Self-sovereign identity: The true password killer

September 15, 2020

From the early days of the web, the concept of authentication has been synonymous with the notion of ‘logging in,’ typically with a username and password. Today, this ubiquity has exploded to the point that the average individual has 191 usernames and passwords acting as one-to-one keys for any website they’ve registered with.

For some, this staggering number can be managed relatively securely with the use of password management software. But for most - two thirds of us, according to a Google survey - convenience trumps security. People opt for easy-to-remember passwords they reuse on different sites, rather than adhering to best practices.

This sacrifice has led to a major vulnerability, with the standard six-character password taking only five minutes to crack by brute force. And when it comes to re-used passwords, the ramifications are much greater: Suddenly a malicious party has access to not just one account on one website, but your entire online identity.

A step in the right direction

Fortunately, we’ve seen improvements on both the convenience and security fronts. Single sign-on solutions (SSOs) like “Sign in with Google” have allowed users to register an account with every single website or app.

Yet, this convenience comes at a cost: privacy. With social media giants being able to correlate nearly everything you do across hundreds of services, our identities remain exposed.

According to Andy Tobin, the European Managing Director at digital identity solutions provider Evernym, “It would be like going to the immigration counter after an international flight and handing all of your travel documents to a Facebook employee who is standing there, copies them all, and then hands them to the border officer. You simply wouldn’t agree to that in the physical world.”

On the security side, we’ve seen the rise in two-authentication (2FA) create a second layer of defense against password vulnerabilities. With 2FA enabled, even if a wrongdoer has your password, they won’t be able to authenticate as you unless they have that second factor (often, your mobile phone or biometric).

Yet, we see convenience take even more of a backseat, with over 90% of individuals not going the extra mile to enable two-factor authentication on services that offer the feature.

So how can we make security more convenient?

While SSO and 2FA are great improvements over traditional, centralized usernames and passwords, they still don’t let us have our cake and eat it too — that is, they don’t give us both security and convenience.

But there’s an emerging technology that does. It’s called self-sovereign identity (SSI).

SSI is a decentralized identity model built on secure peer-to-peer connections, and it flips the equation. Instead of having individuals create accounts with the websites and apps they use, SSI offers verifiable, globally resolvable, and privacy-preserving credentials that we store and manage from the security of our own devices and can show to anyone, anywhere.

In simpler terms, it’s like having a passport for the digital world. Our data lives with us; and with

a few taps, we can share the information needed for authentication (without the oversharing of extraneous data that comes with many SSO solutions).

Often touted as the “password killer,” SSI finally gives us a private, secure, and seamlessly convenient user experience. It takes multi-factor authentication to a new level, with your credentials, the cryptographic keys that secure them, connected devices, and real-time biometrics all adding additional factors to the mix.

This solution builds on the convenience of SSO, but in a way that makes it much, much harder to correlate your digital journeys, as even the credential issuer (such as a government, university, or employer) does not need to know when, where, or to whom you shared a credential.

The key to self-sovereign identity are the concepts of decentralized identifiers (or DIDs) and private cryptographic keys, which replace usernames and passwords, respectively.

DIDs are a new type of unique identifier that do not require a centralized registration authority because control of the identifier can be proved using cryptography. Think of it like a domain name system without ICANN sitting in the middle. Or more aptly, like "Sign in with Google" without Google or any other third party.

Whereas usernames and passwords are essentially “rented” from the sites they’re registered with and only work on that one domain, decentralized identifiers are created and fully managed by the individual through digital wallet software stored on their phones. And unlike passwords, aren’t designed to be re-used or even human-readable. Instead, they are designed to form a unique, cryptographically secure bond between the individual and each of the online services they use.

Similarly, replacing passwords with private keys significantly reduces the likelihood of impersonation and fraud. Not only are cryptographic keys prohibitively hard to guess or crack, but they’re also essentially meaningless in the event of a data breach. If one of your service providers were to get compromised, the key they store to verify your identity would be useless to malicious parties, as it is unique to, and only valid with, that one service provider.

A Passwordless Future

While it’s hard to imagine a world without usernames and passwords, the technology is already here. Several credit unions are already using verifiable credentials for authentication, with early results show that credentials cut as much as 80% off the time it takes to authenticate a member, while other organizations are exploring a wide mix of use cases, from digital staff passports to touchless boarding passes.

Security and convenience have long been at odds with one another, with individuals often sacrificing the former for the latter. Yet cybersecurity is only as strong as an organization's weakest link - or rather, weakest password. In order to create the verifiable online future users need, we must find a way to make it easier for individuals to secure their online identities.

With self-sovereign identity, the digital safety we need is finally possible.

Alex Andrade-Walz is Director of Marketing at Evernym.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 September

This month in Security magazine, we bring you our 2020 Most Influential People in Security annual report, where we highlight 22 industry leaders, their path to security, careers, goals and guidance for future security professionals. Industry experts discuss the evolution of ransomware, houses of worship security, cybersecurity standards, security careers in investigations and the unifying power of security. Diane Ritchey, past Editor-in-Chief, says goodbye and thank you to our readers.

View More Create Account

Self-sovereign identity: The true password killer

Related Articles

Report Abusive Comment