Decentralized Identifiers (DIDs)

Decentralized services are not exclusive to cryptocurrencies, NFTs and exchanges. They are also used by streaming services, image banks, hosting services and more. In the future, almost every resource we use today will be operated on decentralized systems and distributed registries. But one of the most interesting and useful innovations that awaits us in our beautiful Web3 future is decentralized identifiers, or DIDs. In fact, they’re already here – the only thing that’s missing is mass adoption.

Put simply, a DID is an identifier that gives you complete control over your personal information, or your “digital identity”. Thanks to DIDs, you can quickly go through an identification process and decide exactly which third-party services and organizations can find out what about you, and when. At the same time, the data is almost impossible to steal, change or use in any way without your knowledge. Organizations are then able to instantly verify the authenticity of the information provided.

The problem with personal data today

The issue isn’t that our data is stored badly. The main problem is that it’s stored centrally, on specific databases belonging to the services we’ve registered with. In the event of a leak, attackers will gain access to our accounts and, depending on what kind of account it is, be able to read our correspondence and steal our documents, files or credit card information.

Some services know quite a lot about us: they have our postal addresses, telephone numbers, places of residence and passport data at their disposal. Of course, all of this ensures that users are who they say they are. The problem is that the data ends up somewhere in the bowels of corporate IT systems and nobody except the companies themselves knows what it is being used for or who has access to it.

You might recall a common practice among certain services, which ask users to consent to the transfer of their personal data to third parties. They often fail to indicate who these third parties are, why the information is being transferred, and how securely the data will be stored by those third parties.

How DIDs work

When you use a decentralized identifier, the data is stored not in the database of a given company, but on the blockchain or a distributed ledger. You aren’t required to go through an identification procedure during the registration process, and you don’t need a username and password to enter your account. In fact, a DID is a non-custodial crypto wallet: it has public and private keys, but instead of signing off on transactions, the private key is used to verify your identity.

You need to prove your identity at the beginning, of course. This should be the responsibility of trusted parties capable of authenticating the user's personal information, which can be classified as “issuers”. The role could be fulfilled by a bank or government institution.

Here’s an example of how the process works: 

  1. The issuer creates its own DID, which it will use to interact with other ecosystem participants.
  2. The user provides the issuer with the information they want to be verified (for example, a passport).
  3. The issuer carries out the verification process, authenticates the document and creates a verification statement (credential), signed using its identifier. The statement is linked to the user’s DID and stored in their personal database.
  4. When required to submit their data to a service, company or government institution, the user provides access to it via the DID. The organization then simply needs to verify that the data was issued by a trusted issuer and that the digital signature is valid.
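
The four steps above, as an added JavaScript (Node.js) example that is not from the original article or from any DID project: an in-memory Map stands in for the ledger, and the did:example identifiers, function names and challenge strings are assumptions made for illustration. It goes one step beyond the list by having the user sign a verifier-chosen challenge with their own private key, so a copied credential cannot be presented by someone else.

```javascript
const { generateKeyPairSync, sign, verify } = require("node:crypto");

// Stand-in for the distributed ledger (assumption): DID -> public key.
const registry = new Map();

// Step 1: a participant creates a key pair and registers a DID for it.
function createDid(name) {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const did = `did:example:${name}`; // constructed identifier
  registry.set(did, publicKey);
  return { did, privateKey };
}

// Steps 2-3: the issuer signs a statement that is bound to the user's DID.
function issueCredential(issuer, subjectDid, claims) {
  const payload = JSON.stringify({ issuer: issuer.did, subject: subjectDid, claims });
  const signature = sign(null, Buffer.from(payload), issuer.privateKey).toString("base64");
  return { payload, signature };
}

// Step 4, user side: sign the verifier's challenge to prove control of the DID.
function present(holder, credential, challenge) {
  const proof = sign(null, Buffer.from(challenge + credential.signature), holder.privateKey);
  return { credential, challenge, proof: proof.toString("base64") };
}

// Step 4, organization side: returns the claims or throws naming the failed check.
function verifyPresentation(p, trustedIssuers, expectedChallenge) {
  const { payload, signature } = p.credential;
  const { issuer, subject, claims } = JSON.parse(payload);
  if (!trustedIssuers.has(issuer)) throw new Error("untrusted issuer");
  const issuerKey = registry.get(issuer);
  if (!issuerKey || !verify(null, Buffer.from(payload), issuerKey, Buffer.from(signature, "base64")))
    throw new Error("bad issuer signature");
  if (p.challenge !== expectedChallenge) throw new Error("stale challenge");
  const holderKey = registry.get(subject);
  const signed = Buffer.from(p.challenge + signature);
  if (!holderKey || !verify(null, signed, holderKey, Buffer.from(p.proof, "base64")))
    throw new Error("holder does not control subject DID");
  return claims;
}

// The diploma scenario with constructed data.
function demo() {
  const university = createDid("university");
  const graduate = createDid("graduate");
  const diploma = issueCredential(university, graduate.did, { degree: "BSc" });
  return verifyPresentation(present(graduate, diploma, "nonce-1"), new Set([university.did]), "nonce-1");
}
```

The verifier rejects a credential from an issuer it does not trust, a payload altered after signing, a presentation replayed with an old challenge, and a valid credential presented by anyone other than its subject.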

Let’s use a real-world scenario. Imagine a future where DIDs are ubiquitous and the verified data issuer is, for example, the university you graduated from. The verified diploma data is stored in a decentralized registry and includes a full profile of your academic progress.

Now, when you apply for a job, you don’t need to bring a copy of your diploma to your potential employer so that the HR department can check its authenticity. Instead, you scan a QR code that contains a request for data from the DID and select the information you want to share (in this case, the diploma). The employer will know instantly that the document is valid.

When will this future arrive?

At first glance, it would seem that it’s already here – in some places. For example, you can use your Google account to register for and log in to websites and applications. In some countries, public services operate according to a similar principle whereby users can give consent for their personal data to be shared between institutions.

There is a big BUT here: the user data is centralized. Users still can’t monitor how their data is stored and processed. Further to this, if two-factor authentication is disabled, then the only thing protecting users from prying eyes is a password that can be stolen or guessed. If an attacker steals the account, they will gain access to all the applications and sites where it was used to authorize access.

It goes without saying that a DID doesn’t guarantee that the data received from the registry will be stored securely, but the most important thing is that it cannot be accessed at all without the user’s private key. Ideally, companies wouldn’t store user data at all, and would instead request it directly from the DID.

Although mass adoption is still a long way off, businesses have already recognized the opportunities that decentralized identifiers offer, and more and more services are providing DID-friendly infrastructure. One successful example is the DOCK project. The company has been developing a user account platform since 2017, based on a blockchain built on top of the Substrate framework with a proof-of-stake consensus mechanism. The native DOCK token is listed on several exchanges, including Binance and Huobi. The company offers customers protection when creating verified documents (such as educational documents), certificates for the protection of supply chains and more.