The Internet and Identity


mhrsntrk / July 15, 2022

Last year, it was an eye-opening experience for me to start working in the Self-Sovereign Identity field. Currently, I am managing the Identity and Access Management product at Energy Web, and it gives me lots of insight into the concept and its real-world use-cases.

Let's start from the beginning, I mean the creation of the internet! The task was very simple: just connect some number of computers that are far away from each other. But we found more use-cases for the internet as it grew, such as online shopping, online banking, social media, etc., and all of these new use-cases are related to you as a user, not to the machine. The problem is that the internet doesn't have a native identity and trust system. What it has is an IP/MAC address to identify your connected machine, but not the person who is using it. In web2, we have two identity models to provide the identity system: the Centralized Identity Model and the Federated Identity Model.

[Figure: Centralized and Federated Identity Models]

Centralized Identity Model

This is the most common model, used by many applications today. You have a username/identifier in the application's database, and to prove to the application that you own this username/identifier, you enter a user-generated password. This is the username/password that we use every single day. I can hear you asking what is wrong with this approach. There are two issues that you cannot solve by using a password manager:

  1. Your data is siloed inside this application, so it is not portable or re-usable. You have to create an account for every application that you decide to use.

  2. The centralized database which stores the user information is a potential honeypot for hackers. Have I mentioned that global cybercrime damages are predicted to cost $6,000,000,000,000 (it is six trillion US Dollars, and yes it has that many zeros) annually by 2021?

Federated Identity Model

It is a fairly new concept for identity management, and the idea behind it was to solve the portability and re-usability problems of the Centralized Identity Model.

In this model, we add an identity provider between the user and the application. You can easily recognize this model when you see “Log in with some_evil_company_name_here”. In theory, you can use your some_evil_company_name_here account to log in to services that have an integration. So does this model solve all of our problems? Of course not, it just creates a bigger honeypot for hackers.