In the previous section we looked at how the digitalisation megatrend is driving the adoption of digital identity and argued that opt-in decentralised identity will compete with government-issued digital identity.
Let's be more specific with examples:
- privacy laws such as the EU's General Data Protection Regulation (GDPR) have transformed personally-identifiable information from an asset to a liability
- healthcare providers are seeking to transfer data back to identity owners through personal medical records
- education providers are seeking to cut costs by providing verifiable digital degrees and transcripts
- formal and continuing education is moving online, requiring digital identification and verifiable certificates of achievement
- digital artists are employing verifiable certificates of authenticity to protect artworks they publish online
- during the pandemic, governments armed their citizens with verifiable test and vaccination documents so that they could travel freely
- document management systems are beginning to incorporate anti-tampering features based on verifiable credentials
All of these examples demonstrate that there is a real need and a desire to deploy decentralised identity technology. Relevant international standards are also in place. But there are at least three challenges which are holding back broad adoption: wallet adoption, easy onboarding and universal verification.
Let's face it, no one wakes up one morning and says to themselves: "I really need to get a credentials wallet". Adoption is usually driven by a specific external requirement, such as the need to pass some KYC test, to present health credentials at an immigration checkpoint or to manage multiple academic certificates.
If a person has only one VC, they can just share the URL or a QR code pointing to the JSON data file. But if they have several, it's much easier to use a wallet in order to manage and share these credentials. The wallet is just a mobile app or a browser extension. It creates public-private keypairs for each credential, which eliminates the need for exchange of passwords. And all of these keypairs are tied to a single decentralised identifier (DID). All the user needs in order to unlock the capabilities of a credentials wallet is a single password - which they can change but should never share.
Key recovery is important when valuable information is being stored securely. The use of 12 words in a 'key phrase' is the most reliable and popular method for ensuring access to a wallet if you forget the password. When you set up the wallet, you'll be asked to write down 12 words and store them securely away from your computing device. Even if you lose your device, you can download the wallet app on a new device and recover the credentials with your key phrase.
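The reason 12 words are enough, and why a mistyped word is caught rather than silently producing a different wallet, is easiest to see in code. The following is an added example, not code from the article or from any particular wallet: it follows the BIP39 layout (128 bits of entropy plus a 4-bit SHA-256 checksum, sliced into twelve 11-bit word indexes, then stretched with PBKDF2-HMAC-SHA512) but uses a constructed placeholder wordlist instead of the real 2048-word English list.

```python
import hashlib
import secrets

# Constructed stand-in for the 2048-word BIP39 English list; any list of exactly
# 2**11 distinct words works for the encoding, the real list is just memorable.
WORDLIST = [f"word{i:04d}" for i in range(2048)]
WORD_INDEX = {word: i for i, word in enumerate(WORDLIST)}

ENTROPY_BITS = 128                                  # 12 words x 11 bits = 132 bits
CHECKSUM_BITS = ENTROPY_BITS // 32                  # 4 checksum bits
WORD_COUNT = (ENTROPY_BITS + CHECKSUM_BITS) // 11   # 12 words


def _checksum(entropy: bytes) -> int:
    """First CHECKSUM_BITS bits of SHA-256(entropy), as BIP39 specifies."""
    return hashlib.sha256(entropy).digest()[0] >> (8 - CHECKSUM_BITS)


def entropy_to_phrase(entropy: bytes) -> list:
    """Encode 16 bytes of entropy plus its 4-bit checksum as 12 words."""
    if len(entropy) * 8 != ENTROPY_BITS:
        raise ValueError("expected 16 bytes of entropy")
    bits = (int.from_bytes(entropy, "big") << CHECKSUM_BITS) | _checksum(entropy)
    total = ENTROPY_BITS + CHECKSUM_BITS
    # Slice the 132-bit string into 11-bit word indexes, most significant first.
    return [WORDLIST[(bits >> (total - 11 * (i + 1))) & 0x7FF] for i in range(WORD_COUNT)]


def phrase_to_entropy(words: list) -> bytes:
    """Decode 12 words back to entropy; rejects unknown words and checksum mismatches."""
    if len(words) != WORD_COUNT:
        raise ValueError(f"expected {WORD_COUNT} words, got {len(words)}")
    bits = 0
    for word in words:
        if word not in WORD_INDEX:
            raise ValueError(f"unknown word: {word}")
        bits = (bits << 11) | WORD_INDEX[word]
    entropy = (bits >> CHECKSUM_BITS).to_bytes(ENTROPY_BITS // 8, "big")
    if (bits & ((1 << CHECKSUM_BITS) - 1)) != _checksum(entropy):
        raise ValueError("checksum mismatch: a word was mistyped, swapped or omitted")
    return entropy


def new_phrase() -> list:
    """Fresh phrase from the OS CSPRNG; never derive recovery entropy from random.random()."""
    return entropy_to_phrase(secrets.token_bytes(ENTROPY_BITS // 8))


def wallet_seed(words: list, passphrase: str = "") -> bytes:
    """Stretch a validated phrase into the 64-byte seed the wallet derives its keys from
    (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase, as in BIP39)."""
    phrase_to_entropy(words)  # refuse to derive anything from a phrase that fails validation
    return hashlib.pbkdf2_hmac("sha512", " ".join(words).encode("utf-8"),
                               ("mnemonic" + passphrase).encode("utf-8"), 2048, 64)


if __name__ == "__main__":
    phrase = new_phrase()
    print(" ".join(phrase))
    print(wallet_seed(phrase).hex()[:32], "...")
```

The checksum is what makes a written-down phrase safe to restore from on a new device: with four checksum bits a single wrong word is rejected fifteen times out of sixteen instead of quietly restoring an empty wallet, and the wallet should refuse to derive keys until the phrase validates.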
One of the adoption challenges is deciding what level of trust is acceptable for different use cases. People will not start using DIDs if they have to provide a scanned passport image and selfie in order to onboard.
But for many digital services, like attending an online course, it is not necessary to obtain biometric proof of a user's identity. There is no need to show a driver's license or passport in order to take a business course. The course provider can recognise users based on their verified Twitter handle or LinkedIn profile. This is known as Social KYC and it has shown great promise in simplifying the onboarding process.
Once an individual has a credentials wallet and a DID, it is really simple to add Social KYC credentials such as a verified email address or LinkedIn profile. The process is slightly different for each credential, but to verify your email address, the service sends you an email with a code in it, and you retype the code to confirm you are in control of the email address. At that point, your verified-email credential is associated with your DID, and you can use services that require this level of trust.
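The email step above is a small challenge-response protocol, and the details that matter for security are the ones the paragraph leaves implicit: the code comes from a CSPRNG, only its salted hash is stored, it expires, it is single use, and wrong guesses are capped so a six-digit code cannot be brute-forced online. The following is an added example, not code from the article or any real Social KYC service; the `send_email` callable, the DIDs and the addresses are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 600   # the emailed code is useless after ten minutes
MAX_ATTEMPTS = 5         # five wrong guesses discard the challenge; a new email is needed


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode("utf-8")).digest()


@dataclass
class Challenge:
    did: str
    email: str
    code_hash: bytes      # the plaintext code exists only in the email, never in storage
    salt: bytes
    expires_at: float
    attempts: int = 0


class EmailVerifier:
    """Sends one-time codes and, on a correct reply, records a verified-email claim for a DID."""

    def __init__(self, send_email, clock=time.time):
        self._send_email = send_email            # callable(email, code); stubbed in the demo below
        self._clock = clock                      # injectable so expiry can be tested
        self._pending = {}                       # (did, email) -> Challenge
        self.verified = {}                       # did -> set of verified addresses

    def start(self, did: str, email: str) -> None:
        code = f"{secrets.randbelow(10 ** 6):06d}"   # six digits from the OS CSPRNG
        salt = secrets.token_bytes(16)
        self._pending[(did, email)] = Challenge(
            did, email, _hash_code(code, salt), salt, self._clock() + CODE_TTL_SECONDS)
        self._send_email(email, code)

    def confirm(self, did: str, email: str, submitted: str) -> bool:
        challenge = self._pending.get((did, email))
        if challenge is None:
            return False
        if self._clock() > challenge.expires_at:
            del self._pending[(did, email)]
            return False
        challenge.attempts += 1
        # Constant-time comparison of hashes, so timing does not leak matching digits.
        if not hmac.compare_digest(_hash_code(submitted, challenge.salt), challenge.code_hash):
            if challenge.attempts >= MAX_ATTEMPTS:
                del self._pending[(did, email)]   # caps online guessing at 5 of 10**6 codes
            return False
        del self._pending[(did, email)]           # a code is single use
        self.verified.setdefault(did, set()).add(email)
        return True


if __name__ == "__main__":
    outbox = []   # constructed stand-in for the mail transport
    verifier = EmailVerifier(lambda to, code: outbox.append((to, code)))
    verifier.start("did:example:alice", "alice@example.com")   # constructed DID and address
    _, code = outbox[-1]
    print("email delivered code", code)
    print("confirm:", verifier.confirm("did:example:alice", "alice@example.com", code))
    print("replay:", verifier.confirm("did:example:alice", "alice@example.com", code))
```

Binding the challenge to the (DID, email) pair is what ties the resulting credential to the wallet's identifier rather than to whoever happens to hold the inbox; a real issuer would then sign a credential naming the DID as subject.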
The greatest challenge to broad adoption is the lack of truly independent verification. Methods of certificate verification were never formalised as a standard, instead leaving it up to industry to decide. This has resulted in different vendors using different methods to verify their own certificates. So vendor A creates certs that cannot be verified by vendor B, and vice versa. Academic certificates cannot be verified using the same tools as health certificates or certificates of artwork authenticity.
Trust is built on independent verification. A universal verification service would make it possible for an independent service provider to verify certificates from many different vendors. Such a service would be able to verify certificates of any type as long as they comply with the Verifiable Credentials data model. With universal verification, firms like KPMG, EY and Refinitiv could offer free public verification.
How can this be achieved? Actually it is not so difficult. If several vendors agree on a framework, verification can be modular and implemented via plugins. The framework would define which steps are required for successful verification and then each vendor could implement their own methods to do the job.
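A framework of the kind described above, with fixed verification steps and vendor-supplied plugins, as an added example that is not code from the article or from any vendor or standards body. The framework fixes four steps (structural check against the Verifiable Credentials data model, issuer DID resolution, proof verification, validity window) and lets vendors register a resolver per DID method and a verifier per proof type. The two vendor suites, the `did:example:` identifiers and the key directory are constructed; both suites use HMAC-SHA256 as a standard-library stand-in for a real signature suite such as Ed25519Signature2020, differing only in what they canonicalise, which is exactly the situation where vendor A's tool cannot verify vendor B's certificate but the shared framework can.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Callable, Dict, Optional, Tuple

KeyResolver = Callable[[str], Optional[bytes]]        # DID -> issuer key material, or None
ProofVerifier = Callable[[dict, dict, bytes], bool]   # (unsigned credential, proof, key) -> valid?


class VerificationFramework:
    """The steps are fixed by the framework; DID resolution and proof checking are plugins."""

    def __init__(self):
        self._resolvers: Dict[str, KeyResolver] = {}      # DID method -> resolver plugin
        self._proof_types: Dict[str, ProofVerifier] = {}  # proof type -> verifier plugin

    def register_did_method(self, method: str, resolver: KeyResolver) -> None:
        self._resolvers[method] = resolver

    def register_proof_type(self, proof_type: str, verifier: ProofVerifier) -> None:
        self._proof_types[proof_type] = verifier

    def verify(self, credential: dict, now: Optional[datetime] = None) -> Tuple[bool, str]:
        """Run every step in order; the first failing step's reason is returned."""
        now = now or datetime.now(timezone.utc)
        # Step 1: structural check against the properties the VC data model requires.
        for key in ("@context", "type", "issuer", "credentialSubject", "proof"):
            if key not in credential:
                return False, f"missing {key}"
        if "VerifiableCredential" not in credential["type"]:
            return False, "type does not include VerifiableCredential"
        # Step 2: resolve the issuer DID via the plugin registered for its DID method.
        issuer = credential["issuer"]
        if not issuer.startswith("did:") or issuer.count(":") < 2:
            return False, "issuer is not a DID"
        method = issuer.split(":")[1]
        resolver = self._resolvers.get(method)
        if resolver is None:
            return False, f"no resolver for DID method {method}"
        key = resolver(issuer)
        if key is None:
            return False, "issuer DID could not be resolved"
        # Step 3: check the proof via the plugin registered for its proof type.
        proof = credential["proof"]
        verifier = self._proof_types.get(proof.get("type"))
        if verifier is None:
            return False, f"unsupported proof type {proof.get('type')}"
        unsigned = {k: v for k, v in credential.items() if k != "proof"}
        if not verifier(unsigned, proof, key):
            return False, "proof does not verify"
        # Step 4: validity window (validFrom/validUntil in VC DM 2.0, issuanceDate/expirationDate in 1.1).
        not_before = credential.get("validFrom") or credential.get("issuanceDate")
        not_after = credential.get("validUntil") or credential.get("expirationDate")
        if not_before and now < _parse_ts(not_before):
            return False, "credential not yet valid"
        if not_after and now > _parse_ts(not_after):
            return False, "credential expired"
        return True, "ok"


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Two constructed vendor suites: same MAC, different canonicalisation of the credential.
def _canon_a(c: dict) -> bytes:
    return json.dumps(c, sort_keys=True, separators=(",", ":")).encode()


def _canon_b(c: dict) -> bytes:
    return (c["issuer"] + "\n" + json.dumps(c["credentialSubject"], sort_keys=True)).encode()


DEMO_SUITES = {"VendorAHmacProof": _canon_a, "VendorBHmacProof": _canon_b}
# Constructed key directory standing in for DID document resolution.
DEMO_KEYS = {"did:example:uni-a": b"vendor-a-demo-key", "did:example:health-b": b"vendor-b-demo-key"}


def _hmac_plugin(canon) -> ProofVerifier:
    def verify(unsigned: dict, proof: dict, key: bytes) -> bool:
        expected = hmac.new(key, canon(unsigned), hashlib.sha256).hexdigest().encode()
        return hmac.compare_digest(expected, str(proof.get("proofValue", "")).encode())
    return verify


def sign_demo(credential: dict, proof_type: str) -> dict:
    """Issue a credential under one of the demo suites (what each vendor's issuer would do)."""
    mac = hmac.new(DEMO_KEYS[credential["issuer"]], DEMO_SUITES[proof_type](credential), hashlib.sha256)
    return {**credential, "proof": {"type": proof_type, "proofValue": mac.hexdigest()}}


def build_framework() -> VerificationFramework:
    fw = VerificationFramework()
    fw.register_did_method("example", DEMO_KEYS.get)
    for proof_type, canon in DEMO_SUITES.items():
        fw.register_proof_type(proof_type, _hmac_plugin(canon))
    return fw
```

Because the framework, not the plugin, decides which steps run, a vendor plugin can only say whether its own proof is valid; it cannot skip the structural, issuer or expiry checks, which is what makes the result trustworthy as independent verification rather than as a vendor's self-assessment.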