Centralized vs. decentralized identity management explained

What is centralized identity?

Centralized identity refers to an entity, such as a vendor, employer or educational institution, storing the identity-related information of its users, including personal data and credentials. Identifiers could include usernames, email addresses, government-issued identifiers or other values linked to a person.

Nearly every online resource uses centralized identity to confirm claimed identities. Consider company X that manages identity information for its employees and customers. From the company's perspective, the identity data is centralized -- meaning identity data is all kept in one place that the company fully controls.

From an end-user perspective, centralized identity means a user might have dozens or hundreds of distinct identities and credentials across organizations and resources. What is centralized for the organizations is anything but centralized for end users who have to remember each identifier and password. This overload of credentials often results in password reuse and other poor password practices that can lead to identity theft, data breaches and other compromises.

What is decentralized identity?

Decentralized identity refers to when individuals have full control over their credentials and personal data, which are stored within a digital wallet. The digital wallet acts as an intermediary and protects the security of the personal data and the privacy of the individual. A decentralized identifier (DID) can be an automatically generated string without any personal information, which further protects the individual's privacy.

Decentralized identity gives individuals full control over the credentials or personal information shared with each organization that is verifying their identity.

DIDs are effective identifiers because users' credentials and personal information are verified by a third party. For example, consider a person whose DID is a cryptographically signed driver's license credential. To rent a car, the person could authorize the car rental agency to access their credential, which the agency would then verify. Similarly, a person could authorize their wallet to attest they are over 21 years old to an alcoholic beverage company's website. Other types of personal information, such as address, academic degrees, work history, government identifiers and financial account numbers, could also be verified by the digital wallet.

Decentralized identity systems are usually blockchain-based. Each transaction is recorded in a blockchain holding only the DIDs, not any personal information. Authenticated credentials are also based on cryptographic keys, not passwords, so password management and attacks involving passwords are eliminated.

Decentralized identity benefits

DIDs offer the following security and privacy benefits for users and organizations:

• More secure and private method for handling identity. A user's identity -- including when and with whom it is shared -- remains under the control of the individual. DIDs only need specific personally identifiable information for verification, thereby reducing how much PII may be exposed in the event of a data breach.
• Fewer accounts needed. With a digital wallet and DID, users don't need to create separate accounts for each service.
• Verifiable credentials. Information in the digital wallet is already verified for accuracy and signed by trusted third-party sources, potentially speeding up verification processes.

• Shifted responsibility for handling PII. Some privacy responsibilities are addressed because organizations only receive accurate PII that the individual explicitly authorizes them to use. DIDs aren't stored or managed by organizations, further reducing their responsibilities for safeguarding PII and ensuring user privacy.

• Reduced chances organizations get attacked. If organizations adopt decentralized identity, they may not be an attractive target for malicious actors since they have less user data stored.
• Password problems mitigated. Because DIDs are based on cryptographic keys instead of passwords, password management challenges and password-based attacks are mitigated.
• Blockchain benefits. Using DIDs provides benefits associated with blockchain, such as transaction transparency and tamper resistance.

Decentralized identity challenges

Decentralized identity remains a nascent technology. The following challenges must be addressed before it sees widespread adoption:

• Understanding what decentralized identity is and provides. Education is key. Most people don't understand blockchain, how it works or how it keeps identities safe.
• Individuals are in charge of DIDs. Individuals become solely responsible for protecting the security and privacy of their information, raising the following questions: What information should be shared with each organization? What happens if my digital wallet is compromised?
• Changes to organizational infrastructure. Systems are currently designed around centralized identity. Switching to decentralized identity would require adopting new infrastructure, which can be expensive in terms of adoption and scaling use.
• Understanding what a trusted source is. Questions remain around standardization and who determines whether a source is trustworthy. Standards need to emerge to determine who or what is considered a trusted/verifiable source.
• Lost revenue. From an organizational perspective, many prefer centralized identities because they get to retain users' personal data and track user behavior online. With DIDs, organizations don't have this harvested information to sell.

It's important to note that decentralized identity is in an early adopter phase today. It will take time for standards and interoperable tools to emerge, mature and become widely used. For most users and organizations, centralized identity will be the norm for the foreseeable future.