1 Introduction
Public institutions and companies typically employ physical credentials (such as passports, social security cards, and employee badges) to identify individuals. Individuals can choose where to store their physical credentials, and sometimes, they can decide to whom their credentials are disclosed. These familiar privileges inspired a new type of digital credential called a
verifiable credential (VC). Similar to physical credentials, individuals can store their verifiable credentials in a so-called digital wallet on their mobile phone, on another edge device, or in the cloud, and they can use verifiable credentials for identification, authentication, and authorization (Sporny et al.
2019).
Verifiable credentials and digital wallets offer a convenient, secure, and privacy-oriented alternative to current physical and digital identity management systems. A recent example – COVID-19 vaccination certificates – highlights this. The verification of paper-based vaccination certificates is often error-prone and time-consuming, especially when many certificates have to be verified in a short period of time, e.g., at a football match or when boarding a plane. Moreover, to establish a sufficient level of authenticity, paper-based vaccination certificates are typically disclosed with additional personal information and identity documents, such as a physical ID card. This requirement to disclose a considerable amount of personal information raises privacy concerns, it is inconvenient, and it increases the total verification time.
The storage of vaccination-related digital information in a centralized database enables faster and more convenient verification, yet it also raises ethical, security, and privacy concerns. Such databases can facilitate unintended profiling, they are appealing targets for hackers, and they typically limit individuals’ control over the processing of their personal data (Rieger et al.
2021). The European Union thus permits Member States’ governments to directly issue EU Digital COVID Certificates to wallets that are controlled by citizens (European Commission
2021b). Although this development is notable, EU Digital COVID Certificates cannot yet be stored in a standardized wallet alongside a broad array of documents, certificates, and credentials that can be used to prove a subject’s identity (Rieger et al.
2021). Further work remains to be done.
This is precisely what motivates the development of verifiable credentials and standardized digital wallets. In this catchword, we introduce this decentralized, interoperable approach to digital identity management. In particular, we discuss the challenges of today’s centralized identity management and investigate current developments regarding verifiable credentials and digital wallets. Finally, we offer suggestions about promising areas of research into decentralized digital identities.
4 Research Opportunities
Decentralized digital identity – based on verifiable credentials and standardized digital wallets – is a rapidly evolving topic. Its implications are especially relevant to incumbent services that rely on the collection of personal information and usage data. Decentralized digital identity presents multiple opportunities for information systems research. Table
3 lists potential avenues and exemplary research questions.
Table 3
A suggested research agenda for decentralized digital identities
Applications of decentralized digital identities | When are decentralized digital identity systems justified? |
| How can worthwhile applications for decentralized digital identities be classified? |
Implications of decentralized digital identities | How will decentralized digital identities affect strategies and business models that are driven by user profiles? |
| How will decentralized digital identities affect the management of business processes? |
Decentralized digital identities and blockchain | How does the use of blockchain affect decentralized digital identity projects? |
| How do decentralized digital identity projects influence the development of blockchain technologies? |
Regulation of decentralized digital identities | How can decentralized digital identity systems balance privacy and transparency requirements? |
| How will decentralized digital identities affect eGovernment services? |
Governance of decentralized digital identity systems | How does the governance of decentralized digital identity systems differ from centralized systems? |
| How can governance become aligned across different decentralized digital identity systems? |
| How can governance frameworks accommodate machine-to-machine interactions? |
Design choices for decentralized digital identity systems | How do different design choices affect the capabilities of decentralized digital identity systems? |
| How do competing design choices affect the adoption of decentralized digital identities? |
Socio-technical theories and decentralized digital identities | How does the association with SSI principles affect decentralized digital identity projects? |
| How do legal frameworks and cultural values affect the adoption of decentralized digital identity systems? |
| How do decentralized digital identities affect organizational practices? |
A first avenue for research is the assessment of worthwhile applications for verifiable credentials and digital wallets. In general, verifiable credentials and digital wallets are appropriate if: (a) the fast, machine-verifiable exchange of identity-related information is desired without the direct interaction of issuers and verifiers, (b) centralized identity management systems present privacy and security concerns, and (c) centralized identity management systems fail to achieve adoption among a diverse array of stakeholders due to a lack of trust or a fear of concentrated market power. The latter topic is strikingly similar to established research about the adoption of blockchain technology (Pedersen et al.
2019). The application of digital identities should be considered beyond natural persons to also include organizations and smart devices (Fedrecheski et al.
2020).
Since decentralized digital identity management has the potential to affect business models that collect identity information and usage data, research can assess and investigate the consequences. How will companies that collect usage data adjust to the prospective adoption of decentralized digital identities? Can regulation prevent service providers from requesting more information from users than they require? How will decentralized digital identities affect data-driven platform strategies (De Reuver et al.
2018) and personalized advertisements (De Keyzer et al.
2015)?
Innovation in digital identity management is also important to consider when designing and managing business processes (Klarl et al.
2009; Mendling et al.
2020). Verifiable credentials and digital wallets can potentially disrupt e-commerce registration and on-boarding processes. An order on an e-commerce website could be completed, for example, by a user who has not previously registered with the website but who does have a digital wallet. The user could scan a single QR code to confirm the disclosure of identity information stored in verifiable credentials, such as their address, their age, or their credit card details. The European IDunion consortium explores these opportunities, with the aim to reduce customer lock-in effects that benefit large platforms like Amazon, Uber, and Airbnb.
A third promising avenue for research is the nexus of verifiable credentials, digital wallets, and blockchain technology. As noted, many decentralized digital identity projects use Hyperledger Indy or Ethereum-based blockchains like Hyperledger Besu to register information that needs to be publicly available. While a close association with blockchain may have helped the incubation of decentralized digital identity projects (Mühle et al.
2018), the long-term effects of this association are less clear. Hence we believe there are opportunities for research regarding the relationship between decentralized digital identity projects and blockchain development communities.
If blockchain is used with care and diligence, decentralized digital identity systems can ensure a high level of privacy. This is especially true if sensitive personal data is exchanged bi-laterally and selectively. A high level of privacy, however, introduces its own set of challenges, especially if privacy complicates the work of law enforcement authorities (Federal Office for Migration and Refugees
2021). Decentralized digital identity systems must therefore balance privacy and transparency requirements, which creates further opportunities for research, especially in the area of eGovernment services (Fridgen et al.
2018). Decentralized digital identity systems might allow citizens to better control the collection and exchange of their personal data by public authorities; but since public authorities in Europe and North America are typically bound by strict laws that regulate their data-processing activities, adding citizen consent as a mandatory second lawful basis may complicate cooperation and communication between authorities in certain cases (Federal Office for Migration and Refugees
2021).
Research to date has addressed the governance of blockchains more than the governance of decentralized digital identity systems. It remains to be seen how the governance of decentralized identity systems differs from today’s centralized alternatives, and how governance can be aligned between different systems and across national borders. We expect many similarities but also a few key differences when the governance of decentralized digital identity systems is compared to the governance of blockchain-based systems. Moreover, governance frameworks should incorporate digital identities for machines, since verifiable credentials can be used to identify and authenticate devices that belong to an individual or a business (Fedrecheski et al.
2020). Verifiable credentials can also be issued to sensors that feed data to smart contracts in order to authenticate the data and prove that the sensors were made by a trusted manufacturer. This may help address the “oracle problem” that is familiar to blockchain researchers (Swan
2015).
The consequences of different design options for decentralized digital identity systems are yet to be properly assessed. Such assessments should not only take into account the perspectives of participating organizations but also those of regulators and users. It is yet to be determined if the adoption incentives are sufficient for wallets that are designed to store only identity-related information. If not, then wallets might need to additionally store central bank digital currencies and/or crypto-assets. Other design-specific examples include different privacy options for verifiable credentials (Hardman
2019) as well as different resolution methods for decentralized identifiers (in combination with their corresponding PKI options) (Reed et al.
2021). Interesting research questions emerge from the competing design choices made by different projects. It remains to be seen, for example, if the German Federal Chancellery’s use of the Hyperledger Aries/Indy stack can be reconciled with the use of Hyperledger Besu by the European Blockchain Services Infrastructure and the Spanish Alastria Network.
Finally, there are multiple opportunities for socio-technical research into decentralized digital identity systems (Pinch and Bijker
1984; Sahay and Robey
1996; Bryant
2006). Socio-technical researchers can study, in particular, the effects of legal frameworks, cultural values, and privacy debates on the adoption and use of decentralized digital identity systems (Leidner and Kayworth
2006; O’Hara
2018; Fry and Renieris
2020); they can examine the different problem diagnoses that decentralized digital identity solutions are expected to address (Williams and Hummelbrunner
2010; Checkland and Poulter
2020); and they can explore the crucial relations between the various governance structures and technical designs (Zwitter et al.
2020). It is also worth examining if a proximity to SSI-related controversies affects decentralized digital identity projects (Ghent University
2020).
5 Conclusion and Future Outlook
Verifiable credentials and standardized digital wallets offer a convenient, secure, and privacy-oriented alternative to both physical means of identification and centralized digital identity platforms. Governmental support for verifiable credentials and digital wallets is particularly strong in Canada and Germany, yet the future outlook is difficult to predict. To be successful, decentralized digital identity projects need to gain more traction and establish interoperability via a common governance framework (Wagner et al.
2020; Lundy
2019). What is required is “guidance within a legal architecture” (Fry and Renieris
2020). More specifically, verifiable credentials and blockchain-based PKI must be recognized as compliant with identity-related regulation, such as the European Union’s Electronic Identification, Authentication and Trust Services Regulation (Alamillo-Domingo
2020; The Council of the European Union
2014). The legally binding ID_Alastria model (developed in Spain), the German government’s support of several Hyperledger Aries/Indy-based projects, and the European Self-Sovereign Identity Framework are significant early steps. The next major steps will perhaps follow the European Commission’s recent announcement about European Digital Identity wallets (European Commission
2021a).
Decentralized digital identity management can expect to face continued resistance from incumbents. Some experts expect “wallet wars” not just for payments but also for digital identities, similar to the competition between browsers or mobile operating systems (Reed
2020). Apple, for example, recently announced their aim to integrate a wallet app that can store a digital driver’s license in the next version of their mobile operating system, iOS 15 (Business Insider
2021).
Research can play an important role in the prospective shift towards decentralized digital identities. Research is required to investigate the actual impact of decentralized digital identities on enterprises, individuals, and societies; it can help design suitable solutions; and it can determine if the adoption incentives for recent, decentralized digital identity solutions are superior to those of past, attribute-based PKI solutions.