Federated vs Self Sovereign Identity

A couple of weeks ago Covid-19 prevented me from flying to Las Vegas for the Know Identity Conference and made me abandon my plan to write a post on what I discovered there.

So, having had a rethink over Easter, I decided to record my perception of the differences between Federated Identity and Self Sovereign Identity and why I think that Federation cannot provide the Internet’s missing identity layer.

Federated identity management (FIM) is a means to enable users to access the systems and applications of multiple organizations using one login credential. Identity federation allows users to maintain login credentials with multiple credential service providers (CSPs) (e.g., email or social media providers) and then choose among them when logging into different online services.
– NISTIR 8149

To my mind, the principal beneficiary of federated identity is the business organisation (the Identity Provider and the relying parties it serves), not the citizen, i.e.

  • Increased efficiency and cost savings from not having to manage users’ login information;
  • Improved risk management through multilateral agreements;
  • Reduced privacy risks due to limited replication of users’ personal data across the organisation’s infrastructure;
  • Improved system design criteria based on a defined risk profile that is aligned to the community being served.

But that is not to say that users of federated identity systems do not also benefit; they clearly do:

  • Improved user convenience and reduced risk from having fewer sets of usernames and passwords to remember and manage;
  • Single Sign-On (SSO), enabled by FIM, is an efficient way for employees to access the corporate resources, applications and data they need to do their jobs;
  • The organisation’s HR department and its associated access control mechanism act as a single source of truth, so users are not repeatedly asked to enter personal details when requesting access to shared resources.

The downsides of Federation

But … what about us as Citizens, when we are not at work, when we are managing our online life and when we are using the Internet for our own personal reasons?

To operate effectively, FIM needs multilateral and mutual trust between service providers, operating across a clearly identified infrastructure with an understood and consistent risk profile. For example, the UK government’s Verify service relies on a common (and, crucially, formally assessed) risk profile for OFFICIAL information. Once an individual’s identity has been established by one of the identity providers operating within Verify, that identity can be used by the citizen to gain access to various government services, such as benefits, taxes, driving licences, passports etc.

What’s good for the workplace doesn’t necessarily transfer to the wider world…

The Internet does not have the common risk profile and multilateral, mutual trust and governance that Federated Identity Management requires.

But not to worry, that yawning chasm is being filled by GAFAM, the Internet’s Big Five – Google, Apple, Facebook, Amazon and Microsoft! Each time you come across one of their “Sign in with…” buttons on a third-party site, you are being offered the opportunity to share your identity with GAFAM and, with every login, to tell them which site you are visiting.

So what’s wrong with that, you might ask.

Well, let’s have a look at the UK Information Commissioner’s 2018 report to Parliament on its investigation into the use of data analytics in political campaigns, and decide for yourself whether Facebook can be trusted with your personal data.

The ICO –

  • Found that between 2007 and 2014 Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and by allowing access even to the information of users who had not downloaded the (personality testing) app but were simply ‘friends’ of people who had. Facebook also failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform;
  • Issued Facebook with the maximum monetary penalty of £500,000 available under the Data Protection Act 1998;
  • Referred Facebook to the Irish Data Protection Commission regarding its targeting functions and the techniques used to monitor individuals’ browsing habits, interactions and behaviour across the internet;
  • Investigated other organisations linked to Facebook and engaged in buying and selling personal datasets in the UK (so-called data brokers); these too were subject to substantial monetary penalties;
  • Concluded that Facebook did not take sufficient steps to prevent apps from collecting data in contravention of data protection law;
  • Established that the personality test app used the Facebook login in order to request permission from the app user to access certain data from their Facebook accounts;
  • Found that Facebook did not follow up on a request to Cambridge Analytica that personal data obtained from Facebook be deleted.

On the basis of the evidence produced by the ICO I, for one, don’t trust the privacy management capabilities of Facebook. I certainly won’t be trusting them with my identity data and I’m disinclined to use any of the Big Five to act as arbiter of my identity.

There simply must be a better way of enabling single sign on to all manner of Internet services, including banking, medical records, online shopping, social networking, interaction with government services, holiday bookings, clubs and memberships, email, educational & professional qualifications, investments & mortgages etc… etc…

And there is…

Self Sovereign Identity

A number of leading lights in the SSI community have come together to write the definitive study of Self-Sovereign Identity, due to be published in December 2020. I highly recommend the early-access (MEAP) copies of this book as essential reading for those interested in this intriguing and fast-developing area of new technology.

MEAP v3 by Alex Preukschat and Drummond Reed.

Preukschat and Reed identify a number of reasons why the Federated Identity Model does not provide the missing Internet identity layer:

  • There isn’t one IDP that works with all sites, services, and apps. So users need accounts with multiple IDPs, and pretty soon they start forgetting which IDP they used with which site, service, or app.
  • Because they have to serve so many sites, IDPs must have “lowest common denominator” security and privacy policies.
  • Many users—and many sites—are uncomfortable with having a “man in the middle” of all their relationships, particularly one able to surveil users’ login activity across multiple sites.
  • Large IDPs represent some of the biggest honeypots for cybercrime ever created.
  • IDP accounts are no more portable than separate accounts linked to each website (centralised model); if you leave an IDP like Facebook or Twitter, all those account logins are lost.
  • Lastly, due to the security and privacy concerns, IDPs are not in a position to help users securely share some of their most valuable personal data, e.g., passports, government identifiers, health data, financial data, etc.

The most important difference between SSI and FIM is that SSI is no longer account-based. Instead there is a direct, secure, peer-to-peer relationship between the two parties, i.e. a shared connection. Neither party “controls” the relationship, and this is true whether the parties are people, organisations or things.

The key to the security of these connections is the underlying decentralized public key infrastructure (DPKI). In most current SSI designs this is backed by a blockchain, although the W3C DID model only requires a “verifiable data registry”, which can equally be a ledger or a web server (did:web); for pairwise peer DIDs no registry is needed at all, because the keys are exchanged directly between the two peers. Together these enable:

  • The exchange of public keys directly between any two peers;
  • The exchange of digital identity credentials (aka verifiable credentials) to provide proof of real-world identity; and
  • The storage of public keys for publicly resolvable identifiers (typically issuers) on public blockchains specifically designed for the purpose.

In the centralized and federated identity models, the locus of control is with the issuers and verifiers in the network. In the decentralized self-sovereign identity models, the locus of control shifts to the individual identity owner, who can now interact as a full peer with everyone else.

– Preukschat & Reed, SSI MEAP v03, Manning Publications

Preukschat and Reed summarise the difference between the FIM and SSI concepts of operation as follows.

FIM architecture: the user first contacts the Service Provider, is then redirected to the Identity Provider where he/she logs in, and is then redirected back to the SP, providing the latter with the user’s identity attributes that the IdP is willing to release.

SSI architecture using VCs: there is none of this web-based redirection within a defined “federation”—the user, as holder, obtains VCs from issuers and uses them independently at any verifier that will accept them.

The FIM architecture places the IdP at the centre of the ecosystem, whereas the SSI/VC architecture places the holder at the centre of the ecosystem.

Fundamentally, the SSI/VC philosophy is that users are paramount and only they decide who to give their VCs to, whilst the FIM philosophy is that IdPs are paramount and they decide who can receive the user’s identity attributes.

Today’s federated identity management infrastructures give issuers (IdPs) great power because they are at the centre of the ecosystem. SSI/VCs turn this model on its head and place users at the centre.
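To make the holder-centred flow concrete, here is a small added example (my own code, not from the Preukschat and Reed book or any SSI project) of the issue / hold / present / verify cycle described above. An issuer signs a credential bound to the holder’s DID; the holder later presents it to a verifier together with a signature over the verifier’s fresh nonce, proving possession of the subject key; the verifier checks everything using only the issuer’s public key (read from a registry) and the holder’s public key (received directly over the pairwise connection). The issuer is never contacted at verification time, which is exactly the property the IdP-centred FIM redirect flow lacks. The DID names, the `did:example:` method, the in-memory `Registry` standing in for a ledger and the claims are all hypothetical; the code uses Go’s standard `crypto/ed25519` and omits revocation, selective disclosure and DID document resolution.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is the issuer-signed part of a VC: claims bound to the holder's DID.
type Credential struct {
	Issuer, Subject string
	Claims          map[string]string
}
// SignedCredential is handed to the holder once, at issuance.
type SignedCredential struct {
	Credential Credential
	Signature  []byte // issuer Ed25519 signature over canonical(Credential)
}
// Presentation goes holder -> verifier: credential plus holder signature over nonce||issuer-signature.
type Presentation struct {
	Credential   SignedCredential
	Nonce, Proof []byte
}
// Registry stands in for the verifiable data registry (ledger, did:web, ...):
// public issuer DID -> public key. The verifier only reads it; nobody logs in.
type Registry map[string]ed25519.PublicKey

// peerDID derives a DID from a key, did:key style, so a DID cannot be claimed
// without the matching private key (hypothetical did:example method).
func peerDID(pub ed25519.PublicKey) string { return "did:example:" + hex.EncodeToString(pub) }
// canonical returns deterministic bytes to sign; encoding/json sorts map keys.
func canonical(c Credential) []byte { b, _ := json.Marshal(c); return b }

func Issue(issuerDID string, issuerKey ed25519.PrivateKey, subjectDID string, claims map[string]string) SignedCredential {
	c := Credential{Issuer: issuerDID, Subject: subjectDID, Claims: claims}
	return SignedCredential{Credential: c, Signature: ed25519.Sign(issuerKey, canonical(c))}
}

func Present(vc SignedCredential, holderKey ed25519.PrivateKey, nonce []byte) Presentation {
	msg := append(append([]byte{}, nonce...), vc.Signature...)
	return Presentation{Credential: vc, Nonce: nonce, Proof: ed25519.Sign(holderKey, msg)}
}

// Verify checks a presentation without contacting the issuer. peerKey is the
// public key the holder handed over directly when the pairwise connection was
// set up; peer keys never go on the registry.
func Verify(p Presentation, reg Registry, peerKey ed25519.PublicKey, nonce []byte, trusted map[string]bool) error {
	vc := p.Credential
	if !trusted[vc.Credential.Issuer] {
		return errors.New("issuer not on this verifier's trust list")
	}
	issuerPub, ok := reg[vc.Credential.Issuer]
	if !ok {
		return errors.New("issuer DID does not resolve")
	}
	if !ed25519.Verify(issuerPub, canonical(vc.Credential), vc.Signature) {
		return errors.New("issuer signature invalid: credential forged or tampered")
	}
	if vc.Credential.Subject != peerDID(peerKey) {
		return errors.New("credential subject is not the connected peer")
	}
	if !bytes.Equal(p.Nonce, nonce) {
		return errors.New("nonce mismatch: replayed presentation")
	}
	if !ed25519.Verify(peerKey, append(append([]byte{}, p.Nonce...), vc.Signature...), p.Proof) {
		return errors.New("holder proof invalid: presenter does not control the subject key")
	}
	return nil
}

// RunScenario plays issuer, holder and verifier with constructed keys; returns per case whether the verifier accepted.
func RunScenario() map[string]bool {
	uniPub, uniPriv, _ := ed25519.GenerateKey(rand.Reader)
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	malPub, malPriv, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{"did:example:university": uniPub, "did:example:rogue": roguePub}
	trusted := map[string]bool{"did:example:university": true}
	nonce := []byte("verifier-challenge-1")
	accepted := func(err error) bool { return err == nil }
	vc := Issue("did:example:university", uniPriv, peerDID(alicePub), map[string]string{"degree": "BSc"})
	res := map[string]bool{}
	res["valid"] = accepted(Verify(Present(vc, alicePriv, nonce), reg, alicePub, nonce, trusted))
	tampered := vc // holder edits her own claims after issuance
	tampered.Credential.Claims = map[string]string{"degree": "PhD"}
	res["tampered"] = accepted(Verify(Present(tampered, alicePriv, nonce), reg, alicePub, nonce, trusted))
	// a presentation made against an earlier challenge is replayed
	res["replay"] = accepted(Verify(Present(vc, alicePriv, []byte("old-challenge")), reg, alicePub, nonce, trusted))
	// Mallory has Alice's credential bytes but connects with his own key
	res["stolen"] = accepted(Verify(Present(vc, malPriv, nonce), reg, malPub, nonce, trusted))
	// resolvable on the registry but not on this verifier's trust list
	rogue := Issue("did:example:rogue", roguePriv, peerDID(alicePub), map[string]string{"degree": "PhD"})
	res["untrusted"] = accepted(Verify(Present(rogue, alicePriv, nonce), reg, alicePub, nonce, trusted))
	return res
}

func main() { fmt.Println(RunScenario()) }
```

Two design points worth noting. The nonce is what turns a stored credential into a fresh proof: without it, anyone who captured a presentation could replay it. And the subject check binds the credential to the key exchanged over the connection, so a credential copied out of someone else’s wallet is useless to the thief. Note also what is absent: `Verify` never calls the university, and the registry learns nothing about where or when Alice uses her degree.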

We started out trying to find a solution to the Internet’s missing identity layer; what we ended up discovering was that to solve those problems we needed a shift in control from the centres of the network—the many “powers that be”—to the edges of the network—where all of us exist and interact as peers.
– Preukschat & Reed

Three dimensions to Digital Identity

In his June 2018 webinar for the SSIMeetup group, Daniel Hardman presents an interesting take on digital identity, calling it multi-dimensional: it manifests itself in three separate planes along three separate axes – Relationships, Data (or attributes) and Agents (or proxies).

Digital identity is multi-dimensional

Agents or Proxies axis

These are the devices, software and services that represent me when I use the Internet; they are effectively acting as my agent or proxy. It is in this category that the proposed digital wallet sits, as its purpose is to negotiate identity-related transactions and connections on my behalf. Consider eBay, for example, which represents me to the seller and the seller to me, handling the necessary financial transactions to an acceptable level of security; there is no direct connection between the seller and me.

Attributes or Data axis

Facebook, for example, gathers information about its users, which it uses for a number of commercial purposes, some beneficial to the user and some beneficial to Facebook. In the current federated identity model Facebook can act as a trusted identity provider by using my authentication data to allow me to sign on to other sites. On the other hand, the Cambridge Analytica scandal shows us that Facebook gathers and uses all sorts of other data relating to us for commercial purposes. They are clearly not impartial or independent intermediaries in these transactions, and the level of trust we should place in them is questionable. One could argue that the true home of a social network should be along the relationships axis.

Relationships axis

We are not allowed to take our relationships with us when we opt to extract our personal data from Facebook and other social network providers and store it elsewhere; we are obliged to close down our account. This renders the extracted data useless for maintaining relationships and reinforces the lock-in to provider services. This situation is much like the early days of online banking when the hassle of moving from one bank to another was out of proportion to the benefits achieved; with Open Banking this is no longer the case.

Who knows what about me?

Currently, this question is impossible to answer. In future I expect my Personal Online Datastore (POD) and digital wallet to keep track of the personal data that I have chosen to share with those with whom I have established personal or commercial relationships.

When Equifax was breached in 2017 it took the company many weeks to disclose the fact, many more to establish what information had been compromised, and longer still to get round to notifying everyone whose information had been stolen. No one knows where that data is now, but some commentators suspect, given the proximity of the breach to other major data breaches and the fact that this data has not appeared on the dark web, that it has been saved in a huge Chinese data lake and is being used to support espionage operations against the West. (In February 2020 the US Department of Justice charged four members of China’s People’s Liberation Army in connection with the breach.)

Knowing who knows what about me is a critical factor in the maintenance of the privacy and security of personal data.

Which agent or proxy can represent me?

Answering this question is, in theory, a little simpler than knowing who has my data, in that I have a relationship with my agent or proxy and should be able to control the release of personal data. This may not always be the case, as the context of the representation is critical. My solicitor may represent me in court, but I wouldn’t expect her to speak on my behalf when arranging a holiday. I would expect my doctor to share relevant medical information with a hospital, but I’m a little more wary if they are seeking to share the same information with big pharma without the necessary anonymisation controls in place.

Which agent can share what about me?

I don’t expect eBay to share my credit card details with the seller, I don’t expect commercial organisations to share my phone number and address with partner organisations and I certainly do not want metadata from my social media interactions to be shared with advertisers so that they can personalise the adverts I see online.

Greater granularity, detailed configuration and improved contextual analysis are required to maintain continuous control over the sharing of personal information by agents or proxies on my behalf.