The Downsides to Decentralized Identity and SSI

Decentralized identity will become significant in identity proofing and verification in the coming years. There are plenty of explainers and deep dives into the technology and why companies and people should pay attention to it. It is still a fragmented space, but new iterations are slowly improving and standardizing the solutions. Many businesses like to cheerlead their own solution and won't offer counterarguments or discuss where decentralized identity can go wrong. We want to offer the other side of the picture. Ideally, decentralized identity takes over and saves everyone time on KYC. That could be the base case, but each business should understand the flaws of decentralized identity. For most companies, it will provide tremendous cost savings and save consumers time when authenticating and verifying identities for various services. We will explore some scenarios where either additional controls or alternative identity verification should be used. There are many ways for decentralized, SSI, centralized, federated, and other identity models to work together to provide robust security systems.


The first issue with some decentralized solutions revolves around the legal and audit aspects of identity. One company might not want the liability of sharing that it has proofed a certain identity: if a laundering case arises in the future, it also calls the original proofer into question. The privacy aspect is also interesting, as we don't see customers willing to allow a company to share their identity data points with an unknown number of other companies. Companies also do not see it as a large revenue model, since identity is typically not their core business; instead, managing the sharing would add another risk factor. If a reusable credential is issued and then used for a service, many companies might need more data than the platform provides. For example, proof that you verified with X service may not be enough, and the business might require the original photos or sources of the verified credentials. Nothing stops someone from creating a fraudulent mDL (mobile driver's license) with a fake Apple Wallet. The steps required start with a physical ID scan, which can be faked with the same data as on the driver's license. The most challenging part is bypassing the facial scan, which is compared against the photo at the DMV. Apple's IR and Face ID may be robust, but they are not foolproof. In these cases, the original provider might verify a stolen identity and then pass it to another business. The efficiency of the entire process removes some of the security checks that would otherwise give multiple chances to catch a case of fraud. Even with an SSI or decentralized solution, you are still centralizing the proofing at one point. Even if you do liveness checks and other at-point authentication, AI is making them less reliable. This underscores the need for caution and thorough consideration when implementing decentralized identity solutions.

Another aspect is that you may fail to benefit from the speed of innovation of different solutions when relying on an SSI or decentralized identity. In the end, these solutions are technology and software, with the cryptographic portion being the differentiator, but the same security measures can be applied to any solution. Please do not fall for the marketing hype that they are magically unhackable, as, in the end, only one source can be trusted. An authoritative source of identity can be achieved by using multiple data points, and it will become more assertive in person. Fraudsters like to create a piggy bank of identities, and if they have a wallet to choose from that was bypassed earlier in the year with deepfakes, there is nothing stopping reauthentication checks from catching the prior fraud. There are also ongoing risk issues, where an ID might expire or some other issue arises after the original credential issuance. Refreshing a decentralized identity is another dilemma that needs to be solved; anyone who has dealt with normal KYC knows that users are difficult to remind about completing tasks. There needs to be an approach similar to the one for credit cards, where account updaters get the new expiration date of a card token for subscriptions. Decentralized providers can mitigate this risk by continuously adapting their verification methods and including other fraud detectors on their platform.
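As an added illustration (not code from the original post or from any identity product), the sketch below shows one way a relying party could re-evaluate a reusable credential every time it is presented: reject on revocation or an expired underlying ID, require step-up verification when the proofing is stale or the business needs evidence the issuer cannot share, and flag upcoming expiry for refresh. All field names, thresholds, and sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# All field names and thresholds are illustrative assumptions, not a standard.
MAX_PROOFING_AGE = timedelta(days=365)   # require re-proofing after a year
REFRESH_WINDOW = timedelta(days=30)      # prompt the holder before expiry

@dataclass
class ReusableCredential:
    holder_id: str
    proofed_on: date          # when the issuer proofed the identity
    document_expires: date    # expiry of the underlying ID document
    liveness_checked: bool    # issuer ran a liveness check at proofing
    evidence: list            # evidence types the issuer can share
    revoked: bool = False

def evaluate(cred, today, required_evidence=()):
    """Return a decision plus reasons for one presented credential."""
    if cred.revoked:
        return {"decision": "reject", "reasons": ["revoked by issuer"]}
    if cred.document_expires < today:
        return {"decision": "reject", "reasons": ["underlying ID expired"]}

    reasons = []
    if today - cred.proofed_on > MAX_PROOFING_AGE:
        reasons.append("proofing older than policy allows")
    if not cred.liveness_checked:
        reasons.append("no liveness check at proofing")
    missing = sorted(set(required_evidence) - set(cred.evidence))
    if missing:
        reasons.append("missing evidence: " + ", ".join(missing))

    # Any soft failure means the relying party runs its own extra check.
    decision = "step_up" if reasons else "accept"
    # Account-updater analogue: flag credentials close to expiry for refresh.
    if cred.document_expires - today <= REFRESH_WINDOW:
        reasons.append("refresh due: ID expires soon")
    return {"decision": decision, "reasons": reasons}

# Constructed sample data.
TODAY = date(2025, 6, 1)
SAMPLES = [
    ReusableCredential("alice", date(2025, 1, 10), date(2028, 3, 1), True, ["id_scan", "selfie"]),
    ReusableCredential("bob", date(2023, 2, 1), date(2025, 6, 20), True, ["id_scan"]),
    ReusableCredential("carol", date(2024, 9, 1), date(2025, 5, 1), True, ["id_scan"]),
]

if __name__ == "__main__":
    for c in SAMPLES:
        print(c.holder_id, evaluate(c, TODAY, ("id_scan", "selfie")))
```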

Loss and recovery of an SSI is another pitfall that leads to more issues. If the wallet holding your identity is digital and your phone gets stolen, you will have to reissue all your information to a new device. This poses not only a risk to your personal data but also the potential for misuse of your identity. While the credentials should remain encrypted without a biometric unlock, the hassle of re-credentialing your identity is a significant inconvenience. This is especially true for populations that are not tech-savvy or do not have a device that supports the technology. If given the option, most businesses will still rely on a government-issued credential. Some countries are taking this path, but for now, in the US, there are a myriad of solutions, all trying to do the same thing. If a federal-level solution is released and is easy to integrate, it would take precedence over many decentralized solutions. Consumers may believe their SSI will work for some services, but opening a bank account will always require some centralization for money-laundering prevention and other AML checks.

The last downfall of decentralized identity solutions is their longevity in use. Businesses and consumers want stable solutions, and most of the options for SSI or decentralized credentials are still in their infancy. This is not to say they will not exist in a few years, but investing in them only to see them no longer supported would be a massive failure for the entire movement. What happens when a blockchain ceases improvements or security updates in the face of future vulnerabilities? It would render it all worthless for identity. You are also giving up flexibility and control over the process of proofing and verification; as a small customer, good luck going to Microsoft and trying to have them modify an Entra ID feature to support your business case. As a developer, too, these decentralized solutions might not meet all the requirements, and any changes will require custom coding around a solution. These should be lower on the list of worries for established solutions, but selecting a solution with no long-term business plan and understandable economics doesn't make sense. The lack of a clear long-term business plan and understandable economics can lead to uncertainty and potential disruption in the future. Businesses are also giving up some of the control, UI, and UX to use a decentralized solution. If you want to keep your user in an app or signup flow, you may have to make some compromises when you do not own the entire process. Who maintains support for any technology problems, and how to resolve a stuck user in a KYC flow, is another aspect that you should pay attention to. Decentralized identity puts a wrapper around the identity process, but it is not magic and will still require in-depth knowledge of how to implement it properly.

Acknowledging some of the downsides to decentralized and SSI identity solutions is essential, as they may not fit your business case. With all the technology and solutions available, one does not have to jump right into a solution because it is the hot new thing. Instead, take a step back and think objectively about what the solution will do for you and whether it meets your requirements. Understanding the pros and cons will save you from hastily implementing a solution that might be overkill for your needs. Identity is an essential factor, but decentralization brings more complexity into your operations and how you handle identities. You might discover that consumers don't trust certain decentralized solutions and would only trust a specific business with their identity data. A decentralized ledger with anonymized identifiers still becomes a centralized way to track a particular user, and someone with privacy concerns might not see that as a benefit to themselves. Even if only a DID (Decentralized Identifier) remains on a blockchain, it is still a trace of your existence or identity using the service. Suppose you want to remove all your identity data altogether. In that case, it is impossible to use decentralized solutions because the data was already public at one point, resulting in countless storage points that need purging. A centralized solution may completely erase all identifiers as a one-time event. In review, decentralized identity will continue to evolve and will likely solve many of the problems mentioned here. There will likely be a market for all types of identity solutions, as the overall industry is still growing tremendously with the continued digitization of services.
