Centralised or decentralised identity?
In recent years, the term “decentralised identity” has appeared more and more frequently in discussions about electronic identities. This is also the case in the currently published “Target Image E-ID”, which is intended to publicly discuss the vision for a state electronic identity in Switzerland. What is hidden behind the term? What are the advantages and disadvantages compared to a “central identity”?
The main distinction between centralised and decentralised identities is based on two questions:
- Who creates the identity of a user (subject)?
- Who is involved in the use of this identity?
With central or externally administered identities, the identity of a subject is created by an external entity. This can be an organisation, an authority or some other service. The important point is that the subject cannot use its identity independently of this entity. A decentralised identity, by contrast, is an electronic identity that is neither managed by a central identity management system (IdMS) nor usable only through one; it is stored decentrally with the user, e.g. on a smartphone or in a browser plug-in, and can be used without an intermediary. We all know the centralised principle well from social networks. An identity from Google or Facebook can be used in many applications. The identity, once created, is managed by the provider, and the provider is involved in every login process, even if users do not necessarily notice this. This is convenient for users because they can use one identity “for everything” and do not have to manage many “isolated” identities that only work for one application. The price for this service is usually paid by the user with their data.
Figure 1: One central identity for multiple organisations
The decentralised or user-centred approach follows a completely different concept. Users store their identities locally on their own devices. This can be in a wallet app on a smartphone or in a special browser plug-in. The advantage of this approach is that the user can use his identity independently of the creator (see figure). This concept corresponds to the physical reality of the “wallet”, or the principle we know very well: “issue-receive-possess-show-verify”. Physical identity documents are kept in a wallet and are taken out and presented when needed.
Figure 2: Decoupling the creation of an identity and its use
In the decentralised approach, the creation and use of an identity are thus completely decoupled. This modern approach knows two facets: a subject can create its identity itself (self-managed) or receive it in advance from an external entity (self-controlled).
A self-controlled identity is created in a first step by an identity service and then handed over to the user for use, control and retention. The advantage is that the identity service is only active when issuing (and updating). However, the user has little influence on the creation process and must fully trust this identity service. When accessing an application, the user then presents their identity information in a requested form (e.g. as a QR code). The application can then check the origin and validity of the identity information. Depending on the design of this identity information, it could also be used offline. If the electronic identity is lost, the user can contact his identity service to have it restored or, if necessary, revoked in a first step. A typical example is the German nPA (new identity card).
In contrast to self-controlled identities, self-managed identities do not require an identity service. This concept is also known as “self-sovereign identity”. Here, the user creates and controls his identity (or identities) himself. The subject can subsequently have attributes (individually or as a group) confirmed by authoritative sources (issuers). To do this, the subject must authenticate himself with an issuer and have his initially self-declared attributes confirmed. The subject thus “collects” confirmed attributes for its identities, which it then presents to an application in the required form. Besides great advantages in terms of self-administration and privacy protection, this concept has some unresolved issues of governance, retention and trust establishment. The user has a much greater responsibility to manage and maintain their identity in this approach; if problems arise, there is no central support to assist them.
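The “issue-receive-possess-show-verify” principle, the self-controlled case in which an application checks the origin and validity of presented identity information without the issuer being involved, and the self-managed case in which an issuer confirms attributes bound to a key the user generated, shown as one added Go example. This is illustrative code written for this article, not code from the original text or from any E-ID project or wallet. The credential format, the issuer name, the attribute names and the Ed25519 key binding are assumptions made for the example; real schemes use standardised credential formats and add revocation and selective-disclosure mechanisms that are not modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is a set of attributes an issuer confirms for one holder.
// The holder is identified by a public key it generated itself (the
// self-managed case). The format is made up for this example.
type Credential struct {
	Issuer  string            `json:"issuer"`
	Holder  []byte            `json:"holder"` // holder's Ed25519 public key
	Attrs   map[string]string `json:"attrs"`
	Expires int64             `json:"expires"` // Unix seconds
}

// SignedCredential is what the issuer hands over ("issue" / "receive"):
// the credential plus the issuer's signature over its canonical JSON form.
type SignedCredential struct {
	Cred Credential
	Sig  []byte
}

// Presentation is what the holder shows to an application ("show"): the
// signed credential plus a fresh holder signature over the verifier's nonce,
// which proves possession of the bound key and prevents replay.
type Presentation struct {
	Credential SignedCredential
	HolderSig  []byte
}

// canonical encodes the credential deterministically; encoding/json sorts
// map keys, so equal credentials always produce identical bytes to sign.
func canonical(c Credential) ([]byte, error) {
	return json.Marshal(c)
}

// challenge is the message the holder signs: issuer signature || nonce.
// A fresh slice is built so the issuer signature is never modified in place.
func challenge(issuerSig, nonce []byte) []byte {
	msg := make([]byte, 0, len(issuerSig)+len(nonce))
	msg = append(msg, issuerSig...)
	return append(msg, nonce...)
}

// Issue: the issuer has authenticated the holder out of band (not modelled)
// and now signs the confirmed attributes bound to the holder's public key.
func Issue(issuer string, issuerKey ed25519.PrivateKey, holderPub ed25519.PublicKey,
	attrs map[string]string, expires time.Time) (SignedCredential, error) {
	c := Credential{Issuer: issuer, Holder: holderPub, Attrs: attrs, Expires: expires.Unix()}
	msg, err := canonical(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Cred: c, Sig: ed25519.Sign(issuerKey, msg)}, nil
}

// Present: the holder ("possess") answers the verifier's nonce with its own key.
func Present(sc SignedCredential, holderKey ed25519.PrivateKey, nonce []byte) Presentation {
	return Presentation{Credential: sc, HolderSig: ed25519.Sign(holderKey, challenge(sc.Sig, nonce))}
}

// Verify runs entirely on the application's side with no call to the issuer:
// it needs only the trusted issuer keys, the nonce it sent, and the current time.
func Verify(p Presentation, trustedIssuers map[string]ed25519.PublicKey, nonce []byte, now time.Time) error {
	c := p.Credential.Cred
	issuerPub, ok := trustedIssuers[c.Issuer]
	if !ok {
		return fmt.Errorf("issuer %q is not trusted", c.Issuer)
	}
	msg, err := canonical(c)
	if err != nil {
		return err
	}
	if !ed25519.Verify(issuerPub, msg, p.Credential.Sig) {
		return errors.New("issuer signature invalid: credential altered or forged")
	}
	if now.Unix() > c.Expires {
		return errors.New("credential expired")
	}
	// ed25519.Verify panics on a wrong-length key, so check before using it.
	if len(c.Holder) != ed25519.PublicKeySize {
		return errors.New("malformed holder key in credential")
	}
	if !ed25519.Verify(ed25519.PublicKey(c.Holder), challenge(p.Credential.Sig, nonce), p.HolderSig) {
		return errors.New("holder proof invalid: presenter lacks the bound key or nonce mismatch")
	}
	return nil
}

func main() {
	// Constructed keys and attributes for the demonstration.
	issuerPub, issuerKey, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderKey, _ := ed25519.GenerateKey(rand.Reader)
	sc, err := Issue("example-register", issuerKey, holderPub,
		map[string]string{"over_18": "true"}, time.Now().Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	trusted := map[string]ed25519.PublicKey{"example-register": issuerPub}
	fmt.Println("verify:", Verify(Present(sc, holderKey, nonce), trusted, nonce, time.Now()))
}
```

The verifier never contacts the issuer, which is what makes the offline use mentioned above possible; the trade-off is that a credential revoked after issuance still verifies until it expires, so a real scheme must add a revocation mechanism (for example a cached status list). Because the whole attribute set is signed at once, the holder can only present it whole; confirming attributes individually, as the text allows, would mean issuing one signed credential per attribute.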
Figure 3: Comparison of identity management systems from the user’s point of view
In summary, it can be said that the user-centred approach offers many advantages, especially for a state E-ID. International developments are moving in this direction, as are the efforts in the European Union for the EUid. However, since the concept of “decentralised identities” is not yet generally known and the infrastructure is still being developed, centralised and decentralised identity systems will still be found side by side for quite a while.