After rejection of the e-ID Act in March 2021, the Swiss Federal government is working at full speed on a new proposal. The first results were published in a discussion paper on September 2. Self-Sovereign Identity (SSI) is one of three possible solutions proposed for the implementation of the future e-ID. What is SSI is and why does it bring significant added value in terms of data privacy?
Think back to the 1970s, when all processes were paper-based and your piece of identity was in your wallet. You decided when and to whom you show your ID. Nowadays, people are more digital, yet the digital ID is still missing. Current authentication on the internet is characterized by communication between you and an identity provider. All information is issued and maintained by this central identity provider. This means that every time you click on "Sign in with Google", you reveal your behavior. In summary, the user is not aware of the personal data usage and cannot control it actively. This is like your wallet was managed by another company.
Additionally, the growing intention to digitize and automate cross-company business processes we have experienced in the last decades increases the need of trust between organizations. The fact of not being able to assure the veracity of the identity is an obstacle to digitization.
Self-Sovereign Identity addresses exactly these aspects. It is intended to manage digital identities in a decentralized manner, giving the users full control of their data and enabling trust between institutions.
How does SSI work?
The SSI concept brings the personal wallet idea to the digital world as an application on a smartphone or computer. The electronic wallet is the core of SSI. Every participant in the ecosystem has such a wallet which stores verifiable credentials such as identity, certificates, home address, etc. In the SSI system, three roles are defined: the issuer, the holder, and the verifier. The issuer is an institution that distributes verifiable credentials, such as an authority issuing an identity, an insurance issuing a health card or a university issuing a diploma to a person. The holder is the person in the center of the system and stores the verifiable credentials in his mobile wallet. The verifier can ask for information of a holder to offer a service, such as credentials to log in to a web page or the age for a rent-a-car service. The SSI ecosystem enables a lot of chains of trust and use cases for a secure and smart future.
SSI is the next level of identity management
SSI is a solution that brings distinctive advantages for every role in the ecosystem.
As holders, users have full control of their personal data which are stored in their mobile wallets. Using their wallet, they keep their credentials and login activities confidential. Furthermore, SSI gives them the possibility to disclose information in a granular manner (only the minimum amount of data necessary to accomplish the task at hand). Additionally, they benefit from zero knowledge proofs (ZKP). ZKP is a possibility for a holder to answer a yes-or-no question without revealing the data. The most common example is proving that the holder is over 18 without revealing his birthday. SSI in combination with the smartphone security is a huge gain for the data privacy of users.
By using SSI, the issuer can easily create credentials and prevent fraud, because via advanced cryptography, the issued verifiable credential is guaranteed to be immutable. Furthermore, issuers can dispose of verifiable credentials from third parties to create their own credentials. Finally, it enables a secure and easy verification of the issued credentials in both the virtual and the physical world.
The verifier also benefits from data privacy. Thanks to ZKP, it is possible to verify information without getting the data. This allows easier compliance with the data privacy laws GPDR and FADP. What’s more, the verifier can aggregate information from credentials from different institutions, which helps to digitize cross-company processes.
SSI solves core privacy problems existing in centralized and federated identity models and offers new ways of using identities and official documents. Not only users benefit from this. With SSI, the whole ecosystem gains advantages.
SSI is on the fast track
Currently, governments support SSI on a national and international level and companies in all business areas prepare themselves for the next steps. The European Commission introduced the European digital identity, which is on priority until 2024. Hence, the European Union funds SSI projects, such as the European Self-Sovereign Identity Framework Lab. Furthermore, the German government started an SSI pilot on the national level for business travelers in Germany. It is possible to use SSI to speed up the check-in process. Besides, in Switzerland, the discussion for a national electronic identity focuses on SSI as one of the favorite solutions. Overall, the pressure is growing to realize SSI as a new level of identity management.
SSI and AdNovum
Identity management, data privacy and security are part of AdNovum's DNA. Therefore, it was only natural that the AdNovum Incubator decided to take a closer look at SSI. In 2016, the Incubator began to analyze the technology as part of the cardossier project. Since 2019, in cooperation with the cardossier association, we have been relying on SSI as a solution for identity management. In a first step, the Google login of cardossier members was replaced with an SSI-based login. Lately, we launched an SSI initiative based on real use cases with public and private players. For more insights, go to SSI Innovation Initiative.
Self-Sovereign Identity is changing the way the world looks at digital identities. The advantages are significant for the whole ecosystem. Additionally, we see that governments are pushing this topic on both an international and a national level. Hence, it will gain in importance for companies, public institutions, or individuals in the future. The advantages are being presented, the regulation is in preparation, the concepts are defined, and the first implementations are in production. SSI is surely the next level in the evolution of identity management, and everyone should ask themselves «How can I take advantage of it?».