In March 2019, I received an email from the Securities & Exchange Board of India (SEBI) – the regulatory body which oversees all investment related activity in India. Apparently, one of my investment advisory clients had lodged a formal complaint against me for swindling him by making false promises of assured returns on stock market investments. I had never even heard of the guy.
It turned out that someone else was using my SEBI registration number (which is available in a public directory maintained by SEBI on its own website) and running an investment advisory racket. It was a case of identity theft. I filed an FIR of mala fide impersonation with my local police station and submitted a copy to SEBI, and thankfully the complaint against me was closed, but I don’t think the defrauded victims ever got their money back.
According to an FTC report, there were 2.4 million reported cases of identity theft and imposter scam and more than $5.8 Bn was lost to fraud in the US in 2021. In India, identity theft cases make up the largest chunk (20%) of computer-related crimes registered in the country. On the flip side, managing identity is a big business. Okta, an American identity and access management company which builds software that helps companies manage and secure their user accounts, pulled in over a billion dollars in revenue in 2022 and is valued at $7.8 Bn.
What is identity and how has it evolved over time?
Broadly speaking, identity is how a group member or a system user is represented within the group/system. A basic requirement of an identity is that it be unique within that group/system; hence your name, while commonly used as an identifier in everyday conversation, does not serve as an identity at your workplace or in your city or country.
Examples of identity would be your employee id, government-issued identity (e.g., Aadhaar or Social Security Number), bank account number, phone number or Twitter handle.
Note that identity by itself does not embed a means of authentication. For example, using my SEBI-issued registration number (an identity) did not require any authentication from me or SEBI. Similarly, anyone can send money to your bank account or an SMS to your phone number without your permission. The former can make your account look suspicious while the latter results in spam.
Over time, identities that embed some sort of communication channel with them became more widely adopted over those that don’t. During the early days of the internet, the three-field form for sign-up proliferated – user name (identity), email (communication) and password (authentication). Gradually we dropped the user name and adopted email itself as the identity and then with the mass adoption of a few consumer apps like Gmail and Facebook, we even got rid of the password and allowed these services to authenticate the user on our behalf (in exchange for higher conversion rates). A slightly less obvious example of the same for government services is Aadhaar with its linked mobile number where UIDAI provides the ‘Aadhaar-OTP’ authentication service.
Another relevant observation around the adoption of a specific version of identity is that it is either mandated (by your workplace or government) or it happens as a by-product of the mass adoption of some other consumer utility, e.g., Login with Google only came about after the mass adoption of Gmail. It is unlikely that a standalone identity solution will gain mass adoption by consumers on its own.
In web 3.0, the current de facto identity is your wallet address. Each wallet address is unique, and one can use the same wallet address to interact with multiple apps if they are built on the same blockchain.
However, using a wallet for identity has a complicated user experience, is not easy to recover if you lose the seed phrase and, more importantly, it results in oversharing of information with the app: everything contained in the wallet, i.e., all your tokens and your full transaction history, is visible to the app.
This has led to the development of the concept of Self-Sovereign Identity (SSI) in web 3.0. It refers to an approach where users own and manage their identity related information (credentials) and can share them with applications how and when they desire.
These credentials can be implemented in a tokenized or non-tokenized way. Examples of the tokenized approach would be Soulbound Tokens (SBTs) which are non-transferable NFTs that can represent credentials like a diploma issued by a university or a membership to an exclusive club. While the non-transferable nature of SBTs makes them highly reliable as unique identifiers to an on-chain address, they are inherently transparent, making them difficult to use when privacy is required. POAPs are another example of tokenized credentials where organizers of an event issue NFTs to attendees as a kind of proof of attendance.
A non-tokenized approach to implementing SSI is via Verifiable Credentials (VCs) and Decentralized Identifiers (DIDs), two W3C standards that enable a common interoperable layer for user identification and verification. VCs are tamper-evident statements about a user that are cryptographically signed by an issuer, e.g., a driving license or an assertion that the holder is above age 21. The credential is then typically presented by the holder to a verifier (e.g., a car-rental company or a bar) who wants to verify a claim made by the holder (of being eligible to drive or drink) before allowing the holder to use their services. The verifier resolves the issuer’s DID to its public key and checks the signature over the credential, confirming that it was indeed issued by that issuer, has not been altered, and refers to the specific user presenting it.
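The issuer/holder/verifier flow described above, as an added example that is not part of the original post or of any VC library: the resolver map stands in for DID document resolution, the DIDs and the "ageOver21" claim are constructed sample values, and the credential shape is a deliberate simplification of the W3C data model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is a minimal stand-in for a W3C Verifiable Credential (real VCs carry more fields).
type Credential struct {
	Issuer  string          `json:"issuer"`  // issuer DID
	Subject string          `json:"subject"` // holder DID
	Claims  map[string]bool `json:"claims"`  // e.g. "ageOver21": true
}

// SignedCredential is what the holder stores and later presents to a verifier.
type SignedCredential struct {
	Cred Credential
	Sig  []byte // issuer's Ed25519 signature over the canonical JSON of Cred
}

// Issue is the issuer step; encoding/json sorts map keys, so the signed bytes are deterministic.
func Issue(c Credential, priv ed25519.PrivateKey) SignedCredential {
	msg, _ := json.Marshal(c)
	return SignedCredential{Cred: c, Sig: ed25519.Sign(priv, msg)}
}

// Verify is the verifier step; resolver stands in for DID resolution (issuer DID -> public key).
func Verify(resolver map[string]ed25519.PublicKey, sc SignedCredential, holder, claim string) error {
	pub, ok := resolver[sc.Cred.Issuer]
	msg, _ := json.Marshal(sc.Cred)
	if !ok || !ed25519.Verify(pub, msg, sc.Sig) {
		return errors.New("unknown issuer DID or signature does not verify (credential altered?)")
	}
	if sc.Cred.Subject != holder || !sc.Cred.Claims[claim] {
		return errors.New("credential is not about this holder or does not assert the claim")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // issuer key pair; pub is what its DID publishes
	resolver := map[string]ed25519.PublicKey{"did:example:dmv": pub}
	sc := Issue(Credential{"did:example:dmv", "did:example:alice", map[string]bool{"ageOver21": true}}, priv)
	fmt.Println("genuine:", Verify(resolver, sc, "did:example:alice", "ageOver21"))
	sc.Cred.Claims["ageOver21"] = false // holder edits the credential after issuance
	fmt.Println("tampered:", Verify(resolver, sc, "did:example:alice", "ageOver21"))
}
```

The verifier only ever sees the claim it asked for and the issuer's public key; it never needs the holder's wallet contents, which is the oversharing problem the wallet-as-identity approach has.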
DECO – short for Decentralized Oracle – is a privacy-preserving oracle protocol currently under development that leverages zero-knowledge proof technology to enable users to prove statements about themselves to applications without revealing that information to the public or even the oracle itself. DECO can be used to attest to data about a user’s identity on-chain that was originally stored or generated off-chain. Teller – a DeFi lending marketplace that supports undercollateralized loans – used the DECO protocol in a proof of concept to prove that the sum of a user’s off-chain bank accounts had a balance exceeding the requested loan amount, thus allowing for significantly lower collateral requirements for loans.
Project Guardian, a program under the Monetary Authority of Singapore, recently completed its first pilot, dubbed ‘Institutional DeFi’, wherein foreign exchange transactions with tokenized deposits and tokenized government bonds were carried out on a public blockchain network (Polygon) using Verifiable Credentials-style digital identity solutions built in-house and logic adapted from existing DeFi protocols.
Polygon recently launched Polygon ID – an SSI solution which claims to improve upon the expressibility and composability of verifiable credentials while preserving privacy via advanced zero-knowledge proof technology.
The opportunities ahead
An inter-operable privacy-preserving on-chain identity has several applications.
On-chain attestations of work done can replace traditional CVs and LinkedIn profiles and make it much easier to locate domain experts and match talent to organizations. They can also enable quick and cheap employee background verification, thus avoiding incidents like the recent one where Cognizant had to lay off 6% of its total workforce over failed background checks. The concept can be generalized to an on-chain reputation accrual and management system where even non-work-related information, e.g., about a person’s hobbies, interests, social work etc., can be captured and made queryable (with consent).
Combining off-chain data with on-chain identity can also lead to new types of proof, such as proof of fandom, where users can prove that they were following an artist long before she became popular and hence become eligible for special privileges or gain access to the artist’s fan club without having to pay for it (thus preventing hyper-financialization).
Another related area of opportunity intertwined with identity, as noted earlier, is the communication rails linked to it. Currently, wallet-to-wallet or dApp-to-wallet communication remains broken and while there are several projects tackling it, a mainstream solution is yet to emerge. Also, as in web 2.0, we see value in building B2B solutions for dApps to help them onboard new users and manage their accounts securely (e.g., Web3auth).
The design space of Self-Sovereign Identity is nascent even when compared to the broader blockchain ecosystem and hence fraught with several unknowns but it is worth pursuing as it holds the promise of giving us back the control of what rightfully belongs to us – our identities.
Author – Ankur Choudhary, Research Partner, Woodstock