Digital Identification on the Blockchain with Microsoft's ION
This article describes the concept of digital identification on the blockchain and the working mechanism of Microsoft's ION.
Identification has always been part of human life, signalled in earlier times by tribal marks, body piercings and the like. Every human has an identity, but the way we prove it has changed continually over the years.
Today we identify ourselves to people and organizations with identification documents. Anyone opening a bank account, checking into a hotel, travelling abroad or applying for a driver's license needs a form of identification that is personal to its holder.
Technology has reshaped how people identify themselves, above all online. As identity moved from paper to online accounts, control over identity credentials passed to the service providers that issue and store them. This has led some to believe that a blockchain, being decentralized, could solve the identity problem the internet created.
Identity anchored on a blockchain is meant to keep control of a person's identity, and of the data attached to it, in that person's own hands rather than with a third party.
This article goes beyond defining identity on the blockchain to explore Microsoft's ION identity solution in detail. It defines identity on the blockchain, explains how ION works, and covers the architecture and features that distinguish it from other blockchain identity networks.
What is Digital Identification in Blockchain?
Digital identification on a blockchain uses the blockchain to anchor identifiers and the public keys that control them, so that the owner, rather than a third party, creates and manages the identity. Since Bitcoin's first implementation of a blockchain, the technology has been applied to identity, healthcare, supply chains and more.
Bitcoin, a decade ago, drew developers, cryptographers and distributed-systems engineers to the problems of centralized identity systems. Today identity solutions are being deployed on several blockchains: ION on Bitcoin, Atala Prism on Cardano, Element on Ethereum, and others.
The distributed-systems community, through groups such as the Internet Identity Workshop (IIW), the World Wide Web Consortium (W3C) and Rebooting the Web of Trust (RWoT), has been examining the technical processes of traditional identity systems and proposing decentralized identities in their place. The purpose of the Decentralized Identifier (DID), the foundational technical component of decentralized digital identity, is to give ownership and control to individuals.
Many solutions have been proposed. Their common requirement is a scalable, user-owned unique identifier bound to a set of cryptographic keys and routing endpoints; few of them, however, achieve a scalable, decentralized network without utility tokens, an additional consensus mechanism and trusted validator nodes.
In response, Microsoft proposed and launched the Identity Overlay Network (ION). Before exploring ION's design, architecture and distinctive features, it is worth discussing identity in more depth.
Why Digital Identification on Blockchain?
Digital identification on the blockchain could address several problems with today's identification processes, and several recent developments make it practical:
- Data Theft: Most identity credentials today sit in centralized databases that concentrate many people's personally identifiable information (PII) behind a single point of failure, which makes them attractive targets, and such systems are often poorly patched or misconfigured. Attackers who obtain the data sell it on dark-web marketplaces and use it for fraud. In the first half of 2021 alone, about 18.8 billion records were reported breached, at a cost of billions of dollars.
- Inaccessibility: Identity cards are out of reach for many people worldwide, especially in rural areas of developing countries. Registration procedures and cost keep many from obtaining one, and without one they cannot open a bank account, apply for a passport or apply for certain jobs.
- Better Cryptography and Smartphones: Modern smartphones can hold keys and run the cryptography a blockchain-based identity needs, so digital identity becomes available to people as smartphones do.
- Education Verification: A certificate issued as a credential signed by the issuing institution can be checked against the institution's public DID wherever it is presented, so forged certificates fail verification.
- Banking: Authentication can rest on proof of control of the customer's keys rather than on passwords typed at every login, removing a common point of compromise.
- Businesses: A company that does not hold a central store of customer identity data cannot lose it in a breach, and so reduces its exposure to the fines that follow one.
- Healthcare: Health workers can confirm patient data among themselves quickly, which supports timely, quality care.
- Previous Digital Identity Models: Earlier models exposed too much information to third parties.
Models of Digital Identity Management
- Centralized Model: The first model of digital identity is purely centralized and has a single point of failure. The organization is the sole identity provider (IdP): it collects identity information and assigns identities to its users. Each user therefore ends up with a separate digital identity for every site or company they deal with, which makes for a poor user experience.
- Federated Model: The second model addresses the first's fragmentation by letting an identity registered with a large, trusted provider be reused to access other organizations or websites. "Log in with Google" is an example: the user signs in to a website with their Google credentials. This model is still in wide use today.
- User-Centric Model: In this model the user's information is held on a device under the user's own control. The user stores credentials on a Personal Authentication Device (PAD) and unlocks them with a PIN. Smartphones and similar devices work this way.
- Self-Sovereign Identity (SSI) Model: The fourth model, based on blockchain technology. Since our focus is the self-sovereign identity that a blockchain provides, we will dig into it and relate it to Microsoft's solution.
What is Self-Sovereign Identity?
Before defining Self-Sovereign Identity, note that the user-centric model cannot give users the autonomy they need. SSI was introduced to provide that sovereignty and put full control in the hands of users.
Self-Sovereign Identity (SSI) is a digital identity that people hold on their own devices rather than with a central provider. SSI is decentralized by design: the power to create and manage an identity belongs to its owner rather than to a third party.
The Working Principle of Digital Identity on the Blockchain
The digital identity in a blockchain is decentralized, and it operates based on the following components:
- Decentralized Identifiers (DIDs): Identifiers that users create and control without a centralized identity provider or authority. DIDs are globally unique and can identify individuals, organizations or objects.
- Identity Management (the verifiable data registry): A distributed ledger that everyone using the protocol can read. It records the public DIDs and the public keys and service endpoints bound to them, so that anyone can see which issuer endorsed a credential and check the issuer's signature. It does not hold the credentials or the personal data themselves; those stay with the holder.
- Verifiable Credentials: Statements an issuer signs about a subject. A holder presents them so a verifier can check the claim without seeing unrelated data or contacting the issuer; for instance, a third party can confirm that you are a doctor without seeing your identity card or calling your licensing body.
The issuer signs a credential with a key published under its public DID, and that DID, with its public keys, is anchored on the blockchain for everyone to see. Anyone who wants to verify a credential resolves the issuer's DID on the blockchain, obtains the issuer's public key and checks the signature. In effect, anyone can look up on the blockchain which organization controls a given public DID.
Advantages of Digital Identification in Blockchain
Blockchain identification has numerous advantages, which are elaborated on below.
- Decentralized Public Key Infrastructure (DPKI): The powerhouse of blockchain identification. DPKI lets anyone generate their own key pairs and publish the public halves through the blockchain, where others can look them up to verify an identity holder's signatures. The blockchain takes the place of a certificate authority as the trusted medium that distributes public keys and binds them to identifiers.
- Decentralized Storage: Credentials stay in the holder's own wallet, and only identifiers and public keys are anchored on the chain, so there is no central database of personal information to breach. That makes identity theft harder and protects the holder's private information, while the holder remains free to present the same credentials on different platforms for different purposes.
- Manageability and Control: Decentralized identification gives users sole control over their data, including its security, and lets them decide how it is used. In a centralized identity system, by contrast, control and security of the identity lie with the entity that provides it.
What is ION?
The idea behind ION is a scalable, resilient, user-owned decentralized identity system that needs no utility tokens, no additional consensus and no trusted validator nodes; anyone can run a node. ION is a layer 2, public, permissionless, decentralized DID overlay network that runs atop the Bitcoin blockchain and implements a deterministic DPKI protocol called Sidetree.
Before launching ION on the Bitcoin mainnet in March 2021, Microsoft had explored Sidetree since 2017-2018 to decide whether it was worth the investment. Having concluded that it was, the team worked with SecureKey, Mattr, ConsenSys, Transmute, Gemini, BitPay, Casa and others to codify Sidetree as a formal specification under the Decentralized Identity Foundation (DIF).
Microsoft's ION is a collection of microservices, including Bitcoin Core, IPFS and MongoDB (for local data persistence). Most of ION's code is the Sidetree protocol implementation. As a Sidetree-based DID network, it combines the Sidetree logic module, a chain-specific read/write adapter (here, for Bitcoin), a content-addressable storage protocol (IPFS), MongoDB and the existing layer 1 blockchain.
The content-addressable storage layer (IPFS) replicates operation data between nodes. Together, these components form a Sidetree network: a layer 2 DID network that runs atop an existing layer 1 blockchain at thousands, or even tens of thousands, of PKI operations per second. Unlike several other layer 2 solutions, Sidetree needs no additional consensus; it relies only on the chronological ordering of operations that the underlying blockchain already provides. Identifiers, unlike monetary units and asset tokens, are never exchanged or traded, so the double-spend problem that forces other layer 2 designs to add a consensus scheme, a trusted validator list or a protocol token does not arise, and scalability comes without them. Sidetree is designed so that every node in the network arrives at the same Decentralized Public Key Infrastructure (DPKI) state: an identifier's state follows solely from applying the protocol's deterministic rules to the chronologically ordered batches of operations anchored on the blockchain, which ION nodes replicate and store via IPFS.
ION Working Mechanism
ION uses the blockchain-agnostic Sidetree protocol to anchor tens of thousands of DID/DPKI operations with a single on-chain Bitcoin transaction. Each anchoring transaction carries a hash; ION nodes use it to fetch, store and replicate, via IPFS, the batch of DID operations it identifies. Without any additional consensus, the nodes process those batches under DIF's deterministic Sidetree rules and so independently arrive at the correct DPKI state for every identifier in the system. Nodes fetch, process and assemble DID states in parallel, and the aggregate capacity of the network runs to tens of thousands of operations per second.
How to Run ION and Create DIDs
To run an ION node you need to meet certain hardware and software requirements:
- an i5 processor (2017 or later)
- 6 GB of RAM
- 1 TB of storage
- a Windows or Linux operating system
Once those prerequisites are met, the steps are:
- Generate a DID locally from the command line (instructions are provided for Linux users).
- Run an ION node via Docker, or
- Install an ION node natively.
Though blockchain-based digital identification is still new, it promises tighter, user-centered control of personal data than centralized databases offer, and it reduces the amount of personal information exposed to attackers who would misuse it. With ION, a layer 2 solution for decentralized identity, Microsoft has delivered a scalable, resilient, user-owned identity management system that requires no utility tokens, trusted validator nodes or additional consensus mechanism.