(Hint: It’s not to store personal information.)
When people hear that companies want to use blockchain to provide digital credentials, their first reaction tends to be skeptical: “How can it be safe to put personal information on a public ledger where anyone can see the information?” This is a common misconception we’ve grown accustomed to hearing, and it’s one that we’re happy to lay to rest.
The role of blockchain in self-sovereign identity
It’s not that blockchain doesn’t play a critical role in decentralized, self-sovereign identity. It’s just more of a supporting actor than a lead.
To understand this role, let’s take a look at something a little more familiar: Verifying the authenticity of a driver’s license.
When we hand over a driver’s license to prove some kind of claim about ourselves, the license provides a number of safety features (barcodes, watermarks, etc.) to help whoever’s checking the license tell that it isn’t a fake. Having these safety features makes it so that the person checking the license doesn’t have to call the licensing office every time they need to confirm that a card isn’t fake.
It’s relatively easy to confirm the validity of paper credentials, but current models for providing digital credentials don’t offer a way for anyone to validate the authenticity of a claim without having to contact the issuer.
Protocols for decentralized identity use a blockchain or some other form of distributed ledger technology to store a unique reference that can be shared with a credential to let the person checking it validate its authenticity. No private information is recorded to, or accessible from, the ledger. The information recorded on a public ledger only provides a reference the holder can share to let others validate the authenticity of their credentials.
Let’s go through an example to help clarify how a distributed ledger like a blockchain can be used to let people verify the authenticity of digital credentials. We know that previous models of digital identity involve creating agreements with service providers and using whichever methods those service providers give us to prove their authenticity. This example will follow Becky as she obtains a credential from the department of motor vehicles (DMV) and uses attributes from that credential to register for car insurance, without requiring the insurance company to call the DMV to verify the credential.
Becky starts by going to the DMV and provides the usual information. The DMV asks her how she would like to receive her new credential. For the sake of convenience, she has an app on her phone (like Connect.Me) for managing credentials. She asks the clerk to show her a QR code, which she scans with her phone to download the credential to her app. The credential includes attributes about Becky that have been certified by the DMV.
Once she has secured the new credential, Becky does some shopping around and finds an agency she wants to buy insurance from. Becky selects the insurance plan she wants and the website asks for her information.
If the insurance agency didn’t accept credentials made using protocols for decentralized identity, Becky would need to go to an insurance agent’s office to show them her license or upload a picture of it along with other sensitive information the agency could use to confirm her identity.
Fortunately, this agency is ahead of the curve and does accept digital credentials. Instead of being asked to upload her license and manually type in her personal information, Becky is greeted with a message on the insurance agency’s website requesting the specific attributes it needs to get her new insurance plan set up.
With her new credential, Becky can select which attributes to provide and share them with the insurance agency instead of having to retype all of the information. When Becky shares her information, the insurance agency also receives a reference they can use to verify that the DMV has certified Becky’s information.
The reference provides four critical pieces of information:
- Who issued the credential
- Whether or not the holder is the only one the credential was issued to
- Whether or not the attributes in the credential have been tampered with
- Whether or not the issuer and/or holder has revoked the credential
The insurance company doesn’t need to contact the DMV to verify information about Becky; it simply searches for the address on the distributed ledger referenced in Becky’s credentials.
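The four checks above, sketched as an added example (not code from the original article or from any identity project). Ed25519 signatures and a plain set of revoked IDs stand in for the signature and revocation schemes a real ledger would use; the issuer ID, credential IDs and attribute values are constructed, and selective disclosure is not modeled.

```javascript
const crypto = require("node:crypto");

// Constructed public ledger: issuer id -> public key + revoked credential ids.
// Note what is absent: no holder names, attributes or license numbers.
const ledger = new Map();

function registerIssuer(issuerId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  ledger.set(issuerId, { publicKey, revoked: new Set() });
  return privateKey; // never leaves the issuer
}

// Deterministic bytes covering everything the issuer certifies.
const payload = (c) => Buffer.from(JSON.stringify(
  [c.id, c.issuer, c.holder, Object.entries(c.attributes).sort()]));

function issue(issuerId, issuerKey, id, holderPublicKey, attributes) {
  const holder = holderPublicKey.export({ type: "spki", format: "der" }).toString("base64");
  const cred = { id, issuer: issuerId, holder, attributes };
  return { ...cred, signature: crypto.sign(null, payload(cred), issuerKey).toString("base64") };
}

// Holder answers the verifier's fresh nonce with the key the credential is bound to.
const present = (cred, holderKey, nonce) =>
  ({ cred, proof: crypto.sign(null, nonce, holderKey).toString("base64") });

// The four checks, using only the ledger; the issuer is never contacted.
function verify({ cred, proof }, nonce) {
  const entry = ledger.get(cred.issuer);            // 1. who issued it
  if (!entry) return "unknown issuer";
  const sig = Buffer.from(cred.signature, "base64");
  if (!crypto.verify(null, payload(cred), entry.publicKey, sig)) return "tampered"; // 2.
  if (entry.revoked.has(cred.id)) return "revoked"; // 3. revocation state
  const holderKey = crypto.createPublicKey(
    { key: Buffer.from(cred.holder, "base64"), format: "der", type: "spki" });
  if (!crypto.verify(null, nonce, holderKey, Buffer.from(proof, "base64"))) return "not the holder"; // 4.
  return "valid";
}

// Constructed walk-through of Becky's case.
const dmvKey = registerIssuer("example-dmv");
const becky = crypto.generateKeyPairSync("ed25519");
const license = issue("example-dmv", dmvKey, "cred-001", becky.publicKey,
  { name: "Becky", licenseClass: "C" });
const nonce = crypto.randomBytes(16);
console.log(verify(present(license, becky.privateKey, nonce), nonce)); // prints "valid"
```

The "tampered" result covers both altered attributes and a signature that was not made by the listed issuer, since either one fails the same signature check.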
Sharing her data in this manner also means that Becky doesn’t have to share any of the extra information on her license, like her license number or organ donor status. The insurance agency also doesn’t have to take on the liability of maintaining sensitive information about Becky, and Becky doesn’t have to worry about what the agency will do with her information after she’s provided it. Now that the insurance agency knows who she is, Becky can use a zero-knowledge proof to securely log in to the insurance agency’s website and mobile app without needing a username and password. When she wants to log in, the platform will be able to authenticate her by referencing that unique address on the distributed ledger.
Decentralized identity creates a win-win situation by limiting the amount of sensitive information a business needs to onboard and authenticate customers and giving customers power over the management of their credentials and the use of their data.
Previous models for digital identity offer convenient improvements that leave individuals and businesses vulnerable to data breaches. As the example demonstrates, using a blockchain instead of relying on third parties to validate credentials improves both the safety and convenience of digital credentials. Decentralized identity removes friction from onboarding and authentication while reducing the need for as many data silos containing valuable, redundant information accessible to hackers.
The next time someone mentions blockchain for digital identity, don’t worry about putting your personal information where anyone can see it. Instead, get excited about having complete control over the management of your digital identity.