- How the centralized model for personal data management works
- How the federated personal data management model works
- How the SSI model works for personal data management
What is a digital identity? This is an increasingly topical question in a world that is becoming more and more digitalised and shifting its services from the physical world to the IT world. From a technical point of view, a digital identity consists of a set of information cataloged within a computer system and managed by a centralized entity that owns that computer system.
Beyond this simple definition, digital identity is now part of all of us. It is the way we identify ourselves in our online interactions, which now account for a large part of our daily interactions.
Self Sovereign Identity, a concept we started to explore in this article, is a new model of digital identity management, which is much more individual-centred. Several models of digital identity management have followed one another to date, and it is very important to know them in order to understand how the Self Sovereign Identity is a radical innovation in this field.
There are three main digital identity models to date:
- Centralized Model
- Federated Model
- Self-Sovereign Identity model
The Internet, a technology that is increasingly used in our daily lives, has presented us with the challenge of identifying the ever-growing number of online users. For this reason, the use of digital identities has grown together with the Internet. It is in this context that the term ‘identity provider’ was coined. Identity providers are entities that, from the outset, have been responsible for creating and managing the digital identities of users, identified by means of specific attributes (such as e-mail and passwords).
The centralized model of digital identity is also called the ‘Silos Model’. Within this model, as mentioned before, the organisation that creates the user identity for its service remains the central point of the model.
To understand what is meant by a centralized digital identity model, one can think of all those services where it is necessary to create an account with the organisation (e.g. Facebook) that runs that service. The identity and all related information is stored and represented within the account.
Within this model, users can create their own digital identity (often in the form of an ‘account’). The identity is then effectively centralized by the organisations that act as identity providers (which in this case is also the service provider itself) and allow users to access services, for example by requesting ‘secrets’ that only the user can know, such as a password or PIN.
All the user’s personal data is stored within the organisation’s internal databases, also called ‘Silos’ (hence the name ‘Silos model’).
The centralized model makes users completely ‘dependent’ on the organisations that hold their data, and brings with it some potential risks and weaknesses:
- Since most personal data is held within centralized databases, there are cyber security risks due to the fact that a leak of the organisation’s database would expose sensitive user data (as seen in the many hacking incidents that have occurred in recent years, the latest in time being EasyJet);
- Centralized digital identity systems have created what is known as the ‘multiple identity phenomenon’. Users now find themselves having a different digital identity for each service they use: Facebook, LinkedIn, Google, and any other account they may hold online. This makes the user’s online experience more complicated and they have no way of managing all their data within the same digital identity.
The centralized model is a simple model for organisations to use and to implement. It allows companies to store the data of their users, and in this way keep a constant relationship with the user (as long as he or she uses the service offered). On the other hand, this model can potentially present security problems, as already seen in several cases where users’ personal data have been stolen by hackers or have been somehow exposed on the Internet. Moreover, this model does not have an approach that aims at better management for the user, but only for the organisations that hold the data, creating phenomena such as multiple identities.
The centralized identity management model presents some problems in terms of how the user’s experience of managing their online identity is handled. For this reason, over time, a transition has been observed towards what is known as the federated model. The main player of this identity model is the identity provider (IDP), which acts as a ‘bridge’ between the user and the service the user is accessing.
In the case of the federated model, the entity that actually ‘holds’ the user’s digital identity and associated data is the identity provider. The user is able to use his digital identity with the various services, always ‘passing’ through the IDP, which remains at the core of the model.
An Italian example of an IDP is SPID: through a single identity, held with one of the providers that is part of the ‘Federation’, the user is able to access several services. Another example of federated digital identity management is represented by Google: a Google user can now access several services in a federated manner through his Google account (one can simply think of public Wi-Fi networks, which require the user to identify himself by logging in to his Google or Facebook account).
This model of digital identity management makes it possible to avoid the phenomenon of multiple identities for users, who through a single identity can enjoy a Single Sign-On experience. At the same time, in this model too, just as in the centralized one, a user is not the true owner of his or her ‘digital’ data, which are instead always held by a third party, i.e. the identity provider. For this reason, a federated digital identity model places a heavy burden on the provider, who has to ‘be present’ in every access by the user to online services. This, as can be deduced, also poses privacy risks to the user, since the identity provider can effectively ‘monitor’ the services used with the user’s digital identity.
Self Sovereign Identity model
A new and completely revolutionary way of managing digital identity is represented by the Self Sovereign Identity paradigm. The SSI concept is completely user-centric, with the user being the sole and independent owner of his or her digital identity and all associated data.
Self Sovereign Identity is a model that differs from the previous ones and aims to ensure that the user remains the sole owner of his or her data (from the term Self-Sovereign), thanks to the use of protocols such as Blockchain. In fact, the models described above use a ‘centralised name system’ as a database to store the various identity-related information. SSI replaces this by using the blockchain, creating what is known as a ‘decentralised name system’. It should also be noted that thanks to the essential characteristics of a blockchain, such as immutability and resilience (no downtime), the Self-Sovereign Identity model boasts greater security for all actors involved.
Self-Sovereign Identity is a concept that is enabled by a number of innovations, such as the DID and Verifiable Credentials standards that are being defined. The topic will be explored through a series of guides covering every aspect of this new digital identity paradigm.
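The difference between the federated and SSI models described above, as an added example that is not part of the original article: in the federated flow the IDP signs an assertion at every login and so sees each service, while in the SSI flow the issuer signs once and each service verifies the credential against a key registry. The `registry` Map is a hypothetical stand-in for the decentralised name system, the `did:example:` identifiers and service names are constructed, and the JSON payloads are simplified and do not follow the DID or Verifiable Credentials data formats.

```javascript
const crypto = require('node:crypto');
const SERVICES = ['shop.example', 'bank.example', 'wifi.example']; // constructed names

// Federated model: every login passes through the IDP, so it learns each service used.
function createIdp() {
  const { privateKey } = crypto.generateKeyPairSync('ed25519');
  const accessLog = [];
  return {
    accessLog,
    login(user, service) {
      accessLog.push({ user, service });
      const assertion = Buffer.from(JSON.stringify({ user, service }));
      return { assertion, sig: crypto.sign(null, assertion, privateKey) };
    },
  };
}

// SSI model: hypothetical stand-in for the decentralised name system (DID -> public key).
const registry = new Map();

function createIssuer(did) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  registry.set(did, publicKey);
  const issuanceLog = [];
  return {
    issuanceLog,
    issue(subject, claims) {
      issuanceLog.push({ subject });
      const payload = Buffer.from(JSON.stringify({ issuer: did, subject, claims }));
      return { payload, sig: crypto.sign(null, payload, privateKey) };
    },
  };
}

// The verifier resolves the issuer key from the registry; the issuer is not contacted.
function verifyCredential(cred) {
  let issuerDid;
  try { issuerDid = JSON.parse(cred.payload.toString()).issuer; } catch { return false; }
  const publicKey = registry.get(issuerDid);
  return publicKey !== undefined && crypto.verify(null, cred.payload, publicKey, cred.sig);
}

function compareModels() {
  const idp = createIdp();
  SERVICES.forEach((s) => idp.login('alice', s));
  const issuer = createIssuer('did:example:issuer');
  const cred = issuer.issue('did:example:alice', { over18: true });
  const accepted = SERVICES.filter(() => verifyCredential(cred)).length;
  const forged = { payload: Buffer.from(cred.payload.toString().replace('true', 'false')), sig: cred.sig };
  return { idpSaw: idp.accessLog.length, issuerSaw: issuer.issuanceLog.length, accepted, forgedOk: verifyCredential(forged) };
}
```

`compareModels()` returns how many events each party observed: the IDP records one entry per service, while the issuer records only the single issuance, and a credential whose claims were altered after signing is rejected.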