Currently, centrally managed accounts limit the potential of digital identities. The W3C has therefore long wanted to enable “decentralized identifiers (DIDs)”. With the ION network, Microsoft is launching a promising candidate for the long-awaited decentralized identities, and one that is based on the Bitcoin blockchain.
Nothing works without identity, not even on the Internet. If you want to have a say on Twitter or Instagram, blog through WordPress, shop on Amazon or watch series on Netflix, you have to sign in first.
Each login creates a digital identity, usually consisting of a username or email address together with a password. Such an identity is isolated: it is valid only on a single site. For users, this means creating dozens or hundreds of identities over the course of their online lives.
Platforms such as Google, Facebook or Amazon offer to make this easier by allowing users to log in to other sites with their Google account, for example. PayPal plays a similar role: it sends the buyer’s address data along with a payment and thus constitutes the identity required for the transaction.
What these “platform identities” have in common is that they simplify the user experience on the Internet, but also that they centralize user data on corporate servers. Google, Facebook, PayPal and so on become the owners of their users’ identities.
This works in many cases, but not all. Often, data or attributes of an identity are needed that the platform accounts lack; Google, for example, does not know the age of its users. Most importantly, society pays a high price for simplifying identity management through platform accounts: it further increases dependence on the large Internet corporations.
Microsoft and digital identities
Microsoft also plays this game: at times the software company aggressively makes the Windows identity a condition for fully using Windows 10, and during updates it repeatedly asks you to attach further data to this identity.
In parallel, however, Microsoft has for years been developing a system for “decentralized identities”, or “decentralized identifiers” (DIDs), and is now going live with it. Of particular interest here is that Microsoft’s system is based on Bitcoin: not in theory or by borrowing technologies, but in practice and on the Bitcoin blockchain itself.
Project manager Daniel Buchner presents the launch on Twitter as an epochal shift: “Last night, after we pushed in the final updates, I just sat there for a while while the gravitas of what’s possible hit me. I don’t have the words to express the gratitude of having the chance to do something for others that is so much bigger than me.”
Released under the title ION, Microsoft’s system is “the culmination of ten years of work that began in 2011 when a few of us at Mozilla took the time to explore the core concepts of decentralized identity. Microsoft ended up creating the opportunity to make that dream a reality, and I will remain forever grateful for that.”
What are DIDs?
“Decentralized identity is a trusted framework,” Microsoft explains on its website, “in which identifiers like usernames are replaced with IDs that you own, that are independent, and that enable the exchange of data using blockchain and distributed ledger technology while protecting privacy and securing transactions.”
That sounds more abstract than it is. For users of Bitcoin and Ethereum in particular, the idea should be easy to grasp: in principle, they already have and use decentralized identities.
A Decentralized Identifier (DID) is the core of the method proposed by the W3C to identify people or entities such as companies on the Internet. A DID is, more or less, a file that contains arbitrary information about the owner’s identity. It can be no more than a pseudonym, but it can also carry the status of a government-confirmed identity card. Most importantly, a DID is decentralized: it resides not on the servers of Google and the like, but on the owner’s own hard drive.
Decentralized identifiers, the W3C explains, “should allow individuals and organizations to generate their own identifiers using systems they trust. Users can prove control of these identifiers by authenticating themselves with cryptographic proofs such as digital signatures.” Each entity can have “as many DIDs as it needs to maintain the desired separation between identities, personas and interactions. The use of identifiers can be customized based on context.”
In short, DIDs are the identification method that the Internet currently lacks. If you want digital identities to reach their potential, you should want DIDs. And if you want to prevent our digital identities from falling completely into the hands of large corporations – you should want DIDs, too.
For users of Bitcoin and Ethereum, this is familiar territory: each Bitcoin address for which you hold the private key is a decentralized identity that authorizes one specific action, a transaction on the Bitcoin blockchain. You need neither a username nor an account for this, which is perhaps the most important difference between Bitcoin and PayPal. The key to the identity is on your own hard drive. For those of you who are now interested in buying BTC, just visit Binance and open an account. It is one of the biggest exchanges, and they also offer coupons.
Ethereum goes even further: if you have ever used DeFi apps such as Uniswap in your browser with a wallet like MetaMask, you know that the Ethereum address, whose keys reside only on your own system, serves as an almost universal identifier across numerous applications. Logging in without a username has long been the norm in the DeFi universe.
Microsoft’s ION project for decentralized identities
Microsoft’s aspiration now is to be the party that realizes DIDs and brings them to the masses. That is the goal of the ION project. “ION is not based on central parties, nor validators that must be trusted, nor specific tokens for a protocol,” according to the announcement. Instead, ION is “an open, permissionless system. Anyone can run an ION node.”
ION is based on Bitcoin: each identity is anchored on the Bitcoin blockchain, and thus on the most secure decentralized database available. The price of this security, however, is limited scalability and, at times, high transaction costs. To scale far enough for meaningful applications, ION therefore needs a layer on top of Bitcoin: the Sidetree protocol.
The Sidetree protocol was written by Microsoft, Transmute, SecureKey, ConsenSys and Mattr. How it works in detail is hard to explain and to understand. There is a detailed specification, but it is very technical. It mainly deals with the format of the DID files, the signature and hashing methods, and the operations that can be performed on DIDs. The syntax follows the W3C specification.
In Sidetree, the blockchain is understood as an “underlying anchoring system”. The “scalable network for decentralized identifiers” built on top of it is a higher layer, similar to the Lightning Network, but specifically and exclusively for DIDs.
This “layer 2” for decentralized identities works roughly as follows: everyone who works with DIDs, whether creating, changing or deactivating them, passes that data to an ION node. The nodes collect the data and store it both locally and in the InterPlanetary File System (IPFS). They then compute a hash over a batch of these records and store it on the blockchain in a transaction. When other ION nodes discover this transaction on the blockchain, they request the source data behind it.
Like a Lightning node, an ION node is built on top of a Bitcoin node running as a server; anyone who has set up a full Lightning node knows how this works. However, such a node is only necessary if you want to validate the DID data yourself and independently. It is also possible to fetch the data from other nodes, for which Microsoft provides both an SDK and an API. Users can manage their DIDs through a kind of wallet; websites validate them through an API.
Why a blockchain – and why Bitcoin?
Of course, the obvious question is: as great as decentralized identities may be, why do you need a blockchain for them? Couldn’t you just store a key on your smartphone and log in with it?
Microsoft’s Daniel Buchner explains on the blog: “There are many different approaches to creating a DID protocol, but they all revolve around the same concept: users own identifiers tied to a set of cryptographic keys and routing endpoints.” Creating such a protocol is not hard, he says, and in itself does not require a blockchain. But if you manage DIDs through a central server, you might as well stick with the old model.
So a DID system worthy of the name needs a reliable decentralized network. And it’s this, he says, that’s the biggest difficulty: “It’s incredibly challenging to create a robust decentralized network without falling back on validator nodes that you have to trust, utility tokens, or other mechanisms.”
Fortunately, Bitcoin and other blockchains already provide such a network. But why Bitcoin in particular? With Ethereum, for example, DIDs would have had native access to a wealth of smart-contract applications.
The FAQ on ION’s GitHub page answers this question: you need an open, permissionless system in which there is no “cabal of authorities that can exclude or remove participants.” This system must be well tested and must have withstood attack for a long time. It must also provide a single, independently verifiable and immutable record, and it must be widely distributed, with an abundance of nodes around the globe securing it.
These criteria exclude private blockchains and weakly tested or insufficiently decentralized altcoins. Among the remaining candidates, Bitcoin meets the requirements “so much better that others don’t even come close – Bitcoin is the most secure option by an absurdly wide margin.”
The vision of decentralized identity
Little is yet known about the practical application of Microsoft’s ION. It’s live on the blockchain, but I don’t know the transactions yet; there’s an explorer on the ION website, but I don’t know what you can enter there; the example it spits out at least shows the data structure of a DID.
I also don’t yet know what you have to do as a user to generate a DID, nor do I have any idea where to put it. A start would probably be to be able to do that with Windows 10 and then log into Skype with the DID. But I’m not aware of anything like that yet.
The vision behind it is clear, though: once DIDs become standard, a government agency could issue you an ID card DID, an insurance company an insurance DID, a bank a liquidity DID, a university an exam DID, and so on. That way, you have a bunch of DIDs on your PC or smartphone that you can present as needed to sign up for stock exchanges, buy cars or take out a loan, all without revealing more private data than you would like, or involving anyone who does not need to be involved.
Completely new models of identity are also conceivable: a forum can issue a user a certificate stating that they have taken part decently and diligently in discussions for years, which immediately unlocks them in other forums; a newspaper, say the Süddeutsche, can issue a subscriber a voucher for free articles at another newspaper, say Zeit. And so on. The identity that accounts currently constitute is only a blurry shadow of what is possible.
Of course, ways will have to be found to deal with the theft of this data. If my DIDs are stolen, I can probably invalidate them, provided I have a copy of them. But what if I don’t? A social layer will probably be needed through which DIDs are invalidated, and which then communicates that to all parties or writes it to the blockchain via a master key. After all, neither the Bitcoin blockchain nor IPFS allow data to be changed without the corresponding keys.
A successful system of DIDs will presumably lead to the emergence of fiduciary custodians: middlemen who take over the generation and custody of DIDs completely and thus act as a meta-account, but possibly also custodians who only keep a (possibly encrypted) backup. All of this is still emerging. It is a technology that does not yet exist, which is why the entire socio-economic system that would require it is not there yet either. But it could be enormously important for society that this system actually emerges.