Self-Sovereign Identity: Managing Your Own Identity Securely

Defining your identity online is no longer science fiction. SSI technology already makes this possible. To find out why it’s so secure, read here.

Apr 11, 2022 - 2 min.
Sonja Spaccarotella

In an age of individualism, self-determination has never been more important. Such a mindset has also entered the digital world. What makes us truly unique as individuals is certainly our personal data – information requiring protection and, ideally, the option to manage it ourselves. This is now possible thanks to SSIs – self-sovereign identities.

What does SSI stand for?

Self-sovereign identities allow private individuals or organisations to generate a digital identity. What makes SSI technology unique is that users can decide for themselves whether to share their identity and how much they want to reveal about themselves. The German federal government is supporting this SSI approach through its initiative to establish a digital identity ecosystem. The technology relies on tried and tested security mechanisms such as 2FA (two-factor authentication). This model is widely used in areas such as ID verification, which is frequently used for setting up online bank accounts. The fundamental aspect of SSIs is that the person is at the centre. They have full control and can determine who gains access to which of their data.

Components of a self-sovereign identity 

But what does an SSI (self-sovereign identity) consist of precisely? Three elements make it possible to administer personal data independently. 

  • Issuer 
    This is who ‘issues’ the identity. The issuer is usually the state, which produces documents like IDs and passports. In theory, however, it is possible for anyone to create a proof of identity and thus be the issuer of certificates. It is, therefore, important for the certificates and their production to be strictly controlled and regulated so that not just anyone can create such certificates. An example of a document far removed from state IDs is a university certificate indicating that someone holds an academic degree. Such a certificate in the analogue world is usually provided with a seal or special patterns on the paper to allow its authenticity to be verified. In the digital sphere, the issuer's private cryptographic key provides this proof in the SSI ecosystem as an elementary part of the public key infrastructure: the issuer signs the certificate with its private key, and the signature can be checked with the matching public key. Digital certificates that work according to this principle are already used today for electronic signatures and can be easily adapted to new uses.
  • Holder
    The holder is usually the person who owns an identity wallet and requests and manages the documents to be verified. The basic idea of self-sovereign identity management is implemented in the wallet. This is where everyone can determine which information from the stored documents can be viewed. After all, a digital wallet holds not just our ID but also has plenty of space for other certificates and documents. Users can place all sorts of credentials in their wallets. If a third party wants to see an applicant’s English grade, for instance, the user can go to their wallet and only allow this grade to be viewed without disclosing all their other school grades. This mechanism works in just the same way with online shopping when proof of age is required. 
  • Verifier
    As the name suggests, this person or entity wishes to verify something. For example, if a prospective employer wants to see and check an employee’s last job reference, the employer can request this from the employee as the digital wallet holder. The holder can then choose whether to provide this information to the employer or not. The verifier and issuer never communicate directly with one another at any time. The key step in this process involves verifying the issuer’s digital signature – usually done using a decentralised identifier (DID) – which might be stored on a blockchain network.
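
The three roles above, worked through as an added example that is not code from the original article or from any SSI product. It assumes a salted-hash scheme for selective disclosure and an Ed25519 issuer key; the function names, the `did:example:holder` identifier and the grades are constructed for illustration.

```javascript
// Added example: salted-hash selective disclosure. Scheme and names are assumptions.
const { createHash, randomBytes, sign, verify, generateKeyPairSync } = require('crypto');

// Digest of one claim; the random salt stops a verifier from guessing hidden values.
const digestOf = (d) =>
  createHash('sha256').update(JSON.stringify([d.salt, d.name, d.value])).digest('hex');

// Issuer: sign the salted digests of the claims, never the raw values.
function issueCredential(issuerPrivateKey, subject, claims) {
  const disclosures = Object.entries(claims).map(([name, value]) => ({
    salt: randomBytes(16).toString('hex'), name, value,
  }));
  const payload = JSON.stringify({ subject, digests: disclosures.map(digestOf).sort() });
  const signature = sign(null, Buffer.from(payload), issuerPrivateKey).toString('base64');
  return { payload, signature, disclosures }; // stored in the holder's wallet
}

// Holder: pass on the signed payload plus only the claims chosen for this verifier.
function present(credential, names) {
  const disclosures = credential.disclosures.filter((d) => names.includes(d.name));
  return { payload: credential.payload, signature: credential.signature, disclosures };
}

// Verifier: needs only the issuer's public key (in an SSI deployment it would be
// looked up via the issuer's DID); it never contacts the issuer.
function verifyPresentation(issuerPublicKey, presentation) {
  const { payload, signature, disclosures } = presentation;
  if (!verify(null, Buffer.from(payload), issuerPublicKey, Buffer.from(signature, 'base64'))) {
    throw new Error('issuer signature invalid');
  }
  const signedDigests = new Set(JSON.parse(payload).digests);
  const claims = {};
  for (const d of disclosures) {
    if (!signedDigests.has(digestOf(d))) throw new Error(`claim "${d.name}" was not signed`);
    claims[d.name] = d.value;
  }
  return claims;
}

// Constructed sample: a school issues three grades, the holder reveals one.
function demo() {
  const school = generateKeyPairSync('ed25519');
  const wallet = issueCredential(school.privateKey, 'did:example:holder',
    { english: 'A', maths: 'C', history: 'B' });
  return verifyPresentation(school.publicKey, present(wallet, ['english']));
}

console.log(demo()); // { english: 'A' }
```

The verifier sees the English grade and a set of opaque digests for the other grades; changing a disclosed value or presenting a credential signed by a different key makes `verifyPresentation` throw.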

My data belongs to me 

SSI technology allows us to choose which data we share with third parties and is primarily about defining and managing our own identity. This is also why the storage location for personal data is as private as the photographs we have on our smartphones. Put simply, all personal data is stored only there – on the mobile phone itself. Users process sensitive data in their internal systems, taking responsibility for complying with the General Data Protection Regulation (GDPR).

SSI technology is secure as every user can manage their data individually. Last but not least, the tried and tested technologies of blockchain and asymmetric cryptography provide security, are constantly being further developed and can, therefore, always rise to new challenges.

 
