With the metaverse on the horizon, it’s likely that we’ll be spending a far greater amount of time in virtual spaces. Companies will be conducting business in virtual board rooms; transactions of all sizes will be carried out in metaverse retail spaces; and interpersonal experiences, both personal and professional, will take place in a virtual environment. Given that our virtual representation will be an avatar, it’s worth asking: how will people know that you are really you? How will you protect your online identity? What about verifying the identity of others? As our personal identities become more deeply integrated online, it's more important than ever to make sure our online identifications are verifiable and well-protected.
With more personal information at stake than ever before, the sheer number of data breaches occurring in recent years proves that the current model of username/password logins is rapidly becoming obsolete. What’s more, we’re often unclear on who has access to what personal information: with user metadata often on sale to the highest bidder, we pretty much lose control over who can see our information once we hand it over to a given company. But beyond all of that, as our lives increasingly shift into virtual spaces, we need to secure our digital identities and verify those around us. Fortunately, the answer for protecting and reclaiming control over our digital identities lies just around the corner. Introducing, Self-Sovereign Identities.
Self-Sovereign Identity (SSI) is a form of digital identity that's not tied to any platform, service, or company. It's owned by you and you alone. So when companies need your identification, you have far greater control over how much personal information you give them.
To get us started, let’s take driver's licenses as an example. If you're walking into a bar and get ID'd by the bouncer, you have to show them your driver's license. All the bouncer needs to know is your birth date, but by looking at your card, they also learn your home address, height, weight, eye color, driver's license number, and whether or not you're an organ donor. They don't need any of that information, but you have no control over what they read and don't read. With a Self-Sovereign Identity, you're able to select exactly which pieces of information you give out.
Currently, there's two types of identity management you'll encounter on a day-to-day basis:
There are several problems with these two types of identities. First, siloed IDs are inconvenient no matter how you slice it. We're cautioned against using the same username/password combo across multiple websites, so you’re forced to memorize several different login credentials for websites you may not even visit that often. If you cave and use the same login info across multiple websites, you leave yourself vulnerable to having several accounts hacked at once.
Federated ID management is an improvement over siloed IDs in terms of convenience, as it certainly streamlines the login process. But federated ID management hasn't improved account security or identity protection at all. Actually, federated IDs are potentially even less safe than siloed IDs: if a breach occurs within one of the major corporations that's federating your ID to smaller websites, your accounts for all of those websites can be compromised. If that seems unlikely to happen, it already has: in 2019 Facebook suffered one of the , exposing 530 million users' phone numbers, full names, locations, and email addresses.
Regardless of which form digital ID management takes, there are universal drawbacks to the way identities are secured today. Obviously, memorizing username/password combos is a hassle. If a service goes offline or shuts down entirely, your information may be unrecoverable. And perhaps most importantly, identity management services have a serious financial incentive to collect and store user data. That user data, taking the form of valuable – data that provides info about other data – can then be sold to the highest bidder. In their most innocent form, metadata sales can be used to tailor the banner ads that pop up on your screen. At worst, they can be used to influence election results across the world. Just ask .
So how does Self-Sovereign Identity solve these problems? Put simply, SSI puts the user fully in charge of their own personal information. There is no middleman between you and your identity, no transactions occurring without your knowledge, and no central repository of data. That last point is especially important: for an SSI data breach to occur like the 2019 Facebook data breach, a hacker would need to individually hack into 530 million accounts one by one. That would take an impossibly long time compared to hacking into a single data center that contains all 530 million accounts.
Because the personal information contained within SSIs is fully user-owned, users don't rely on a central platform or service to prove who they are. The user is the central platform providing the information, because they possess all the data themselves. SSIs also provide full consent and control over an individual's personal info: nobody has access to your information without your permission, and you get to choose which pieces of information you dole out to whom. To go back to the bouncer analogy, you would be able to show them just your birth date, without revealing any of the other information on your driver's license. Finally, SSIs are interoperable, meaning your SSI wallet will work for any company, platform, or service you're accessing. They can work for your Google account today, and give you access to an exclusive space in the metaverse in the future.
There's a lot of underlying tech here, so we’ll try to keep it simple. The main thing users need to understand is called "The Trust Triangle." The Trust Triangle is (believe it or not) made up of three points: Holder, Issuer, and Verifier.
In the driver’s license analogy, the person trying to enter the bar (Holder) has been provided a driver's license by the state government (Issuer). The person shows their ID to the bouncer (Verifier), and because the bouncer trusts the state government, the identification is credible.
Image credit: SSI Ambassador from Medium.com
The technology underpinning SSI functionality is a bit more complex, and worth looking into if you really want to understand the mechanics of SSIs. To keep it very brief, the three main components of SSI functionality are Verifiable Credentials, Decentralized Identifiers (DIDs), and Blockchain. Verifiable Credentials are the specific bits of information you're providing, e.g. your birth date on the driver's license. Decentralized Identifiers (DIDs) serve as the connections between two parties, allowing them to share personal information securely. And you've probably heard of blockchains before, but in the context of SSIs, blockchains simply provide a sort of virtual receipt for transactions and exchanges.
For a more in-depth rundown on the technology behind SSIs, check out the list of resources at the bottom of this article.
So what will SSIs change? In short, because they’re far more secure than traditional username/password combos, people will centralize much more of their personal information in their SSI. Your SSI will contain not only the information on your driver's license, but also your medical records, dietary preferences, chat logs with others, shopping habits, familial ties, and perhaps even harder-to-capture information like your personal tastes in things like fashion and art. That last part, though difficult to quantify, is actually already being registered through your behaviors on websites via cookies.
"But wait," I can hear you saying. "Isn't the whole point of SSIs that we won't store all our information in one place?" Fair question. It’s worth mentioning first that SSIs are significantly more secure than the username/password combos we use today, thanks to encryption via those elements we mentioned earlier (Verifiable Credentials, DIDs, etc.) That’s why people will feel more comfortable storing personal information on their SSI. At the end of the day though, we have to remember hackers and data breaches aren’t going anywhere. SSIs may be a tougher nut to crack than usernames and passwords, but the threat will still be there, just as it is for user accounts today. So although the tug-of-war between hackers and digital security professionals will continue on into the next generation of identity management, SSIs offer so many advantages over our current system for identity management that they still represent a massive step forward.
We’ve already mentioned how securing and verifying identities will become increasingly important as we shift toward the metaverse, but it’s worth closely examining exactly why that is. The metaverse – a collection of 3D virtual worlds where people can socialize, shop, and interact with one another – will play host to all kinds of virtual experiences. From high-level board meetings to intimate sessions with your therapist or hanging out with a friend at a virtual concert, it will be crucial to protect your identity and verify the identity of those around you. Given how much information we’ll be storing on our SSIs as well, safe and secure identity management is paramount.
All of the data on your SSI will likely be split into tiers, ranging from the basic to the highly personal. Based on how much info a given website or service needs, and how much you trust them in the first place, you will decide what “tier” of information you share with them. This gives you complete control over the information you share with others and also streamlines the tedious process of inputting fields of data and filling out forms. You'll also be able to share tiers of information with individuals as well as companies. Your family can share individual healthcare information with one another, opening up the possibility for Life Alert-style notifications. If your uncle's blood pressure starts to spike, you can be better prepared to react to a potential health emergency.
But perhaps the most impressive benefit of SSIs has to do with combining data sets. By storing separate sets of data all within one system, we can draw connections between seemingly unrelated data sets, unlocking new and meaningful insights. For example, right now your medical records are entirely separate from your grocery store receipts. Identifying correlations between the two is A) impossibly tedious, and B) demands serious expertise to draw any sort of meaningful conclusions. The ability to connect information on your diet, medical health, eyesight, fitness routine, grocery shopping habits, sleep patterns, and more, then allowing machine learning to do the heavy correlative lifting, opens up whole new avenues for understanding who we are and how we can improve our lives.
It's clear that Self-Sovereign Identities represent major advancements in security, privacy, convenience, and even personal health. But SSIs also offer a solution to a global dilemma. As our world becomes increasingly interconnected, international legibility poses an issue for those relocating from one part of the world to another. Medical records aren't standardized internationally so crucial details can get lost in translation, and national IDs are no better (let's not forget that the U.S. has no national ID; Social Security Numbers are a stopgap solution we're still using today.) Globalization presents so many opportunities for work, travel, and life experiences, but the issue of international legibility remains a major obstacle, blocking seamless movement across borders and between governments. Solving this Tower of Babylon issue with personal records is crucial as our world continues to become more interconnected.
But beyond connecting physical spaces, a standardized system for identity management will become increasingly important as we continue shifting toward the metaverse. The metaverse represents an interoperable collection of worlds which transcend national borders, and just like the Internet before it, the metaverse will serve as a global hub of communication and connection. Managing identities so that they’re not only secure but intelligible across barriers of language and culture will help to ensure that the metaverse lives up to its full potential.
For further reading on Self-Sovereign Identities, we've compiled a list of useful resources below:
The Glimpse Group is a Virtual Reality & Augmented Reality Platform Company Comprised of Multiple Software & Services Subsidiaries Creating Innovative VR/AR Solutions (products, software, and consulting services)