Self Sovereign Digital Identity

Before we explain what self-sovereign digital identity is, let us first define identity and then elaborate on digital identity, which leads to the final form of digital identity management, where each user controls their own digital identity.

  • Identity is a uniquely human concept. It is that ineffable “I” of self-consciousness.
  • We all have a social identity – the qualities, beliefs, personality, looks and/or expressions that make us a person

But how do we prove our identity when interacting with others? Let’s look at an example:

You interact with a person who claims to be John Smith and wants to do some transactions with you. John gives you his passport (or, in some countries, his driver’s license) as proof of his identity claim. You attest John’s claim by looking at the passport, determining whether it is authentic and then comparing the attributes captured in the passport with the person in front of you.

This process includes the following concepts:

  • claim – a claim that an actor would like to consider true
  • proof(s) – evidence that something is true, often based on a trusted certificate
  • attestation – verification by an independent party that a claim is true

You may now create a record in your system with a customer identifier, a copy of the passport and additional attributes such as address and date of birth, verified further through utility bills or other formalized evidence. This record is a digital identity; it represents relevant aspects of the social identity and is now the basis for your business interactions with John.

This may all sound simple and rather straightforward, but:

  • Attestation is typically a manual process where unstructured data is captured and verified against the available proofs which must be collected and stored
  • Only a subset of the captured information is constant. The captured attributes may get out of sync with reality
  • The presented proofs may be faked, and the quality of the attestation depends on your skills to identify such issues
  • Wherever John wants to have additional interactions, a similar process is required leading to the creation and attestation of another digital identity
  • Whenever information changes, John must provide updates to all relevant parties
  • John has no control over what happens with his data and who is accessing it

Juridical persons and things can also have a digital identity. In this post, however, we will focus only on natural persons and look at ways such digital identities can be managed.

Identities

Digital identity management started with centrally managed approaches. In such an approach, the authority that manages the digital identity data becomes the guardian and qualifies the digital identities. As networks evolved, federated approaches were adopted where multiple authorities jointly manage digital identities. User-centric identity goes further: the user has more control over his digital identity and decides whether to share an identity from one service to another. Such sharing capability is based on standards like OpenID (2005), OpenID 2.0 (2006), OpenID Connect (2014), OAuth (2010), and FIDO (2013). It’s important to note that all these approaches are centralised, but the user has more influence as to how the information is shared.

The concept behind self-sovereign digital identity is to give the user full control over his/her digital identity. It is a distributed identity management approach where a person creates a unique identifier for their digital identity, places claims and asks others in the network to perform attestation. Claims and attestations can be secured using cryptography with the public and private keys of the involved parties.

  • An actor can encrypt a claim with his private key
  • The actor can use the public key of the attestation authority to keep attestation private
  • The attestation authority can decrypt the message with its private key and the user’s public key
  • The attestation authority can verify the presented proof and sign it using its own private key
  • The attestation is then sent securely back to the user

The user now has an attribute with a digitally secured attestation and with proof of a verified authority claim(s). Over time a network of users builds up, where identities are maintained and trusted through attestation of proofs given by others in the network. Attestation authorities can be official authorities, organizations and other users. The quality of an identity in such a system depends on the quality of the involved authorities. Ideally this approach will introduce a single user-managed digital identity which can be used in the network when required and becomes the core of the genuine digital self (please see Be your digital self).
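The claim and attestation flow described above, as an added example that is not part of the original post: it uses Ed25519 digital signatures (the operation usually meant by "encrypting with the private key") and leaves out the confidentiality step. All function names and the `id:` identifier format are assumptions made for illustration.

```javascript
// Added example; every name below is hypothetical, not from a real SSI library.
const crypto = require("crypto");

// Identifier = truncated hash of the public key, so no registry has to issue it.
function idOf(publicKey) {
  const der = publicKey.export({ type: "spki", format: "der" });
  return "id:" + crypto.createHash("sha256").update(der).digest("hex").slice(0, 32);
}

function makeIdentity() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  return { id: idOf(publicKey), publicKey, privateKey };
}

// Deterministic bytes to sign: flat object, keys sorted, signature field excluded.
function canonical(obj) {
  const keys = Object.keys(obj).filter((k) => k !== "sig").sort();
  return Buffer.from(JSON.stringify(obj, keys));
}

function sign(obj, privateKey) {
  return { ...obj, sig: crypto.sign(null, canonical(obj), privateKey).toString("base64") };
}

function checkSig(obj, publicKey) {
  if (typeof obj.sig !== "string") return false;
  return crypto.verify(null, canonical(obj), publicKey, Buffer.from(obj.sig, "base64"));
}

// User side: place a claim about an attribute of one's own identity.
function makeClaim(user, attribute, value) {
  return sign({ subject: user.id, attribute, value }, user.privateKey);
}

// Authority side: attest only if the claim comes from the key that owns the
// identifier and the out-of-band proof (e.g. a passport) was accepted.
function attest(authority, claim, userPublicKey, proofAccepted) {
  if (idOf(userPublicKey) !== claim.subject) throw new Error("key does not own subject id");
  if (!checkSig(claim, userPublicKey)) throw new Error("bad claim signature");
  if (!proofAccepted) throw new Error("proof rejected");
  const { subject, attribute, value } = claim;
  return sign({ subject, attribute, value, issuer: authority.id }, authority.privateKey);
}

// Relying party: accept an attestation only from an authority it already trusts.
function verifyAttestation(att, trustedIssuers) {
  const issuerKey = trustedIssuers.get(att.issuer);
  return issuerKey !== undefined && checkSig(att, issuerKey);
}

// Constructed sample run: one valid attestation and two that must be rejected.
function demo() {
  const john = makeIdentity();
  const registry = makeIdentity(); // attestation authority the verifier trusts
  const stranger = makeIdentity(); // an authority the verifier does not know
  const trusted = new Map([[registry.id, registry.publicKey]]);

  const claim = makeClaim(john, "dateOfBirth", "1980-01-01");
  const att = attest(registry, claim, john.publicKey, true);
  const altered = { ...att, value: "1990-01-01" }; // attribute changed after signing
  const unknownIssuer = attest(stranger, claim, john.publicKey, true);

  return {
    valid: verifyAttestation(att, trusted),
    altered: verifyAttestation(altered, trusted),
    untrusted: verifyAttestation(unknownIssuer, trusted),
  };
}
```

The verifier's list of trusted issuer keys is where "the quality of the involved authorities" becomes concrete: an attestation is only as good as the issuers the relying party chooses to accept.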

Christopher Allen has defined ten principles to ensure the user control that’s at the heart of self-sovereign identity:

  1. Existence – users must have an independent existence
  2. Control – users must control their identities
  3. Access – Users must have access to their own data
  4. Transparency – Systems and algorithms must be transparent
  5. Persistence – Identities must be long-lived, ideally last forever
  6. Portability – Information and services about identity must be transportable
  7. Interoperability – Identities should be as widely usable as possible
  8. Consent – Users must agree to the use of their identity
  9. Minimalization – Disclosure of claims must be minimized
  10. Protection – the rights of users must be protected

It is important that the private keys are well protected, as they grant full control of the digital identity.

So far, this post has discussed the creation of a digital identity. In a future post we will look at how we bridge between the real and the digital world. How can a system verify the user is who they claim to be?

Conclusion

As the world becomes hyperconnected (please see “No ‘OFF’ Switch“), digital identity and security will continuously gain importance. As there will be, in the foreseeable future, no worldwide authority to manage digital identities, the world will converge towards a self-sovereign identity system where users own their data and various actors perform attestation in a mutual way. The system, by its nature, follows paradigms of earlier times where trust was the result of a social network. The introduction of digital changes the proximity requirements, allowing such a system to be applied on a global scale.


Be your digital self …

We all have at least one digital self, something representing us to engage in the technological world. Initially this may just be information about us and related data. But at some point in time this digital footprint will learn and adopt our behaviors and become active.
We may have multiple digital selves – genuine and facades. The genuine self is the one which learns directly from our behaviors and mirrors our social identity. The facades are tailored for specific situations or may try to protect the genuine self.
The genuine digital self will become a mirror of you – most likely knowing more about you than you do yourself.
Is the genuine digital self a legal subject or just acting on our behalf? Our genuine digital self will be able to act much faster, considering more information than we can – if allowed. We must consider the level of responsibility and accountability on our physical self for what it does. Should this begin with a form of parent-child relation and evolve into a legal subject over time? This evolved relationship enables the digital citizen to grow and learn over time to become of full legal age at some point.
Ethical standards for digital selves will become increasingly important – humans have basic ethical patterns which are inherited and part of the DNA. Before digital selves become widely adopted and increasingly active, digital selves will require such standards.
We will, as part of the evolution, need to revisit our standards of privacy. Are we able to pause our digital self and what would be the impact and disruption to our digital ecosystem? Digital self-editing may sound funny but may soon become a serious issue when others detect discrepancies, leading to distrust. Observed digital selves – you observed by others – can be used to validate information or complement it. So, you need to become more yourself – which for most people is not a big issue.
We need to evolve our perspective of what we treat and define as sensitive information during this journey. Fundamental attributes such as name, birth date or social security number will be increasingly hard to protect. So, we will need to change the way we see personal information during this journey. Many legacy constructs like credit card numbers are not suitable for the digital age and must be replaced – this is the essence of the ‘digital transformation’.
Obviously, the digital self needs to be well secured and protected. This includes integrity, availability and confidentiality. Initially you will be responsible for keeping your true digital self secure. But at some point, this will change and your digital self will start to protect you – two evolutionary states of digital self defense.

Digital Tur Tur

Be aware of signs of Mr. Tur Tur

Let me begin with a German children’s novel written by Michael Ende. Lummerland is the home of Jim Button and Luke the engine driver. On one of their adventures Luke and Jim gain a new friend, the giant Mr. Tur Tur. He is an apparent giant: he only appears giant in size from far away but is of normal size when close.

The apparent giant is of course an allegory – one that often comes to my mind when having discussions or reading about digital transformation. Many of the declared digitization strategies seem like Mr. Tur Tur in nature. The way things are presented and promoted as part of digital transformation initiatives seems impressive from a distance – labs established, digital officers nominated, technology declared to be multi speed, problems to be solved via agile and innovation formalized. But upon looking closer, not so much has really changed.

Digitization is about rethinking value propositions from the core based on digital paradigms with the clients in focus. The generated revenues reflect the result of excellent value propositions. These value propositions must fit not just into any but into the client’s networked world. Digitisation necessitates the redefinition of the core value propositions and transformation of the business model. A high degree of automation and digital assets are qualities of such a model, but a high automation of processes or the replacement of paper with web forms does not imply successful digitisation.

Many value propositions will become ubiquitous as they happen behind the scenes, transparently integrated to create the outcomes desired by the client. This will happen through the integration of interfaces to services into user journeys or skills into clients’ personal smart assistants. Highly scalable and continuously available interfaces, also known as APIs, are key building blocks for enabling these impending capabilities.

To brace the digitisation journey, a company must encompass all dimensions of skills, organization and technology (see Next stop – FinTechGiants ?). To date only a few incumbent companies have approached the challenge and adopted its fundamental way. A rule of thumb indicates that incomes erode by 50% while a dominating player emerges during the digital transformation of an industry. The question for digital laggards becomes how long they can sustain against the trend in the market – trying to catch up does not work. Agility and scalability are imperative and key to survival in the digital world – qualities that must be regained or even re-learned by many organizations.

Look out and be aware of signs of Mr. Tur Tur in your environment. Digitisation requires fundamental changes and cannot be achieved incrementally – underestimating them or creating a perception through marketing campaigns will impede and be detrimental to your business.

Next stop – FinTechGiants ?

Next stop – the collaboration and integration of FinTech and Tech Giants provisioning of classical banking services to their large user base?

FinTech in its broadest definition stands for technologies used and applied in the financial services sector. Progressively, FinTech has started to represent technologies that disrupt traditional financial services. There is a lot of debate about Fintech diminishing typically based on success criteria coming from incumbent companies. Let’s take an unfamiliar perspective and look at companies from a structural context. All companies can only choose to change in limited dimensions when adapting to the environment or when deciding to shape the future. Ultimately it is the users who decide if such changes are successful or even disruptive when they start to massively consume new services or products in preference over others.

Company Structure

Each company has three core dimensions available to implement change:

  • skills
  • organization
  • technology

The first dimension is the skill(s) available to the company. The applied skills, not knowledge, are valued and become the decisive factor. Knowledge is increasingly easy to access while skills are hard and time consuming to build up. Take chess as an example – lots of people have an excellent knowledge of chess and its rules but only a few can play it exceptionally well. Gaining expert level skills requires time and practice. Many things will go wrong on the journey to mastership. The ambition and journey to become a master requires passion, persistence and an environment which allows one to practice, fail and learn. These are essential to make progress.

The second dimension is the organization a company has composed. It defines how the individuals work together and apply their specific skills as a team. Many will immediately think about titles, positions and careers in a hierarchical structure. Within each organization there is not just one but three structures:

  •  a formal structure of power, required to perform business and ensure regulatory compliance
  •  an informal structure of social networks and communication paths
  •  a value creation structure which solves problems and produces the value for clients

Unfortunately, there is no choice: all three exist in every company. The challenge for each company is to balance them in a clever way to create the maximal value for the clients, shareholders, employees and the society. Most companies focus on the formal structure, the hierarchy of power, a paradigm left over from the industrial age. Employees compete in the company to make a career and gain position power over other employees, while the true competition of the company happens at the boundary where the interaction with the environment takes place. The value creation structure, where income, but more importantly trust and reputation, is built up for the company, is not well understood. The highly dynamic informal structure, where influence takes place, is often underestimated or even ignored. The company’s culture is a result of the experiences the employees have in these structures.

The third dimension is technology – the available technology was always a decisive factor throughout human history. Now it has become essential, as technical progress has exponentially increased. Today the need to unlearn outdated practices and learn new ways is challenging the workforce, especially the formal structure. Technological progress demands paradigm changes, as things which worked well in the past lead to the opposite effect tomorrow.

The Tech Force

Now let’s revisit the term FinTech. It is an amalgamation of Financial Services and Technology. Financial Services companies have always used technology to improve service efficiency and convenience and will continue to do so. But many incumbents have the problem that they cannot focus on technology as a differentiator. They need to manage a landscape of accumulated technical organizations as they are not used to replacing the technology base regularly. The heterogeneous landscape binds a lot of resources and increases complication in an already complex business. FinTech companies typically look at a few well selected value propositions and then seek solutions using the best available technology. They may not yet feel competitive from a career and salary perspective, but offer fascinating challenges, the possibility to become a master in modern technology and to have impact in the industry. This makes them attractive for talents, creating highly skilled teams and a high degree of automation using modern infrastructure, enabling an efficient and agile work style.

There is a significant difference between incumbents and FinTech companies in technology, but the biggest difference is in the organizational dimension. Large incumbent organizations with a focus on complex formal and hierarchical structures were ideal for large labor-intensive projects which required the coordination and top-down management of big teams. The complicated landscapes force incumbents towards centralization, aiming for scale effects to achieve efficiency gains. But the future is likely to follow the structure of the internet – it is distributed, technology driven and an interconnected mesh of services. Building and running such services can be done by small teams which efficiently combine the skills to reach a shared vision. A network of smaller loosely coupled but interconnected units, each producing a specific value, fits better in such an environment than big, monolithic and complicated organizations. Such a network of self-contained units is also more flexible to adapt to the environment, to deal with complexity and to survive changes where some of its units may lose value and disappear.

Many of today’s highest valued companies – the so-called tech giants – have assumed an organization which leverages the combined power of the formal, informal and value structure by shifting focus to client value creation and offering space to cultivate the informal structure. These companies may lack the skills of financial services companies now – but they can build on a modern technology base, an extremely high degree of automation and a dynamic and empowered organizational culture. These companies also have immediate access to a vast number of users which may become clients of new service offerings.

The argument that these companies do not want to become banks is misleading. These companies have their customers in focus and will do what helps them to achieve their goals. They will not become banks in the classical sense but are integrating and offering financial services. When financial services are required by their customers, they have applied or will apply for a banking license, and their services are regulated like those of an incumbent bank. Their core focus is client value reach; each service is integrated and offerings are immediately widely available. The broad valued offerings and usage result in an accumulation of valuable data insights which can be directly used to evolve their business. Consider, for example, a platform company running shops and logistics for client companies. It has deep insights and can grant credits in a much leaner and more efficient way. It can choose the most promising client companies and leave the others to the wider market. If the client company grows, it benefits by participating in the success of the shop and its logistics.

Conclusion

Financial services incumbents will need to perform a significant step change in more than one dimension to adapt to the new normal. A difficult transformation for status quo environments of those who currently have the power and are the ones who fear to lose most. An alternative to consider is the collaboration and integration of FinTech and Tech Giants provisioning of classical banking services to their large user base. Clients may be used to attaining certain services from companies today – but this can change very fast at any moment.


Conway’s Law – Change or Fail?

We were recently discussing Conway’s Law in the context of the ongoing transition towards solutions which are digital in their core. The law is named after programmer Melvin Conway who first introduced it in 1967 and said: ‘organizations which design systems … are constrained to produce designs which are copies of the communication structures of these organizations.’ If Conway is right, then this means that implementing a new inherently digital solution requires organizations to change structures or at least their ways to communicate. Sounds like change is inevitable …

Change is inevitable ….

Evolution, transformation or beginning revolution – open your mind, think and act!

Change is the only constant. Have you thought about the types of changes we are experiencing now? Is it evolutionary, transformational or even the coming of a revolution?
  • Evolution – the gradual development or formation of
  • Transformation – a dramatic change of state of being
  • Revolution – a dramatic and wide-reaching change in conditions, attitudes, or current establishment
Today many use the term ‘digital transformation‘ to mean the transformation of the current state into a state which is digital in its core. A state where information is continuously collected, exchanged and analyzed, allowing the creation of smart and interconnected products which adapt and learn.
Some refer to the ‘4th industrial revolution‘ and mean a fundamental and wide-reaching change affecting the life of all of us, the society and its values. What happens when smart machines perform the work and humans have time? Do we then focus on our intrinsic motivation? It is clear that many of the paradigms and trained thinking patterns we are used to immediately become invalid.
If you look around and open up your mind – enabling you to notice what you believe is possible – you then sense that we are probably quite close to a revolution where many things we consider as naturally given today will be replaced by a new normal.
  • Start by looking at one example: self-driving electric cars and their implications. Soon we will transition from car ownership to co-sharing where you pay per use via a simple request which matches your current needs. There is no need for personal parking spaces or garages; with connected self-driving cars, there will be a substantial transformation of current governance and road infrastructure, fewer cars and accidents; the insurance business model will need to be different.
  • Ponder additional examples, such as the increase in automation or the on-demand replication of goods, and imagine how the implications of these scenarios interfere with and influence each other.
The changes are combinatorial and the consequences are profound and complex. They will most likely happen much faster than expected once the trigger point is reached.
Are we really in a transformation or at the beginning of a revolution? Are you ready for the change? Are we ready for the change? Is your company making the future happen or busy running a red queen’s race?

 

Change happens …. change is happening …. progress is optional