Digital Identity: Centralized or Decentralized Futures — Technicals (2/3)
Software is eating our world, including our identities. What does the future of digital identity look like when web3 takes over?
gm, ga, gn, wagmi.
In case you missed the intro, you can go check it out here.
note: mainly non-jargon version, conversational/storytelling, & long af.
Welcome back and let's get diving into rabbit holes...
Identity Structure
We’re going to break down the layers of identity into three parts:
- own
- read
- write
How do two parties prove that they own something? They come together, give each other read access to confirm the ownership of something written by a centralized body or agent.
(there are other combinations and framings that fit these 3 narratives, for the sake of web3 I want to present it like this and in no particular order)
Own
In identity, ownership means that you are in possession of information that confirms you are who you say you are.
Ownership of what?
web2: (analog) government-issued IDs & docs, corporation-issued docs. (digital) username & password.
web3 (as it stands today): a randomly generated private key created when you initialized a wallet on MetaMask, Phantom, Coinbase Wallet, or some other (it can also be layered with a password).
The ownership of each corresponding datapoint is always hidden behind a wall. This wall can be the physical possession of the item (preventing anyone from stealing it) or a password that only you know. Hint: you don’t really own it, more on that later. In the web3 world, it’s locked behind a private/public key pair. Only you have access to the private key, like your password (except practically impossible to guess, and never “password”).
Read
For reading, you are giving access for a counterparty to confirm the details of who you are, or that it’s you (they are two different things); this is essentially the security layer of identity.
What does reading look like?
web2: (analog) physical exchange of an item. (digital) username & password, SSO, SAML, OAuth, MFA, the exchange of identity details through these methods.
web3: cryptographic exchange to confirm/match between the public/private key.
When reading is occurring there is always a permissions process (security layer) that needs to take place. In the physical world, it’s you physically permitting the transfer from you to another person. In the digital web2 world, it’s the fact that you entered a given password to log in to the site, or any of the other methods mentioned. In both of those cases, one would say that the authentication is pushed from the person trying to assert their identity to the verifier.
Pushing your ID to another party, or pushing your password to a website e.g. facebook.com, gmail.com, twitter.com.
In web3, someone else pushes their request to validate you and you grant permission to read and do a key-pair match. As mentioned earlier, it’s the ability to read that you are in possession/own something unique that only you should know or have.
We can also summarize this with, read something you know or own.
Write
Last one, something written:
Here it gets a bit confusing. The notion of writing your identity is messy in the conversation of centralized vs. decentralized. In truth, identity is always written from a central body, the real question is which central body and who has permission to write it to a database/artifact?
Who writes it?
web2: centralized government or corporations write it or grant permission to write.
web3: decentralized protocols that are permissionless, everyone can write.
Also, what is the information to be written?
In the analog world we would say what’s written is first name, last name, an address, a birth date, a centrally assigned identifier & more. In the web2 digital world, I’d say the same information, adding all your ‘digital exhaust’: tying your personally identifiable information (PII) and banking details to a phone number, email, location, activity, and more; all digital activity.
In the web3 world, well, we haven’t really determined that. There are many ideas circulating around but as of now, you can either be represented publicly like this:
0x43F711E89ACA714DB70dF6a3EF8F580db1202638
Or like this, android6024.eth. (if you want to learn about ENS names go here)
Or, you can go the boring route and use all the web2 data, tying it to an NFT or metadata on-chain (this will likely be the route that occurs once we solve anonymity and privacy concerns).
QUICK ANNOUNCEMENT
NEVER SHARE YOUR PRIVATE KEY (or SEED PHRASE), NEVER!
Private keys are equivalent to your most private personal data. It’s the thing you own and know in web3. Don’t give it to anyone.
By now you should see there is constant overlap between all of the concepts. That’s because it’s the interaction between all of them that is important. Also, we haven’t discussed the overarching idea of what centralized vs decentralized looks like.
Let’s go there next.
Centralized Identity (Web2)
In this space, the write portion of identity is solely owned by the government bodies or corporations. You can physically own your identity, but if you lose it you don’t have permission to reissue it. Digitally, you definitely don’t own any of it. To read the database, well, I don’t think Big Data is looking for everyone to read their data so easily, hence APIs, paywalls, ads. Also, if they were to shutter their windows & burn all servers & docs (probability <1% atm), our identities would essentially be thrown back to the Stone Age.
In other words, you own a document for as long as it’s in your possession in the analog world, the instantiation of identity is behind big walls. In the digital world, you can instantiate and persist the identity but don’t own a single piece of it (yeah, you can download it and do what with it? show your bank your terrible twitter engagement rate?).
Ultimately, our identities, which represent us in every aspect of society, are owned by someone other than the person they represent. We can read & write (with limitations) but own none of it.
To be clear, this is not a TERRIBLE thing. It’s just a fact. We may never have 100% decentralized identity, maybe close. Moving along.
Decentralized Identity (Web3)
In this corner, we have the open-source king. Open-source is also the problem child we face with decentralized identities. The individual person the data represents can read, write, and own their identity in its entirety. The issue lies in two extremes: the always publicly available on-chain activity and metadata (identity attributes can be metadata), or the difficulty in cryptographically confirming your IRL identity attributes on-chain.
Most of us would agree that we’d rather not have everyone know our exact PII, location, bank details, etc. Identity rightfully should exist behind a wall of sorts. A wall that is managed by the real and true owner of that identity.
Another concern with web3: anyone can write anything to the ledger. Meaning identity can literally take any form. Anonymous, pseudonymous, or known (fully-exposed identity). How do we confirm that the identity written behind a given private key is truly the person it’s claiming to be?
This is where some very interesting conversations and problems are attempting to be solved.
IMO, part of this solution will be building bridges between web2 technology and data attributes and web3 protocols. There will be on-ramps between the 2 layers so they can interact as seamlessly as possible.
What does the interaction of all these look like? (reading, writing, owning identity)
Identity Management
Let’s begin summarizing and layering in some technology, i.e. jargon. Introducing our first diagram. It is presented differently from what I wrote above (read, write, own).
Here we are going to look at the handshakes or interactions between the different parts of authenticating, validating, or managing an identity. This is more representative of models in web2 but has some comparisons to web3.
A bit of an explanation (feel free to skip below if you understand the above diagram).
Identity authentication is the user pushing their ‘username’ & ‘password’ to the verifier (the verifier being the organization/protocol) for permission to gain access. You will either be rejected access for not having the right ‘identity’ or will have to register a new identity, writing a new identity to the centralized database (interestingly this new identity mostly resembles a past identity, but not always). In a decentralized version of this, everyone will have initial write access, but we don’t have a formal verifier consensus protocol (identity verification) that is privacy preserving.
If you are granted access, in web2, you either manage or persist your identity within a centralized database, always reading & writing all your information and identity details to a central body. In web3, access means someone is reading YOUR database and you are granting someone else access inside your home — imagine leaving someone your house keys. The authentication method here is cryptographic in nature (I’m not a cryptographer but I’m reassured it’s very secure).
Another thought I want to explore but will leave for another time, how does the process of identity become instantiated, persisted, and controlled within the decentralized environment? For that we will leave this image below.
Lastly, we can abstract the majority of the things I describe above by this nicely put together table (figure 1). Centralized & Federated models are both centralized frameworks within our discussions. Since this is mainly a conversation about centralized or decentralized, I leave breaking down each layer of the technology for a later time.
What we will do is break out the problem sets within the 2 spaces and see how the technologies fit into building specific futures.
The main takeaway here is that all of these mechanisms are essentially handshakes between different components of identity, made to ultimately determine, securely and accurately, that you are who you say you are.
Identity management is literally a massive chain of handshakes with the intent to create an equitable, representative, robust, secure, and prospering marketplace.
Those handshakes look drastically different in web2 vs web3.
Next, we’ll wrap up the series with our call to action. Defining the problem sets, fitting the technologies into their use cases, and seeing what comes next.
All errors and typos are my own.
If this topic interests you, consider joining the conversation Thursday, Jan 13th: click here
About the author
Les is a Data Scientist at Prove; he’s constantly noodling on how data represents us in the digital world and how we can be better represented and safer when transacting in the economy, now and in the future.
He’s also a punk in the @BladeRunnerPunk community.
Prove is the modern way of proving identity with just a phone.