How Does Decentralized Identity Management Work?

Users are issued cryptographically verifiable credentials to their digital identity wallets, which exist as smartphone apps or online services. These credentials contain the issuer’s claims about that user - e.g., their name, date of birth, or certifications. Users can also self-issue credentials about themselves to which no issuer may attest - e.g., their gender or preferred salutation. Relying parties then request the presentation of these credentials directly from the user’s wallet, allowing users to review the data they are being asked to share and potentially select whether or not to disclose certain aspects of the requested data.

As the next generation of identity management technology, DCI improves privacy, convenience, and security for both the user and the implementing organization. It avoids the costly overhead of managing federation and helps minimize the amount of data stored in centralized datastores. Relying parties can request credentials issued by any number of issuers they trust, giving the user flexibility regarding the credentials they present.

Digital identity wallets provide additional features in addition to presenting credentials for authentication or authorization. As digital wallets contain cryptographic keys associated with the user, they can also be used to sign data indicating real-time consent for transactions—useful for compliance and auditing.

While DCI credentials may contain any information pertaining to a user, a critical use case is the storage of a record of identity proofing. Identity proofing involves collecting and verifying information about a person to ensure they are who they claim to be, frequently using documents such as passports or driver’s licenses. Once proofed, organizations can issue a verifiable digital credential to be stored in the user’s digital wallet. This credential can subsequently be presented to relying parties to instantly strongly authenticate the user without performing identity proofing again. 

Just like a physical credential, verifiable digital credentials may have an expiration date or be revoked in real-time. That way, Verifiers always know whether the issuer has decided the data has expired or whether the user has removed consent to use the data.​​

Issuers are official data sources, such as government entities, universities, credit bureaus, banks, or pharmacies, that provide verified data about people. They are the organizations that create a verifiable digital credential signed with their private key and issue it to the holder [generally the end user of the verifiable credential]. Users can click a link from an issuer or scan a QR code to add verified data, in the form of a card, to their digital wallet.

Users are individuals, such as potential employees and customers, who store identity data (for example, a government-issued ID, vaccination record, or transcript) in a digital wallet. They are the holders who receive and store the verifiable credentials in their digital wallet app. Because personal information is stored only in the digital wallet, it's never outside of a user's control.

Verifiers are businesses or individuals that need to confirm something about someone. They are the relying parties that check the credentials and read the issuer’s public identifier or certificate to verify if the credential was signed by the issuer’s keys. By scanning a QR code, users can share up-to-date, verified data about themselves with verifiers.

Choose DCI for:

• Reduced storage of PII: Only collect the information needed for the transaction. Re-using identity attributes issued by yourself and other trusted issuing authorities

• Privacy preservation: Enables privacy by design, allowing for selective disclosure of identity information

• Interoperability: Facilitates interaction among various systems and services without relying on centralized identity providers

• User-Centric Control: Empower individuals with control over their own identity data

Ideal use cases:

• When there is a need to confirm a user’s true identity and proof of humanity; continuously verifying a user’s identity can be costly for organizations

• High-value transaction scenarios to ensure your audience is legitimate

• Reusable verifications where a large variety of relying parties reuse issued credentials (avoids costly and tight coupling between services)

• Fast onboarding, suitable for a digital-native generation

Limitations of DCI:

• Users are exposed to complex concepts like digital credential wallets and credential lifecycle management, such as issuance, storage, and revocation. Introducing these concepts and their benefits clearly or seamlessly is critical for adoption

• Standards are still emerging, leading to proprietary wallets and credential formats.

• Less tech-savvy users may get frustrated with the proofing process, or they may find interacting across multiple applications burdensome