Self-Sovereign Identity for Organizations – Ultimate Guide

Mathieu Glaude

February 25, 2021

Introduction to Self-Sovereign Identity (SSI)

Self-Sovereign Identity (SSI) is a new field for many organizations and is somewhat threatening given the design to move control of personal data into the hands of the user. This Self-Sovereign Identity for Organizations Guide is designed to give you the answers to:

    • Why did Self-Sovereign Identity come about?
    • What is Self-Sovereign Identity and how does it work?
    • Does this mean a loss of customer data?
    • How would I use it and why should I care?
    • What opportunities to innovate are there?
    • How do I get started?

The Self-Sovereign Identity field, like many early technologies, is full of jargon and buzzwords. We tried to remove as many of them as possible, but if you find yourself lost, please refer to our SSI glossary for help. Still lost? Call us, we can help.

Seismic shifts in Consumer-facing technologies

There are multiple forces at play with consumer- facing applications, amongst them:

    • Cyber security breaches;
    • Customer privacy complaints and laws;
    • Customer Centric Design and;
    • Blockchain technologies.

In the past 40 years, cyber security was formed around the concept of a solid perimeter.

If you could build an impenetrable perimeter, then you would be safe in the knowledge that whatever happened inside the firewall was secure.

Unfortunately, there have been so many instances of hackers gaining access to these soft-underbellies of organizations, including honeypots of customer data, that the whole concept needed a re-think.

The latest concept to address this started with an innocent question: “What if we never trusted anyone or anything at any time? Even internal applications?”

By taking this question to its ultimate point, Zero Trust Frameworks came about.

With Zero Trust, each transaction is treated as potentially hostile until proven otherwise.

So, with that in mind, how do you handle transactions from customers, prospects, partners and employees, any one of which could be a hacker or at least nefarious?

Before we get to that solution, let’s look at prevailing customer privacy demands and laws.

Late in 2020, a small product update from Whatsapp was issued with an update to the privacy policy.

For various reasons, this became a viral issue with millions of Whatsapp customers abandoning the app for Signal, a competing product with more explicit data privacy protection.

This issue illustrates a growing demand for data privacy driven by the public.

Furthermore, there is growing legislation to protect people.

The California Consumer Privacy Act (CCPA), the European Union’s General Data Protection Regulations (GDPR), South Africa’s Protection for Personal Information (POPI) and Brazil’s Lei Geral de Protecao de Dado (LGPD) are just four of a handful of ground-breaking legislation aimed at protecting private data.

Gartner Group predicts that by 2023 65% of the world’s population will have its private data covered under modern privacy laws, up from 10% in 2019.

The term “customer centric” design has been around since the late 1990s. Initially termed User Experience (UX), the term meant to focus customer facing applications designs to be friendly to the user.

However well intentioned, this concept missed the mark as it looked at the user’s experience only with that one organization and not holistically.

For example, if you are applying for a mortgage from 5 or so banks, why do you have to repeat the process of gathering information each time?

To get over this, agents popped up to take your one application and source the best deal across any number of institutions, but to make these financially viable, a fee or percentage had to be paid to this intermediary rendering this impractical. Some way of providing “repeat-ability” is needed.

Finally, blockchain technologies burst on the scene in the early 2010s with the advent of Bitcoin and later, Ethereum and other platforms, with or without a crypto currency.

For those blockchains like Ethereum that focused on the immutability of data records (data that can be proven to be untampered with from a point in time), the promise of the technology was that data could be proven to be true using a three point system (very much simplified for understanding):

  1. An issuer creates a data record. A verifying agent, with no ties to the issuer, validates the data and its source as being legitimate. It then writes the data to the blockchain with an encrypted summary of the previous record.
  2. This encrypted summary, or “hash”, is compared to the previous data to ensure that nothing has been tampered with, thus ensuring “immutability” of the data.
  3. The user receives the data with a private key to unlock the record.

What is Self-Sovereign Identity (SSI)?

The basic premise of Self-Sovereign identity is that a user holds their verifiable data and releases it to other people or businesses on an opt-in/need to know basis from their “digital wallet.”

This wallet, much like a real wallet, holds data in the form of “credentials” like a driver’s license, a college degree, an employment contract or an insurance policy. What makes it valuable as a technology is the three point verification process for each credential is in place as the user receives the information.

So, as an example, if you were to download a SSI mobile wallet, you could get your employer or payroll provider to send an employment record to you (as the validating agent) and the wallet would store the proof of that validation on a public blockchain.

So, if the user needed to provide proof of employment to, say, an car insurance company as part of a policy application, they could do so and the insurance company would access the record and verify the source electronically without having to contact the source company directly. It is this verifiability of data, or credentials, that is powerful for organizations.

The next part of SSI, are peer-to-peer relationships. These relationships are cryptographically secured addressed between two wallets (a person, business or Internet-enabled object) and are referred to as Decentralized Identifiers (DIDs).

Much like a contact list or address book, the wallet stores these DIDs so that the user doesn’t have to.

what is self-sovereign identity

Why is this last point important? When you access an organization’s website today, you are required to have a username and password. With SSI, your DID stores a long-form, encrypted username and password and the user never needs to know that combination.

As a result, it appears to the user as password-less access. Furthermore, SSI wallets are most frequently accessed using biometrics, so the system is more secure than any Single-sign on or multi-factor authentication.

And, the system can be more secure if the Wallet asks for re-authentication of the biometrics upon use of a DID.

A key point to understand is how is an SSI Wallet different from Google Pay or Apple Pay wallets? These two are stored on a cloud infrastructure and managed by Google and Apple respectively.

These organizations have access to the user’s activities whereas with an SSI Wallet the software runs on a mobile device or desktop and only the user has access to the activity history – unless they give it away.

Finally, at any time the user can remove the access to the data by deleting a DID. Does this automatically provide compliance to data privacy laws like GDPR? No, because these laws are not as simple as “forget me” but include processes around providing the user with a report of what the organization has collected about a person.

By way of example, this report, right, shows just how much data different organizations have collected about users. Under these privacy laws, when a user “off-boards,” they can request to receive the data about themselves as well as for this data to be deleted, with exceptions for legal reporting. These exceptions, for example, can be for taxation purposes.

The Organizational View

Since the dawn of the Internet, organizations have built prospect, customer, employee and partner facing applications to collect data from these sources with the dual goal of both servicing them better and exploiting them for more sales.

To that end, some organizations have been very aggressive in collecting personal information about their users, oftentimes not being very clear with what they were collecting.

In addition, some organizations, Facebook and Google being the most prominent, not only collected this information but resold it directly or indirectly. With Self-Sovereign Identity for organizations, there are clear limitations of what an organization can collect – or is that true?

Data collection – Opt-in only

Self-Sovereign Identity may seem like it imposes a significant loss of access to user data for organizations but that truly isn’t the case. All an organization needs to do is ask for the data.

This explicit request can cause some drop-off in on-boarding, but the counter-effect is that those users that do provide data are likely to me more loyal.

However, since the organization knows what it is looking for, it can ask for it either by data field or by a credential known to have that data.

Furthermore, the organization can ask the user for what credentials they have, and, if the user opts-in, can investigate which fields are available and ask for some set of those.

One critical point is that because users’ private data (name most typically) does not reside on the organization’s side, there are no real honeypots of data for hackers. This helps reduce the incidence of hacking in general.

Use of Credentials

Verified Credentials can save a lot of time and effort for organizations. With customers’ credentials available from their mobile device or desktop, you can glean verified information in far less time.

Take for example a car loan. From a user’s perspective, they need to get employment/salary verification, information about the prospective vehicle, driver’s license and insurance information to be able to apply.

In today’s world, that means each time they apply for a loan, they have to re-supply this information and the lender, has to individually confirm the veracity of that data. With SSI, it is getting the information once and re-using each time.

More complete uses of Credentials include multi-party processes. For example, if an organization issues an RFP for some work, multiple parties can jointly bid and with SSI, provide a portfolio of credentials backing up their bona fides.

Prospects, Customers, Employees, Partners, Contractors & IoT Devices

SSI users come in a variety of colors:

    • Prospects (people I don’t know or haven’t become customers)
    • Customers (they bought something from us)
    • Partners (they provide something for/with us)
    • Employees (people with special rights – especially around access)
    • Contractors (people with some rights)
    • Devices

Any or all of these can be targets for Self-Sovereign Identity for organizations in the short, medium or long term as there are plenty of use cases involving some or all of these user groups.

Dashboards & Activity Monitoring

self sovereign identity dashboards and activity monitoring

A new feature of leading Self-Sovereign Identity platforms for organizations are dashboards.

Once people provide consent to the organization, these types of dashboards can provide visibility into customers, employee, contractor and partner activities.

These configurable dashboards help drive understanding of the network activity, resulting in more agile business processes and better ROI.

Discovery of Users & Services – Creating the Network Effect

A new key feature for organizations is the discovery of users and other organizations on a network.

With this feature, organizations can reach out to prospective customers through secure chats (user peer DIDs) to expand their networks.

This can also be used to discover new services from other organizations along with their VCs, supporting their claims.

Self-Sovereign Identity (SSI) for Organizations: Use Cases

(Self) Onboarding – with KYC & AML

This use case is really quite simple – provide basic details about yourself, typically including:

    • Your full name
    • Your address
    • That you are alive and your image matches a valid piece of ID

To do this, many organizations are allowing self-on-boarding with a user uploading one or more government IDs that are matched to a selfie along with a liveness test (are you real?).

This set of test proof that the user is physically a match to valid ID with AI recognizing if the government ID is valid against a known set of tests. This provides the base layer of KYC and a degree of AML compliance.

Further “ID Proofing” can include:

    • matching the location of the user to the location of their phone;
    • background checks;
    • social media matches & scans;
    • education credentials;
    • Asset identification and;
    • employment/contract verification.

Each of these may be augmented with other data that is key in for your organization or industry such as health data, family members or asset history.

Again, don’t forget about IoT devices as they can be “credentialed” and with expiring of these credentials (either on time or usage), maintenance can be automated very easily (and you can ensure the technician is capable/certified for that device too).

Customer Service

Customer service calls, especially those that might involve sensitive data, typically start of with a user signing in. With SSI’s password-less access, the user experience is already off to a great start.

Today however, the experience starts with some sort of investigation by the service staff to determine if the person calling/chatting is who they say they are.

Knowledge Based Authentication (KBA), multi-factor Authentication (MFA) or the like are common and try the patience of the customer. And, at the end of, the user has no idea if the person they are communicating with is valid either.

With Self-Sovereign Identity (SSI), a valid customer would have received a customer certificate when they on-boarded which could be used to initiate the service call while at the same time, the user would know that by using a valid DID, the contact at the other end was verified from that organization.

Once that call/communication (ie. chat functionality) was initiated, the service person could ask for product, service and warranty certificates without having to ask for product details and getting a potentially muddied, or incomplete picture. In this way, service calls can become far more efficient.

A final point: up to 40% of customer service calls are to reset customer log-ins/passwords. This time is completely eradicated with SSI.

Up-selling

Up-selling, much like customer service, can start off on a great foot with password-less access and full trust between the agent and the customer.

Furthermore, knowing exactly what the customer has (or had), allows the agent to up-sell with greater confidence. Part of that knowledge can also include what products the customer has that are not from this organization; so if you are a customer you don’t have to be sold something you already have and the sales agent doesn’t waste time either.

With Self-Sovereign Identity for organizations, there are many new, rich areas to work with your customer base.

For Fintech clients, knowing their level of sophistication, you can propose seminars and learning opportunities – outside your organization – which can raise the qualifications of the customer to the point they can invest in more sophisticated instruments that can have higher yields. And, with these credentials, your compliance increases.

For legal firms, advice can be more easily tailored to the needs of your clients, reducing non-billable time (and the customer’s time). This is true for any consulting organization.

Upselling is probably the single biggest opportunity for organizations to innovate. With 80% of typical revenues coming from existing clients, up-selling should be a key focus.

Recruiting

Recruiting today is a mine-field of looking for people or organizations with a certain skill set or capability.

In the past, CVs/Resumes ruled the day along with a cover letter. but now, with access to a global cast of people and organizations available through digital access, recruiting needs to be more trustworthy than ever.

With SSI this can be accomplished when the person or organization provides bona fides (credentials) with verified sources. For example, a candidate can provide a portfolio of created work (written documents, presentations, videos, etc.) along with the organizations that sanctioned the work.

Or the candidate can provide education and employment credentials certified by educational institutions or hiring organizations. This avoids the circumstance where a candidate points to a LinkedIn profile with positions that may or may not be valid at companies that may or may not have hired them.

The due diligence in the past has been time consuming and lacking in rigor.

With Self-Sovereign Identity (SSI), many of these issues are greatly diminished as the validity of the candidate’s claims are present from the start.

Does this mean that hiring is fool-proof? Far from it, but the due diligence on references and work deliverables is far less.

Other SSI Use Cases

There are dozens of use cases for SSI. For a more complete list, check out one of our blog posts of Use Cases by industry. And don’t forget, a user can be a person, organization or an internet enabled device (IoT).

Getting started with self-sovereign identity

Assessment

For any organization, the starting point is always assess your level of understanding about SSI:

    • We need to be better educated
    • We need help brainstorming ideas
    • We are good to go

There are plenty of organizations that can help; You can find a number of examples on our ecosystem page or just contact us and we can help.

Project Planning

Then, once you have ideas as to what you are going to need, it is time to move onto the business case including:

    • We need help building/validating the business case(s)
      • Value proposition
      • Project Planning
        • Proof of concept?
        • Pilot
        • Go-live
        • Future phases
      • Risk assessments
        • What is the pool of users with Wallets? Is this a problem or can I have them self-on board? Is this an opportunity to get new customers?
        • Access to credentials?
        • Costs?
    • We are good to go.

Technology & Implementation Selection

Selecting the right technology isn’t easy as there are a variety of options. And, not only that, there are a number of SSI implementation options to consider:

    • We need help with access which technology is right for me
      • White label a solution to bolt onto my existing solutions
      • Joint development project
      • Turn-key solution
    • We need assurance our selection is the right one;
    • We are good-to-go.

Summary

Self-Sovereign Identity (SSI) opens up a world of new opportunities for innovation for organizations.

Re-inventing the user experience truly from their perspective will allow the early adopters of SSI to gain market share through better customer on-boarding (conversions), up-selling and servicing.

Furthermore, back office tasks like recruiting and procurement can be made more efficient through the use of Verified Credentials.

Getting started in the Self-Sovereign Identity for Organizations space usually involves getting help. Please contact us if you need any or refer to our Ecosystem page here.

Related Posts

Introducing our groundbreaking Trust Registry platform

The ultimate solution for forging resilient trust ecosystems in today's digital landscape.

Trust Registry

Products

 

Orbit Enterprise

Establish your own trusted digital interactions ecosystem with your customers, partners and suppliers

Orbit Edge Wallet

Hold and manage issued verifiable credentials securely and in a privacy-preserving way

Orbit Trust Registry

Empower your organization to establish credibility, verify identities, and foster secure interactions with confidence and ease.

Updates

 

Product Updates

Solutions

 

Verified Person

Receive a verifiable credential from Northern Block

OpenID4VC

Try our new OpenID4VC demo

Energy and Mines Digital Trust

Organizational Wallet and Credentials

Receive, store and exchange organizational credentials within your ecosystem

 

 

 

OpenID4VC Demo

Exchange verifiable credentials over OpenID4VCI and OpenID4VP.

 

Resources

 

SSI Orbit Podcast

Self-sovereign Identity, Decentralization and Digital Trust

Blog

Insights and News from the Forefront of Self-sovereign Identity

Latest Content

 

The Global Acceptance Network (GAN) (with Darrell O’Donnell)

The Global Acceptance Network (GAN) (with Darrell O’Donnell)

🎥 Watch this Episode on YouTube 🎥🎧   Listen to this Episode On Spotify   🎧🎧   Listen to this Episode On Apple Podcasts   🎧 About Podcast Episode What if there was a way to establish a new trust layer for the internet, enabling secure digital interactions and unlocking...

read more