Editorial

How wallets turned digital

Richard Astley, solutions architect at Condatis, talks about the importance of identity, the links between physical and digital wallets, verifiable credentials, and more.

Posted 14 December 2021 by Christine Horton


What is my identity? How do I use it? More importantly, how could I be using it?

Let’s look at something I carry everywhere with me in my back pocket; it’s very personal to me. Can you guess what it is?

Yes, my wallet. What do I keep in my wallet?

I keep my bank and credit cards to withdraw cash or pay for things. I have my driver’s licence, which I use to prove my entitlement to drive or sometimes my address or date of birth. I have my emergency breakdown cover card if I need help while travelling and my gym membership which I use to access the gym (I really mean the sauna).

I always carry all this information around with me. These cards form part of my identity and let others provide a service when I present them because they trust who issued them.

Identity from a digital standpoint

In addition to my wallet, I also carry my mobile phone and sometimes make small payments with it instead of my bank card.

My wallet is great because I can show someone my cards with my identity credentials, but how do I use my identity in the digital world?

Most of us have some form of digital identity that we use. We use different identity providers that we build relationships with, like Google, Facebook, or other federated identity providers like our workplace Microsoft accounts. We access digital services using these identity providers to share our identity.

When we use our digital identity, we interact with a digital service, sometimes called a ‘relying party’. A relying party depends on our digital identity information to provide services. The relying party must have a trust relationship with one of our identity providers and trust that we were authenticated securely and our information is accurate and up to date.

When we interact with a relying party, they tell us the identity providers they have a trust relationship with, and we authorise our trusted identity providers to assert our information to the relying party. Since the relying party trusts the identity provider to assert the correct information, they can provide their service.

In a centralised world, we permit identity providers to share our information with a relying party. This works well for specific details like our name, email address, employment details or for authentication, but it cannot work for every credential issued in the real world or for every relying party that needs access to the same credentials.

A new approach to identity

What if we had a digital wallet on our phones to share a digital version of our credentials in a more secure and tamper-proof way, one that ensures the information comes from a trusted source and was shared from the wallet it was issued to?

Decentralised identity allows people and organisations to manage and control their digital credentials. It still allows identity providers to issue information about me, but instead of sharing this information with a relying party directly, I hold the credential and share it directly when I interact with a relying party.

This new identity model is still based on trust. Relying parties must trust the identity provider to assert accurate data about me, but we no longer call them an identity provider; we call them an issuer, and they issue credentials about a subject to a holder, the person with the digital wallet.

I still must trust that the relying party will only use my data for the intended purpose. A relying party now verifies credentials in decentralised identity, so we call them a verifier. The verifier still must trust the issuer who issued the credential and have a way to check that what the holder shared with the verifier is the credential the issuer issued.

How does this all work?

To prove that a credential has been issued by a trusted organisation and not tampered with, the issuer creates a DID (Decentralised Identifier) and a DID Document describing their verification method, which contains their public key, and writes it to a blockchain distributed ledger. DIDs allow issuers, holders and verifiers to identify each other and share public keys. This is what makes decentralised identity possible: trust between parties is established using DIDs and public keys rather than the federated relationships a centralised identity system requires.

The DID and verifiable credential standards allow an issuer to issue a verifiable credential, signed with their private key, to a holder, who stores it in their digital wallet.

If a verifier asks for information, the holder can share the verifiable credential with the verifier. The verifier resolves the issuer’s DID to obtain the public key, checks the signature, and so confirms that the credential was issued by that issuer and has not been tampered with. Verifiers can build their own governance through trust frameworks that define which issuers they trust and which information each may provide.

What does decentralised identity allow us to do?

Decentralised identity gives us more control over our digital identity by allowing us to hold and manage our identity credentials, choosing who we share them with and for what purpose.

The technology allows us to interact with digital services using our trusted identities, reducing the risk of identity theft. Services can ensure we are who we say we are, opening up new self-service opportunities while maintaining the level of assurance that previously needed physical identity checks. Services can also use our identity to grant us access to resources securely.

Governments can issue identity credentials for use across all their services at local and national levels. You could fill in a tax return with the same credential you use to access a local library, or even reuse this trusted credential in the private sector as a highly trusted identity credential, extending the reach of your government identity beyond its federated boundaries.

Employees could move between locations, proving the identity, qualifications and experience needed for their work. Clinicians could move freely between hospitals, streamlining onboarding with quick, highly assured verifications that meet the governance checks safeguarding hospitals and other secure sites.

Employers could verify your qualifications digitally when you apply for a new job, or even issue your training records for you to carry on to your next job.

Conclusion

Decentralised identity provides a new way to trust each other online. Trust no longer requires managing client IDs, secrets and API integrations with every possible identity provider, attribute provider or relying party. Instead, it lets us establish trust and verify any credential without a pre-existing relationship with the issuer. This does not replace centralised identity; it is a new way of carrying and sharing our identity beyond federated limitations, reusable without limit with any party we choose.
