
Primer: Decentralized Identity

Tl;dr: Decentralized ID is a new approach to identification that uses blockchain to bring more privacy, control, and security to individuals’ online identities. DiD has the potential to transform areas ranging from healthcare to supply chain tracking, providing tangible benefits to individuals and institutions alike.

By Coinbase Institute


History of Identification and the Rise of Digital ID

Forms of identification have evolved over time, from official papers verified by watermarks to personal ID numbers and photo identification. With the advent of the internet in the 1990s came the rise of digital IDs. These IDs often take the form of a username and password that provide entry to a particular website, thus granting access to sensitive data like your bank account or healthcare records. Digital IDs can also be used offline, such as in the form of a digital driver’s license.

Digital IDs are convenient because they can be authenticated online, and therefore make it possible to access services remotely. But simply digitizing a business process or physical ID does little to improve user privacy or security, and in many instances introduces additional risks from hacking and cybercrime. This is true whether digital IDs are stored and managed in discrete “silos” by different organizations, or stored and managed by a “federated” cloud service.  

Siloed: Under the initial “siloed” digital ID approach, each website or organization issues its own ID to users in the form of username/password combinations. This approach requires users to remember many unique usernames and passwords. It also leads to extensive data duplication across multiple websites and databases, all of which are prime targets for hacking and identity theft.  

Federated: In response to shortcomings from the siloed model, organizations developed a “federated” approach, where big tech companies like Google and Facebook issue digital ID credentials that work across a variety of websites and services. This model makes online identity verification more convenient. But it puts even more personal data in the hands of central authorities that operate the federated entry point, raising additional concerns about privacy and security. 

Services that issue a federated digital ID compromise privacy through their need to collect, store, and share large amounts of user data. Some data is collected directly from the user, like name, birthdate, address, and sensitive answers to security questions. Other information, like geolocation data and browsing history, is tracked and collected by the organization, often without the user’s knowledge. All of this data is ultimately stored and replicated hundreds of times in different databases, one for each website or service where a user has registered. Moreover, this data can be shared with other companies for profit, without the user’s consent.

Both the siloed and federated approaches raise serious security concerns. Storing personal information in countless different silos inherently increases vulnerability to hacking and cybertheft. Different websites have varying password and authentication requirements, and as security and identity protocols change over time, it’s nearly impossible to consistently update disparate identity silos in unison, thereby increasing security risks. 

Decentralized ID

Decentralized ID offers a new form of identity management that relies on blockchain technology to solve the security, privacy, and consent issues presented by paper and digital IDs. DiD gives individuals control over their identity, rather than outsourcing identity management to a single centralized authority like the government or big tech. 

DiD works by relying on trusted third parties, called “issuers,” to verify key identifiers. These issuers could include government agencies, universities, employers, and banks. The process of creating a DiD begins when an issuer distributes an identifying credential, such as a digital birth certificate or proof of employment. That credential is stored on a blockchain and the user’s digital wallet. When a third party needs to request identifying information, like proof of good credit in the context of making a major purchase, the user presents the credential to the requester by accessing the information stored on the blockchain. This proof can be generated in a number of easily accessible ways, including as a QR code on the user’s phone. 

Because the credential is stored on the blockchain and the user’s wallet, and controlled by the user, there is no need for the government, merchants, employers, or others to keep a record of that credential in their own, siloed databases. There is also no need for tech companies to provide federated login solutions. DiD therefore shifts the source and management of verification from centralized institutions to a decentralized ledger, while ensuring that identifying information stays fully within the control of the individual, stored securely on his or her digital wallet.

Key Terms

Blockchain: a software system that records and verifies transactions on a distributed network secured by cryptography. Blockchains operate like an open, append-only ledger, meaning data can only be added, not removed or altered. Transactions on the blockchain are recorded according to a predetermined set of rules known as a “consensus mechanism.”  

Verifiable credentials: digital credentials that represent physical documents such as a driver’s license or passport, or attributes such as ownership of a car or house. They are tamper-resistant and instantaneously verifiable on the blockchain. 

Zero-Knowledge Proof: a method by which one party can prove to another that a given statement is true, without needing to convey any additional information.

How DiD works  

  • Hal asks his employer to verify certain credentials belonging to him, such as his employment status and salary. 

  • Hal’s employer issues the credential, which Hal stores in his digital wallet. The employer also publishes the encrypted credential on the blockchain.  

  • When Hal applies to rent an apartment, the landlord asks Hal questions like “are you employed?” and “do you have sufficient income to pay monthly rent?” 

  • Hal’s wallet generates proof that Hal is employed and has sufficient income – without revealing further details of his employment (such as his position or start date) or finances (such as his bank account number or exact amount of income or savings). The landlord verifies this proof by checking it against the credential on the public blockchain.  
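The exchange above, as an added example that is not part of the original primer: an issuer signs only salted hashes of Hal's claims, Hal's wallet reveals the `employed` claim together with its salt, and the landlord checks the revealed claim against the signed digests, so position, start date and salary stay hidden. The scheme is modeled on salted-hash selective disclosure (the approach used by SD-JWT); the "sufficient income" predicate would need a zero-knowledge range proof and is not shown, and the issuer's public key is passed directly where a lookup on the ledger would sit. All names, claims and the issuer string are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"sort"
	"strings"
)

// Credential is all the issuer signs: salted claim digests, never claim values.
type Credential struct {
	Issuer  string
	Digests []string // sorted hex sha256(salt|name|value)
	Sig     []byte   // ed25519 signature over Issuer and Digests
}
type Disclosure struct{ Salt, Name, Value string } // preimage of one digest

func digest(d Disclosure) string {
	h := sha256.Sum256([]byte(d.Salt + "|" + d.Name + "|" + d.Value))
	return hex.EncodeToString(h[:])
}
func signedBytes(c Credential) []byte { return []byte(c.Issuer + "|" + strings.Join(c.Digests, ",")) }

// Issue: salt and hash every claim, sign the digest list, hand the salts to Hal's wallet.
func Issue(issuer string, priv ed25519.PrivateKey, claims map[string]string) (Credential, map[string]Disclosure) {
	wallet := map[string]Disclosure{}
	c := Credential{Issuer: issuer}
	for name, val := range claims {
		salt := make([]byte, 16)
		rand.Read(salt) // random salt: a digest reveals nothing about its value
		wallet[name] = Disclosure{hex.EncodeToString(salt), name, val}
		c.Digests = append(c.Digests, digest(wallet[name]))
	}
	sort.Strings(c.Digests) // canonical order, independent of map iteration
	c.Sig = ed25519.Sign(priv, signedBytes(c))
	return c, wallet
}

// Verify: check the issuer signature, then that each revealed claim hashes to a signed digest.
func Verify(pub ed25519.PublicKey, c Credential, revealed []Disclosure) (map[string]string, bool) {
	if !ed25519.Verify(pub, signedBytes(c), c.Sig) {
		return nil, false
	}
	claims := map[string]string{}
	for _, d := range revealed {
		dg := digest(d)
		if i := sort.SearchStrings(c.Digests, dg); i == len(c.Digests) || c.Digests[i] != dg {
			return nil, false // value or salt altered after issuance
		}
		claims[d.Name] = d.Value
	}
	return claims, true
}
```

Hal's wallet keeps the whole `wallet` map and hands the landlord only `wallet["employed"]`; the landlord learns that claim and nothing about the other three.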


This process can be repeated in numerous, everyday transactions. For example, credentials stored in a digital wallet could be used to: 

  • Verify identity when opening a bank account; 

  • Build and share a financial record with a lender; 

  • Prove age when renting a car or buying a beer; 

  • Verify education history when applying for a job; 

  • Access means-tested public benefits; and 

  • “Sign in” to numerous websites and applications. 

In short, DiD creates a “portable identity” that can be used for “almost all online processes, from simple authentication requests with one credential . . . to some of the most complex tasks” online, such as the completion of digital forms.¹

In each of these examples, the user presents the credential itself – such as “I meet the income requirements for this benefit” or “I am old enough to rent this car” – without revealing personal information such as account numbers and birthdate, and without answering numerous “security questions” that further compromise privacy. This approach makes the sharing of identifying information and credentials more secure, seamless, and private. It also eliminates the need for endless username-password combinations.  


Potential Benefits of DiD  

Privacy and Control. Users control their own identifying data because they store it in their own digital wallet. They determine when to share their data and with whom. Consent is never an issue. Further, users can selectively share necessary information without disclosing personal details, and can revoke access to specific data at any time. 

Convenience. Individuals can use their standardized credentials for many different transactions without the need for different usernames and passwords. For example, DiD can greatly simplify compliance with financial regulations: once Hal is a verified user of one financial institution, he can show proof of that verification to other banks or exchanges. This reduces sign-up times and eliminates data duplication throughout multiple databases. 

Portability. Individuals can take their ID and data with them when they move to a new state or switch to a new service provider, whether it be a social media platform, bank, or doctor’s office. Because data is portable, it reduces “lock-in effects,”² or the tendency to keep using certain services simply because the website manages your data or controls your login information.

Security. Because DiD relies on the encryption of decentralized ledgers, it greatly increases data security. Not only is encryption incredibly resistant to tampering, but identifying information that is easily linked to the individual is no longer stored en masse in large databases, reducing the payoff for would-be hackers. DiD can also reduce fraud by helping create online communities that are “free of fake accounts.” Such communities could require users to verify their identity using a blockchain-based identity system that would reduce the number of bots.  

Expanded Access. The World Bank estimates that over one billion people worldwide lack any formal identification, limiting their access to health care, finance, and other key services. In particular, many migrants and refugees lack IDs, which can easily become lost or invalidated in times of war or natural disaster. DiD would allow anyone with a phone or access to a computer to provide proof of her name, birthdate, work experience, and more, quickly facilitating access to employment and education. 

Institutional Benefits. With DiD, entities no longer need to maintain large repositories of login and identifying data; instead, they can access necessary information from a user’s wallet and verify it on the blockchain. Many organizations are subject to strict regulations governing the collection and storage of user data. By maintaining less data, they can simplify their compliance responsibilities and lessen their exposure to cyberattacks. Further, the ability to quickly verify credentials can significantly reduce the time and costs of everyday processes like employee onboarding. 

Limitations of DiD

DiD development and adoption face several challenges. First, without expanded access and education, digitization of identity may further deepen the digital divide. DiDs must be usable by everyone, regardless of their economic status or technological know-how. While DiDs offer more privacy and control, they also place more responsibility on individual users to manage their credentials. Some users, even those quite comfortable with technology, might not want this responsibility, since recovering a lost key to a digital wallet is more difficult than clicking a “forgot my password” button. In sum, facilitating ease of use while maintaining user control and privacy is a priority.

DiD developers also must ensure that ID systems can work together seamlessly, a concept known as “interoperability.” There are currently over 100 DiD systems in development, each with its own architecture and digital wallet. It is crucial that systems develop a seamless protocol for exchanging credentials, so that people like Hal can interact freely with the employers, vendors, healthcare providers, and others that both issue and verify credentials. To do this, DiD systems must agree on standards for foundational elements of DiD architecture.

DiD Today

DiD technology is growing rapidly, with public and private innovations poised to integrate DiD into our everyday lives. For example, the Ethereum Name Service (ENS) provides the convenience of current cloud-based login services, while letting users retain total control over the information they share with other websites. ENS makes it easy to read and share crypto addresses by mapping an easily recognizable name, such as “hal.eth,” onto a machine-readable identifier like an ENS address, which is a 40-character string of numbers and letters. ENS has many potential uses in the new, decentralized model of the Internet known as “web3.” For example, start-ups have developed a “sign in with Ethereum” feature that people can use to access multiple web-based services using their Ethereum wallet address.

Governments are also starting to embrace DiD. A project sponsored by the European Commission is developing interoperable DiD solutions that would facilitate faster and more reliable security checks for EU citizens.³ And as part of its national blockchain strategy, India is building a decentralized, digital platform that will host IDs and documents related to education, healthcare, and agriculture. Cities like Buenos Aires are also spearheading efforts to construct DiD platforms designed to give residents access to city services and financial service providers. 

Other innovative projects include:  

  • Using DiD to improve financial compliance programs at banks and virtual asset service providers. Once a customer undergoes a “know your customer,” or KYC, evaluation at one financial institution, the institution can issue an attestation token that lets other banks or service providers rely on that same verification. These KYC analyses have the potential to be significantly more effective because they use data stored on the blockchain that is available immediately and shows a complete, constantly updated record of financial transactions.

  • Humanitarian uses, including the use of digital credentials and biometric data to prevent the trafficking of vulnerable children, specifically by eliminating the forgeability of Power of Attorney documentation and identity documents that typically enable illegal border crossings. Another project is providing a blockchain-based platform to support drivers’ licenses and land titles for the 400 million people in Africa who lack paper identification.

  • Using blockchain technology and machine intelligence to build individual profiles, called “LifeGraphs,” that let individuals and healthcare providers securely share data such as medical records, employment history, and other personal information while complying with privacy and data-sharing laws. 

  • In the “identity of things” domain, building a trusted vehicle data source to confirm the accuracy of used car data, and using the blockchain to track parts on the supply chain and record information on vehicles over time, including repairs, mileage, and ownership. 

Policy Considerations and Future Research 

Despite the many potential benefits of DiD, its full adoption is limited by a lack of regulatory clarity. For example, it is unclear whether financial regulations permit money service providers to rely on DiD as part of their compliance obligations, specifically when vetting and onboarding new customers. Although key regulations such as the Customer Identification (CI) rule permit banks to verify a customer’s identity using “non-documentary methods,” it is not clear whether this includes DiD methods. Similarly, while the CI rule allows banks to rely on verifications provided by other financial institutions, it strictly limits which kinds of other financial institutions qualify. By restricting verifiers to a limited class of institutions, the rule excludes many money services businesses and other firms that could provide DiD services.

The result is that private industry has been hesitant to take the necessary steps to more fully embrace DiD. Until the underlying regulations are modified, or guidance clarifies how firms can use DiD, it is unlikely that financial service providers will be able to fully integrate DiD into their compliance programs, which would enhance overall efforts to disrupt illicit activity.

A good DiD system will prioritize user control, consent, and privacy. Specifically, open associations such as the World Wide Web Consortium and Decentralized Identity Foundation have identified several principles seen as essential to DiD. First, decentralization is key. No single issuing agency should control the issuing or verifying of credentials. Second, identifiers should continue to be valid even if the underlying organization goes out of business or fails to maintain its ID systems – critically, a person’s use of an identifier should never require a “call home” to the issuing entity. Rather, verification takes place via the blockchain, without any continued involvement by the original issuer. Finally, it is important that identifiers be unique to each individual globally, and can be updated as technology continues to mature.

¹ Decentralised Identity: What’s at Stake? at 10, INATBA Identity Working Group (“INATBA Report”) (Nov. 2020).

² INATBA Report at 11.

³ The selective sharing capability of DiD is especially useful for federated governments like the EU, United States, and others, where personal information is often stored by multiple countries or states with varying security infrastructures.
