Let's dig in...
Watch the first episode of #GameChangers, hosted by Colin Iles, sponsored by Sybrin. He asks the question: "Is self-sovereign identity going exponential?" Together with Andrew Baker, Head of EC2 Engineering at AWS, and Lohan Spies, Chair of the Sovrin Steward Council, they explore the concept of Self-Sovereign Identity (SSI) in detail, discussing what profound implications SSI will have and whether it is indeed the next game changer?
The Inevitable Rise of Self-Sovereign Identity, a whitepaper from the Sovrin Foundation, says: Even with all the progress in online identity, we are still a long way from an internet identity system that works the same way the internet does. The internet was designed to allow any device to send messages to any other device without any administrative authority's permission, meaning the internet can route around any attempts to keep those messages from getting through. An identity system like the internet would allow any person, organisation, or entity to have an identity relationship with each other - and to do this without the need for authorisation from someone else. Because anyone can use these identities and the resulting relationships without an intervening authority, they're called "self-sovereign." Sybrin's Group CEO Marius Maré said:
Our objective for today is to make a contribution to building knowledge around sovereign-identity, as we think it is a key building block in our digital journeys going forward.
Marius Maré
Group CEO
Identity is contextual.
On identity, Andrew Baker said: "Identity is Contextual. I have a job, so I have an identity there, email address, everything. We have many, many different contexts for identity, and unfortunately, we have to manage all of those independently, and I guess that's where self-sovereign is super exciting to me - and the other thing that stands out to me is if you put an Africa lens on it as well." Continuing, Baker mentioned:
We have very poor identity for a large portion of our population, especially when you consider it digitally. And that for me, I think that that must be a massive obstacle from a service perspective. So, enabling banking for unbanked, right at the core of that is identity issues. So, I think if we get this right, not only will it remove admin, risk, and fraud, it will create a huge opportunity from a financial picture perspective.
Andrew Baker
Head of EC2 Engineering at AWS
We needed a solution.
Online identity is constantly evolving. In 2005, most online systems were merely usernames and passwords, and many companies relied heavily on directories as a primary identity tool. Before, interactions to confirm identity came with several issues, including a terrible customer experience. Fast forward a few years, new requirements like mobile and new services like social media and the pandemic have given us identity systems that are much more sophisticated, flexible, privacy-protecting, and user-controllable than anything possible before. Andrew says: "You can imagine the complaints that you get in anger, and the trauma that that creates because there is no route of trust on digital identity. The only thing about the internet itself, you've got DNS. So, the only identity on the internet is the thing that you're going to; it's never the source, it's always the destination - and that's where sovereign comes in and completely turns the game around so that both parties know who's dealing with who."
To really solve the problem of self-sovereign identity, we needed a solution, just like Bitcoin is. Basically, replacing the intermediary trust in banks and putting the trust into the mathematics of the blockchain protocol itself, we needed the solution to move away from a centralised institution and into this notion of DLT blockchain, where everybody can trust the same ledger. But they can effectively operate on an open ecosystem. To solve the problem of self-sovereign identity or digital identity in general, we never really could do that until the concept of blockchain came along. Because once that happened, we could actually start by providing identities and say, "You know what? Everybody can play this game. Everybody can issue and utilise the notion of digital identity." But we all trust this distributed/decentralised network to make sure that we know who is who, and with whom information is shared, in this ecosystem. So, it was really a technological breakthrough that made this identity concept of self-sovereign identity a reality.
Lohan Spies
Chair of the Sovrin Steward Council
Self-sovereign identity is well-positioned to significantly improve, not only the way internet services work, but also the verification of identities in instances where verification is required for regulatory requirements, or confirmation of identity. Heavy reliance on outdated, individualistic identity models will be a thing of the past, along with the high costs of their maintenance. The evolution of existing services will be rapid in order to gain an edge on this new public utility for identity. SSI will also give rise to new services and markets whose development could have never been achieved before. As Marius Maré said: “… it always reminds me of the work of Joel Barker, back in the 80s, … if the paradigm shifts, we all go back to zero. And I think as these things are starting to become easier, there will be a point where the paradigm will shift, and then we'll see real take-off. And I think in the meantime, there are convenient use cases that we can follow to use SSI in closed-loop environments, to make it easier for consumers, and then they'll have a good experience…”
Q&A Session.
Some questions, indicated with an *, have been answered below, while others are answered in the video.
What would the time span of such a verification token be? Currently, for FICA (eKYC), banks retain proof over time - will they then only reference per transaction - i.e., the onus is moved away from the bank as a source of verified information?
Answered Live
Can the Issuer revoke a credential (i.e., it's not like my ID number or fingerprint)? For example, Home Office gets hacked and need to re-issue all identities, or the individual's private key gets compromised. How does the verifier get notified in a timely manner?
Answered Live
Do you see this being the vehicle that enables the ability for an individual to biometrically verify who they are anywhere in the world? I.e., I am me, no matter where I go?
Answered Live
This great concept obviously requires that as many Issuers as possible adopt this technology. How do you pilot this and how do you transform an organisation like the SA Home Affairs to be part of it?
Answered Live
*Can you have a date-range for Just-In-Time verification? We do "perpetual KYC" whereby we KYC all clients every day, so we would like to request that we will verify on a periodic basis (perhaps with an expiry date), not just once?
You can date-range from the information in the credential and base rules on acceptable date ranges.
*With Bitcoin for instance, if I lose my private key, I lose access to my wallet, and it is almost irrecoverable for the non-technical person. What if I lose my identity private key?
Same scenario, i.e., it is paramount to securely backup your private key and wallet data to ensure recoverability. So, in reality, there is a very long time period for full civilisation adoption due to technology resistance in age groups and specific markets.