Microsoft announced on April 5, 2020 that its Azure AD Verifiable Credentials is now in public preview. This solution enables organizations to design and issue verifiable credentials to their users: enterprises issuing employment credentials to their employees, universities enrolling students or issuing diplomas, governments issuing passports and ID cards, and countless other uses. This is an exciting step toward meaningfully giving agency back to individuals so they can securely hold and exchange their identity data online and in the physical world.
Decentralized Identifiers (DIDs) are a critical technological component of Microsoft's solution. While there are many DID methods, the viability of such an ambitious decentralized identity project required a scalable, independent, and decentralized network. ION is the result. ION is an open source, public, and permissionless network that underpins Microsoft's decentralized identity projects. ION is a Sidetree-based network anchored on Bitcoin mainnet, enabling anyone to generate and anchor DIDs in the public preview of Azure AD Verifiable Credentials. ION was designed by Microsoft team members in collaboration with members of the Decentralized Identity Foundation (DIF) and with contributors from Transmute, SecureKey, Mattr, ConsenSys, and others.
From Concept to Adoption
The concept of using decentralized solutions for issuing, holding, and exchanging identity data has been viable for about 5 years now. We have seen proofs of concept, short-term projects, pitches, and customers beginning to adopt working decentralized identity solutions. These have mostly been user-facing, targeting the general public with self-sovereign wallets in which to hold credentials, onboard their own credentials, and exchange them over peer-to-peer networks. These products functioned, but stagnated because the credentials could not be used to access many different types of services. But in the last year, momentum has picked up for solutions designed for enterprise use that address IAM needs. And these products, Microsoft's own included, have matured to the point that widespread adoption just might be on the horizon.
There have been many roadblocks preventing mass adoption, and we are interested to see whether Azure AD Verifiable Credentials will dismantle them.
- Integrations with directory services and authentication sources must be part of any solution. These are integral parts of an enterprise's IAM architecture, and even if an identity credential is held by an individual, it must be able to interoperate with those systems.
- Easy adoption in widely used systems: decentralized identity started out as a solution to be adopted on moral principle. To reach mass adoption, it must be chosen by enterprises and organizations of all types not because it is philosophically admirable, but because it makes sense. While the security and privacy benefits for the individual are very clear, the solution must also have connectors to widely used systems across many sectors.
- Common standards must be used to create compatibility between different systems. Decentralized Identifiers (DIDs) and Verifiable Credentials are both foundational standards that enable decentralized identity solutions to remain independent of any centralized registry, identity provider, or certificate authority, while still being shareable in a trustworthy fashion. DIDComm is another emerging standard to watch. Read this Market Compass for more information on the decentralized identity space.
- Use for employee credential issuance as well as consumer credential issuance: CIAM evolved out of IAM. If enterprises begin using decentralized identity solutions for their employees and partners, and those solutions succeed, there will likely be a natural overflow into CIAM. Issuing credentials for an enterprise's own use within its own ecosystem is also a less overwhelming scenario (although issuing credentials to consumers may end up being a very similar process with decentralized solutions). Additionally, employee mobility and fully remote onboarding of new employees are very compelling use cases that can lower risk and expense for enterprises.
- The link to identity verification is essential for mass adoption. The only way an enterprise can trust a credential issued by an unknown issuer, and held by the user on their own device, is if there is an additional verification step. On top of the cryptographic verification that accompanies decentralized identity solutions, incorporating identity verification into them is a powerful way to confirm in real time that the holder of a credential is indeed the person described in it.
The chances are better now than they have ever been. It has been a long journey since blockchain first became a buzzword, but the field has evolved and matured into an entirely different beast, one in which blockchain is still present but does not feature prominently.
Enterprises are also not alone when first dipping their toes into the decentralized identity space. The appeal of a decentralized identity solution that is already compatible with existing infrastructure – Azure AD and Microsoft Authenticator, for example – is not insignificant. Microsoft is assembling a partner ecosystem of identity verification providers that together offer global coverage. And the list of customer references shows viability in the education, health, and government sectors around the world.
The chances for mass adoption are higher because the use cases are more relevant, the solutions more mature, and the foundational pieces – such as identity verification – are being established. 2021 will be a decisive year for decentralized identity, perhaps for the better.