Self-sovereign identity (SSI) is the first technology to give individuals maximum control over their digital persona – and it’s as simple to use as a social login. Businesses will benefit too.
At the moment, we identify ourselves online in one of two ways.
Typically, we sign into an online service – a Web site or app – using an e-mail address or username and password, and in doing so share some of our personal information. With this method, whenever we switch to another service we have to repeat the log-in process with a different password. This leaves fragments of our data behind on each service we use and forces us to create and remember a different password for each one, which is annoying but essential for security reasons.
The more convenient option for initial log-ins is to use a “social log-in,” such as your Facebook ID, which allows you to use the same username and password to access a variety of different services. With this one “federated identity,” you can complete your initial log-in to a participating app or service by simply selecting “Sign in with….”
The downside of this convenience is that your personal data – and that of millions of other users – is controlled by a single company, creating honeypots of data that hackers have often successfully targeted in the past. There are many examples of sensitive information being stolen, including address data, medical data, credit card details, and more. Aside from not being ideal from a privacy perspective, most people would probably not feel comfortable using a social log-in to access a sensitive service like their bank account.
But there is a third option. Self-sovereign identity (SSI) – also known as decentralized or portable identity – allows users to identify themselves on the Web using credentials stored in a digital wallet on their smartphone. It offers the same convenience as a social log-in, but the user is in full control of the data.
“This technology is not owned by a company,” says Mehran Shakeri, development team lead at SAP Innovation Center Network. “It’s the first completely open standard for digital identity on the Web, and it gives individuals maximum control of their data when deployed with a proper registry.”
User-Friendly ID Technology – For Businesses Too
Companies and organizations can also use SSI technology. After all, they also have an identity – usually in the form of a public entry in a commercial register. For example, when logging into a business network, a supplier must share a range of data, including its tax number, IBAN, and postal address.
Currently, this data cannot be automatically verified. Entities created in internal systems must be verified using a relatively complex and costly third-party service. Records can be inconsistent and difficult to keep up-to-date. Data is often transferred from one system to another without being automatically verified.
This major issue can be solved if a company has a self-sovereign identity. Its digital wallet then serves as a single, vetted source of truth and there is no need for an external third party to verify its credentials.
This opportunity for a “golden record” of master data extends beyond company boundaries. “At SAP Innovation Center locations, we have projects in progress with DATEV, the Dutch government, and a host of other customers to validate use cases with SSI,” says Alexander Schaefer, head of SAP Innovation Center California. “We see tremendous potential in integrating the SSI standard into SAP software.”
This technology would eliminate many of the identification processes currently in use, some of which are highly complex. Anyone who has opened an account with an online bank knows just how many steps it takes to prove your identity. With SSI, all users have to do is scan a QR code with their smartphone to share the relevant, verified credentials stored in their digital wallet. This digital wallet can be on their phone or laptop, for example, as a browser plug-in. The wallet is secured by common authentication mechanisms such as FaceID or TouchID, which have proven to be very secure.
Trusted Authorities Can Issue Credentials
For SSI to work, individuals need a digital wallet containing credentials that have been issued by a trusted third party – such as their driver’s license, MBA certificate, or tax ID. An empty wallet is useless. Trusted authorities that hold this type of data can issue the relevant credentials, which is why it is so essential that these entities adopt SSI.
Among the many companies that can issue these credentials, German IT service provider DATEV was one of the first to embrace the concept. “Together with DATEV, we have demonstrated how self-sovereign identity enables seamless business processes across ecosystems. Transactions from all parties are digitally notarized and tied to their cryptographically verifiable credentials,” says Schaefer. With decentralized identity, master data of organizations becomes trustworthy, which can ensure that companies communicate with verified and trusted partners in the ecosystem.
Before we can all be issued with these credentials, however, SSI technology needs to be widely adopted. Shakeri is confident that mass adoption will come. “There is hardly an industry that would not benefit from SSI,” he says.
SSI as a Driver of Transparency on Sustainable Business
To enable apps to use SSI for business-to-business communication, SAP Innovation Center Network has developed a multi-tenant service built on SAP Business Technology Platform (SAP BTP) called Decentralized Identity Management. With this service, customers can issue and manage verifiable credentials – and verify the credentials themselves – creating the foundation for a decentralized business network where multiple parties can collaborate and share data.
Shakeri’s team is currently working on a use case for sharing ESG (environmental, social, and governance) certificates. “These certificates certify that a supplier operates sustainably, does not use child labor, does not exploit its suppliers, and so on,” he says.
At present, it can be time-consuming to achieve transparency in the supply chain, particularly in terms of how well individual suppliers focus on sustainability in their businesses. With SSI technology, it will be possible to check whether suppliers operate sustainably by requesting their ESG certificates from their digital wallet before deciding whether to work with them.
SSI could even make it possible to trace the origins of a product’s individual components across supply chain parties that work with different solutions – theoretically all the way back to the raw materials. While there is still work to be done to bring the full vision of SSI to life, customers can already benefit from the technology today in one of the many use cases that are likely to be significantly impacted by this technology. This can include supplier onboarding, master data management, and supply chain collaboration in the areas of sustainability and human rights.
Questions for the Experts
Q: Will SSI be widely adopted?
Shakeri: The outlook is very good at the moment, with many large companies actively investigating SSI and its potential. Government projects are also underway, including eIDAS (electronic IDentification, Authentication, and trust Services) in Europe, which aims to provide European Union citizens with a digital ID based on SSI. One of SAP’s cooperation projects with the Dutch government is exploring the impact of SSI in the public sector. If a European digital ID were to be introduced, it would drive adoption enormously.
Is SSI a blockchain-based technology?
SSI is not inherently tied to blockchain technology. However, blockchain is often associated with SSI because it provides a decentralized and secure way to implement some of the key principles of SSI. Blockchain can be used to create decentralized identity systems where individuals have control over their identity information and can selectively share it with others without the need for a central authority.
In the context of SSI, blockchain can be employed to record and verify identity-related transactions, ensuring transparency, security, and immutability. Some SSI implementations use blockchain or distributed ledger technology to anchor identity-related data, but SSI itself is a broader concept and not all SSI systems rely on blockchain.
Is SSI interoperable by design?
There needs to be a standard format for identity data that all industries and governments can agree on. SSI is still in the prototype phase, so we aren’t there yet. But given that it is in everyone’s interests, it’s realistic to assume that a standard format will be agreed on.