Centralized vs. decentralized identity management explained
With decentralized identity, organizations can worry less about data security and privacy, while users get more control over their information. But it's not without challenges.
Decentralized identity has been getting attention as a way of addressing the shortcomings of centralized identity. But what does decentralized identity really mean? And how would managing centralized identities differ from managing decentralized identities?
Learn about centralized vs. decentralized identity management, as well as the advantages and disadvantages of each from two viewpoints: organizations that want to verify user identities and individuals that want to access organizations' resources and services.
What is centralized identity?
Centralized identity refers to an entity, such as a vendor, employer or educational institution, storing the identity-related information of its users, including personal data and credentials. Identifiers could include usernames, email addresses, government-issued identifiers or other values linked to a person.
Nearly every online resource uses centralized identity to confirm claimed identities. Consider company X that manages identity information for its employees and customers. From the company's perspective, the identity data is centralized, meaning all of it is kept in one place that the company fully controls.
From an end-user perspective, centralized identity means a user might have dozens or hundreds of distinct identities and credentials across organizations and resources. What is centralized for the organizations is anything but centralized for end users who have to remember each identifier and password. This overload of credentials often results in password reuse and other poor password practices that can lead to identity theft, data breaches and other compromises.
What is decentralized identity?
Decentralized identity is a model in which individuals have full control over their credentials and personal data, which are stored within a digital wallet. The digital wallet acts as an intermediary and protects the security of the personal data and the privacy of the individual. A decentralized identifier (DID) can be an automatically generated string without any personal information, which further protects the individual's privacy.
Decentralized identity gives individuals full control over the credentials or personal information shared with each organization that is verifying their identity.
DIDs are effective identifiers because users' credentials and personal information are verified by a third party. For example, consider a person whose digital wallet holds a cryptographically signed driver's license credential. To rent a car, the person could authorize the car rental agency to access that credential, which the agency would then verify. Similarly, a person could authorize their wallet to attest they are over 21 years old to an alcoholic beverage company's website. Other types of personal information, such as address, academic degrees, work history, government identifiers and financial account numbers, could also be verified through the digital wallet.
Decentralized identity systems are usually blockchain based. Each transaction is recorded in a blockchain holding only the DIDs, not any personal information. Authenticated credentials are also based on cryptographic keys, not passwords, so password management and attacks involving passwords are eliminated.
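The flow described above, as an added example in Go that is not part of the original article: an issuer signs a credential that lives in the holder's wallet, the DID is derived from a key and carries no personal data, the wallet attests a single claim (over 21) to a verifier without revealing the others, and the holder authenticates with a key rather than a password. Everything in it is a constructed, simplified model: the `did:example:` identifiers, the salted-digest selective-disclosure scheme, the `|`-joined signing format and all type and function names are assumptions, not a real DID method or the W3C Verifiable Credentials data model, and the verifier receives the issuer's and subject's public keys directly where a real system would resolve them from the DIDs (the ledger role the article assigns to a blockchain).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Constructed model of the flow described in the article; all names are hypothetical and this
// is not a real DID method or the W3C Verifiable Credentials data model. Actor is an issuer, a
// holder's wallet or a verifier; its DID is derived from a public key, so it carries no personal data.
type Actor struct {
	DID  string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewActor() *Actor {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand; errors only if the OS CSPRNG fails
	return &Actor{fmt.Sprintf("did:example:%.8x", sha256.Sum256(pub)), pub, priv}
}

// Disclosure is one salted claim. The issuer signs only claim digests, so the holder can reveal any subset.
type Disclosure struct{ Salt, Name, Value string }

func (d Disclosure) Digest() string { return fmt.Sprintf("%x", sha256.Sum256([]byte(d.Salt+"|"+d.Name+"|"+d.Value))) }

// Credential is the issuer-signed part: issuer DID, subject DID and sorted claim digests.
type Credential struct {
	Issuer, Subject string
	Digests         []string
	Signature       []byte
}

func (c Credential) signedBytes() []byte { return []byte(c.Issuer + "|" + c.Subject + "|" + strings.Join(c.Digests, ",")) }

// Issue: the issuer (e.g. a motor-vehicle agency) salts each claim, signs the digests
// and gives the holder's wallet both the credential and all of the disclosures.
func (iss *Actor) Issue(subject string, claims map[string]string) (Credential, []Disclosure) {
	ds, digests := []Disclosure{}, []string{}
	for name, value := range claims {
		salt := make([]byte, 16)
		rand.Read(salt) // crypto/rand; see NewActor
		d := Disclosure{fmt.Sprintf("%x", salt), name, value}
		ds, digests = append(ds, d), append(digests, d.Digest())
	}
	sort.Strings(digests) // map iteration order is random; sort so the signed bytes are canonical
	c := Credential{Issuer: iss.DID, Subject: subject, Digests: digests}
	c.Signature = ed25519.Sign(iss.priv, c.signedBytes())
	return c, ds
}

// Presentation is what the wallet sends a verifier: the credential, only the chosen disclosures,
// and a signature over the verifier's nonce proving control of the subject DID's key (key, not password).
type Presentation struct {
	Credential Credential
	Disclosed  []Disclosure
	HolderSig  []byte
}

func holderMessage(c Credential, nonce string) []byte { return append([]byte(nonce+"|"), c.Signature...) }

func (h *Actor) Present(c Credential, all []Disclosure, reveal map[string]bool, nonce string) Presentation {
	var chosen []Disclosure
	for _, d := range all {
		if reveal[d.Name] {
			chosen = append(chosen, d)
		}
	}
	return Presentation{c, chosen, ed25519.Sign(h.priv, holderMessage(c, nonce))}
}

// Verify, run by the relying party (car rental agency, age-gated site), needs only the issuer's and
// subject's public keys, which a real system resolves from the DIDs. It learns only the revealed claims.
func Verify(p Presentation, issuerPub, subjectPub ed25519.PublicKey, nonce string) (map[string]string, error) {
	if !ed25519.Verify(issuerPub, p.Credential.signedBytes(), p.Credential.Signature) {
		return nil, errors.New("issuer signature invalid: credential forged or altered")
	}
	if !ed25519.Verify(subjectPub, holderMessage(p.Credential, nonce), p.HolderSig) {
		return nil, errors.New("presenter does not control the subject key, or stale nonce")
	}
	revealed := map[string]string{}
	for _, d := range p.Disclosed {
		// Digests are sorted as issued, and the issuer signature prevents reordering or insertion.
		dg := d.Digest()
		if i := sort.SearchStrings(p.Credential.Digests, dg); i == len(p.Credential.Digests) || p.Credential.Digests[i] != dg {
			return nil, errors.New("revealed claim " + d.Name + " was not signed by the issuer")
		}
		revealed[d.Name] = d.Value
	}
	return revealed, nil
}
```

In the happy path the agency issues name, birthdate and over_21, the wallet presents only over_21, and the verifier ends up with a map containing just that claim. Three failure cases are the ones a defender cares about: a presentation by someone who copied the credential but not the subject's private key fails the holder signature check (which is why a compromised wallet key is the critical risk for users); a recorded presentation replayed against a fresh nonce fails the same check; and a claim the issuer never signed is rejected because its digest is not covered by the issuer signature.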
Who should use decentralized vs. centralized identities?
Decentralized identities have the following benefits for users:
- They give users control over their personal information and privacy.
- They could minimize the number of identifiers and passwords users must manage.
Using decentralized identities also provides the benefits associated with blockchain use, such as transaction transparency and tamper resistance.
Organizations can also benefit from supporting DIDs. The main benefits include the following:
- Some privacy responsibilities would be addressed because organizations would only receive accurate personal information that the individual has explicitly authorized them to use.
- Decentralized identities don't need to be stored or managed, further reducing organizations' responsibilities for safeguarding sensitive user data and ensuring user privacy.
On the other hand, DIDs also have distinct disadvantages. From the user perspective, individuals become solely responsible for protecting the security and privacy of their information. This raises the following major questions:
- How would you decide what information to share with each organization?
- What happens if your digital wallet is compromised?
From an organization perspective, many prefer centralized identities because they get to retain users' personal data and track user behavior online. Organizations might be able to resell this harvested information -- and that can be a major source of revenue.
It's important to note that decentralized identity is in an early adopter phase today. It will take time for standards and interoperable tools to emerge, mature and become widely used. For most users and organizations, centralized identity will be the norm for the foreseeable future.