Within elastOS, the DID dApp allows users to create multiple W3C-compliant decentralized identities, called DIDs. This article defines DIDs, their unique characteristics, the problems they solve, and the current and future status of the DID dApp.
The Problem of Online Identity
In the physical world, identities are generally issued by local or federal governments. Upon receiving these physical identities (birth certificate, passport, ID card), citizens store them securely and use them for proof-of-identity in almost all physical scenarios.
However, on the internet, identity is a much more complicated issue. The process of providing a physical identity for online use cases can be tedious, risky, and oftentimes unnecessary. Most internet users have dozens of online identities, and in some cases, a different one for each application. While some of these identities can be used for multiple platforms (e.g. a Facebook login), all of them are centrally controlled by a third party. This system of centralized online identity is not only burdensome for a user to keep track of, but it is also vulnerable to security breaches. With centralized identities, users give up control over what data can be stored, shared, sold, and hacked, all while having to maintain the equivalent of a giant ring of keys.
DIDs enable an online experience where a user can have one identity for all applications, and where no central authority controls any such identities. With a decentralized identity protocol, life online is simpler and more convenient, and data can be owned and kept private.
What is a DID?
A DID is, by default, a meaningless string identifier that possesses several unique properties:
- A DID can (but does not have to) be stored on the blockchain, thus rendering all of its operations and transactions fully verifiable (document signatures, authentication, etc.).
- A DID can attach credentials – that is, pieces of information related to the DID owner – which can be kept private on the user’s device or published on the blockchain for public and permanent visibility.
- A DID is neutral, and thus does not depend on a single service provider such as Google or Facebook to authenticate and store personal information. Every service or application can share the same DID info, and no one owns the DID (and its content) except the user that registered it.
- A DID provides a standard process to store information, effectively streamlining dApp interactions. The Friends dApp leverages this standardization, as it allows users to retrieve a list of dApps used by their friends simply by virtue of accessing their DIDs. This process functions effectively because dApps register a standard credential on the DID Sidechain for all users.
6 Reasons Why We Need DIDs
1. Users entirely and exclusively own their identity.
In centralized identification systems, the identity providers (e.g. Facebook) own users’ identities and related information. In addition to having the opportunity to act maliciously, the centralized entities that control such identity systems are vulnerable to hacks whereby user identities and data are leaked to unknown organizations and individuals. But with Decentralized IDs, users possess exclusive control over their identity and related operations for functions like authentication and document signatures on third party websites. With Decentralized IDs, no other service interaction is required.
2. ID and personal information are separated.
In centralized identity systems, an “identity” comprises an individual’s person and personal information, such as age, name, address, and phone number. But using DIDs, an individual’s person and personal information are separate, as a DID is by default a meaningless string identifier, and pieces of personal information are credentials related to the DID. Credentials are totally private on the user’s device, and only that user can decide which to share, and with whom to share them.
3. Better privacy.
In centralized identity systems, when a user signs in to third-party services (e.g. signing in on a third party website using a Google account), his or her activities are recorded by the identity provider – most often, Google or Facebook. By way of this mechanism, identity providers know everything their users do, and all of the platforms where they do it – a truly zero-privacy model. In DID systems, both DIDs and credentials are controlled by the user directly from his or her device and there is no third party identity provider; thus, user activities remain opaque to third parties.
4. Separation between private and public information.
Because DIDs are backed by a public blockchain ledger, information can be stored privately on a device as well as publicly. As DID credentials follow a standardized format, other dApps – or some crawlers – can retrieve such information from the blockchain. Each user decides whether to store his or her decentralized Twitter ID (a yet to be invented dApp), freelance business phone number, and ELA address publicly. By simply scanning his or her DID QR code, a user can selectively share anything or everything at any moment. With today’s centralized identity providers, these features are infeasible.
5. DID is standardized and transferrable.
Whether a DID is created with Microsoft or Elastos, it respects the same W3C standard specifications. As such, even if, say, a university issues a diploma as a DID credential to a specific user’s Microsoft DID, the DID owner can later transfer the Microsoft DID into the Elastos ecosystem, and Elastos dApps will be able to access the diploma.
6. DIDs are more secure.
Even if you share your DID and credentials with a service provider, the service provider cannot use your DID and credentials to represent you, or do anything else on your behalf, malicious or otherwise. A DID guarantees this through its cryptography and design. In a centralized identity system, however, you cannot guarantee this level of security.
Features in DID dApp Version 1.0.6
- Generate a single user, and generate multiple DIDs for that user
- Create a DID locally on a device
- Manage a profile (i.e., credentials)
- Publish the DID and related credentials on-chain
- Import a previously saved DID
- Support inter-dApp functions to:
  - Deliver credentials to other dApps on their request (ex: to implement third party sign in)
  - Sign data for other dApps
  - Register application profiles (related to the Friends dApp)
- Always selects the appropriate DID for inter-dApp functions; users can choose a different DID for different dApps (typically for privacy-related purposes)
- Fingerprint / passwordless support
- Ability to integrate external credentials received from third parties into DID profiles (e.g., a university issues a diploma and the user saves it in his or her profile for later use)
- Related services: an automatic email verification service and a real identity check service, which enable confirmed verifications to be attached to DIDs. Third party dApps will therefore be able to use certified information, such as identity checks, email address confirmation, and more.
- Backup and restore full DIDs in secure, private locations – not only the DID key itself, but published and private credentials, and more.
- Password changes
- Onboarding screens for an improved onboarding experience.
Comparing DID Sign-In with Traditional Facebook Authentication
Let’s imagine a user wants to sign in to his or her favorite news website.
- Facebook sign in:
  - Click “sign in with Facebook” on the news website page.
  - Facebook handles the sign in process on its servers, so it knows which news website is requesting the user’s Facebook identity each time the user visits that news website.
- DID sign in:
  - Click “sign in with DID” on the news website page.
  - The elastOS DID dApp handles the authorization request. Only the news website communicates with the DID dApp; neither the Elastos Foundation nor anyone else has the opportunity to retrieve information relating to this communication.
  - The elastOS DID dApp directly sends the appropriate DID info to the news website.
In this case, the user’s mobile device acts as a Facebook authentication server of sorts. The user is “Facebook”, and only the user knows what he or she does with his or her identity.
The Future Role of DIDs in elastOS and the Elastos Ecosystem
- DIDs have been introduced to elastOS only recently, but they are going to be omnipresent throughout the Elastos ecosystem, as they represent the best way to identify a user.
- DIDs will then become integral to the fundamental operations of elastOS. In the future, it is very likely that elastOS will prompt each user to create a DID upon its initial launch, as a mandatory condition to accessing the ecosystem, much like when Windows and MacOS are first launched.
Use Cases Enabled by the DID dApp
- Standardized credentials are essential.
- In a scenario where an official organization integrates DIDs and has the ability to confirm the real identity of a user, such verifications can be stored on the DID Sidechain and are immutable. All third-party dApps that trust the validating organization can request that a user provide such a validated identity, without conducting any independent verification. For example, if a flight booking dApp needs a user’s real identity, it will not have to ask the user to verify his or her identity repeatedly; rather, it will be able to use the validated credential delivered by the certifying organization. To receive the relevant credential, the flight booking dApp will request it from the DID dApp in elastOS.
- As the process to store credentials on chain is standardized, DID usage enables the possibility for apps to start communicating with each other through this new immutable storage. As such, new application use cases may emerge soon after the initial dApps have been built.
The Internet is Ready For DIDs
The internet is ready for a simpler, safer, and more interoperable solution to identity. DIDs issued by Elastos make for a seamless user experience where user data is safely managed for all applications within elastOS, without taking control away from the user. No more endless sign-ins. No more hacks. No more exposed sensitive information. At Elastos, we believe that what you do online should be tied to an identity that only you control. Blockchain-based identity systems create the essential user experience for the modern individual – an experience where privacy, autonomy, ownership, and convenience replace a clunky system that has left our data exposed and outside our control for far too long.