Self Sovereign Identity, a Paradigm Shift for organisations; May 2022
Alexander van den Wall Bake
The layer of trust in the digital world is a hot topic, and much needed now that generations X and Z, considered to be digital natives, form almost 50% of our society. The buzz gets louder as the technology matures and the first implementations emerge. Governments are preparing to take action, both at the European and at the national level. But how prepared is the private sector to adopt digital trust? Are you ready to really serve the digital natives? Picking the fruits of Self-Sovereign Identity requires a fundamental paradigm shift for your organisation.
The snags of progress
We are on the verge of the fourth industrial revolution, in which the digital world will integrate with the physical world, but we are still solving the problems arising from the former revolutions. Climate change is a by-effect of the first, when we started to use fossil fuel at scale to drive steam-powered industrialisation. And a remnant of the third revolution is the notion that data can be treated as oil to be drilled, stored and monetised. But much like using fossil fuel, this concept has a few snags:
Raw data lacks trust. Similar to crude oil which needs to be refined in order to be useful, data should be verifiable in order to be valuable. Trust is added to your data when it is issued with the appropriate level of assurance and once presented, it can be validated. Therefore, your collected data only becomes valuable, to all parties involved, when it can be shared in a qualified way.
What institutions know about you is part of your identity. Rampant hoarding of that data does not comply with how we value privacy, "the right not to be bothered". Privacy is a necessary foundation for a healthy society and for managing interpersonal relationships. So we made laws (GDPR, eIDAS) to restrain data-hungry institutions and to put you in control of your own data.
SSI helps tackling the data and identity challenges
Sharing verifiable data in a controllable way can tackle these snags. Fortunately, a concept for dealing with these impediments has already been developed: Self-Sovereign Identity. There are many discussions on the exact meaning of Self-Sovereign Identity (SSI). But what most people agree upon is that SSI is the intended methodology to add trust to personally identifiable data, which reduces counter-party risks (e.g. non-payment, non-delivery, unqualified work, …) and hence facilitates business decisions.
SSI: Verifiable Credentials decouple Verifier from Issuer
The party verifying these credentials can check authenticity and validity without informing or consulting the issuer of the credentials, hence safeguarding the sovereignty of the holder. Using governance frameworks, set by assurance communities, the appropriate Level of Assurance (LoA) can be achieved for each credential.
Integrating SSI changes the way you conduct business.
This might sound very promising to your organisation. For example, onboarding and identity and access management for both customers and employees will be a lot less cumbersome when they can present verifiable credentials. You might wonder how easy it will be to integrate SSI in your organisation. Unfortunately I cannot comfort you: adopting SSI is a fourfold paradigm shift, and wider than your IT department. It will change the way you conduct your business.
Store proof, not data
The first radical change is about storing data of your customers and/or employees. Currently most organisations store digitised forms of credentials (for example a PDF of a passport) together with an activity log of an employee verifying its authenticity. That will happen no more. First, organisations must determine what is really necessary. Do you need to store the date of birth, or only the proof that somebody is over 18 years old? Do you really need insight into your potential mortgage customers' income statements over the last five years, or is an attestation that their income has been above a certain threshold sufficient to rely upon? In many cases storing the actual attributes will be obsolete. Organisations have to rethink their procedures with data minimisation in mind and adapt their systems to store verification proofs, not PDFs.
Forget about Passwords
Both your employees and your customers have a nasty habit of forgetting their passwords. Nowadays, lowering the cost of account-reset calls seems at odds with security demanding painfully difficult passwords. Self-Sovereign Identity will put an end to this contradiction. By presenting a set of verifiable credentials, a customer or employee can be authenticated at the highest level of security without having to remember separate passwords or use MFA for each relationship. The user only needs to authenticate to their wallet, most probably using biometrics combined with a PIN for transactions that require a high Level of Assurance.
Be of value for your customers
Whilst issuing login credentials will become a thing of the past, you should consider which information will be of value to your customers when issued as verifiable credentials. SSI will change the relationship you have with your customer. It might be beneficial to a customer if they can present proof of going to the gym every week when onboarding for a life insurance; issuing experience certificates to gig workers is far more valuable than an unverifiable review; and an indisputable attestation that you have never defaulted on paying your rent might give a mortgage company the additional trust to grant you that higher mortgage. Apart from verifying and issuing credentials, your organisation can also be a holder, since every party can have all roles in the triangle of trust. What credentials could be valuable for your organisation to hold? Conducting business transactions might become less cumbersome when you are able to present verifiable credentials to facilitate customer due diligence at financial institutions. SSI will change the way you handle data from all positions.
Collaborate with your competitors
Last but definitely not least is the shift in establishing the assurance of trust. Instead of interpreting legislation and choosing a risk balance in isolation, most companies will want to collaborate in defining trust with the other parties involved in the customer journey. You might even want to involve your competitors, creating a level playing field of trust for customers. How do you set and safeguard the level of assurance of the needed credentials? By agreeing not only on syntax but also on semantics and logistics. For example: how is the credential "surname" structured? Which issuers of that particular credential are trustworthy enough for my process? Which wallets do I endorse to present these credentials free of tampering? You might even want to consider involving regulators in this assurance community in order to facilitate or automate audits on the process, since they will wield the same definitions of assurance as you.
As you can see, SSI requires some fundamental changes to become a fully decentralised architecture that re-establishes the relationship with your customers and regulators. And whilst society is not yet demanding SSI solutions at the gates of your organisation, this might change soon. The eIDAS 2 regulation will come into effect later this year, requiring all member states of the EU to point out which eID wallets they endorse by 2023. Governmental institutions are stepping in now to research the digitalisation of citizen credentials. By 2024 the acceptance of eIDAS 2 endorsed wallets will be mandatory for larger organisations. If you want to experience the benefits of SSI and facilitate your customers, now is the time to prepare the fundamental changes needed in your organisation and start building your assurance community. TNO is building a consortium to tackle these hurdles for both the public and the private sector together. Team up!