Self-Sovereign Identities
SSI is driven by the EU and large companies with millions of euros – for user-friendly and user-centric identity management
Self-sovereign identities (SSIs) organize human and machine identity data in a digital wallet – always up-to-date and under complete user control. If required, the user can share existing identity data for very fast 1-click onboarding.
With SSI, service providers save themselves time-consuming identity management and can access consistent and up-to-date identity data in different applications.
SSI is funded, for example, by the German government with 50 million euros, and numerous large companies are already successfully testing SSI and learning about its benefits.
There are many possible applications for SSI.
Would you like support with your SSI project?
SSI Is a New Kind of Digital Identity Management
SSI organizes organizations’ master data into a single point of truth and allows fast and cost-effective onboarding
Self-sovereign identities are a new and promising approach to digital identity management, helping to organize user master data and to onboard users into your processes.
SSI redefines identity management. SSI can be expected to fundamentally change existing structures.
SSI Is the Latest Evolution of Digital Identities
Role model: Analog identities
Source of image: Wikipedia
The world of analog identity information consists primarily of plastic cards in credit card format: ID card, credit card, driver’s license, health insurance card, club membership card, etc.
If a credential is required when signing up for a service, such as creating a bank account, we can show (a photo of) a plastic card. The service can check whether a credential is authentic based on the security features of the card. Basically, the service will trust the issuer of the cards. Interaction with the issuer is not required. In a similar way, these processes are supposed to be fully digital in the future and run automated in the background during a service registration.
Isolated identities
Image source: Screenshot from zeit.de
Each service on the Internet collects and manages user data and proof of identity itself.
Isolated identities entail a great deal of work for both users and service providers. The same data must be entered or uploaded over and over again.
Access data for dozens of accounts must be memorized. Often the same password is used, which leads to security problems.
Users have to maintain their data in dozens of accounts. This is time-consuming and error-prone. Data in some accounts will be out of date or incorrect.
Federated identities
Image source: Screenshot from crunchbase.com
Federated identities are offered by identity providers such as Google or Twitter on the Internet. Identity providers are both issuers and holders of the identity. Users can use an identity with third party providers for single sign-on given the consent of the identity provider.
The federated identities model builds on the permission of the identity provider to use an identity. In principle, the permission can be withdrawn at any time. Or in the event of an error or hack, the data can be compromised or lost. This would result in the loss of access to all services for which the identity was used during registration.
Users have a very high dependency on the identity provider in this model. Identity providers learn about all interactions with services in which the identity is used and can exploit this data for their own purposes.
For serious KYC, in which the authenticity of an identity must be ensured, federated identities of social media are not sufficient.
Self-sovereign identities
Self-sovereign identities (SSIs) work along the lines of analog identities, transferring how they work to the digital. Thus, SSI combines the advantages of single sign-on with the principle of user control and respect for privacy.
With SSI, plastic cards are replaced with digital, signed Verifiable Credentials.
Image source: https://www.w3.org/TR/vc-data-model/#ecosystem-overview
The three roles in the SSI model are:
- Holder: the holder of an identity. Verifiable Credentials are held in a private digital wallet, e.g., on a cell phone.
- Issuer: a trusted issuer of Verifiable Credentials. To ensure general comprehensibility in different domains and contexts, Verifiable Credentials follow certain structures that are stored as schemas in a public “Verifiable Data Registry”.
- Verifier: for example, a service provider that requests verifiable credentials from its customers. For this purpose, the holder presents a Verifiable Credential issued by an issuer at the push of a button. The verifier can automatically check the credential against the signature.
Principles of SSI
According to Allen, self-sovereign identities are characterized by:
- An independent digital identity
- Complete user control
- Consent of the users when using the identity
- Users can access all aspects of their identity
- Transparency of the SSI system through open source, usable by all
- Portability of an identity between applications
- Interoperability between many application areas
- Minimization: As little data as possible is disclosed in each case
- Protection of user rights
- Longevity of identities – usability should be maintained, but identity can be deleted if needed
Advantages of SSI
Self-sovereign identities offer the following advantages for their users and especially for companies:
The efficiency of business processes can be significantly increased by using SSI. In particular, the onboarding of customers in lengthy registration processes is extremely simplified. Inhouse “know-your-customer” infrastructure can be largely eliminated. Instead, customers can register with one click, similar to social sign-on.
With SSI, users and customers can be quickly identified. Required proofs of their identity are transmitted digitally signed.
By making onboarding easier, companies can focus on their core processes.
The way Self-Sovereign Identities are used is similar to social sign-in, e.g. logging in with your Google account at a third party provider. This ease of use is combined with a high level of user control and privacy.
The user is at the center of Self-Sovereign Identities. Commercial exploitation of identity information by social profile providers is no longer required for users to experience the simplicity of single sign-on. Users have control over their data and can use identity information in any application and at different levels of granularity.
There Are Multiple Applications for SSI
SSI enables fast onboarding of customers into processes and saves effort
Cutting Short KYC
Would you like to save the costs of the time-consuming collection of customer data and ensure the authenticity of the data? SSI will contribute to this in the future by allowing customers to manage their own data and credentials in their wallet and to only have to release it when logging into services. This is similarly convenient for customers as sign-on with social media accounts
Providing Credentials Digitally
Today’s service enrollment processes are form-based and credentials must often be digitized on your own and submitted. Video sessions can be used to verify identities and must be repeated for each signup. With SSI, credentials are available digitally signed. Thus, credentials can be used again and again without effort and the correctness of credentials can be checked automatically by the recipient.
Simply Taking Identities Along
Until now, silo structures in application landscapes have prevented the transfer of customer data to another provider. SSI fundamentally changes this through application-independent self-management of customers’ data. Thus, identity information can be carried across previous borders. This also applies to previously existing hurdles within an organization, where users had to register separately for different processes.
SSI is Successfully Piloted Worldwide
The technology is available, SSI networks are emerging, and Verifiable Credential ecosystems are growing
IDUnion: Identity Network From Germany
IDUnion is a major German initiative to build a distributed identity network using blockchain and SSI technology.
The network allows secure identification of actors and ensures the authenticity of information exchanged by actors. References to identities can be made discoverable in the network. Identity information, however, remains under the control of the respective users.
IDUnion is driven by over 50 organizations, including major companies such as Bosch, Siemens, Deutsche Bank, Deutsche Bahn, Deutsche Post and Deutsche Telekom.
The Federal Ministry of Economics and Technology is funding IDUnion with 15.6 million euros.
51nodes is an associated partner of IDUnion.
Image source: Screenshot of idunion.org
GAIA-X: Self-Determined Data Exchange
GAIA-X is a large, publicly funded initiative to build a data exchange infrastructure according to European standards against the backdrop of a market dominated by American cloud providers.
At GAIA-X, self-sovereign identities are used as a central building block and as a basis for the exchange between actors on the data platform.
GAIA-X aims to use SSI technology to ensure users retain sovereignty over their data. Trust anchors are possible so that digital credentials relating to identities can be trusted and exchanged securely.
The decentralized nature of GAIA-X allows various associations of actors, called federations, for networking and exchanging information based on the data exchange infrastructure. In a federation, members have the opportunity to determine their own rules of cooperation and who may participate.
Catena-X Automotive Network
Catena-X is developing a cross-company data ecosystem for automotive supply chains based on European values.
Companies connected to Catena-X should retain control over the data they bring along and decide with whom and how to share it. SSI technology plays a key role in Catena-X.
The heart of Catena-X is the “Eclipse Dataspace Connector”.
Catena-X is funded by the German Federal Ministry of Economics and has 28 members – including numerous German car producers.
51nodes conducted the technical analysis and design for the interaction of Catena-X and Gaia-X IAM concepts and uses SSI in a pilot implementation using Hyperledger Indy and Aries.
European Blockchain Service Infrastructure
SSI is being driven by the EU-Commission as part of the Blockchain Service Infrastructure.
In this initiative, EU states jointly operate a blockchain network as the basis for digital services and applications. European digital identities are an important component.
The European Self-Sovereign Identity Framework Lab (eSSIF) is an EU-funded project that aims to advance the adaptation and exploitation of SSI in the EU. In eSSIF, an open source software framework for SSI is created and commercial services that use the framework.
SAP Tests SSI to Simplify Business Processes
SAPis successfully testing SSI in its Innovation Center Network together with partners by integrating SSI into the SAP backend and eventually into business processes.
In a software prototype, employees can have SAP’s “Human Capital Management” software issue a credential about their employment. The credential is stored in a wallet from Evernym. Users can then use the credential to open a bank account or apply for credit. To do this, the existing credential only needs to be released to the bank in a simple manner.
The prototype shows that SSI can eliminate document-bound processes and speed up (bank) account opening or loan approval. Also customers’s experience can be simplified.
Bosch Uses SSI for Trusted Business Relationships
In the context of the Economy of Things, Bosch uses SSI in business-to-business relationships, for example. For B2B, master data management is important. For master data management with SSI, Bosch uses an agent software to create a decentralized company ID and to link it to a company’s master data. The data can be released in interactions and verified by the software. This saves time and money.
Another area of application for SSI at Bosch is machine interactions. Machine interactions are to run securely and trustworthily with SSI. Initial pilots are being developed in conjunction with GAIA-X’s self-determined data exchange spaces. In GAIA-X, Bosch contributed to the specification for “identity and trust” with SSI. Testing will take place in the Catena-X automotive network.
BMIL: Digital Identities for Power Generation Plants
BMIL (Blockchain Machine Identity Ledger) used SSI to map the identity master data of power generation assets in a secure decentralized registry.
One approach to enriching a facility with verifiable credentials and an SSI-based machine identity is the KILT protocol.
BMIL’s asset registry is similar to the market master data registry, which is maintained centrally by the regulator. On the basis of BMIL’s registry, thanks to SSI, the possibility arises to integrate power plants easily and quickly (via “plug and play”) into the energy system.
Today, integrating plants into the energy system has requires form-based registrations with overlapping content at different points. For example, a plant must be registered with the grid operator and BDEW, and as a provider for different parts of the electric energy system.
BMIL was an active project of the Future Energy Lab of the German Energy Agency “dena” until 2021.
How Is SSI Implemented Technically?
Open source software and open networks as well as increasing standardization help with the implementation
The Verifiable Data Registry is an important component of the technical implementation of SSI. The Verifiable Data Registry serves as an anchor point for an SSI ecosystem by storing public decentralized identifiers (DIDs) on it, just like in a phone book.
A DID is an URL that is used for verifiable identification of people, organizations or things. The DIDis resolved to a DID document using a specific DID method.
The DID document may contain authentication information. Public-private key encryption methods are used for authentication. The public key of an identity can be stored in the DID document.
A DID document can also reference Verifiable Credentials to prove attributes of an identity (e.g., driver’s license or legal age). Verifiable Credentials are digitally signed in a tamper-proof manner and can be cryptographically verified.
An important principle in SSI is reducing the disclosure of information about an identity as far as possible. Zero Knowledge Proofs (ZKP) can be used, for example, to prove that a person is of legal age without revealing the person’s exact age.
On the software side, Hyperledger Indy is a way to implement a Verifiable Data Registry for digital identities and SSI blockchain-based. Hyperledger Aries is a software library that allows direct DID-based interactions of identities without a SSI network. For this purpose, an “agent” (e.g., in the form of an app or as software in the cloud) represents an identity and can interact with other identities via the DIDComm protocol.
Networks and ecosystems for Self-Sovereign Identities are emerging, for example, with IDUnion and Sovrin. IDUnionis a large German initiative and is supported by over 50 partner organizations. IDUnion builds the infrastructure for decentralized identity management based on the SSI model.
Sovrin is a non-profit organization that is also building an SSI network using Hyperledger Indy.
Cheqd is a startup that uses SSI to build a self-directed data network. To create incentives to share data over their network, cheqd tries to establish an incentive model. The model allows verifiers of credentials to pay the issuers of the credentials. Or the holders of credentials may pay the issuers.
Central to SSI are digital wallets for users to store Verifiable Credentials and to release them to third parties as needed. An overview of wallet providers is provided by the European Blockchain Association. Wallet providers include connect.me, iGrant, Jolocom SmartWallet, Serto and Gataca.
A more detailed explanation of the technological principles of SSI can be found in Fraunhofer’s white paper.
Would you like assistance with your SSI project?
What Is to Be Considered Legally?
The cross-border legal validity of credentials requires supportung framework conditions
For SSI to be most effective, Verifiable Credentials must be usable across disciplines, SSI networks, and even countries. This requires the introduction of regulatory (EU-wide, global) rules and standardization. International organizations such as the W3C and Trust over IP should be mentioned in these efforts.
eIDAS is the EU’s regulatory framework for electronic digital identities. eIDAS aims to make public services that require authentication fully digitally usable throughout the EU. The framework creates the legal prerequisite for EU-wide acceptance of digital signatures – such as those used in Verifiable Credentials.
A potential constraint for SSI is compliance with the General Data Protection Regulation (GDPR). Especially if the identities concern natural persons and personal data are to be processed. Applying blockchain technology to the Verifiable Data Registry is not a fundamental problem in this regard, as it only contains references to DID documents and revocations of Verifiable Credentials, as well as schemas of credentials. Whereas, personal data is stored in protected private wallets.
51nodes and SSI
Get help from software professionals with many years of experience
As an enabler of the Crypto Economy, 51nodes has been intensively involved with Self-Sovereign Identities (SSI) for several years in projects with well-known companies, with its own standard development and in blog contributions.
Project examples
P2P-Energy-Plattform for Honda
51nodes developed a decentralized peer-to-peer energy exchange platform involving electric vehicles. Technical design of a decentralized identity access management approach using SSI. Building on decentralized identities and services using DIDComm and Hyperleder Aries.
Vehicle-to-X Data-Exchange in GAIA-X
51nodes contributes its SSI expertise to the GAIA-X-4-moveID project. The project aims to test the sharing and use of automotive data using the GAIA-X data exchange infrastructure and SSI. In addition, the interaction of cars with their environment (V2X) will be reorganized with SSI. 51nodes helps with technical analysis, design and implementation of SSI approaches for use in V2X environments.
SSI for the Power Transmission Industry
On behalf of the power grid operator TransnetBW, 51nodes explored the potential uses and benefits of SSI in the energy industry – following an inventory of existing processes and IT systems. The potential of digital identities for energy systems is expected to be enormous, as it can simplify onboarding into many processes and increase interoperability.
In projects with SSI, it becomes apparent that the technology is often not yet fully deployable in terms of maturity and that work is still being done on many details. In analyses, 51nodes uncovers technological gaps and addresses them step by step. The introduction of SSI in application landscapes with silo-like identity and master data management is also associated with a migration effort.
51nodes is happy to support you in discovering the added value of SSI and in implementing your SSI project with our own software engineers. We will also be happy to coordinate the entire process for you.
Links on SSI
Self-Sovereign Identity: The Ultimate Beginners Guide (Website)
Self-Sovereign Identity: Basics, Applications and Potentials of Portable Digital Identities (Whitepaper of Fraunhofer FIT, in German)
The Path to Self-Sovereign Identity (Manifest of Allen, 2016)
An overview of the SSI ecosystem (Scientific Article)
Interactive model of trust establishment between digital identities (Trust over IP)