Challenge 1: A Verified Identity

Centralized systems sit on national infrastructures, good quality identity profiles, and long-standing processes. Decentralization starts with no verified people. You can run KYC/AML, but the question remains: was it good enough? And verification methods will differ by wallet - will they be consistent?

For Decentralization to flourish, it will need to enforce common standards across all wallet providers.

Challenge 2: A Secure Platform

Identity wallets will be targets. A smartphone is a personal digital device. It is not like a government server with firewalls and teams of security experts to protect it. A smartphone in the hands of the bad guys is all alone and vulnerable.

People I have talked to, who are working closely on the issue in Europe, do not rule out a hardware solution: 5,000,000 hardware devices for New Zealand, please! Obviously this is unlikely, but Decentralization needs to describe how a secure platform can be implemented (we are waiting!).

Challenge 3: Ability to Authenticate

Let’s assume that we have the person embedded safely in a smartphone. We need to authenticate them before letting them receive and distribute their credentials. Centralization is not a model solution here either—primarily because it’s not easy.

But authentication is still inherently challenging and Decentralization needs to converge on a consistent and secure authentication approach. Surely we cannot put up with Multi-Factor Authentication hell?

Challenge 4: Ability to Load Credentials

Just a bit of data transfer? Not quite. Whenever Personally Identifiable Information (PII) is augmented, there should be a check that the new PII is for the same identity. That is what we expect centralized systems to do, and clearly Decentralization will need a method for doing so.

Given that the credential is likely to be a verifiable credential, which field(s) will be used to match against the identity stored on the smartphone? This may have been settled in some designs, but we have yet to see a complete design; hence I keep asking these questions.

Note also that if there is one credential that identifies a person, will that become a default national identifier?

Challenge 5: Distributing Credentials to Relying Parties

Who are they, these relying parties? For Decentralization, those other relying parties may appear as an app on a smartphone—how can the app, and thus the organization, be authenticated? Currently we lack the ability to verify organizations and so Decentralization will need to be the first to solve the problem. Decentralization aims to avoid ‘big brother’ solutions, so a central register should be out of scope? So how will they do it? And then, of course, a method is required to exchange credentials but that should be something can be resolved with the use of good standards.

Challenge 6: Keeping it Up-To-Date

The best use case to think about is drivers’ licenses. If we put a copy in a Digital Wallet, how do we know it is up-to-date? If a license is revoked, clearly this must be reflected when the credential is shared. I remember the bad old days in banking with ‘hot card files’ and similar technologies. It was purgatory!

Of course, there is always the possibility of online checks but if a many-to-many network is to be envisaged, there will be issues of contention etc. When suddenly everyone relies on everyone, there is significant risk that we all look rather embarrassed. Maybe implement a switched network, but isn’t that what Decentralization wants to avoid?

Challenge 7: Recovery

Smartphones are lost regularly - a recovery process is essential. The more credentials that Decentralized supports, the harder recovery will become. Think of rebuilding a wallet with credentials from 5-10 sources! Perhaps we could have a central recovery service, but again isn’t that exactly what Decentralization aims to avoid?

Summary

Decentralization aims to replicate or replace centralized identity.

But Decentralized is a complex solution with many moving parts. This complexity and numeracy creates many challenges.

To commit to Decentralization, we need to see a plan to solve the seven challenges above (and probably a few more as well). Such a plan must include functional design, systems topography, systems architecture, and development feasibility.

Without a plan, we risk everything.

Regards

Alan