Mann Hände am Smartphone

“Self-sovereign identity sees the whole picture”

Many Germans have more than just one double life on the Internet. The number of digital identities increases with each new account. Single sign-on solutions from major technological companies promise far more convenience. However, the “one identity for all” approach comes with a cost in terms of security and data sovereignty. 

Experteninterview mit
Helge Michael, Programm Leiter im Main Incubator, der Forschungs- und Entwicklungseinheit der Commerzbank
Helge Michael
project manager at IDunion from the Commerzbank subsidiary Main Incubator

Self-Sovereign Identity (SSI) is a secure concept

Decentralised self-sovereign identity (SSI) is a concept that is both convenient and secure. Helge Michael, from the Commerzbank subsidiary Main Incubator, is the project manager at IDunion. This consortium of companies and institutions includes the Bundesdruckerei and is currently establishing an SSI ecosystem. In this interview, he talks about the advantages and applications of decentralised identity.

Mr Michael, how many passwords do you have at the moment?

In all honesty? I have lost count. I probably use 25 to 30 a month that I am aware of. Then there are a few platforms that I don’t access very often. One example: Car and bike-sharing options. For my commute to work, I used a wide range of providers for cars, bikes and scooters for a long time. Not long ago, a service asked me to log in and update my credit card details. I briefly ran into a few issues. I am probably one of those who have far more than 100 passwords.

However, major tech companies provide a convenient single sign-on solution. One password for all services. Do you use anything like this?

Sure, but I try to limit it severely. There are four fundamental disadvantages: Firstly, you become incredibly dependent and practically lose control of your identity. If the provider were to decide, for whatever reason, to delete my account then this means I would be unable to access all services for which single single-on is used. On the other hand, I cannot just leave and transfer my data to another account - if I have connected several services with one of these providers, then I can no longer leave. A major problem is also the central repository on which my data is stored. For a hacker, this is an easier target than decentralised infrastructures. A smartphone user may not be able to secure their end device as well as a major cloud provider. However, it is far more demanding and less attractive for a hacker to attack countless mobile phones compared to a single cloud server. A final major disadvantage of single sign-on is the correlation of data, which essentially creates “glass customers”. If a user logs into a singles website during working hours, then the provider instantly knows the identity of the person in question.

So, the classic option is better ...

Yes, I generally prefer to enter my email address and use two-factor authentication as well. However, this is not always user-friendly as there is no uniform standard. There are authenticator solutions, SMS PINs or photo TANs. This means: Five different apps are required for two-factor authentication alone. Self-sovereign identity would be helpful in such cases: A mobile app would then only be required for authentication.

Self-sovereign identity aims for a decentralised digital identity. How exactly does this approach work?

Our translation for SSI is self-sovereign identity. Machines and companies can also have one, as well as people. Let’s take a look at individual persons: Many different identity attributes are stored on a smartphone with the SSI concept - these include your first name, surname, address, age, but also includes credit ratings, access codes and all possible forms of identification. Individual attributes come from various issuers and are considered to be “verified credentials”. The Bundesdruckerei would essentially issue a mobile identity (eID) for a smartphone, which can be signed for using a private key and thus be verified. At the same time, they would also leave the appropriate public key on a distributed ledger, which is a blockchain infrastructure, so that the identity can be checked by others. If the person wishes to open an account online, then they will send their eID, saved on a smartphone, to the bank to confirm their digital identity. At this point, the bank now accesses the blockchain infrastructure and checks if the correct public key for the Bundesdruckerei is in place. The revocation file is also checked. This is also provided by the issuer and shows whether they may have revoked the eID. If the comparison is successful, the account can then be opened. 

Doesn’t that mean there is the same correlation problem as with single sign-on? Does the Bundesdruckerei not see during monitoring that the user wants to open an account?

No, as they have already saved both their public key and the revocation file in the blockchain beforehand. The bank has no need to ask the Bundesdruckerei if the user’s identity is secure. They simply look into the blockchain infrastructure. The issuer does not find out how the ID is used. This means the user can always check to whom which data was sent, and at what time.  

You are a project manager at IDunion, a consortium of companies and institutions that are setting up an SSI ecosystem. What lies behind it?

Our consortium offers a wide range of applications. It does not just look at the identities of people, but also at the identities of institutions, companies, and objects. This is why we chose the term ecosystem - it covers many different applications for completely different identifiers. It’s also apposite for another reason: Put it another way, we see the whole picture. A fixed number of identifying attributes are stored on a personal identity card. In the context of SSI, I can issue anything that distinguishes a person as an identifying attribute - even access to a car. This means: There are a huge variety of applications for identity tests, simply as various identity attributes can be readily combined. To some extent, we still don’t know what use cases could arise from this. Anyone who joins our communally organised ecosystem could build their own. 

What would be specific applications in this case?

More complex use cases tend towards KYC (know your customer). In this case, we focus on the question of how a customer can identify themselves to a bank in line with money laundering legislation when they send verified documents to their usual bank. We are also working on a solution for access authorisation to company premises. Companies generally use NFC cards for these, but they are extremely complicated to manage. SSI can be used to monitor precisely who can enter a building or room, and when this may take place. This shows that a self-sovereign identity even has an impact in the physical world.

How is it looking in the field of e-government?

We are currently implementing a project together with the Ministry of Economic Affairs, Innovation, Digitalisation and Energy of the State of North Rhine-Westphalia. On the one hand, the prototype focuses on authentication via the NRW service account using a verified credential on a smartphone in order to request supporting documentation. On the other hand, it should be possible to use this available documentation for other SSI services. For example, I want to request a fishing permit and identify myself to the authorities in the city of Cologne using a smartphone online. After successful monitoring, they provide me with the desired document as a verified credential that I can have on my smartphone at any time and which can also be electronically verified. The exciting aspect here is that many of these documents are genuinely upgraded as a result. Usually, many identity documents simply consist of a sheet of paper with a stamp and a signature - so they’re easy to falsify. However, IDunion and SSI provides a secure form of verification. 

After all, there are many other SSI projects. What sets IDunion apart?

We want a platform for genuine collaboration. Ultimately, SSI will only prevail if many work on a solution together. Self-sovereign identity will only make progress as a concept if various companies and institutions get together and cooperate, agree on a single standard, and combine use cases with each other. If everyone is simply out for themselves, we’ve got no chance against the major American “central providers”. They would simply overpower us regarding digital identity in a few years. 

That sounds rather as if SSI is a typically European solution ...

No, SSI is a worldwide matter and Canada has been particularly helpful in such affairs. For example, British Colombia is a true pioneer regarding SSI and e-government. Meanwhile, there are now many similar projects in Europe. I also think that American colleagues are a little bit envious of us - as Europeans place so much emphasis on data protection and data sovereignty. The mindset of users provides us with more options for SSI compared to the USA, where no-one has heard of eIDAS. In my opinion, it’s likely that Europe will play a leading role when it comes to self-sovereign identity. There are many clusters involved, and the EU Commission is promoting the European Self-Sovereign Identity Framework (ESSIF). Also, the showcase project of the German Federal Ministry of Economics, of which IDunion is part, has provided an initial spark.

Granted, ESSIF is also a type of SSI ecosystem. Can IDunion continue to exist alongside them in the long term?

That is precisely the idea. There should be several networks. Interoperability is the sole decisive factor. Individual identity networks from different countries should be able to exchange information. It is certainly true that in the future we may ponder the idea of merging several ecosystems into one for reasons of cost. However, I can certainly handle the idea of decentralisation - it’s very appropriate.