Organizations shouldn’t ignore the fast-evolving DDID ecosystem
Centralized digital identities are easily hackable and brittle – hackers only need to breach one social network’s user database or other centralized user store to gain billions of valid user credentials.
Given the near-monthly news of high-profile data breaches – think Facebook last year – users are also increasingly reluctant to trust all their identities to a single identity provider (IdP). The concepts, standards and solutions for decentralized digital identities (DDID) offer unique benefits that address several of these challenges. These include digital claims and credentials that are easy to issue, verify, and revoke, and increased security and privacy of personal data attributes with better user controls. Multi-sourced identity verification and password-less authentication are also important benefits.
Established vendors are moving into the DDID ecosystem
To build on their existing security solutions and their identity and access management (IAM) product and process mapping capabilities, firms like IBM and Microsoft have made substantial investments into the emerging DDID ecosystem to address growing customer demand for distributed identity solutions.
At the same time, venture capital (VC) interest in DDID has noticeably spiked. Breaches like those suffered by Equifax, as well as antitrust focus on Facebook and Google have triggered interest in an identity model that’s not dependent on a centralized authority. In 2019, cumulative VC investment in DDID solutions reached $200 million to $300 million as VCs favor solutions providing an implementation of the blockchain, a complete onboarding and trust scheme for issuers and verifiers, and a user-friendly identity wallet for both iOS and Android.
The US, Canada, and, to a lesser degree, the UK are seeing the most momentum for DDID. Unlike countries where a centralized government scheme exists, these countries have no trusted digital identity models, but they have massively digital populations. Their economies are ripe for identity disruption, and they represent the strongest, near-term growth potential for DDID.
When it comes to DDID, pay attention to verticalization, user self-service, and security
Even though most DDID solutions are still immature and have only a few organizations as paying customers, it would be a mistake for CIOs – especially those in industries where identity proofing is a critical business function – to ignore this fast-evolving ecosystem. As providers begin offering viable user enrollment, strong authentication, and experiences that support business functions like marketing and sales, CIOs should engage with their security and risk (S&R) teams to begin evaluating the ecosystem. Specifically, they should:
- Look to vendors that have vertical ties
DDID solutions are only as strong as their vertical-specific ecosystem. The more members (i.e. issuers and verifiers) the provider has in its DDID network, the more valuable users will find the DDID solution out of the gate. CIOs and S&R pros should prioritize DDID solutions with customer-centric use cases, such as eligibility verification, frictionless authentication, and reliable credentialing for their initial pilots.
- Prioritize solutions that solve the lost-wallet conundrum
If you ask a vendor what happens when a user loses access to their identity wallet, responses tend to be lackluster. This isn’t for lack of trying; it’s just a particularly thorny problem. Some vendors say users should create an encrypted, passphrase-protected backup of their wallet to the cloud or a local file. Others push for physical ID proofing, including presenting physical documentation to a trusted identity “notary.”
Any of these is a daunting task and offers no guarantee that the user can recover their digital identity or, in the worst case, revoke lost or stolen claims. These kinds of user experiences will be a differentiator in the DDID market.
- Get a full architectural and security briefing from vendors
Given the current wild-west nature of DDID solutions, there is no consensus on whether the ledger should be permissioned, public, or private. There also isn’t agreement on how verifiers and issuers establish trust with each other, or on how the presentation of claims and proofs happens. That’s why S&R pros should require potential vendors to show architectural and sequence diagrams and standards-based security features for at least the identity verification, claim issuance, and ongoing authentication use cases.
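To make the claim issuance, verification, revocation and presentation use cases named above concrete, here is an added example (not from the original article, and not any vendor's or standard's implementation) that models the three DDID roles with nothing but the Go standard library: an issuer signs a credential bound to the holder's wallet key, the holder presents it by signing a verifier-chosen nonce, and the verifier checks issuer trust, signature, expiry, revocation and holder binding. The credential field names, the `did:example:` identifier and the in-memory revocation list are assumptions made for illustration; a real deployment would use a standard credential format and a ledger- or registry-backed revocation check.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is a minimal claim set. Field names are assumptions for this example,
// not a real verifiable-credential standard.
type Credential struct {
	ID      string            `json:"id"`
	Issuer  string            `json:"issuer"`  // issuer identifier (a DID-like string, constructed)
	Subject []byte            `json:"subject"` // holder's Ed25519 public key: binds the credential to one wallet
	Claims  map[string]string `json:"claims"`
	Expires int64             `json:"expires"` // unix seconds
}

// SignedCredential pairs a credential with the issuer's signature over its canonical JSON.
// encoding/json sorts map keys, so the encoding is deterministic for this struct.
type SignedCredential struct {
	Credential
	Signature []byte `json:"signature"`
}

func canonical(c Credential) ([]byte, error) { return json.Marshal(c) }

// Issuer holds a signing key and its own revocation list (in memory here; a ledger or
// registry in practice).
type Issuer struct {
	ID      string
	priv    ed25519.PrivateKey
	revoked map[string]bool
}

func NewIssuer(id string) (*Issuer, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{ID: id, priv: priv, revoked: map[string]bool{}}, nil
}

func (i *Issuer) PublicKey() ed25519.PublicKey { return i.priv.Public().(ed25519.PublicKey) }

// Issue signs a credential for the holder identified by holderPub.
func (i *Issuer) Issue(id string, holderPub ed25519.PublicKey, claims map[string]string, ttl time.Duration) (SignedCredential, error) {
	c := Credential{ID: id, Issuer: i.ID, Subject: holderPub, Claims: claims, Expires: time.Now().Add(ttl).Unix()}
	msg, err := canonical(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Credential: c, Signature: ed25519.Sign(i.priv, msg)}, nil
}

func (i *Issuer) Revoke(id string)         { i.revoked[id] = true }
func (i *Issuer) IsRevoked(id string) bool { return i.revoked[id] }

// Verifier trusts a fixed set of issuer keys (the "trust scheme" between issuers and
// verifiers) and consults a revocation oracle.
type Verifier struct {
	trusted    map[string]ed25519.PublicKey // issuer ID -> public key
	revocation func(issuer, credID string) bool
}

// Verify checks issuer trust, signature, expiry and revocation of a credential.
func (v *Verifier) Verify(sc SignedCredential, now time.Time) error {
	pub, ok := v.trusted[sc.Issuer]
	if !ok {
		return errors.New("untrusted issuer")
	}
	msg, err := canonical(sc.Credential)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sc.Signature) {
		return errors.New("issuer signature invalid (credential altered or forged)")
	}
	if now.Unix() > sc.Expires {
		return errors.New("credential expired")
	}
	if v.revocation(sc.Issuer, sc.ID) {
		return errors.New("credential revoked by issuer")
	}
	return nil
}

// Presentation is what the holder's wallet sends: the credential plus a proof that the
// wallet controls the key the credential was issued to (signature over a fresh nonce).
type Presentation struct {
	Cred  SignedCredential
	Nonce []byte
	Proof []byte
}

func Present(sc SignedCredential, holderPriv ed25519.PrivateKey, nonce []byte) Presentation {
	return Presentation{Cred: sc, Nonce: nonce, Proof: ed25519.Sign(holderPriv, nonce)}
}

// VerifyPresentation is the password-less authentication step: nonce freshness,
// credential validity, then holder binding.
func (v *Verifier) VerifyPresentation(p Presentation, expectedNonce []byte, now time.Time) error {
	if !bytes.Equal(p.Nonce, expectedNonce) {
		return errors.New("nonce mismatch (stale or replayed presentation)")
	}
	if err := v.Verify(p.Cred, now); err != nil {
		return err
	}
	if len(p.Cred.Subject) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(p.Cred.Subject), p.Nonce, p.Proof) {
		return errors.New("holder proof invalid (presenter does not control the credential's key)")
	}
	return nil
}

func main() {
	issuer, _ := NewIssuer("did:example:issuer") // constructed identifier
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	v := &Verifier{
		trusted:    map[string]ed25519.PublicKey{issuer.ID: issuer.PublicKey()},
		revocation: func(_, id string) bool { return issuer.IsRevoked(id) },
	}
	cred, _ := issuer.Issue("cred-1", holderPub, map[string]string{"over18": "true"}, time.Hour)
	nonce := make([]byte, 16)
	rand.Read(nonce)
	fmt.Println("fresh presentation:", v.VerifyPresentation(Present(cred, holderPriv, nonce), nonce, time.Now()))
	issuer.Revoke("cred-1")
	fmt.Println("after revocation:", v.VerifyPresentation(Present(cred, holderPriv, nonce), nonce, time.Now()))
}
```

The sequence here is the one to ask vendors to diagram: who holds which key, where the verifier's list of trusted issuers comes from, how revocation is looked up, and why the verifier issues a fresh nonce per presentation instead of accepting a bare credential.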
- Test proofs of concept that solve tactical business problems, but be ready to scale
When you start solving identity problems for consumers in one area of a business, they will expect to use those identities more broadly. This is the kernel of what made social identities so compelling for users, before they became a liability. CIOs should create cross-function identity working groups to begin identifying areas where DDID could improve customer experience, reduce business costs, and create more trust in the identity ecosystem at all assurance levels. Digital advertising, preference centers, healthcare, and cross-device identity are all areas that need more trust and less user friction.