In Detail: Self-Sovereign Identities — What Are Those Anyway?
A couple of days ago, Super Protocol founder Nukri posted a curious tweet.
Feels like there’s a lot to unpack here. Let’s get through this one idea at a time.
Self-sovereign identity (SSI) basically means giving the user back control over their digital identity. Right now there are only a few limited ways to verify your identity. You either trust a centralized third-party provider (such as Google or Facebook), or undertake a cumbersome KYC process, which includes sending digital copies of your key documents (passport, SSN, etc.) to a human operator and then waiting for them to confirm or to ask for some additional document. These tools are neither convenient nor secure. SSI suggests that the user holds all of their important data and decides which app has access to it and to what extent.
This would enable several important features (as the tweet goes). The first is higher security without the risk that centralized data storage brings: third-party data leaks, compromised systems, or outages won’t affect users’ data or their ability to use other services. Companies and services won’t have to rely, for authentication and identity verification, on some other provider that might go out of business tomorrow. What’s more, these third-party services won’t be able to hoard additional data on users’ behavior (websites visited, payments made, content watched, etc.).
The important thing here is that in today’s workflow, you’d have to go to a particular service, find the security settings, revoke its access to your data (or delete the account entirely), and then trust that the service has indeed deleted your data and is not using it in any way. Even then it’s almost impossible to tell whether this service has provided your data to third-party entities that will keep using it. The SSI paradigm reverses this: services have to request permission for the data, while the user has their own interface where all the services and their permissions are listed.
Revoking access would mean conveniently unticking a particular service without any effect on others (an impossible scenario in a centralized world, since, for example, removing your Google account would also leave you without access to all the other platforms where you’ve created an account using the “login with Google” option).
As SSI involves cryptographic protection, it adds even more convenience on top of security by default. KYC can be done in seconds instead of days, without any human factor involved. Credentials that are almost impossible to forge enable higher levels of trust between parties, removing unnecessary friction and hoops for the user to jump through. The process could be automated if authentication could be done in seconds (just the way you sign a transaction on the chain).
Authentication automation leads to a number of improvements in user experience and a much bigger variety of services delivered to a particular customer. Big tech has big data that it believes to be proprietary, which means smaller businesses and companies can’t access and use it unless they play by the big guys’ rules. Decoupling the platform from the users’ identities would mean each service does not have to rely on someone else’s infrastructure, politics, security, permissions, compliance with local regulations (see the problems Facebook ran into trying to operate under the GDPR in Europe), and benevolence. Hence the interoperability, operational excellence, and algorithmic interactions part. The latter is also possible thanks to automation: the less friction there is in terms of human-made decisions, the more fantastic ways to deliver value to the user we can come up with (for example, loan/mortgage eligibility and approval done in seconds instead of days).
Why are we so into this whole idea? Because sovereign identity would require a secure way to process the data and to make sure that the app you gave permissions to is not doing something suspicious under the hood. Super Protocol confidential computing does exactly that: apps can access only what you’ve allowed them to and can do only what they were intended to; even if compromised, no data can be manipulated or stolen.
Super Protocol looks like a perfect place to implement self-sovereign identities and an ecosystem around them.