How decentralized identity is shaping the future of data protection

In this Help Net Security interview, Patrick Harding, Chief Architect at Ping Identity, discusses the promises and implications of decentralized identity (DCI) in cybersecurity.

By redistributing identity management responsibilities among issuers, holders, and verifiers, DCI empowers individuals to selectively disclose personal information, thereby minimizing fraud risks and increasing privacy. However, challenges persist in educating users about the benefits and adapting to the new user experience paradigm.

Decentralized identity promises greater user control and privacy. How is this achieved, and what are the implications for cybersecurity?

Decentralized identity (DCI) is an approach to identity management that allows users to control their identity information and eliminate the need to provide unnecessary amounts of personal information in order to access a service. There are three parties involved in this process that each play an important role: the issuer, the holder, and the verifier. The issuer is the organization – universities, credit bureaus, pharmacies, etc. – that creates a verifiable digital credential; the credentials are a set of claims that represent unique attributes of an identity – date of birth, address, degree type, credit score, etc.

The goal is to empower individuals with the release of their own individual claims when required. For example, only release date of birth from their driver license when required to verify age, versus also sharing their address, weight, height. By putting personal data in the power of the individual, decentralized identity increases privacy and reduces the possibility of fraud and account takeovers by helping ensure the person behind the credential is who they claim.

In terms of the cybersecurity implications, it is changing the entire attack surface by shrinking it. Since each individual manages and stores their own data, there is no centralized source of information for cybercriminals to attack.

What are cybersecurity professionals’ main challenges when implementing decentralized identity solutions?

As with most industries right now, AI is impacting operations and causing organizations to evolve in real-time. This is no different with decentralized identity. AI will make the authenticity of individuals less obvious, so organizations will have to present layered approaches to authentication to ensure that people are who they say they are before they are issued a credential.

The user experience also poses challenges – including how to use the wallet, wallet recovery, wallet selection, selecting which claims to make available, etc. Additionally, when issuers and verifiers are different organizations, it requires interoperable protocols – which is still in early stages of development.

What role do standards and interoperability play in successfully deploying decentralized identity systems?

Standards and interoperability will be critical for DCI to achieve adoption at internet scale – and take advantage of network effects. Standards must exist to enable interoperability between different organizations acting as issuers and verifiers, as well as different wallets, that all may be enabled by different vendors’ open-source implementations. This requires rethinking about an organization’s relationship with personal data and their ability to mine that data.

When organizations and end users realign on new ways to create insightful and personalized services that offer meaningful personal control of data, we will see greater adoption. Standards can ensure that major digital wallet players, as well as smaller and more niche speciality providers, interoperate with services in the issuer and verifier roles in a seamless way.

How do decentralized identity systems align with regulatory frameworks like GDPR or CCPA?

DCI is aligned with these frameworks as it is designed to enable the user to maintain control of their information and preserve their privacy. A key tenant of decentralized digital identity is to take away the possibility of being non-compliant by minimizing exposure to personal data. It’s important to note that being compliant doesn’t necessarily guarantee security or privacy.

How will decentralized identity change the landscape of cybersecurity practices?

DCI will improve security for many organizations as they can rely on users providing PPI from a wallet on demand – as opposed to having to store PPI and run the risk of data breaches. DCI can be used to limit the information attackers can access in a centralized place.

As with any innovation, threat actors often find ways to infiltrate even the most robust of security operations and protocols. In light of this, it is critical for organizations to remain vigilant, even when implementing a decentralized identity approach.

As decentralized identity becomes more commonplace, organizations need to stay one step ahead of attackers by continuously investing in capabilities and products to thwart potential risk.

What challenges do you foresee in educating users about the benefits and use of decentralized identity?

Decentralized identity completely changes the user experience. Not only will organizations need to educate users about the benefits in a straightforward way they can understand, but they will also need to explain why and how the user experience will differ from previous identity verification processes.