How Decentralized Identity Differs from Less Secure Approaches

Identity management isn’t a new requirement, especially for government organizations serving residents and educational institutions serving students. But the most common methods fall short in many ways. They demand too much manual effort, involve too many duplicated processes, and aren’t secure enough to protect against today’s proliferating cybersecurity threats.

To recognize the advantages of decentralized identity, it helps to compare it with existing approaches.

Identity Proofing

Identity-proofing aims to verify and authenticate the identity of users accessing a service, an application, or data. It attempts to achieve this goal through a combination of factors: ID verification, document verification, digital wallets, government identity systems, and so on.

Identity-proofing can also be offered as a service. Identity-proofing services use historical transaction data aggregated from public and private sources to verify identity. Such services intend to provide a layer of assurance when authenticating an individual who wants to access sensitive data or funds.

But identity-proofing fails to solve elemental challenges of identity management. Even if consumed as a service, it involves significant behind-the-scenes manual effort, and it must be repeated in every data-access context. In fact, identity-proofing is sometimes described as a journey, applying additional verification checks as the user accesses different levels of data or services. Such an approach can quickly become redundant and inefficient.

Single Sign-on

Most people are familiar with single sign-on (SSO), an authentication method that permits users to employ a single ID to log into multiple independent systems. The idea is to allow individuals to log in once to use a variety of services without having to re-authenticate themselves.

In a government context, SSO certainly offers greater convenience to residents, who can log in once to perform a variety of tasks: access government data, apply for permits and licenses, apply for and consume services, and so on. And it arguably reduces work for agencies, which need to manage fewer usernames and passwords.

But SSO has several shortcomings. First, it does nothing to strengthen or streamline initial verification of a resident’s identity. If a malicious actor steals or fabricates an identity to successfully establish an SSO account, the attacker then has access to every system that participates in the SSO. Put another way, a breach of one system or agency can quickly become a breach of multiple systems and agencies.

Second, SSO applies only to the agencies and programs that opt into the SSO. Residents might be able to use SSO to access services from a state’s Department of Transportation and Department of Health, say, but they might still require separate logins to access services from other agencies.

At the federal level, the U.S. government established an SSO program through login.gov. The service enables the public to use one account and password to access services from participating agencies. But its use is fairly limited, primarily allowing applications for federal jobs, Department of Homeland Security trusted traveler programs, and Small Business Administration loans and disaster assistance.

In addition, the verification process behind login.gov relies on an identity-proofing service provided by LexisNexis. This approach essentially combines the limitations of SSO with the shortcomings of identity-proofing. It also means PII is stored in a centralized database – making it a prime target of cyberattacks involving ransomware or data exfiltration.

Centralized Identity

Centralized identity is exactly what it sounds like. It aggregates residents’ data in one place. With traditional centralized identity:

  • PII is stored and managed in government databases.
  • Every interaction with an agency or program requires back-and-forth communication and redundant paperwork.
  • Manual identity verification becomes costly and highly susceptible to fraud and theft.

In contrast, with decentralized identity:

  • Data is never stored by agencies. Residents own and control their own data.
  • Credentials are verified instantly, can be trusted indefinitely, and are usable across agencies.
  • Verification occurs in a blockchain distributed ledger, making identity theft virtually impossible.
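The three bullets above describe a verifiable-credential flow: an issuing agency signs a credential once, the resident keeps it in a wallet, and any agency can check it later against the issuer's published public key without storing the resident's data or contacting the issuer. The Go program below is an added illustration of that flow and is not code from the original article or from any particular identity product. It assumes Ed25519 signatures, DID-style identifier strings that are made up for the example, and an in-memory map standing in for the distributed ledger; it models only key publication and signature checking, not the ledger itself or credential revocation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is the payload the issuer signs. Struct field order is fixed and
// encoding/json sorts map keys, so Marshal yields a canonical byte string that
// issuer and verifier can both reproduce.
type Credential struct {
	Issuer  string            `json:"issuer"`
	Subject string            `json:"subject"`
	Claims  map[string]string `json:"claims"`
	Expires time.Time         `json:"expires"`
}

// SignedCredential is what the resident holds in a wallet and presents.
type SignedCredential struct {
	Credential Credential
	Signature  []byte
}

// Registry stands in for the distributed ledger (assumption for this example):
// it maps an issuer identifier to that issuer's public key and holds no PII.
type Registry map[string]ed25519.PublicKey

// Issuer is an agency that signs credentials; the private key never leaves it.
type Issuer struct {
	ID   string
	priv ed25519.PrivateKey
}

// NewIssuer generates a signing key pair and publishes only the public half.
func NewIssuer(id string, reg Registry) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	reg[id] = pub
	return &Issuer{ID: id, priv: priv}, nil
}

// canonical returns the exact bytes that are signed and later verified.
func canonical(c Credential) ([]byte, error) {
	return json.Marshal(c)
}

// Issue signs a credential for the subject. The issuer does not need to keep
// a copy: verification later depends only on the published public key.
func (i *Issuer) Issue(subject string, claims map[string]string, ttl time.Duration, now time.Time) (SignedCredential, error) {
	c := Credential{Issuer: i.ID, Subject: subject, Claims: claims, Expires: now.Add(ttl)}
	b, err := canonical(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Credential: c, Signature: ed25519.Sign(i.priv, b)}, nil
}

// Verify checks a presented credential using only the public-key registry.
// Any agency can run this; nothing is sent to the issuer and nothing about the
// subject is written anywhere. A changed claim, an unknown issuer, or an
// expired credential is rejected.
func Verify(reg Registry, sc SignedCredential, now time.Time) error {
	pub, ok := reg[sc.Credential.Issuer]
	if !ok {
		return errors.New("unknown issuer")
	}
	b, err := canonical(sc.Credential)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, b, sc.Signature) {
		return errors.New("signature invalid: credential altered or forged")
	}
	if !now.Before(sc.Credential.Expires) {
		return errors.New("credential expired")
	}
	return nil
}

func main() {
	// Constructed sample data: a hypothetical DMV issues a licence-class claim.
	reg := Registry{}
	dmv, err := NewIssuer("did:example:state-dmv", reg)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	cred, _ := dmv.Issue("did:example:resident-42", map[string]string{"license_class": "C"}, 24*time.Hour, now)

	fmt.Println("health dept verifies:", Verify(reg, cred, now))          // <nil>: accepted
	tampered := cred
	tampered.Credential.Claims = map[string]string{"license_class": "A"}
	fmt.Println("tampered credential:", Verify(reg, tampered, now))        // signature invalid
	fmt.Println("presented after expiry:", Verify(reg, cred, now.Add(48*time.Hour)))
}
```

The point the example makes is the separation of roles: the only shared state is the issuer's public key, so a second agency (the "health dept" line) can accept the same credential without a database of residents, and altering a single claim invalidates the signature.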

One form of centralized identity that gained recent interest is ID.me, a service that enables individuals to prove their legal identity online. The IRS and multiple state unemployment agencies have used the service. But in June 2022, Business Insider reported that the company had engaged in lax security practices resulting in exposure of PII. Data from passports, driver’s licenses, and other documents were shared on corporate messaging channels and visible to customer service reps.

These lapses point to the fundamental flaws of centralized identity, whether it’s managed internally in an agency or consumed as a service from a vendor. When PII is stored in a single database, it becomes prone to security breaches from both faulty internal practices and external attacks. And with multiple pieces of data in a single location, an individual’s entire identity can be stolen, potentially leading to significant financial and legal hardship.

Decentralized identity, in contrast, is protected by the inherent security of distributed ledgers. Data is never stored in a single location, so agency databases don’t become the target of cybercrime or victim of internal breaches. Cryptography ensures that distributed ledger records are permanently secure and immutable.

Just as important, residents retain control over their data – who owns it, who has access to it, and what it’s used for. And, they don’t need to resubmit their data every time they want to access a new service – improving their experiences with and building their trust in government.