Mastering Decentralized Identity: The Pillar of Web3
In a new era of identity, there is a lot to gain, but also a lot to lose for getting it wrong
Artwork by Reid Hannaford
Decentralized identity is a framework that aims to give users sovereignty over how their identity is expressed online.
Why master decentralized identity now
- The current centralized identity system confines the personal and professional development of users to a set of rules and incentives that exploit their attention.
- Many major players are invested in a solution, including Disco, SpruceID, Iden3, Polygon ID, Ceramic, the Ethereum Foundation and many more.
- The global decentralized identity market value is estimated to reach $6.8 billion by 2027 – according to Markets and Markets
- Updates in account abstraction and identity wallets have unlocked new possibilities that have yet to be realized.
- Mastering this subject early could open opportunities to help shape the future of social media, digital work and DeFi.
Table of contents
- The problem explained
- What is decentralized and self-sovereign identity?
- How it works
- Decentralized identifiers (DIDs)
- Verified claims
- Decentralized identity parties
- On-Chain DIDs
- Ethereum universal profile
- Smart wallets and account abstraction
- W3C-DID app
- Web3 Identity wallet
- Final thoughts
01. The problem explained
Who are you? It’s an open-ended question with an open-ended answer — filled with two complex and evolving sets of details:
- Identifiers: Anything that represents your personhood — information such as a name, alias, face, BTC address, social profile or ENS.
- Identity claims: Any claim associated with an identifier. They include what you do for a living, your family, your nationality, your social network, your beliefs, your values, your hobbies, your accomplishments, your failures and so on.
Your identity is ultimately defined by how you choose to express the relationship between these two sets of data. And in the real world, this expression is flexible. We have the ability to shape a reputation according to its context and change both identifiers and identity claims (with varying degrees of difficulty) when needed.
Why online identity is broken
Web2 identity is fundamentally broken because it lacks the inherent sovereignty that comes with identity expression. Third parties such as social media apps, email platforms, and games function as identity banks that gatekeep how and where and why you express your identifiers and identity claims.
Imagine a networking event where all the attendees are blindfolded, and the event is hosted by multiple unrelated parties. To connect with other attendees, you must first register with one of the hosts and provide information about yourself, such as your appearance and profession.
The host then broadcasts those details to everyone in their network who might be interested. However, each host only has partial access to the attendees — making it challenging to find everyone you want to connect with.
This fragmented network is far less efficient than meeting people in an open setting. As a result, attendees share more upfront with the host so that they don’t have to repeat their efforts on an individual basis. They even have to conform to the host’s rules and content preferences.
In the digital world, this translates into developing content sharing strategies and curating various social profiles for specific audiences. This approach trades the typical discretion you have in expressing your identity in return for reach and influence.
And even with the extra front-loading of personal information, you can’t transfer reputation from one platform or setting to another.
If you have a video channel that started as a comedy podcast but later became a history podcast, you cannot easily split the videos across two channels or two platforms. You have to start a new one from scratch without the views, subscribers, or comedic reputation from the old channel.
The online world, decentralized or not, is inherently foreign to the human experience. But with gatekeepers, it is impossible to express your identity through your own terms and conditions. As a result, your online expression is governed by central architects. They set the incentives, limit personal development, and ultimately infect their users with anxiety and depression.
02. The solution explained
What is decentralized identity?
Decentralized identity is an identifier framework that aims to give users sovereignty over how their identity is expressed online. It is decentralized in that it enables a management system that doesn’t need traditional identity gatekeepers in the credentialing and verification process.
It ultimately reverses the direction of permissioned data sharing — where instead of users requesting permission from platforms, platforms request permission from users. That recasts the Facebooks and Twitters of the world more as indexers than gatekeepers. This structure enables use cases that would open the door to a new digital identity economy.
But the solution is not straightforward. There are multiple methods with varying trade-offs. Before we explain the different approaches, we need to further map the sovereign self and outline the characteristics needed to manage it within a decentralized digital framework.
- The center of potentiality is the ineffable and immutable arch of self. It sits on the line between existence and non existence because it manages the creation and destruction of your identifiers and identity claims.
- The internal identity is the sum of identity components that are not visible to the public by default. They are things like your opinions and expertise. You can make them part of your external identity through sharing and proving them to others.
- The external identity is the sum of identity components either innately evident or made evident in a persistent and shared reality. A programming certificate is an example of an internal identity claim made evident to the public, and your physical appearance is an example of an identifier innately evident to the public.
It is important to note that the only part of the sovereign self that is immutable is the center of potentiality. Everything else is subject to recreation and entropy.
The further a characteristic sits from that center, the harder it becomes both to change it and to control its visibility. For example, it is easier to change your opinion than it is to change your fitness.
Solving for sovereignty
Designing a sovereign identity management solution in a decentralized digital framework is one of the hardest problems in applied computer science. It, like the center of potentiality, needs to let you manage the relationship between the internal and external nature of your identity, without anyone’s permission.
For the purpose of this article, we have labeled approaches to solving this problem as Decentralized Identity Management Solutions (DIMS) — distinguishing them from the broader digital framework we have defined as decentralized identity.
In order to solve for sovereignty, DIMS needs to be:
- Manageable: Just as the center of potentiality has creative and destructive capability, users need to be able to manage the visibility and mutability of their identifiers and identity claims. But this potentiality needs to come with reasonable degrees of effort and resistance.
- Portable: Just as there is only one center of potentiality, users shouldn’t be expected to manage multiple identity systems. Users need to be able to carry their identity management system, whether it is a wallet, app or identifier, across platforms and applications.
- Verifiable: Just as our persistent shared reality provides a basis for providing identity claims in the real world, the DIMS needs to provide a way for other parties to verify claims and identifier credibility.
How does it work?
The first step in producing a decentralized identity management solution is to organize the components needed to simulate the sovereign self. Once all the parts are in place, the DIMS needs to manage them in a way that doesn’t give centralized entities leverage and undue influence. And lastly, users need a guarantee that the system is manageable, portable and verifiable.
The Web3 identity glossary
Decentralized identity is an evolving discipline, so there isn’t consensus on the full list of necessary components just yet. But we created a list of all the terms you need to study to master the subject.
This list gets pretty complicated, so we created this visualization key to help you map the components and DIMS to the sovereign self.
Decentralized identifiers (DIDs), as this article uses the term, are identifiers recorded on public and immutable ledgers like Ethereum: typically an Externally-Owned Account (EOA), the smart contract address of an Ethereum Universal Profile, or an Ethereum Name Service (ENS) name. They are decentralized because their existence does not depend on a single entity; the only thing that controls them is a private key. Think of them as the various aliases you use to represent yourself in the real world.
- An Externally-Owned Account (EOA) is an Ethereum account controlled by a private key held outside the Ethereum blockchain. Anyone can create one, and individuals typically use EOAs to interact with the Ethereum network, such as sending or receiving ether or interacting with smart contracts. Whoever holds the private key holds the identifier: there is no built-in recovery if the key is lost or stolen, which is one motivation for the smart-contract account approaches discussed later in this article.
- An Ethereum Universal Profile is a smart contract standard (ERC725) on the Ethereum blockchain that defines a specific interface for identity management. Since it is a smart contract all identity changes incur gas fees as they are managed directly on the blockchain. Users need to connect their Ethereum Universal Profile to an EOA in order to pay those fees.
- Ethereum Name Service (ENS) is a decentralized domain name system that allows for the association of Ethereum addresses with human-readable names.
W3C decentralized identifier (W3C-DID) is the W3C Recommendation for DIDs, which, according to the organization, “does not presuppose any particular technology or cryptography to underpin the generation, persistence, resolution, or interpretation of DIDs.” A W3C DID resolves to a DID document that lists the verification keys under the controller’s authority (an Ethereum address, for example, via methods such as did:pkh or did:ethr) and service endpoints, which is how a single identifier can tie together addresses from several blockchains and public identifiers like social media profiles and email addresses.
And while that wrapped identifier may be recorded on a single blockchain, its standardization makes it possible for developers across different ecosystems to integrate W3C-DID functionality.
Verified claims are identity claims about a specific identifier that require evidence from an issuer or third party.
- Verifiable credentials (VCs) are a type of verified claim in which a third party cryptographically signs a claim about another decentralized identifier. This could be a claim about a credit score or a master’s degree. The power of this technology is that it lets the user prove these claims without revealing other sensitive information like their legal name or account balance. These claims are held privately by default and presented upon request. A VC can carry an expiration date, and an issuer can revoke one by publishing its status. Note that a plainly signed credential is revealed in full when it is presented; hiding individual fields from a verifier requires a signature scheme or proof system designed for selective disclosure.
- Soulbound tokens (SBTs) are a type of verified claim in which a public identifier makes a claim about another decentralized public identifier. This too can be a reputation claim, like a credit score. But the main difference is that the claim is permanent and public. This makes it easier for verifiers to prove, which makes it great for granting voting privileges in governance protocols. The biggest trade off is that these tokens are non-transferable, so if someone sends an undesirable claim, it is public for everyone to see and will remain at that address as long as it exists.
- Non-Fungible Tokens (NFTs) are similar to SBTs but remain transferable. They can be used to make claims about a decentralized identifier or as an expression of artistic preference or proof of attendance that is public for the world to see.
Self-verified claims are any type of verified claim that doesn’t require third party evidence. They are things like preferences and opinions. A user makes a self claim by simply issuing it or signing a VC, SBT or NFT to their own DID.
Zero-knowledge proofs enable users to reveal certain claims about their identity without revealing other claims and identifiers. This provides greater privacy and security for the user while still allowing for the verification of claims.
ZK badges: In response to some of the concerns with SBTs, projects like Sismo developed the concept of ZK badges. A user proves with a zero-knowledge proof, from the account that actually holds the evidence, that they satisfy a badge’s criteria, and the Soulbound token (the ZK badge) is minted to a separate destination account without publicly linking the two. The verifier learns only that the criteria were met, which gives a higher level of privacy while still allowing trusted identity verification.
Web3 profile is the set of public and private (encrypted) data a user has ascribed to a single DID or W3C-DID. This is sometimes called a data backpack or a Web3 persona, and occasionally a DID document, although strictly a DID document holds only the keys and service endpoints for an identifier, not the claims. Unlike the Ethereum Universal Profile, this data isn’t directly managed on the blockchain.
Decentralized identity parties:
- DID controller — the entity (usually the user) holding the keys that are authorized to make changes to a Web3 profile
- Issuers — entities that issue claims about another decentralized identifier or themselves.
- Verifiers — any entity or individual that requests evidence or proof of a claim about another decentralized identifier. They may not always know the identity behind that decentralized identifier.
W3C-DID app is a user interface for creating a W3C-DID and Web3 profile that lets the DID controller share verifiable credentials with select entities, manage the visibility of all claims associated with their W3C-DID and issue claims about other DIDs. Most W3C-DID apps only manage one Web3 profile.
Web3 identity wallet is a device or application that is used to manage multiple Web3 profiles, DIDs and their associated identity claims.
Identity record keeping: This provides the persistent and shared reality needed to verify claims about the sovereign self in the real world.
- Decentralized data registries provide a verifiable record of W3C-DIDs and their associated identity claims. Ceramic is an example of a decentralized data registry that is built on top of the IPFS network and the Ethereum blockchain.
- Blockchains can be used to keep public records for DIDs like Ethereum Universal Profiles, EOAs and ENS domains.
- Identity states are recorded on the blockchain to keep track of changes in claims made about a private Genesis ID, W3C-DID or DID. Depending on the protocol, the claims and DIDs associated with these states can be encrypted or made public.
Sign in with Ethereum (EIP-4361) is a proposed universal standard for proving control of an Ethereum account to off-chain platforms by signing a structured, human-readable message. This would let you sign into applications like Canva or Dribbble with your EOA or Ethereum Universal Profile instead of a Google account.
Currently, there are many different ways that an off-chain app or service can authenticate an Ethereum account, and that inconsistency is itself an attack surface: malicious sites present opaque signing prompts that are really transaction approvals, or simply ask users for their seed phrase. A standard message that names the requesting domain, a single-use nonce and an expiry lets the wallet show exactly what is being signed and lets the server reject replayed or cross-site messages, giving users a portable solution with a trusted wallet or Web3 identity wallet.
Decentralized identity management solutions
If you were to visualize the entirety of the internet as a VR game, then Decentralized identity management solutions (DIMS) would be the headset or bodysuit you put on to access and manage your avatar. The first step to building this identity management system is designing the access point. The design of choice will ultimately form the user experience of the DID controller, issuer and verifier.
The list of design options is potentially endless, but there are three primary approaches.
One approach to DIMS is to use an on-chain DID like an EOA, ENS or Ethereum Universal Profile as the access point. The primary benefit to this approach is that it leverages an existing user base.
Users that operate multiple EOAs through their Web3 wallet, such as MetaMask, can use some of those accounts to hold SBTs and NFTs.
Quadrata can issue identity passports to an account as an SBT. This passport would publicly verify that the owner of the address is who they say they are. It could even verify claims about AML risk and on-chain reputation.
And projects like SpruceID are working on a full open-source stack that integrates these solutions across a set of standards like Sign in with Ethereum and credentialed wallets.
In this case, all claims about the EOA are public on the blockchain. So users need to carefully consider what they want to disclose. They have to think about how they want to use that EOA and fund it for other on-chain interactions. For example, if you want to use an EOA to prove reputation scores, you may not want to also share your account balance.
Secondly, an EOA doesn’t have the ability to reject claims from other parties. So if an account with an identity passport also receives SBTs revealing personal information like your address, then it would be impossible to remove.
Ethereum universal profile
In some instances, an Ethereum Universal Profile can give users the ability to manage the visibility of claims in their account. Users need to either deploy their own smart contract following the ERC-725 standard or use an app. When the standard was initially proposed, many organizations joined the ERC-725 Alliance to help build a friendly user experience for a universal profile.
But many of those organizations struggled to produce a solution that avoided the expensive gas fees needed to manage claims. So some have moved on to alternative methods. For example the author of ERC-725, Fabian Vogelsteller is now working on Lukso, a new blockchain built for decentralized identity.
Smart wallets and account abstraction
But with the new implementation of ERC-4337 and smart wallet advancements, developers may be able to create a smart wallet that does not require users to pay gas fees every time they want to make a change in their universal profile.
According to Blockworks Research analyst Ryan West, “A smart contract wallet before 4337 would have a relay in the middle [managed by a third party]. So, you’d send your transaction to the relay, and it would make sure the credentials are correct before sending that to the smart contract.
The new ERC-4337 lets users manage a smart contract wallet without using a relay. But it is simply one possible implementation of smart contract account abstraction.
If wallets choose to run their own relay, they could have bugs in their code. So 4337 offers a standard that may be a little more secure. Overall, it is not much different to the user.”
Keep an eye out for his upcoming report on ERC-4337 Account Abstraction to learn more about the risks and opportunities that come with this new standard.
On-Chain DID review
- Manageability: Weak
- Portability: Limited to Ethereum ecosystem
- Verifiability: Strong
- Takeaway: The inability to reverse claims is incongruent with the way you manage the relationship between your internal and external identity.
The second approach to DIMS is to use a W3C-DID application as the primary access point.
Disco.xyz is an app that lets users create their own W3C-DID and Web3 profile called a data backpack. Users first need to create a W3C-DID by authenticating ownership of a DID like an EOA. For now, this is only possible with a MetaMask wallet.
Once the W3C-DID is created, users can add and remove verifiable credentials. And because those credentials are held off-chain rather than minted to the public Ethereum address the W3C-DID is linked to, they can select which credentials they want visible to the public and which they want to disclose on a case by case basis.
How users manage their credentials
W3C-DID apps such as Disco work together with the Ceramic data registry to provide users the ability to manage the visibility of identity claims in their Web3 profile.
- First, the app writes identity data to a Ceramic stream, an append-only log of commits stored as content-addressed objects on IPFS. The data could be self claims like photos you took on a vacation or claims validated by an issuer, like age or GPA. Anything in a stream can be read by whoever resolves it, so sensitive claims are encrypted client-side before they are written.
- Each commit is signed by the controller’s DID and references the previous commit by hash, so only the DID controller can append and any alteration of the history is detectable.
- Ceramic then periodically batches recent commits into a Merkle tree and publishes the root in an Ethereum transaction; each stream receives an anchor commit (a Merkle proof plus the transaction reference), which provides an immutable, timestamped reference point for a claim.
- This signed and anchored log, rather than a smart contract, is what produces a verifiable registry. It allows third parties to verify that claims made in association with particular W3C-DIDs have not been tampered with or backdated.
Unlike DIMS that use an EOA as the access point, this solution gives users more control over their privacy. The challenge though is, most apps limit your account to one Web3 profile. This makes it difficult to manage the reputation of multiple pseudonyms.
Imagine a scenario where you are using a pseudonymous profile to apply for a DAO grant. The DAO may ask for credentials that exist on another profile. W3C-DID apps don’t yet provide a way to share credentials without revealing their association.
W3C-DID app review:
- Manageability: Average
- Portability: Strong
- Verifiability: Strong
- Takeaway: You need to duplicate claims for multiple profiles across different accounts in order to manage your internal and external identity with complete sovereignty. This may be too complicated for the average person.
A Web3 identity wallet
The third approach to DIMS is a Web3 Identity Wallet that uses a single immutable and private identifier as the access point. This provides the potential for even greater identity flexibility.
For example, the Polygon ID team at Polygon Labs (building on the Iden3 protocol) uses cryptographic tools to issue private and immutable identifiers called genesis IDs. A genesis ID is derived by hashing the identity’s initial state, itself built from the roots of Merkle trees that hold the user’s claims, so it can be computed and used without being published; the claims stay in those trees on the user’s side rather than on the blockchain.
Zero-knowledge proofs are then used to show that the owner of the genesis ID also controls public identifiers like blockchain addresses and social media profiles, or holds a particular claim, without revealing anything else. This makes claims made in association with the genesis ID private by default and interoperable with any number of Web3 profiles.
Instead of using Ceramic’s data registry, these DIMS use identity states to cryptographically prove claims. These states record that a change has been made on the blockchain without revealing any personal data.
Onboarding users to the new features and use cases is an uphill battle as many are unfamiliar with identity wallets and the underlying tech. But the team at Polygon Labs made some updates since publishing:
- They updated their profile feature to include more privacy controls when making connections.
- They launched the PolygonID ecosystem explorer, which showcases a variety of use cases. Some of these include physical and digital gatekeeping and ways to provide KYC checks without exposing sensitive on-chain data.
- They are expanding their educational hub.
A Web3 identity wallet review
- Manageability: Strong
- Portability: Average
- Verifiability: Strong
- Takeaway: It is close to providing a similar degree of sovereignty in digital expression, but is working towards the adoption needed to express claims in a meaningful way.
03. The impact explained
New developments in account abstraction and identity wallets may produce a solution that overcomes some of these challenges. If it succeeds, you will be able to manage every part of your online expression in one place. Instead of publishing a social media post in an app, you might publish to a public persona in your wallet – where multiple social media indexers will share to your followers.
Read more: 6 Web3 Social Media Apps To Keep an Eye On
You could use a pseudonymous profile in that same wallet to apply for remote contract work or vote on a governance proposal. Verifiable credentials can revolutionize reputation and help foster an ecosystem that rewards people more for their contributions than their influence.
The risks of getting it wrong
But there is still work to be done and a lot at stake if it goes wrong. Users need to be able to express their identity without accidentally making sensitive information permanently public on the blockchain. And they need to be able to engage the online world without carrying every mistake into an interaction.
The decentralized identity ecosystem also needs to balance flexibility with accountability. If a lending DAO is reviewing the reputation scores of a loan applicant, then the DAO needs guarantees that the applicant isn’t hiding negative reputation claims. Selective disclosure works against this by design: a holder who chooses what to present can simply omit the unfavourable credentials, so the DAO needs either a credential from an issuer that already folds defaults into a single score or a registry it can query directly.
So while there may be a right way forward, it may take more time to earn user confidence.
This article has been edited since publishing to reflect updates in identity wallets