...

  1. Onboarding processes on nearly every online service are built on social login via OIDC. This is easy, but it involves a central identity provider such as LinkedIn, Facebook, Google, etc.; see this page of hyperledger foundation:
  2. The current solution is user-friendly and everyone loves to use it, mostly with two-factor authentication, which often involves the mobile phone and a password.
  3. Social login is integrated into the process like the Start button on the Windows desktop, but every time I use it, the central identity provider notices this and can learn more about the behavior of the user. For example, I logged in here using LinkedIn, so LinkedIn will show me some advertisements around the Linux Foundation.
  4. And if I'm not logged in to LinkedIn, I need to log in again, which means I need to know my password.
  5. Summary of Problems:
    1. The user's behavior is tracked in the current services, which makes the user a product of the social identity provider!
    2. The user needs to remember so many passwords!


→ Market research on this topic is in the Appendix

Solution

  1. Provide a service that offers the usual social login onboarding without the central IDP learning your behavior. We introduce the Social verifiable credential, a service where a user logs in once and issues his social account as verifiable credentials into his wallet. In addition, we introduce a simple OIDC SSI verifier to easily include the social login as verifiable credentials in your service.
  2. The user then has a passwordless social identity, because the whole account is in the wallet.
  3. We introduce an easy auth server using SSI, configured for the social accounts, that can be used for login on every platform.
  4. Our solution doesn't include any central IDP or databases for storing the data, and is easy to integrate into your service, as configuration for docker-compose, Kubernetes, AWS, Azure, Google Cloud ...
    1. Alternatively, we plan to use Zapier for easy integration, like Trinsic
    2. Our goal is decentralization, so every service provider needs to add its own verifier, but we provide the easiest way to do it
  5. Minimum Implementation goal:
    1. The minimum is an issuer with the social login via a central IDP. The verifier is not needed in the beginning, since a lot of products can solve this (trinsic, esatus, ...)
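
The issuer step described above, as an added sketch that is not the project's own code: before a social account becomes a credential, the issuer has to check that the ID token was minted for it and is fresh, and should copy only the claims it needs. The credential type `SocialAccountCredential`, the `did:example:` identifiers, the kept claims and the sample token are assumptions; signature verification, credential signing and wallet delivery are assumed to happen elsewhere.

```python
from datetime import datetime, timezone

VC_CONTEXT = "https://www.w3.org/2018/credentials/v1"  # W3C VC Data Model 1.1
KEEP = ("email", "name")  # assumption: the only profile claims copied over


def id_token_to_credential(claims, *, expected_iss, client_id, nonce,
                           issuer_did, holder_did, now):
    """Validate ID-token claims, then build an unsigned credential.

    Assumes an OIDC library already verified the token signature against
    the provider's published keys; signing the credential is not shown.
    """
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not nonce or claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if claims.get("email_verified") is not True:
        raise ValueError("provider has not verified the e-mail address")
    # Data minimisation: token-internal claims (at_hash, picture, ...) are dropped.
    subject = {"id": holder_did, "provider": claims["iss"]}
    subject.update({k: claims[k] for k in KEEP if k in claims})
    issued = datetime.fromtimestamp(now, timezone.utc)
    return {
        "@context": [VC_CONTEXT],
        # Hypothetical type; a deployment would define it in its own context.
        "type": ["VerifiableCredential", "SocialAccountCredential"],
        "issuer": issuer_did,
        "issuanceDate": issued.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "credentialSubject": subject,
    }


# Constructed sample claims (not from a real provider).
SAMPLE = {"iss": "https://idp.example", "aud": "social-vc-issuer",
          "sub": "user-123", "exp": 1700003600, "nonce": "n-42",
          "email": "alice@example.org", "email_verified": True,
          "name": "Alice", "at_hash": "constructed",
          "picture": "https://idp.example/a.png"}
```

After this one login the provider is not contacted again: a verifier checks the credential presented from the wallet, so later logins at relying services are not visible to the social provider.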

...

  • One risk is that no one will integrate the OIDC verifier, because of the effort and the lack of users on the market (chicken-and-egg problem)
    • We reduce the risk by providing a lot of tutorials and support for integrating the OIDC verifier
    • The OIDC verifier is free, and we say that other products from trinsic, esatus, evernym can be used here
    • We need good short pitch videos that we can spread over social media - see milestone 4
  • Another risk is that users will not use it, because no services offer it (chicken-and-egg problem)
    • We need the possibility to log in with it at least on Hyperledger/Linux Foundation; then we will do marketing to show the data privacy benefits for the user
    • We hope it begins with some enthusiasts but will scale later to everyone
    • Since this is something that gets users into SSI, we are sure we will get marketing support from SSI companies and enthusiasts
    • We need good short pitch videos that we can spread over social media - see milestone 4
  • Another risk is the scalability of user access: what if it goes to the moon? We are not sure about the scalability of the Aries wallet
    • We just hope the Hyperledger community and some SSI product providers support us with a production-ready deployment of the cloud wallet
  • Another risk is that a social provider blocks us
    • Limit the risk by instant marketing reactions around this, starting petitions, and asking all known GDPR data protection auditors to look at this...and we can say that tracking users is not needed and should be punished under GDPR...we can't do other things
    • Add positive feedback/marketing for providers who accept this, for publicity and the privacy of their customers, and negative feedback about the ones who block our platform


Appendix


Market Web Research

We researched how companies see the future of login and identity management, with the following results:

"Self-sovereign identities (SSI) are digital identities that are managed in a decentralized manner. This technology allows users to self-manage their digital identities without depending on third-party providers to store and centrally manage the data"

[https://www.bosch.com/stories/self-sovereign-identities]


"Self-sovereign identity (SSI) is a term used to describe the digital movement that recognizes an individual should own and control their identity without the intervening administrative authorities. SSI allows people to interact in the digital world with the same freedom and capacity for trust as they do in the offline world."

[https://sovrin.org/faq/what-is-self-sovereign-identity/]


"By 2022, Gartner predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases — up from 5% in 2018."

[https://www.gartner.com/smarterwithgartner/embrace-a-passwordless-approach-to-improve-security]


"There are serious concerns about any kind of centralized Identity Providers (IdPs) as used in many areas of our daily life (e.g. in social logins). In the digital age our personal information is stored on computer systems. Databases store millions of records that are hosted on servers or in data centers which often belong to private companies. This probably sensitive information is stored centrally and is thus often at risk from data theft by hackers."

[https://www.switch.ch/export/sites/default/about/innovation/.galleries/files/SWITCHInnovationLab_IDAS.pdf]


"Self-Sovereign Identity (SSI) is a game changer in the area of digital identities. It allows a decentralized management of identities while giving back control to their owner. It solves core privacy problems existing in centralized and federated identity models and offers new ways of using identities (e.g. user accounts) and official documents (e.g. diplomas) in the form of verifiable credentials."

[https://www.adnovum.ch/en/incubator/innovation_initiatives/self_sovereign_identity.html]


"In a world of changing privacy regulations, identity theft, and online anonymity, identity is a precious and complex concept. Self-Sovereign Identity (SSI) is a set of technologies that move control of digital identity from third party “identity providers” directly to individuals, and it promises to be one of the most important trends for the coming decades."

[Self-Sovereign Identity - Decentralized digital identity and verifiable credentials, May 2021, ISBN 9781617296598]


Overall, there seems to be a need for secure communication and secure exchange of personal data.