Compare and Contrast — Federated Identity vs Self-sovereign Identity
Identity is a unique characteristic, value, or document that has a one-to-one relationship with exactly one entity. For individuals, identity can be biometric information, a unique number such as a driver’s license number, and so on. The key aspect, however, is that this information must be owned solely by the individual.
This discussion brings up a pertinent question. What are the forms of identity that an individual can have?
In this context, we can say physical and digital identities.
What is a Physical Identity?
A physical identity is typically a card issued by a relevant authority such as a government, university, employer, or store, as the case may be. The card carries a unique value or code that lets a verifier identify a particular entity. In the case of individuals, the card will most likely carry a photo as well.
What is a Digital Identity?
A digital identity, as the name suggests, is a form of identity where there are no physical cards, photos, or objects. Rather, these are pieces of information online that can be traced to an entity. It can include photos you have uploaded, username/password combinations, your details stored in a third-party database, and just about anything else that can uniquely identify you. It can be a single piece of data or a combination of digital identity credentials.
Evolution of Physical to Digital Identity
Physical identities were a good starting point for identification, but they came with many shortcomings.
- Obtaining a physical ID is not easy, especially when stringent and bureaucratic processes are involved. This gets worse if the ID is lost and a new one has to be obtained.
- There’s always a possibility of theft or loss, both of which can have serious ramifications.
- The information is not private. Anyone who gets hold of the physical card can read your name, unique ID, address, date of birth, and other personally identifiable information.
- It could be hard to identify an entity if the central repository or database that contains an entity’s information is destroyed due to natural/man-made calamities.
These shortcomings led to the emergence of digital identities.
The earliest form of digital identity was a siloed model where every organization had a unique username/password for every user. This led to an explosion of usernames and passwords that became hard to remember. Also, maintaining these unique usernames and passwords became cumbersome for both individuals and organizations, and it also led to security issues such as thefts and breaches.
The next step was a federated form of identity, where third parties issued digital identity credentials that users could use to log into other websites or services. Typically, these were your Google and Facebook logins. In the process, the third parties that issued federated identities became the middlemen.
So, what are the disadvantages of this form of digital identity?
- Third parties need a financial incentive to store your data and provide a federated login, so the data owner becomes a potential target for advertising. In all, the privacy of the owner is compromised.
- There were many security issues because all the data was stored on central servers, so a hack or breach greatly increased the chances of an entity’s PII falling into the wrong hands.
- The verification depends on the availability of the service. For example, if Facebook is down, you can’t use its federated login.
- You have very limited control over how your data is stored or shared.
As you can see, the existing physical and digital identities are neither foolproof nor safe.
The good news is that digital identity is moving to its next stage of evolution, where these drawbacks are being addressed. Technologies such as distributed ledger technology (DLT) and modern cryptography have given rise to a new form of digital identity called self-sovereign identity.
Self-Sovereign Identity (SSI) — A New Form of Digital Identity
Self-sovereign identity is a digital identity philosophy in which an entity owns and controls its information completely. The individual is able to control who has access to his/her personal data, and how much of that data is shared.
At the most basic level, SSI eliminates third parties in a transaction. So, it is just you and the organization/individual (peer) with whom you want to share your data.
In SSI, the credentials of an individual such as the date of birth and other PII may be stored in a digital identity wallet. This is similar to a physical wallet, except that the credentials are stored in a digital format. Also, these credentials have the digital signature of the issuer to prove their authenticity.
So, each of these digital credentials describes:
- Who issued it: a government organization, university, employer, startup company, etc.
- Who the subject of the credential is: an individual, group, or organization.
- Its validity: whether the credential is still valid, or whether it has been revoked or has expired.
Above everything, the holder of a credential can decide what, how, and with whom it has to be shared. For example, if an individual (John) has digital credentials of his date of birth, employment, degree, and driver’s license, he can choose to selectively disclose just his date of birth with an organization that wants to know if he is more than 21 years old to make him eligible to buy alcohol. Similarly, John can choose to share just his past employment details with a prospective employer without revealing any other information.
All of this gives the entity complete control over the credentials and how they are shared. Further, it is highly secure, thanks to the underlying public-key cryptography. The issuer’s digital signature on the credential proves its authenticity, while the Public Key Infrastructure (PKI) behind it makes any tampering evident.
Another advantage of these verifiable credentials (VCs) is that they are highly interoperable. Extending the above example, John can send his date of birth for a loan application or for any other purpose, and the underlying data model doesn’t change.
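As an added illustration of the issuer-holder-verifier flow described above (this is example code written for this article, not Affinidi’s code or any standardized VC format), the issuer signs salted digests of each claim with Ed25519, the holder’s wallet keeps the per-claim disclosures, and a verifier checks the issuer’s signature and the expiry while seeing only the claims the holder chose to reveal. The Ed25519 signature, the hash-per-claim construction, and the did:example subject identifier are simplifying assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"time"
)

// Credential is the issuer-signed part: only salted digests of the claims are signed, so the
// holder can later reveal any subset of them without invalidating the issuer's signature.
type Credential struct {
	Issuer    ed25519.PublicKey // who issued it
	Subject   string            // who the credential is about
	Expires   time.Time         // validity (a revocation-status check would sit alongside this)
	Digests   []string          // sorted hex(sha256(name|salt|value)), one per claim
	Signature []byte
}
type Disclosure struct{ Name, Salt, Value string } // one revealed claim, with its salt, handed to a verifier
func digest(d Disclosure) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(d.Name+"|"+d.Salt+"|"+d.Value))) }
func signedBytes(c Credential) []byte { return []byte(fmt.Sprintf("%s|%d|%q", c.Subject, c.Expires.Unix(), c.Digests)) }

// Issue signs the claims and returns the per-claim disclosures the holder keeps in the wallet.
func Issue(priv ed25519.PrivateKey, subject string, claims map[string]string, ttl time.Duration) (c Credential, discs []Disclosure) {
	c = Credential{Issuer: priv.Public().(ed25519.PublicKey), Subject: subject, Expires: time.Now().Add(ttl)}
	for name, value := range claims {
		salt := make([]byte, 16)
		rand.Read(salt) // fresh salt per claim, so an unrevealed value cannot be brute-forced from its digest
		d := Disclosure{Name: name, Salt: fmt.Sprintf("%x", salt), Value: value}
		discs = append(discs, d)
		c.Digests = append(c.Digests, digest(d))
	}
	sort.Strings(c.Digests)
	c.Signature = ed25519.Sign(priv, signedBytes(c))
	return c, discs
}

// Verify checks the issuer signature and expiry, then that every revealed claim recomputes
// to a digest the issuer signed; whatever the holder chose not to reveal stays hidden.
func Verify(c Credential, revealed []Disclosure, now time.Time) bool {
	if now.After(c.Expires) || !ed25519.Verify(c.Issuer, signedBytes(c), c.Signature) {
		return false
	}
	for _, d := range revealed {
		if i := sort.SearchStrings(c.Digests, digest(d)); i == len(c.Digests) || c.Digests[i] != digest(d) {
			return false
		}
	}
	return true
}
```

Revealing only the dateOfBirth disclosure lets a verifier confirm John’s age without learning his employer or degree, and changing the revealed value, the subject, or the issuer key makes Verify fail.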
Federated Identity vs SSI: A Quick Glance
The above comparison leads us to the next question. Which is better?
In reality, there’s no straight answer to this question, because it depends on the situation. For example, federated identity may be the easiest way for an organization to give its employees single-click access to third-party applications like Slack and Salesforce.
However, in transactions that involve the sharing of PII with third-party entities, SSI is a better option. Affinidi provides the building blocks for an open and interoperable Self-Sovereign Identity ecosystem.
The information contained in this article is for general information and educational purposes only. It is not intended to constitute legal or other professional advice.