Challenges for Decentralized Identity

Kiran Addepalli
3 min read · May 9, 2022

First the easy part: passwords are bad. The difficult part: not many people realize it. Most hacking-related breaches (over 80%) leverage stolen, default, or weak credentials. Credential harvesting is on the rise, and consumers, and even experts, cannot always predict how the stolen information will be used. Ransomware attacks can wreak havoc in financial services, healthcare, and critical infrastructure, including public utility companies.

Verifiable Credentials (VCs) and Decentralized Identifiers (DIDs) give individuals the basis to control their own identity: to decide with whom they share which piece of information and, essentially, to be in control of their identity.
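The "control" in the paragraph above is mechanical as well as contractual: the issuer signs commitments to a set of claims, and the holder opens only the claims a given verifier needs, so the rest never leave the wallet. The Python below is an added illustration written for this page, not the author's code and not an implementation of the W3C Verifiable Credentials data model. It uses a Lamport one-time signature so that it runs on the standard library alone (a real wallet would use Ed25519 or BBS+ and would resolve the issuer's key from its DID document); the DID `did:example:issuer-1`, the claims about "Alice" and the salts are constructed sample data.

```python
"""Minimal selective-disclosure credential flow: issuer -> holder -> verifier.
Added example (stdlib only); not the W3C VC data model, not the author's code."""
import hashlib
import json
import secrets
from typing import Any


def canonical(obj: Any) -> bytes:
    """Deterministic JSON so issuer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signature: one key pair per signed message -------------
def lamport_keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[sha256(a).hex(), sha256(b).hex()] for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    h = sha256(msg)
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    # Reveal the secret matching each bit of the message hash.
    return [sk[i][b].hex() for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(sha256(bytes.fromhex(s)).hex() == pk[i][b]
               for i, (b, s) in enumerate(zip(_bits(msg), sig)))


# --- Credential built from per-claim salted commitments -----------------------
def commit(name: str, value: Any, salt: str) -> str:
    """Hiding commitment; the salt prevents guessing low-entropy values."""
    return sha256(canonical([salt, name, value])).hex()


def issue_credential(issuer_sk, issuer_did: str, claims: dict):
    """Issuer signs only the commitments, so any subset can be opened later."""
    salts = {k: secrets.token_hex(16) for k in claims}
    body = {"issuer": issuer_did,
            "commitments": {k: commit(k, v, salts[k]) for k, v in claims.items()}}
    return {"body": body, "signature": lamport_sign(issuer_sk, canonical(body))}, salts


def build_presentation(credential, claims: dict, salts: dict, reveal: list):
    """Holder chooses which claims to open; the rest stay opaque commitments."""
    return {"credential": credential,
            "disclosed": {k: {"value": claims[k], "salt": salts[k]} for k in reveal}}


def verify_presentation(presentation, trusted_keys: dict) -> dict:
    """Return the disclosed claims if the signature and every opening check out."""
    cred = presentation["credential"]
    body = cred["body"]
    pk = trusted_keys.get(body["issuer"])
    if pk is None:
        raise ValueError("untrusted issuer")
    if not lamport_verify(pk, canonical(body), cred["signature"]):
        raise ValueError("bad issuer signature")
    verified = {}
    for name, opening in presentation["disclosed"].items():
        expected = body["commitments"].get(name)
        if expected is None or commit(name, opening["value"], opening["salt"]) != expected:
            raise ValueError(f"claim {name!r} does not match the signed commitment")
        verified[name] = opening["value"]
    return verified


def demo() -> dict:
    """Constructed sample: one issuer, holder 'Alice', an age-gated verifier."""
    issuer_sk, issuer_pk = lamport_keygen()
    issuer_did = "did:example:issuer-1"  # hypothetical identifier
    claims = {"name": "Alice", "date_of_birth": "1990-01-01", "over_18": True}
    credential, salts = issue_credential(issuer_sk, issuer_did, claims)
    trusted = {issuer_did: issuer_pk}  # in practice resolved from the DID document

    honest = build_presentation(credential, claims, salts, ["over_18"])
    verified = verify_presentation(honest, trusted)

    # Holder alters a disclosed value: the commitment no longer opens.
    forged = build_presentation(credential, {**claims, "name": "Mallory"}, salts, ["name"])
    try:
        verify_presentation(forged, trusted)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {"verified": verified, "tamper_rejected": tamper_rejected,
            "never_sent": sorted(set(claims) - set(honest["disclosed"]))}


if __name__ == "__main__":
    print(demo())
```

The verifier learns that the holder is over 18 and nothing else, while the issuer's signature still covers the whole credential. One caveat a practitioner should notice: because the commitments are the same bytes in every presentation, two verifiers can correlate them and link the holder across sites; schemes such as BBS+ exist precisely to make presentations unlinkable, and that property is part of what "being in control" has to mean in practice.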

Very natural, right? So why is it not catching on like wildfire?

Here are my three reasons (there are more):

1. Lack of Incentives:

No meaningful business runs on charity and goodwill. Deep down, these entities were established to operate for profit and are required by their shareholders to follow the money. I have not heard a single business executive say that information (customer, product or services) should be shared without understanding the monetization aspects.

Most enterprises, including your banks, insurance companies, healthcare companies, retail and ecommerce sites and others, collect and tag attributes about you and segment you into categories for marketing campaigns. New customer acquisition, customer retention and customer lifetime value are critical to the survival of these companies.

A casual approach in which an entity willingly releases customer information via Verifiable Credentials is incomplete without addressing the monetary value of doing so. We do have good recent references: Open Banking APIs, for example, show that financial institutions can productize customer data and incentivize core banking, payment services, exchanges and partners to grow and monetize collectively.

Security teams have a lot of convincing to do with their management. It is an opportunity, but it will not happen without an understanding of the business case.

2. Lack of Governance Framework:

Web3 is a buzzword that everyone seems to know these days. Just plug in a DLT node or create a wallet and you are in the game, right? Well, it is more than that. Identity and security organizations are driven by regulations and audit requirements. These differ by region, by the domain you operate in, and so on. It is complicated, sometimes unnecessarily so, but broadly in a meaningful way:

  • Data: What is the information? How is it protected? Who has access to it? Where does it reside? How long is it stored? What happens after it is removed?
  • Network: Who can access resources? What protocols do they use? How are unwanted requests blocked? How are unauthorized requests and programs detected and responded to?
  • Identity and Access: Who or what are you? What roles do you play? What privileges do you have? Is there additional risk? Is there a need to ask for additional information? Was the information actually accessed?

The regulatory landscape does not change overnight. Identity frameworks, including Verifiable Credentials, need a Decentralized Autonomous Organization (DAO) that can define a governance model and an operational model. I am aware of a few, but more needs to be done in this area.

3. Lack of Education:

Technobabble is real. Security teams talk gibberish without punctuation or pauses in an effort to outsmart one another. Edge cases are often quoted as primary use cases (a man stuck in the Australian Outback is asked to prove his identity by a police officer on horseback), and that obviously cannot be the starting point for a conversation. It takes the meaningful discussion off the table: how do I explain this to the consumer?

Consumers need to understand how the security landscape has changed. It is no longer lone hackers stealing money from a bank but nation states employing sophisticated techniques to target enterprises and their partner networks. These enterprises are prime targets because they hold vast stores of consumer identities and personal information, and any leakage puts the consumer at risk.

Device makers and browser developers hold a lot of control over how users interact with systems, and they often do little to explain the additional security measures they add.

Decentralization is key to the future, but addressing some of these shortcomings and seeking inspiration from Bitcoin and other DeFi protocols will greatly help identity frameworks.

We do not have to agree on my top three. I am sure there is a lot of work to debunk what I have written here. I look forward to hearing it and learning from everyone who is adding to this cause.

Kiran Addepalli

Executive Leader| Data and Identity Champion| Innovation and Product Builder