To the relying party, this is a standard connection or an identity provider that others can use as a trust anchor. That identity provider then does all the clever stuff that Evernym provides, or that other SSI providers offer, behind the scenes to connect to a wallet, connect to credentials coming from some issuer, ask the right information about those credentials, know which issuers to trust, and verify the data and the access rights that come with it.”
Toward a portable, interoperable, and self-sovereign future
It’s hard to imagine a world without usernames and passwords, but we expect few will miss them once they’re finally replaced.
Self-sovereign identity, the “password killer,” represents not just a better, frictionless user experience, but the promise of better security, privacy, and trust for all parties. And the best part? The technology is here, and thousands are already using verifiable credentials to authenticate online, over the phone, and in-person.