by Simone Onofri (W3C)
Digital Identities have been in development for decades. As governments increasingly consider becoming providers and consumers of these technologies, they now more than ever have the potential to change the web and the concept of identity as we know it.
The world of Digital Identities has its origins many years ago when there were only centralised Identity Models. In recent years, federated Identity Models have spread to all sectors, from social networks and education to enterprises and governments. Federated Identity Models allow users to authenticate across different systems or platforms using a single set of credentials, often managed by a third party. Additionally, several projects have implemented the new paradigm of decentralised identity, where users have a digital wallet and control over their identity.
This has caught the interest of governments worldwide, which are designing wallets and decentralised identities for citizens, intending to have more secure digital credentials. Digital credentials, which can be more privacy-preserving than physical ones, allow users to control the amount of personal information shared, only disclosing necessary details, unlike physical documents that often reveal more data than needed.
Given the scope and scale of this innovation, Digital Identities are significantly impacting the web and, in particular, privacy and human rights, altering the assumptions and the balance that have shaped the web ecosystem. There is a large number of stakeholders, including governments, implementers, privacy and human rights advocates [1]. Considering the number of technologies available and their respective standards development organisations (SDOs), the document “Identity and the Web” [L1] was published in August 2024.
The document provides an overview of Digital Identities, focusing on decentralised identities and their impact on the web and users, to understand the possible threats and how to mitigate them, both from a technology and governance perspective.
The document also highlights several areas where standardisation, guidelines, and interoperability could play a crucial role in managing these changes [2]. These include enabling passwordless credentials for authentication and payments, and facilitating federated identity on the web without relying on third-party cookies. It also emphasises the importance of modelling security, privacy, and human-rights threats associated with decentralised credentials (Figure 1). Additionally, standardising digital credentials on the web can help mitigate issues like surveillance, censorship, intrusion, and discrimination, while ensuring interoperability. Addressing these threats requires careful consideration at both technological and governance levels.
Figure 1: Decentralised identity architecture.
The paper also proposes different use cases of the systemic impact on both the market side and the human side [L2].
In conclusion, standards are crucial for driving innovation and mitigating threats. Coordinated efforts among SDOs, people, and governments are needed to ensure Digital Identities are beneficial, balancing both technology and governance. Additionally, the impact on security, privacy, and human rights should be closely monitored, with threat modelling as a key tool.
Links:
[L1] https://www.w3.org/reports/identity-web-impact/
[L2] https://www.w3.org/reports/identity-web-impact/#uses-cases
References:
[1] UN Office of the High Commissioner for Human Rights, “Human rights and technical standard-setting processes for new and emerging digital technologies: report of the Office of the United Nations High Commissioner for Human Rights,” 2023. https://digitallibrary.un.org/record/4031373?v=pdf
[2] H. Flanagan, “Identity on the Web,” 2024. https://www.w3.org/2024/04/AC/talk/identity
Please contact:
Simone Onofri, W3C Security Lead
