A Holistic, Hybrid Approach to Digital Identity in Web3
This is Part 2 of Snickerdoodle’s Digital Identity thought leadership series. To review the current failings of Web2 and centralized identity systems, please visit our first installment.
Much of the fanfare around digital identity in Web3 falls a little too squarely into two camps. There are those who anticipate that non-fungible tokens (NFTs) – and now the non-transferrable soulbound tokens (SBTs) – will become the primary next-generation data containers. There are others, understandably alarmed by the suggestion of publishing identity data publicly on-ledger, who believe that cryptographically signed, off-chain verifiable credentials (VCs) following the W3C standard are the way forward.
The divide between these two positions, however, is probably artificial and more rooted in an overly narrow definition of digital identity than a true disagreement over optimal technical architecture. Digital identity encompasses an almost inconceivable range of data points. One handy framework that helps map all of the possible manifestations of identity is that of the World Economic Forum, which disentangles identity attributes into three groups: inherent (age, fingerprints), accumulated (behaviors, preferences), and assigned (government issued documentation, student number). Of these attributes, some are more or less fundamental to establishing a differentiable identity that allows me to participate in wider society. My tax identification number, for example, is more instrumental to my labor market participation as a data source than, say, my taste for second-hand, older season designer items. While we may not put as much weight on the levels of assurance required to authenticate and process each identity attribute, both pieces of information when presented digitally still coalesce into my aggregate digital identity. Therefore, how identity data could or should be expressed in Web3 is more a function of the use case than some kind of technical supremacy.
NFTs are unique tokenized digital assets (e.g. pictures, videos, audio, documents, etc.) in the sense that no two NFTs share the same contract address and token ID pair. As NFTs are minted by smart contracts on blockchains, the issuing party and associated wallet can be established. All subsequent NFT trades after minting are captured on-ledger. These underlying properties position NFTs as an excellent mechanism for use cases that involve digital asset ownership. Possible applications include intermediary-free content creation and distribution from art to music, ticketing, in-game items, metaverse wearables, digital twins, virtual real estate, item provenance and more. Most of these applications would belong to the ‘accumulated’ rung of digital identity – a window into individual online consumer behavior and consumption patterns.
SBTs, which retain the same qualities as NFTs apart from transferability, also boast an interesting bucket of use cases. Because SBTs are permanent, their utility does not lie in tradable digital assets. Instead, SBTs are better suited to social-oriented digital interactions that do not touch highly sensitive personal identifying information (or at least not until the proposed mechanics of non-public SBTs become more than pure theory). Use cases could include event attendance badges, online course certificates, personal skill endorsements, charitable giving acknowledgements, lifetime affiliations, and more. If revocation is integrated into SBTs’ functionality, as has been suggested by Vitalik Buterin, other use cases like temporary memberships or ‘symbolic’ credentialing might emerge. For the latter, DeFi KYC might be one area of exploration.
Centralized exchanges and technology solution providers already perform KYC checks during onboarding within the Web3 ecosystem. Even though the underlying personal identifying data must remain siloed in, say, Coinbase’s or Netki’s identity management system to preserve privacy, these stakeholders could issue public SBTs attesting that a wallet’s owner underwent KYC. Whether such SBTs could stand in as a sort of consortium KYC depends more on regulation and perceptions of reputational risk than on technical feasibility. In the United States, for example, Section 326 of the Patriot Act does indeed stipulate that financial institutions can outsource their Customer Identification Program (CIP) to third parties. However, certain rules must be followed, not least a binding contractual agreement in which the third party certifies its annual obligations to fulfill the partner financial institution’s CIP. So while SBTs have the potential to incorporate all three rungs of digital identity (which in the DeFi KYC scenario means inherent and assigned attributes), the inability to disclose the underlying data privately and bilaterally stifles SBTs’ use cases for the foreseeable future.
It is this shortcoming of SBTs that Verifiable Credentials (VCs) resolve. VCs are off-chain identity claims cryptographically signed by an issuer and stored in the encrypted digital wallet of a holder. In this model, the only information recorded on-chain sits within the verifiable data registry. This registry encompasses: (1) the public decentralized identifiers of the issuer, such as a public key; (2) a schema defining which fields populate a verifiable credential; (3) a credential definition declaring an issuer’s decentralized identifier, public key, and schema format; and (4) a revocation registry.
When the holder presents a verifiable credential and the enclosed identity claims to a relying party, so long as cryptographic verification succeeds, the relying party can rest easy that the verifiable credential itself is not counterfeit. Whether the identity claims themselves can be trusted is a more nuanced question. As with SBTs, the issuer can be traced. What decentralized, trustless, and permissionless processes cannot substitute for, however, is authority. The relying party must place confidence not only in the issuer’s authority to make such identity claims, but also in the issuer’s procedures for validating that a digital wallet owner corresponds to the correct, authenticated claim holder. In the same DeFi KYC context, before a financial institution could release a patron’s vetted identity claims in the form of a verifiable credential, it must prove the account holder’s control over a wallet address. Use cases beyond DeFi KYC handle wildly different data of varying sensitivity – generally, the more sensitive the data, the higher the level of assurance required for authentication. If all of these conditions are met, verifiable credentials could bring more portability, privacy, and security to use cases that hinge on more vulnerable datasets, from employment eligibility to prescription pickup.
NFTs, SBTs, and VCs are all Web3 technical implementations that enable digital identity applications. What we as a community have yet to reconcile is which data containers are most fit for purpose for which use cases (and in which instances NFTs or SBTs should be used in combination with VCs). Therefore, any foundational Web3 data layer must accommodate a flexible, agile, and holistic approach to digital identity. In our next installment, I will propose the Synamint protocol as an infrastructural solution that will empower organizations, brands, communities, and individuals to experiment and pivot as we refine digital identity applications in Web3.