Self-Sovereign Identity (SSI): understanding the concept

Self-Sovereign Identity or the digital identity revolution

‍

With the digitization of our society and the dematerialization of the vast majority of exchanges, the question ofdigital identity is at the center of everyone's concerns. From opening a bank account to paying your gas and electricity bills, or booking an appointment with your GP, digital interactions between organizations and individuals have multiplied, often for the better (booking an appointment in 2 clicks is an easy experience), sometimes for the worse (with the loss of control over one's own personal data and how it is used). 

Today, the issue of trust and security in the digital realm has become more crucial than ever. The years 2021 and 2022 witnessed an alarming increase in data breaches, with over 2.6 billion personal records compromised (1.5 billion in 2022 according to Verizon Data Breach Investigations Report (DBIR) by Verizon Cyber Security Consulting Research in 2023), illustrating growing vulnerability to cyberattacks and data leaks. This worrying trend continued in 2023, where in the first eight months of the year, more than 360 million people fell victim to corporate and institutional data breaches. These alarming figures underline the urgent need to rethink digital identity management systems, naturally pointing towards increased adoption of the Self Sovereign Identity concept as a response to growing concerns about data security and privacy.

‍

Definition of Self-Sovereign Identity

‍

Self-Sovereign Identity (SSI) describes an approach in which the individual should be able to control and manage his or her digital identity, without the intervention of a third-party administrative authority. This user-centric approach - where the individual has full power and control over the management of his or her personal data - is currently lacking in most user experiences on the Internet, where such data is stored, managed and used by online service providers, sometimes without the Internet user being fully aware of the scope of use of his or her data. Self Sovereign Identity puts the individual back at the heart of the digital experience.

In fact, SSI is simply inspired by the physical world within which :

1) Everyone is free to share personal information about themselves.

2) service providers ask for information that they strictly need to provide access to their services (unlike many online services, which ask you for additional personal information and data that is not required to access a service).

Thus, in the real world, a student who wishes to benefit from a discount at a museum presents his or her student card, a traveller applying for a tourist visa provides the supporting documents requested by the country of destination, an employee who wishes to benefit from a company discount for his or her gym membership provides his or her employment contract.

You've got it: in the physical world, you only ask for what you need to get access to a service.

SSI replicates this approach in the digital world, putting the individual and his or her personal data back at the heart of the experience. In this model, to create an account on a social network, you would need nothing more than an e-mail address, a password and proof of age. Service providers and other access suppliers would collect only the information strictly necessary for their services, no more, no less (no more tracking your online behavior to access an e-mail service or a social network). Above all, you will now be able to control third-party services' access to your personal data, with the option of revoking it at any time.

‍

At the heart of the decentralized identity model lies the fundamental concept of the trust triangle, which is essential to understanding how human trust relationships are translated and preserved in the digital environment. This model is based on three pillars: issuers, holders and verifiers.

• Issuers are the entities that create and issue verifiable attestations. These attestations may be identity documents, professional qualifications, proof of domicile, or any other evidence needed to prove an aspect of a person's identity or skills.
• Holders are the individuals or organizations who possess these credentials. They store them in a secure digital wallet and have the power to decide what information to share, with whom, and in what context.
• Verifiers are parties interested in verifying the authenticity of certificates provided by holders. They may be employers, financial institutions, government departments, or any other entity requiring proof of identity or qualification.

Today's technologies allow the digital ecosystem to take the lead in Self Sovereign Identity in its product and service offering, giving control of credentials back to end users.

It's a small revolution that will require some adjustments on the part of digital players, whose business models are based, for the most part, on the exploitation of this personal data, and above all the application of new regulations to frame industry practices as the latest European regulations do: the RGPD, the DMA and especially the eIDAS 2 regulation.

‍

What's new in recent regulatory development?

While the concept of Self Sovereign Identity promises an innovative digital experience, it is not new. In 2016, Christopher Allen published a blog post detailing the 10 principles of decentralised identity - Existence, Control, Access, Transparency, Persistence, Portability, Interoperability, Consent, Minimisation and Protection - of which you can find more exhaustive descriptions on page 38 inour white paper.

What has really changed the game on this approach in recent years has been the emergence of new technologies and the application of a regulatory framework that make ISS possible. The RGPD or even the eIDAS regulation are working to secure data and provide a framework for expressing ISS.

Europe is positioning itself at the heart of the process, with innovative initiatives focused on Self Sovereign Identity. This is notably the case with eIDAS 2, which creates a framework for digital trust, and the European Digital Identity project, which would be a self-sovereign digital identity that could be used anywhere in Europe.

‍

eIDAS 2.0: towards a more coherent digital space

eIDAS 2.0 follows on from the original 2016 regulation, which aimed to facilitate secure electronic transactions within the EU. While the first version laid the foundations for a digital trust area, it also revealed inconsistencies in its application across different member states, hindering uniformity in electronic identification and trust practices.

With the second version of eIDAS 2.0, adopted by the European Parliament in February 2024, Europe is committed to overcoming these challenges by defining clearer guidelines and introducing precise obligations for all players. By including Qualified Trusted Service Providers (QTSPs) within its scope, eIDAS 2.0 ensures that they meet high standards of security and reliability, guaranteeing optimum protection for users.

‍

European Digital Identity Portfolio

One of the pillars of eIDAS 2.0 is the creation of a European Digital Identity (EUDI) wallet for every EU citizen, resident and company wishing to adopt it. This tool aims to equip at least 80% of EU citizens with a digital identification solution by 2030, facilitating their secure interactions across the Union.

Digital identity portfolios will enable users to manage their personal data securely and centrally, offering greater control over information shared with services requiring specific identity attributes. This focus on the needs of consumers and citizens marks a significant evolution from the initial B2B-centric vision of eIDAS.

As a reminder, the eIDAS regulation applies to electronic identification, trust services and electronic documents with a view to securing personal data and preserving the digital identity of every European citizen.

‍

‍

How decentralized digital identity can support ISS?‍

The emergence of Self-Sovereign Identity (SSI) marks a revolution in digital identity management, promising users greater control over their personal data. However, realizing this vision required an infrastructure capable of supporting the fundamental principles of SSI: autonomy, security and interoperability. It was in this context that blockchain, with its inherently decentralized nature, played a decisive role.

Contrary to what many might think, the application of blockchain goes far beyond cryptocurrencies and NFTs (Non-Fungible Tokens). At the heart of its utility lies the ability to facilitate direct peer-to-peer relationships, without a third party having to own or control those relationships. This characteristic is fundamental to the decentralized identity model that is part of the ISS philosophy.

Decentralised digital identity, based on blockchain, is all the more relevant as the user directly administers his own digital identity thanks to the use of a distributed registry architecture. It is a first choice alternative to the current model, which means that each time an account is created to access a service (banking, social network, mutual insurance company, etc.), the user's digital identity is managed in databases specific to each service provider.

This centralisation increases the points of failure and is accompanied by an accumulation of personal data at the technology giants.

Today, with the proliferation of online services, the number of user profiles created is uncountable. It is estimated that one person has around 150 different accounts, i.e. 150 different points of entry to the personal data of a single individual, who rarely knows how his or her personal information will be used by service providers (who are not invulnerable to cyber-attacks, as the numerous security breaches of recent years demonstrate).

Digital portfolios for citizens and businesses

Digital wallets play a crucial role in the decentralized identity model by storing verifiable attestations of identity attributes. Similar to a physical wallet that holds ID cards, driver's licenses and other important documents, a digital wallet offers an elegant solution for storing, protecting and managing digital identities.

• Secure storage: Digital wallets provide a secure place to store private cryptographic keys and verifiable credentials, ensuring that only the rightful holder can access and use this information.
• Easy access and sharing: Users can easily access their certificates and present them selectively to auditors, without having to disclose more information than is necessary for the current transaction.
• Interoperability: Digital wallets are designed to be compatible with different systems and standards, enabling users to navigate the digital world with a unified, recognized identity across a range of services and platforms.

Digital wallets don't just store verifiable credentials; they also facilitate secure, authenticated transactions, boosting efficiency and trust in digital exchanges. By incorporating digital identity management into accessible, user-friendly wallets, the decentralized identity model promotes a new era of digital sovereignty for users, giving them full control over their identity and personal data in the digital world.

What uses for SSI?

SSI enables a much smoother, more secure user experience for the Internet user. ISS will impact many sectors and reinstate digital trust for both individuals and businesses.
‍
Here are just a few examples:
‍

For Individuals
‍

• Finance and Banking: SSI simplifies the banking process by making account creation, transactions and transfers secure. It allows users to prove their identity securely without disclosing unnecessary information, facilitating access to personalized, secure financial services.
• Education: In the education sector, ISS enables simplified, secure management of academic records. Students can easily share their diplomas and study certificates with institutions or employers, while preserving the confidentiality and authenticity of these documents.
• Healthcare: ISS is transforming access to healthcare services by making it easier to book appointments, manage medical records and register with mutual insurance companies. This approach ensures better protection of sensitive data and facilitates communication between patients and healthcare professionals.
  ‍

For Companies
‍

• Authentication and identity management: Companies benefit from SSI to offer a frictionless authentication experience, while strengthening security. This eliminates cumbersome authentication processes and reduces the risk of fraud.
• Compliance and data security: With ISS, companies can better comply with data protection regulations, such as the RGPD, by giving users control over their information. This helps build digital trust and minimize the risk of data breaches.
• Simplifying onboarding processes (KYC- KYB- KYE): Whether for new employee integration or customer acquisition, ISS streamlines and secures onboarding processes by verifying identity in an efficient and privacy-friendly way.
• Procurement and supply chain: In the procurement sector, ISS can be used to verify product authenticity and supplier reliability, improving transparency and confidence in the supply chain.
  ‍

The Archipels d'identité solution adopts an SSI approach

Archipels is well aware of the complex technical issues involved in a company's SSI approach, and offers turnkey solutions enabling companies and public authorities to opt for a digital identity system based on the Self-Sovereign Identity approach. From automatic identity verification to the issuing of certificates, Archipels adapts to all your use cases, while respecting the confidentiality of your end-users and complying with European regulatory standards on data security. 

In this way, companies can completely revolutionise their approach to data management and digital security of their users, while substantially improving the user experience - from onboarding to monitoring of users and customers - and thus increase their revenue.

If you'd like to explore Self-Sovereign Identity with us, please get in touch !