By Jelle Milleenar
Digital Identity has become a hot topic across the globe. The concepts of Self-Sovereign Identity (SSI), where people regain control over their digital identity and data, are becoming mainstream. If you are unfamiliar with SSI, please consider reading more about it here. SSI is being explored by the major Identity and Access Management (IAM) players and is finding its way into digital identity and privacy regulations across the world. The most crucial regulation is eIDAS 2.0 (electronic IDentification And trust Services) in Europe. The regulation, which is still being finalized, stands to completely change the game. Let’s explore how it enables SSI companies such as Impierce Technologies and the role that Blockchain may have.
eIDAS in short
The eIDAS 2.0 regulation is currently being finalized by the European Commission and is likely to go into effect in 2025. It defines an iteration of the current digital identity framework in the original eIDAS regulation. Where European citizens are currently able to digitally authenticate themselves to (local) government agencies in order to, for example, submit taxes, eIDAS 2.0 greatly enhances the system. Most importantly, the digital identity framework can now be used in the private sector and is even mandated across some major industries, including finance, education, and healthcare.
It redefines the current framework to follow SSI principles. Citizens will have a European Identity Wallet that allows them to collect signed statements about themselves and share them with whomever they decide. It follows privacy-by-design, enforces data minimization, and reduces the need for third parties to store personal information. Access to (digital) services becomes significantly easier as users can authenticate themselves and securely share trusted information without creating new accounts and remembering passwords.
The private sector has been wanting such an identity system for decades. It is therefore likely that the adoption of this new ecosystem will happen rapidly on a large scale. In the Netherlands alone, hundreds of companies, government agencies and start-ups are collaborating on a Dutch SSI ecosystem. The EU aims for 80% of the European population to make use of this digital identity ecosystem.
The system can save costs and reduce risks while improving the customer experience. Many sectors will jump on this opportunity as it can revamp customer onboarding, reducing Know-Your-Customer (KYC) processes from a manual process taking days and costing a significant amount per new user, to a near-instantaneous and free process. It will be easier to open bank accounts, sign up for cryptocurrency exchanges, join a university class, gather loyalty points and use e-prescriptions.
eIDAS 2.0 is currently designed to enable use cases that rely on strong user authentication and where the Issuer is a company that wishes to register itself with its local government. It uses trust lists to identify which entities can be trusted to sign specific statements. For example, these lists would empower universities to sign degrees, while insurance companies can sign insurance credentials.
The process for inclusion on a trust list doesn’t fit well with smaller use cases such as badges, references, and work experience, because becoming part of a trust list is a centralized process that will likely involve long government processes and create excessive governmental control.
eIDAS 2.0 does not strictly require the use of trust lists. An alternative solution is the use of Decentralized Identifiers (DIDs). These identifiers allow entities such as people, organizations and even devices to manage their own identification online without relying on any centralized authority. A DID can include evidence about who the identity is and provide the means to authenticate as the identity. For example, DIDs can be linked to websites or tied to (ISO) certifications or company registrations. This is the perfect framework for the smaller use cases (while also being suitable for the larger use cases).
The Role of Blockchain
Distributed Ledger Technology (DLT), often referred to as Blockchain, can play a pivotal role in the new SSI ecosystem created by eIDAS. It might not yet be trusted enough to support the high-assurance use cases that require governmental oversight, but it can enrich the ecosystem with a permissionless and public trust system. DLT can be used to store and grant access to DID Documents in a secure manner without having to rely on a centralized party.
Secondly, the DLT can act as a place to publish more information about the identity. The aforementioned data that helps identify the Issuer is directly tied to the identity and always available for validation. The DLT can simultaneously act as a revocation list, which lists credentials that are made invalid. Both the identity information and revocation information would then be accessible via a decentralized system, creating a method where no party, including the Issuer, has any notion of how credentials are used.
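The revocation check described above, as an added example (not code from the original article or from Impierce Technologies): a verifier reads the Issuer's DID Document from a ledger and tests the credential's revocation bit locally, so the index being checked is never sent to the Issuer or anyone else. The in-memory ledger, the `did:example:university` identifier, the `RevocationBitmap` service type, the `revocationIndex` field and the bitmap encoding are assumptions made for illustration; signature verification is out of scope here.

```python
import base64
import zlib

def encode_bitmap(revoked, size=1024):
    """Issuer side: one bit per issued credential, compressed and base64url-encoded."""
    bits = bytearray(size // 8)
    for i in revoked:
        bits[i // 8] |= 1 << (i % 8)
    return base64.urlsafe_b64encode(zlib.compress(bytes(bits))).decode()

# Constructed stand-in for the public ledger (DID -> DID Document).
# The DID, the "RevocationBitmap" type and the encoding are assumptions.
LEDGER = {
    "did:example:university": {
        "id": "did:example:university",
        "service": [{
            "id": "did:example:university#revocation",
            "type": "RevocationBitmap",
            "serviceEndpoint": encode_bitmap({7, 42}),
        }],
    },
}

def is_revoked(did_document, index):
    """Verifier side: decode the whole bitmap and test one bit locally."""
    svc = next(s for s in did_document["service"] if s["type"] == "RevocationBitmap")
    bits = zlib.decompress(base64.urlsafe_b64decode(svc["serviceEndpoint"]))
    if not 0 <= index < len(bits) * 8:
        raise ValueError("index outside the published bitmap")
    return bool(bits[index // 8] & (1 << (index % 8)))

def check_status(credential):
    """Return 'valid', 'revoked', or 'untrusted' (fail closed on any lookup error)."""
    try:
        doc = LEDGER[credential["issuer"]]  # ledger read; the Issuer is not contacted
        revoked = is_revoked(doc, credential["revocationIndex"])
    except (KeyError, StopIteration, ValueError, zlib.error):
        return "untrusted"
    return "revoked" if revoked else "valid"

if __name__ == "__main__":
    # Constructed credential: only the fields the status check needs.
    degree = {"issuer": "did:example:university", "revocationIndex": 42}
    print(check_status(degree))
```

A credential whose Issuer or status entry cannot be resolved is reported as untrusted rather than valid, so a missing or malformed ledger record never passes the check.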
The European eIDAS 2.0 legislation is normalizing Self-Sovereign Identity concepts. When fully active, it will reshape how we interact online. The internet will transition away from accounts with passwords and make it much easier to identify yourself to new service providers such as webshops, universities, banks and even government services. Blockchain can have a pivotal role in supporting lower-assurance use cases, avoiding the need for excessive governmental oversight.