“The Path to Self-Sovereign Identity” by Christopher Allen

In his article, “The Path to Self-Sovereign Identity,” Christopher Allen identifies the following four phases in the evolution of digital identity:

PHASE 1 — CENTRALIZED

Most online identities are currently centralized, which means that they are controlled by a single entity (like an online service or website owner). This model results in identity data being siloed and fragmented across disparate online services, websites, and applications. Additionally, in the Centralized model of digital identity, a user does not own his or her digital identity, and exercises little control over how his or her digital identity is used or with whom his or her data is shared.

PHASE 2 — FEDERATED

This model allows a person to use the same credentials to log in to multiple services. However, it does not resolve the underlying issue: a person’s digital identity is still controlled by, and can be revoked by, the service provider that created that person’s account, and revocation can then cause the user to lose access to every other service that relies on the federated identity maintained by that provider. This becomes especially problematic for users as more and more services rely fully on federated identity services.

PHASE 3 — USER-CENTRIC

The idea of a fully portable, user-controlled, secure digital identity is not new. In fact, programmers sought to achieve this vision through methods such as OpenID (2005), OpenID 2.0 (2006), OpenID Connect (2014), OAuth (2010), and FIDO (2013). Unfortunately, these attempts fell short: even though users were no longer locked in to a single service, application, or website provider, their digital identities were still maintained and controlled by the entities that operated the identity services.

PHASE 4 — SSI

With SSI, digital identity is progressing from a non-user-controlled, centralized model to a fully user-controlled, decentralized model of digital identity. An SSI is intended to fulfill three basic requirements:

  1. Control: People must have control over their identities, including control over who has access to which aspects of their identities. As discussed below, this enables businesses to reduce the amount of personal data they acquire from their users, which reduces their privacy compliance burden and shrinks the attack surface that could be exploited to compromise the data they do hold about people.
  2. Security and Integrity: People’s digital identities must be protected from unauthorized access, use, disclosure, or modification. Additionally, people must be able to trust that the integrity of their data is maintained throughout its lifecycle. In other words, people must have confidence that their data will remain accurate and not be modified or changed without their authorization.
  3. Portability and Sovereignty: People must be able to use their digital identities to identify themselves without seeking permission from, or being tied to, a service provider and must be able to transfer their digital identities freely. Additionally, their digital identities must be “sovereign”; in other words, their digital identities cannot be taken away from them.

An SSI can be thought of as a repository of identity data about a person, entity, or thing — often called an “identity container” — where data in that container offers proof of that person’s, entity’s, or thing’s unique identity and can be added there by the identity owner or by others at the identity owner’s request. It should be noted that since entities and things (e.g., Internet of things devices) cannot independently verify their identities, their SSIs are ultimately under the control of a person or organization, sometimes referred to as a “guardian.” In a world where SSIs and protocols that allow entities to exchange SSIs are widely adopted, businesses, service providers, governments, and other entities will be able to verify and authenticate people, entities, and things through their SSIs rather than having to establish, maintain, or rely upon their own proprietary or federated databases of user identity and authentication information.
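The identity-container model described above can be made concrete with a small program. The following is an added example, not code from Christopher Allen’s article or from any SSI project: two issuers (a constructed “DMV” and “bank”) add signed claims to a holder’s container at the holder’s request, the holder discloses only the claim a verifier asks for (the Control requirement), and the verifier checks the issuer’s Ed25519 signature rather than consulting its own account database (Portability and Sovereignty). A claim that has been altered after issuance fails verification (Security and Integrity), as does a claim from an issuer the verifier does not trust. The issuer identifiers, subject label, and claim names are all constructed placeholders, and the use of Ed25519 over a JSON payload is an assumption chosen for illustration, not a requirement of SSI.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Claim is one statement about the holder, e.g. over18 = "true".
type Claim struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

// Attestation is a claim signed by an issuer. The holder keeps these in an
// identity container and decides which of them to show to whom.
type Attestation struct {
	Subject  string `json:"subject"`
	Claim    Claim  `json:"claim"`
	IssuerID string `json:"issuer_id"`
	Sig      []byte `json:"sig"`
}

// Issuer is any party that adds data to the container at the holder's request.
type Issuer struct {
	ID   string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewIssuer creates an issuer with a fresh Ed25519 key pair (assumed scheme).
func NewIssuer(id string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{ID: id, priv: priv, Pub: pub}, nil
}

// payload is the exact byte string that gets signed and later re-derived by the
// verifier; binding subject, claim and issuer together prevents mixing them up.
func payload(subject string, c Claim, issuerID string) ([]byte, error) {
	return json.Marshal(struct {
		Subject  string `json:"subject"`
		Claim    Claim  `json:"claim"`
		IssuerID string `json:"issuer_id"`
	}{subject, c, issuerID})
}

// Attest signs a claim about subject; the holder adds the result to their container.
func (is *Issuer) Attest(subject string, c Claim) (Attestation, error) {
	msg, err := payload(subject, c, is.ID)
	if err != nil {
		return Attestation{}, err
	}
	return Attestation{Subject: subject, Claim: c, IssuerID: is.ID, Sig: ed25519.Sign(is.priv, msg)}, nil
}

// Container is the holder's identity container: attestations under the holder's control.
type Container struct {
	Subject      string
	Attestations []Attestation
}

// Present returns only the attestations whose claim names were requested
// (selective disclosure); everything else stays with the holder.
func (c *Container) Present(names ...string) []Attestation {
	want := map[string]bool{}
	for _, n := range names {
		want[n] = true
	}
	var out []Attestation
	for _, a := range c.Attestations {
		if want[a.Claim.Name] {
			out = append(out, a)
		}
	}
	return out
}

var (
	ErrUntrustedIssuer = errors.New("issuer not trusted by this verifier")
	ErrBadSignature    = errors.New("signature invalid: attestation altered or forged")
)

// Verifier holds only the public keys of issuers it trusts; it keeps no
// database of users and learns only the claims the holder chooses to show.
type Verifier struct {
	TrustedIssuers map[string]ed25519.PublicKey
}

// Verify re-derives the signed payload from the presented fields and checks the
// signature, so any change to subject, claim or issuer after issuance is detected.
func (v *Verifier) Verify(a Attestation) error {
	pub, ok := v.TrustedIssuers[a.IssuerID]
	if !ok {
		return ErrUntrustedIssuer
	}
	msg, err := payload(a.Subject, a.Claim, a.IssuerID)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, a.Sig) {
		return ErrBadSignature
	}
	return nil
}

// DemoResult records how the verifier judged three presentations.
type DemoResult struct {
	Accepted  error // a genuine, selectively disclosed claim
	Tampered  error // the same claim with its value altered in transit
	Untrusted error // a genuine claim from an issuer the verifier does not trust
	Disclosed int   // how many attestations the holder actually revealed
}

// Demo runs the full flow with constructed issuers and a constructed holder.
func Demo() (DemoResult, error) {
	dmv, err := NewIssuer("issuer:dmv-example")
	if err != nil {
		return DemoResult{}, err
	}
	bank, err := NewIssuer("issuer:bank-example")
	if err != nil {
		return DemoResult{}, err
	}
	holder := &Container{Subject: "subject:alice-example"}
	a1, _ := dmv.Attest(holder.Subject, Claim{Name: "over18", Value: "true"})
	a2, _ := bank.Attest(holder.Subject, Claim{Name: "account_in_good_standing", Value: "true"})
	holder.Attestations = append(holder.Attestations, a1, a2)

	// This verifier trusts only the DMV's key.
	v := &Verifier{TrustedIssuers: map[string]ed25519.PublicKey{dmv.ID: dmv.Pub}}
	shown := holder.Present("over18") // the bank claim is never revealed
	forged := shown[0]
	forged.Claim.Value = "false"
	return DemoResult{
		Accepted:  v.Verify(shown[0]),
		Tampered:  v.Verify(forged),
		Untrusted: v.Verify(holder.Present("account_in_good_standing")[0]),
		Disclosed: len(shown),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("claims disclosed to verifier:", r.Disclosed)
	fmt.Println("genuine claim accepted:", r.Accepted == nil)
	fmt.Println("tampered claim rejected:", r.Tampered)
	fmt.Println("untrusted issuer rejected:", r.Untrusted)
}
```

Note that the verifier never contacts the issuers and never stores anything about the holder; trust is rooted solely in the issuer public keys it chooses to accept, which is what lets relying parties drop their own proprietary or federated identity databases. The guardian case from the text (a device or organization whose container is controlled by a person) maps directly onto this code: the `Subject` string names the thing, while the party holding the `Container` and calling `Present` is the guardian.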