From Centralized to Decentralized Identity: Preparing for Web5
Identity can be defined as the qualities that make a person or organization different from others. In the digital world, identity is a set of attributes that uniquely identify a user online and differentiate one user from another. In most cases, digital identity is not necessarily personal information — it’s just a way to assert that a person accessing this or that service is the same person as the last time.
With the development of Web5 and blockchain technology, the issue of identity has the possibility to transform the internet as we know it. The ambition for anonymity — or rather, a nice balance between identification and privacy — has led to more discussions around decentralized identity. In this article, I will define what decentralized identity is and how companies should prepare for the change it will usher in.
Before Web5: TLS, OAuth 2, OpenID Connect
When discussing identity in the digital world and its development, it is important to remember that the internet was not originally built with an identity layer per se. When using various apps, sites and services, users were able to remain anonymous. But, as the web evolved, new technologies were introduced to determine who was interacting with websites and services.
Secure Socket Layer (SSL), which paved the way for the Transport Layer Security (TLS) protocol, ensured secure communication with websites. For the authentication of users, probably the most critical technology innovation was the OAuth protocol, a generalization of TLS. Starting as a simple protocol to authenticate internet users, OAuth developed into version 2.0, which, together with OpenID Connect, provides an identity layer for the internet. These protocols are commonly used today during the various logins we all experience every day.
OAuth 2.0 is a framework that enables third-party applications to access resources on behalf of a user without needing to know the user’s login credentials. OpenID Connect is an extension of OAuth 2.0 that adds an identity layer to this process. OpenID Connect enables clients to obtain identity information about users, such as their name and email address, in addition to a token that allows those client applications to consume resources on behalf of the user.
Check out our resources to learn more about these standards:
Web5 and Decentralized Identity
The current state of the web is commonly referred to as Web 3.0 or the Semantic Web, which is an evolution of its predecessor, Web 2.0. Version 3.0 is characterized by a shift toward decentralized and distributed systems. The transition toward decentralized systems espoused in version 3.0 happens not only in the network per se, but also in the economy of the web.
The rise of blockchain, cryptocurrency and NFT technologies was purported to shift the balance between tech authorities and individual users. Yet many profess that gaining control over data has yet to be achieved in Web3. In an apparent acknowledgment of this, Jack Dorsey of Twitter and Daniel Buchner, then from Microsoft, coined the term Web5, which encapsulates technologies aimed at ensuring the transparency and anonymity of internet users.
What does Web5 mean for cybersecurity? In a sense, the web is returning to its original state, decentralized and highly similar to real life, where someone’s personal information doesn’t need to play such a big role. The requested data will be limited to non-PII (personal identifiable information), making it easier to comply with regulations and making security systems less intricate (but not less secure).
How Decentralized Identity Works
Decentralized identity doesn’t mean there’s no identity layer. An identity layer for the internet is required, but there is a need for methods to authenticate billions of users without relying on just a few databases. In the physical world, we have mechanisms for this, such as passports, ID cards, driver’s licenses and so on. When a person needs to prove they are who they claim to be, an identity card is presented to, for instance, a passport control clerk. This person trusts the issuer of the ID presented without having to check with the issuing authority directly.
How can this everyday occurrence be replicated online? There needs to be a framework of trust with several identity issuers and standardized digital identity wallets containing attributes that websites and apps will trust.
The trust in these credentials issuers must be established by a set of procedures and regulations that these institutions must go through and comply with. (There are already examples of such trust frameworks like Public Key Infrastructure.) The websites and apps should only be able to check the credentials relevant and necessary for their particular services, without sharing too much information. Users, in turn, would be able to present pre-issued credentials or a combination of identity assertions from multiple identity issuers if needed.
How to Implement Decentralized Identity and Accelerate Its Adoption
For Web5 and decentralized identity to become the status quo, active collaboration is required to make digital wallets as accessible as possible. Some work is already happening with many existing and new protocols to ensure that user data is safely protected.
One instance is the ongoing collaboration on specifications like W3C Verifiable Credentials, OpenID for Verifiable Credentials and ISO mDL in various foundations and standards bodies, for example the OpenWallet Foundation, OpenID Foundation, W3C and Decentralized Identity Foundation. The work on the legal framework for digital identities and wallets has also started. For instance, the European Union has recently moved into negotiations on EU digital identity wallets.
Decentralized Identity and the Progression of OpenID Connect
The established standards, like TLS, OAuth 2, OpenID Connect and others, are not the obstacles when it comes to decentralized identity — they serve as a foundation and enablers. With OpenID Connect in particular, its use allows businesses not only to provide safer digital services and protect their APIs but also makes them more prepared for the decentralized identity layer.
How Companies Should Prepare
Businesses should ensure they are ready to adopt the coming future of decentralized identity. The security systems of the new digital world need to be extra flexible to ensure that they cater to everyone. This can be accomplished using protocols, standards and technologies that give people choices and make it as easy to opt out as it is to opt in.
Decentralized identity technologies will facilitate user-centricity even more than previous methods. Start talking to your vendors now, and if they can’t support you with the right solution, look for new vendors that can easily integrate into your existing IT infrastructure.
At Curity, we are constantly on the lookout for new promising technologies that can advance privacy-preserving authentication, authorization and identity management, and ultimately help make the internet safer.
The developments toward Web5 and decentralized identity are one of those technological movements. We are excited to contribute to the effort by building a flexible and scalable identity server that can be used as a solid foundation for implementing decentralized identity management. We are also working on introducing new features allowing for verifiable credentials issuance, which will be included in the next release of the Curity Identity Server.