The Real World Is Not Ready For SSI
Author: David Luna
Created at: Sep 2021
Updated at: Jun 2023
Self-Sovereign Identity (SSI)—in the pure form that its most ardent supporters promote—envisions a situation where every user controls their own digital wallets containing verifiable credentials (VCs). The contents of these VCs are stored in immutable public blockchains and are shared to service providers through zero-knowledge proofs (ZKPs). Unfortunately, the real world is not ready for SSI.
For a quick primer on the technologies, actors, and roles involved in SSI and how they interact, refer to https://forgerock.connectedcommunity.org/blogs/david-luna/2021/09/13/self-sovereign-identity-glossary?CommunityKey=23e124f2-b1f8-4450-9266-e23477537f64[this article].
The technologies that underpin the vision are evolving at a rapid pace, and there is already a burgeoning sector growing around their implementation and adoption. The fully decentralized view of identity—with users placed firmly in the centre of the ecosystem—enables a range of use cases, from applying for jobs with educational credentials to accessing adult websites having proved one’s age without disclosing any personally identifiable information.
So, why are we not all currently carrying these digital wallets stuffed to the brim with proof of our experiences, and presenting them at every opportunity? Surely, they would have aided in the rapid deployment of COVID vaccine passports, and can streamline everyday processes. The benefits seem obvious, but adoption doesn’t appear to be on the near horizon.
The story of digital identity, from the dawn of the internet to the modern day, is one where technological advancements have always outpaced significant public use. The number of times the "death of the password" has been announced is uncountable, and yet 50 years on, the vast majority of online services require nothing more than an email address or username, and a series of asterisks, to access them.
It is only in the most recent years that multifactor authentication—through push notifications, OATH-based one-time password generation or security keys—has begun to permeate the public consciousness. Even then, oftentimes this is not driven by the end-user’s desire to enhance their own security, but rather required by the security-conscious service provider, or as a result of having been bribed into adoption through an otherwise unobtainable reward.
One of the key stumbling blocks I have encountered when talking about potential SSI use cases and investment boils down to having a critical mass of adoption from the get-go. Without this, service providers have to build hybrid systems that can understand both traditional identity presentations, as well as those implemented using the combined set of SSI technologies.
If a service or company decides to drive forward with an SSI implementation and begins to issue VCs to its users, it needs to ensure that the VC verifiers can trust and use the VCs. Their partners or members of their service’s ecosystem must also implement enough of the SSI stack to be able to request, receive, and validate these VCs—and also trust the issuers of those VCs. Unilateral deployments that do not exist within a fully self-contained system will be faced with the challenge of having to wait for the rest of their industry to catch up.
How do we ensure that, when this new stack is available, it will be utilized without frightening away those who are not natural early tech adopters? Overhauling one’s identity infrastructure is no small feat, and investing in the wrong solution at the wrong time can have disastrous consequences both for the company and the end-user.
Technologies take time to trickle down, and must be made accessible, widely supported, and user-friendly, before we can reach the inflection point where a life without them would seem unfathomable. In my opinion, before SSI will be ready for the mainstream, the underlying concepts will have to be proven in the eyes of the lay user before they can be iterated on together to bring forward its major benefits.
Already, the public understanding of blockchains is growing, albeit for sometimes dubious or unfathomable reasons, but the use of blockchain technology is only one part of the SSI vision. Far more significant, and the side of the technology that end-users will interact with, are Verifiable Credentials and the digital wallets in which they’re stored. These two pieces of the puzzle work together to let a user store and manage their digital credentials akin to the storage of the physical identity documents they carry around today. As their real-world counterparts are already well-understood by the non-technical community, they form the most straightforward point with which to begin engagement. Critically, they can be implemented without the burdensome requirements of a fully-realized SSI ecosystem.
Apple Pay and Google Pay have placed the wallet concept firmly in the public’s hands, and their use has risen due to the Coronavirus pandemic. Recently, Apple announced the next step in its wallet’s evolution, allowing storage and presentation of copies of a user’s state IDs and driver’s licenses as an mDL (mobile driver’s license). These credentials will be presented by the verifier requesting specific elements of the user’s mDL, rather than the whole document. Having this technology available out of the box on everyday consumers’ smartphones should be seen as a significant stepping stone in public awareness of digital credential technology.
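As an added illustration of the two mechanics described above, the verifier needing to trust the issuer and validate the credential, and the holder revealing only the elements that were requested, here is a small Python model of issue, present and verify. It is not code from the original article and not any real wallet, VC or mDL implementation; the issuer identifiers, trust registry and claims are constructed for the example, and issuer proofs are simulated with HMAC-SHA256 (an assumption made so the example runs on the standard library alone), where a real deployment would use an asymmetric signature over a standard credential format.

```python
"""Toy verifiable-credential flow: issuer commits to salted claim digests,
holder discloses only requested claims, verifier checks issuer trust and
that every disclosed claim is covered by the issuer's proof.
Illustrative only: HMAC stands in for a real issuer signature."""
import hashlib
import hmac
import json
import secrets


def _canonical(obj) -> bytes:
    # Deterministic encoding so issuer and verifier hash the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _claim_digest(salt: str, name: str, value) -> str:
    # A salted digest commits to a claim without revealing its value.
    return hashlib.sha256(_canonical([salt, name, value])).hexdigest()


def issue_credential(issuer_id: str, issuer_key: bytes, subject: str, claims: dict):
    """Issuer side. Returns (credential, disclosures).
    The credential carries only digests plus the issuer's proof; the
    disclosures (salt + value per claim) live in the holder's wallet."""
    disclosures, digests = {}, []
    for name, value in claims.items():
        salt = secrets.token_hex(16)
        disclosures[name] = {"salt": salt, "value": value}
        digests.append(_claim_digest(salt, name, value))
    body = {"issuer": issuer_id, "subject": subject, "digests": sorted(digests)}
    proof = hmac.new(issuer_key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "proof": proof}, disclosures


def present(credential: dict, disclosures: dict, requested: list) -> dict:
    """Holder side: attach only the disclosures the verifier asked for."""
    disclosed = {n: disclosures[n] for n in requested if n in disclosures}
    return {"credential": credential, "disclosed": disclosed}


def verify_presentation(presentation: dict, trust_registry: dict):
    """Verifier side. trust_registry maps issuer id -> issuer key material.
    Returns (ok, revealed_claims, reason)."""
    cred = presentation["credential"]
    body = cred["body"]
    key = trust_registry.get(body["issuer"])
    if key is None:
        # No trust relationship with this issuer: the VC is unusable here,
        # however well-formed it is.
        return False, {}, "issuer not trusted"
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["proof"]):
        return False, {}, "bad issuer proof"
    revealed = {}
    for name, d in presentation["disclosed"].items():
        # Each disclosed claim must match a digest the issuer committed to.
        if _claim_digest(d["salt"], name, d["value"]) not in body["digests"]:
            return False, {}, f"claim {name!r} not covered by issuer proof"
        revealed[name] = d["value"]
    return True, revealed, "ok"


def demo():
    # Constructed sample: one issuer, one holder, one verifier.
    issuer_key = secrets.token_bytes(32)
    cred, disc = issue_credential(
        "did:example:dmv", issuer_key, "alice",
        {"over_21": True, "birth_date": "1990-01-01", "licence_no": "X1"})
    registry = {"did:example:dmv": issuer_key}
    # Verifier asks only for the age attribute; date of birth stays hidden.
    return verify_presentation(present(cred, disc, ["over_21"]), registry)


if __name__ == "__main__":
    print(demo())
```

The verifier with an empty or mismatched registry rejects even a perfectly valid credential, which is the "critical mass" problem in miniature: the credential is only as useful as the set of verifiers that have onboarded its issuer.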
I believe the next likely steps in the promotion of these technologies will see wallet components not only at the OS level, but built into individual apps. These apps will initially store VCs for use within a given corporation’s or government’s closed ecosystems, rather than aiming ambitiously for a globally-understood SSI deployment. Moreover, these deployments will likely not use a blockchain-based ledger, at least not a public one. Indeed, with the recent announcement of W3C’s rejection of Decentralized Identifiers (DIDs), it is now questionable as to whether or not blockchain will even be a part of the future of decentralized identity at all.
Imagine your vaccine certificate being an element within your healthcare provider’s app, or your achievements in a videogame being available in that game’s companion mobile app. These elements would be shared as VCs, but it may be an awkward experience for a user to have them sitting alongside their credit and debit cards. I believe it unlikely that we will see "one wallet to rule them all" emerge in the short term, but rather, a collection of micro-wallets with which users will gain experience and confidence in using these technologies, and as companies learn how best to present the user experience. They will be shared at first within a restricted ecosystem where deployers can ensure the implementation of a suitable collection of the necessary technologies. This will enable services to not have to gamble that being ahead of the curve will pay off and everyone else will quickly follow suit.
I’m also inclined to believe we are likely to see an emergence of web-based wallets for this purpose, rather than mobile ones. While storage of credentials on a physical device carried around is an attractive proposition for many internet natives, there remain a number of barriers: those who do not own smartphones, those who wish to swiftly use their digital wallets from a variety of devices without having to pull their phone out of their pocket, individuals with accessibility needs not met by mobile apps, etc. We must remember that if the desire is to entirely replace physical ID documents with digital ones, the entire population must be along for the ride, not just the most able or the most tech-savvy.
With these concepts in place, the move from presentation of credentials to the use of ZKPs should be a fairly straightforward leap. The benefits of ZKP presentations will have to be demonstrated to the end-user through intuitive user interfaces and experiences which prioritise the privacy aspects of such presentations.
Finally, after developing familiarity and experiencing success with limited-scope digital wallets in closed ecosystems, true SSI may become possible. At that point, end users will be able to handle direct management of multiple credentials from multiple issuers, which are recognised across various ecosystem boundaries, and all within the same app. However, we must move there slowly and make sure everyone is along for the ride. Only once each of these component pieces has been in place for some time will we be ready to step forward with the public’s eyes and arms wide open to the benefits of the fully decentralized world that some envisage.