The End of Logins and Passwords, Just for Starters

Self-sovereign identity is a decentralized model that allows users to control their data, enabling digital experiences that are secure and interoperable.

A woman's face is segmented by different colored web browsers that show different anonymizing, irregular, and contrasting elements: sunglasses in one, a hat in another, a thin mustache in another, creating a mosaic disguise.
Abbey Lossing

Let’s say your name is Jennifer, and you’re in line to buy a cappuccino at a coffee shop where nobody knows who you are. As you approach the counter, the woman ordering coffee in front of you identifies herself as Jennifer so that the barista can call out her name when it’s ready. When it’s your turn to order, to avoid confusion, you give your name as Sally. Then, when your coffee is ready, and they call out “Sally,” you grab it and go on with your day without a second thought.

This scenario is an example in the physical world of what’s called self-sovereign identity in the digital one. It’s a technological model that enables a person to control their digital identity by selectively sharing credentials on a need-to-know basis, rather than unwittingly surrendering extraneous personal data whenever they access goods and services online.

The base state of self-sovereign identity, or SSI, is anonymity: to be nameless. You are anonymous by default in the physical world, outside of the circles where you introduce yourself or are already known. The same should be true in the online world. It can be with SSI, because you only present relevant credentials on an as-needed basis to parties that require them. That means you share minimized information in a verifiable form: for example, that you are old enough to drink, a member of the club, licensed to drive, or on a list of attendees. Interactions such as the one in the coffee shop could be limited to just revealing that you are a distinct human being among others in the queue.

In today’s digital world, we are constantly identified in various ways that are outside of our knowledge and control, whether we like it or not.

In the physical world, unless you’re cursed by celebrity or by living in a fully surveillant state, you’re anonymous to people who don’t know you by name, face, or voice. This is a grace of civilization because it assures a degree of public privacy. It also gives you lots of options about what you disclose to others selectively, on a need-to-know basis. This is why you carry credentials such as a passport, a membership card, and a driver’s license.

But that system isn’t perfect, because disclosure isn’t minimized by design. Your passport and driver’s license both say more about you than you may want to reveal to another person or system, when they don’t need to know more than the fact that you’re a citizen or licensed to drive. So the challenge for identity in the online world is to leverage what works well in the physical world and improve on it in ways that can only work in the digital one.

This is something of a tall order because, in today’s digital world, we are constantly identified in various ways that are outside of our knowledge and control, whether we like it or not. For that we can thank a simple law of technology: What can be done with a new technology will be done—until we learn what shouldn’t be done with it.

Among the infinitude of things that can and will be done with digital technology and the internet today is surveillance, as Shoshana Zuboff explores in her massive and magisterial book, The Age of Surveillance Capitalism. “The digital future has been hijacked by this rogue capitalism that now owns and operates the internet,” she writes. “There is a lot of work to be done if we are to build new bridges to a digital future that we can all call home. We deserve a digital future that amplifies human rights, individual sovereignty, and other requirements of a free and flourishing democracy.”

SSI addresses the individual sovereignty part of that challenge.

The idea isn’t new. Kim Cameron, who was Microsoft’s chief identity architect for many years, outlined what would become SSI in 2005, with his Seven Laws of Identity. In a 2012 blog post, Devon Loffreto, a teacher and open source software developer, distinguished between “sovereign source” and “administrative” identities. As he explained in a 2016 post, “Self-Sovereign Identity must emit directly from an individual human life, and not from within an administrative mechanism created by, for, as abstractions of individual human activities, and must remain amenable in design and intent directly by individual humans with original source authority.”

This exposed the distinction between identity and identifiers:

  • Identity is personal, and at the root of human agency.
  • Identifiers are for administrative record-keeping.

All we had in the online world was the latter. So this laid out for developers the need for real identity, rather than yet another way to issue identifiers.

When you look at it that way, you see that there has long been a symbiosis between the self-sovereign and the administrative sides of identity in the physical world. Managing that symbiosis from our side wasn’t too hard. We could keep track of our business relationships and our schools, clubs, and churches with our books of contacts, our checkbook ledgers, and the collection of credit and membership cards in our wallets. When somebody asked for our “ID” (which, to be clear, was actually just somebody else’s administrative identifier), we could usually assume that they weren’t going to use inessential information on the rectangle we showed them for other purposes.

SSI differs from this system by requiring administrative systems to issue verifiable credentials rather than an “ID.” So rather than a driver’s license, for example, you have a collection of attributes (authorization to drive, age, height, weight, eye and hair color, address) that the license issuer provides as a credential and others can verify on an as-needed basis. You carry these credentials in your virtual wallet. These (like the ones in our pockets and purses) are substitutable and can be made by anyone. For example, here is one from Trinsic, and here is another from Evernym.
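The minimized, verifiable disclosure described above (proving you are licensed to drive or old enough to drink without showing the rest of the license) can be sketched with salted hash commitments. This is an added example, not code from the article or from any wallet vendor it names; the attribute names and values are constructed, and an HMAC stands in for the issuer's digital signature so the block runs on the standard library alone (a real credential uses a public-key signature, so verifiers never hold the issuer's secret).

```python
import hashlib, hmac, json, secrets

# Constructed sample data: a stand-in issuer key and one license's attributes.
ISSUER_KEY = secrets.token_bytes(32)
LICENSE = {"authorized_to_drive": True, "old_enough_to_drink": True, "height_cm": 170,
           "eye_color": "brown", "address": "12 Example Street"}

def commit(name, value, salt):
    # A salted hash hides the value until the holder discloses (salt, name, value).
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def tag_for(key, digests):
    # HMAC over the commitments; stand-in for the issuer's signature (assumption).
    return hmac.new(key, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue(key, attributes):
    """Issuer: commit to every attribute, then authenticate the set of commitments."""
    salts = {n: secrets.token_hex(16) for n in attributes}
    digests = sorted(commit(n, v, salts[n]) for n, v in attributes.items())
    credential = {"digests": digests, "tag": tag_for(key, digests)}
    return credential, salts  # the salts stay in the holder's wallet

def present(credential, attributes, salts, reveal):
    """Holder: disclose only the attributes this verifier needs."""
    disclosed = [[salts[n], n, attributes[n]] for n in reveal]
    return {"credential": credential, "disclosed": disclosed}

def verify(key, presentation):
    """Verifier: return the proven claims, or None if anything fails to check."""
    cred = presentation["credential"]
    if not hmac.compare_digest(tag_for(key, cred["digests"]), cred["tag"]):
        return None  # commitments were not produced by this issuer
    claims = {}
    for salt, name, value in presentation["disclosed"]:
        if commit(name, value, salt) not in cred["digests"]:
            return None  # disclosed value does not match what the issuer committed to
        claims[name] = value
    return claims

if __name__ == "__main__":
    cred, salts = issue(ISSUER_KEY, LICENSE)
    shown = present(cred, LICENSE, salts, ["authorized_to_drive", "old_enough_to_drink"])
    print(verify(ISSUER_KEY, shown))
```

The verifier learns the two disclosed claims and that the credential carries five attributes in total, but cannot recover the address or height from the remaining digests because each is salted with a value only the holder knows.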

There is no end to the number and ways SSI can grow outside of the old administrative identity box. Take, for example, what the tech educator Phil Windley calls the self-sovereign internet of things. Here your things are truly yours and under your control. They don’t even need to be smart. For example, you can slap a QR code on your dumb gizmo, scan it into a cloud of its own (called a “pico,” for “persistent compute object”), and you can have a relationship with the maker or seller of that gizmo through that pico. When picos become common, they will give you one way to deal with many different companies, and save those companies the trouble of maintaining their own proprietary systems for limiting customer involvement (including useful forms of customer input).

Pico Labs, a research team led by Windley at Brigham Young University, focuses on developing pico-based technologies, such as a user interface for managing all of the things we own and our relationships with them — and with the companies that made them, the retailers that sold them to us, or the lessors we rent them from. One interface prototype is called Manifold. Since picos and their allied technologies are open source, the development opportunities are boundless.

These SSI scenarios are still mostly conceptual at this point, much as e-commerce was largely conceptual in 1991. But development is underway. Search for “self-sovereign identity” with quotes on Google and you’ll get nearly 600,000 results. On Bing you’ll get around 700,000. 

Looking through those results, you’ll see that credit unions are now using verifiable credentials with MemberPass, “the first identity wallet app built for credit union members to provide contactless, self-sovereign control over personal information.” Search for Canada+“self-sovereign identity” and you’ll find businesses and government entities applying SSI in a variety of ways. For European action, search for ESSIF. On the health care front, there are multiple efforts toward SSI-based COVID-19 “immunity passports.” To keep up with news about all this and more, look up #SSI on Twitter.

Working against SSI are two forces. The first is the “rogue capitalism that now owns and operates the internet,” as noted by Zuboff. Surveillance capitalism has spread from our browsers and apps into our digital appliances, our cars, and our public spaces. This is a non-trivial trend, but SSI has a good answer for it: more reliable (as well as secure and private) personal data than any amount of surveillance-based guesswork could ever produce. The other is the status quo around business-as-usual. Fortunately, there is one form of business-as-usual that everyone hates and SSI can solve: getting rid of logins and passwords, which may be the biggest pains in the ass ever invented in the connected world.

Today we have as many logins and passwords as there are administrative systems in our digital lives. Fortunately, this is also a big pain for the companies that build on it. Besides needing to maintain login-password systems at their ends, there is a massive temptation for bad actors to hack their way into those systems. By distributing user and customer relationship connections across many small points rather than one big database, the attraction of the familiar login-password honeypot disappears. 

Alex Andrade-Walz, a marketing expert, explains how SSI relieves everyone of login/password pains: “SSI is a decentralized identity model built on secure peer-to-peer connections, and it flips the equation… Instead of having individuals create accounts with the websites and apps they use, SSI offers verifiable, globally resolvable, and privacy-preserving credentials that we store and manage from the security of our own devices and can show to anyone, anywhere. In simpler terms, it’s like having a passport for the digital world. Our data lives with us; and with a few taps, we can share the information needed for authentication.”

In this interaction, both parties keep a record of the authentication. This gives us the ability to audit compliance with agreements, such as those regarding the confidentiality of shared information. You can’t do that today with any of the many websites that record your “cookie preferences.” That’s because they’re the ones with the records. You have nothing but unearned faith that they’ll hold up their end of what in nearly all cases is a bad bargain.

SSI also gives each of us scale: one way to deal with everybody and everything that needs information about us. Think of the work involved when you change your last name, your home address, or your credit card’s expiration date after it has been renewed. With SSI, you can make that change across all the entities you deal with in one move.

As with all new technologies and approaches, there are caveats to take into account. For instance, concerns have been raised (see here and here) that push back on the idea of vaccine and immunity “passports” based on some approaches to SSI.

But this entire field is still new, highly varied in approaches, and promising in the way it provides individuals with a form of agency that has been absent since the digital revolution began only a few decades ago. As a longtime advocate of increased personal agency online, I no longer have mere hope of real solutions. I have faith. Especially for the end of logins and passwords. Prior to SSI, I thought nothing would kill them. Now I know that their days are numbered.


Artwork By

Abbey Lossing
