The nature of the digital world is that organizations, people, software, and devices are connected. This is what enables digital experiences, from business analytics to gaming and shopping.
But with millions of digital interactions happening every second, we’ve reached a scale that is difficult to comprehend, with almost limitless interdependencies. This creates an ever-expanding attack surface with more and more vulnerabilities. For example, today there are 921 password attacks every second, and new threats to our online identities are constantly emerging.
How are we supposed to navigate our digital lives on such a hyperbolic path? The solution is a decentralized identity model for individuals, organizations, systems, and devices–one that is open, trustworthy, and standards based.
Decentralized identity (DID) can provide everyone with an identity in cyberspace that we uniquely own and manage. And though this is a digital concept, it has deeply human roots.
Identity is at the core of the human experience
Anthropologists have long known that facial recognition was a key part of human evolution. The ability to recognize each other quickly was important for survival and became a foundational element for human cultures and societies.
Today, the notion of identity has become a central pillar of our modern, socioeconomic reality. Just try to imagine a world without our names, numbers, and accounts, and the unique identity that surrounds us.
You could even say that your identity is a fundamental human right, according to international law. In 1989, the U.N. Convention on the Rights of the Child declared that every child should have an identity and a name from birth.
But you’ve always had to prove who you are
Given the importance of identity, it was inevitable that we would need to verify who we are. It seems the idea of posing as someone else is almost as old as the concept of identity itself. There are examples of an early Roman law from 80 B.C. addressed falsified documents for land ownership, and an early Elizabethan law prohibiting forgery of official documents and seals.
The mere existence of seals shows a need to validate the source of communications and the parties to transactions. Passwords, counterpasswords, secret codes, and symbols are other ancient ways to prove identity. Passwords have a long and storied history—a simple way to grant access to back rooms, enter ancient cities, and help troops link up with allies.
Eventually, identification evolved to what we have today, with standardized photo IDs like licenses and passports backed by evidence and endorsed by government officials. There are many processes today where producing identifying documents is required, but in cyberspace we’re largely still asked to present passwords wherever we go.
Modern identity tools work, with some limitations
No one today would call passwords simple. Their use has only grown, but they also come with a litany of shortcomings. Passwords create friction for our interactions online. To start, they’re a hassle to remember.
Because of this, people reuse passwords or take shortcuts that create risk. Those risks are exploited by criminals armed with a broad range of tools and techniques to capture credentials and plug them into banking and e-commerce sites, hoping to find a combination that works.
Today’s identity and access systems work well, but it’s becoming impossible to effectively manage our identities across all our digital interactions in a world where every household, business, person, and an almost limitless array of devices are connected.
Today we’re figuring out what digital identity means, and how to protect it
The technology industry has long explored trustworthy digital identification. Multi-factor authentication, biometrics such as fingerprints, retinal scans, and facial recognition—like our ancestors developed millennia ago—are creating a future for online identity that is increasingly passwordless. But there is still much to do.
Ultimately, our verification pathways are still too centralized. Our access is in the hands of the institutions holding our accounts. But this age-old paradigm of posting soldiers at the city gates to ask for your password may finally be sunsetting.
What’s needed now is a way to control our identities in the digital realm just like we do in the physical world. Just like cultures and society evolved with identity at the core, so will cyberspace.
Decentralized identity is open, transparent, and uniquely ours
With all of this in mind, those of us building identity and access technologies are thinking differently today: It should be as easy to trust and verify each other digitally as it is in our physical world.
Rooted in decentralized systems such as blockchains and ledgers, decentralized ID can make this a reality. In fact, it’s already coming to life through new technologies like Microsoft’s Entra that allow everyone to create and own a unique digital identity.
With DID, our identities online belong to us and not to our bank, local utilities district, social media provider, or e-commerce vendor. Like an ancient stone tablet, DIDs are immutable and tamper resistant. But as digital entities, they are universally portable.
Just as we’ve moved beyond cylinder seals, we’ll move beyond presenting physical IDs at the bank or entering a username and password online. Instead of reaching for our wallets or digging into our purses, we’ll approve or revoke a request with a single swipe or click.
This vision is becoming a reality today—consumers can already sign up for their own DID and see how it works for themselves. And as the ecosystem for distributed identity matures, the potential scenarios they’ll encounter are endless.
Any transaction between businesses or people can be more trusted and efficient. This will change how you order a pair of shoes, schedule a doctor appointment, or even renew your driver’s license.
In the physical world, your identity is a basic human right. In the digital world, it should be no different. The path to get there is through a decentralized system of identification that puts the control into your hands.
Bret Arsenault is a corporate vice president and the chief information security officer at Microsoft.