What Is Self-Sovereign Identity and Its Impact on Cybersecurity?
In the World Wide Web Consortium, the concept of self-sovereign identity appears in a series of documents describing “verified claims” and “decentralized identifiers” (the term the consortium uses to describe what others call SSI), but without a specific architecture or technologies for implementation.
With SSI, there still must be some credential issuer that is trusted by the college or university. The difference is that the credentials, once issued, are placed under the control of the user, and the verification (authentication) process happens independently of the credential issuer.
The proposals for how SSI credentials will be stored and verified are complicated, but all combine a big dose of cryptography and blockchain technology. The cryptography keeps the credentials and any associated personal information private, and is used in the authentication process similar to how passkeys or digital certificates are used for authentication. Blockchain creates a public ledger, so that once the credentials are issued, they can be locked in place and verified by anyone who has a copy of that particular blockchain.
All of these technologies give SSI its desirable characteristics: The user can be authenticated even if the credential issuer goes offline. Once the credentials are stored on the blockchain, the user can decide which pieces of his or her digital identity to share with each web application, preserving privacy.
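The two properties described above (verification that works while the issuer is offline, and user-chosen disclosure) can be sketched with salted hash commitments; this is an added illustration, not code from the W3C documents or from any SSI project. It assumes a plain dict stands in for the blockchain, that the ledger only accepts entries from the named issuer (real designs enforce this with the issuer's digital signature), and all function names and sample values are constructed for the example.

```python
import hashlib, hmac, json, secrets

def leaf(name, value, salt):
    # Salted digest of one claim; the random salt prevents guessing hidden values.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def root_of(leaves):
    # One digest over all claim digests, independent of claim order.
    return hashlib.sha256(json.dumps(sorted(leaves.items())).encode()).hexdigest()

def issue(issuer, claims, ledger):
    """Issuer: anchor only a digest on the ledger, hand the credential to the user."""
    salts = {k: secrets.token_hex(16) for k in claims}
    cred_id = secrets.token_hex(8)
    leaves = {k: leaf(k, v, salts[k]) for k, v in claims.items()}
    ledger[cred_id] = {"issuer": issuer, "root": root_of(leaves)}
    return {"id": cred_id, "claims": dict(claims), "salts": salts}

def present(cred, reveal):
    """Holder: disclose the chosen claims; the rest appear only as digests."""
    disclosed = {k: [cred["claims"][k], cred["salts"][k]] for k in reveal}
    hidden = {k: leaf(k, v, cred["salts"][k])
              for k, v in cred["claims"].items() if k not in reveal}
    return {"id": cred["id"], "disclosed": disclosed, "hidden": hidden}

def verify(presentation, ledger_copy, trusted_issuers):
    """Verifier: check against a local ledger copy; the issuer is never contacted."""
    entry = ledger_copy.get(presentation["id"])
    if entry is None or entry["issuer"] not in trusted_issuers:
        return None
    leaves = dict(presentation["hidden"])
    for name, (value, salt) in presentation["disclosed"].items():
        if name in leaves:          # a claim cannot be both hidden and disclosed
            return None
        leaves[name] = leaf(name, value, salt)
    if not hmac.compare_digest(root_of(leaves), entry["root"]):
        return None                 # altered, added or dropped claim
    return {name: value for name, (value, _) in presentation["disclosed"].items()}

if __name__ == "__main__":
    ledger = {}  # constructed stand-in for the public ledger
    cred = issue("Example University",
                 {"name": "A. Student", "degree": "BSc", "gpa": "3.7"}, ledger)
    print(verify(present(cred, ["degree"]), dict(ledger), {"Example University"}))
```

The sketch omits holder binding (proof that the presenter controls the credential) and revocation, so a captured presentation could be replayed; a real deployment needs both.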
SSI and Higher Education
The goals behind SSI mesh well with cybersecurity strategies in higher education. Because SSI credentials aren’t tied to a particular issuer, students could more easily take their digital identities with them from school to school and employer to employer — including transcripts, degrees and certifications — without the current cumbersome process of verifying against each individual institution. Tasks such as transfers between institutions, even international ones, and degree certification for a job would be simplified and instantaneous in a well-designed SSI project.
Because SSI is built around privacy preservation, students could decide what information they want to share, rather than hoping that the institution follows the individual’s instructions or the institution’s own privacy policies.
SSI also could deliver benefits to institutions that participate, such as reduced opportunity for fraud and tampering. Once information is published on the blockchain, it can be cryptographically verified and can’t be modified by the end user.
Higher education IT teams that want to experiment with SSI will find much to explore. But SSI today is not like InCommon or EduRoam, where a university can easily join and gain the benefits of cross-institution federated identity services. Rather, SSI is a combination of privacy requirements, architectural ideas and technologies that are evolving based on projects and experiences. Although the idea of SSI has been around for nearly a decade, it’s still a moving target, especially in an area like higher education.