What’s Wrong with Our Digital Identity? (And How to Fix It)
Feb 12, 2025
Identity
You might not feel this headache—or even think that anything is wrong—but that doesn’t mean we have to accept the web as it is.
Today, it seems perfectly normal to remember countless usernames and passwords, for our parents to carry lists on paper, to receive advertisements from companies to which we never gave our data, or to have our identity document floating around anywhere—even that odd effect of discussing something and then immediately seeing related ads on social media. The benefits of the Internet far outweigh these inconveniences, which is why we put up with them. However, that doesn’t mean we can’t build a better, safer, and more user-friendly web. The key is to reinvent our digital identity—finding ways to use our identity more like we do in the physical world, where privacy is built in by design rather than an afterthought. Decentralized Identity is the path to rethinking the Internet—at least, that’s what countries like Canada, the U.S., and the European Union believe. In Latin America, the City of Buenos Aires is a pioneer; just a few days ago, it released the code for the QuarkID protocol, of which OS City is a founding member.
To better understand the benefits of this new identity model, let’s first examine what’s wrong with digital identity today.
What’s Wrong for the User
How we use our identity in the physical world is nothing like how we use it online. Imagine that I want to buy a beer at a nearby liquor store or supermarket. The sequence goes something like this:
I show up at the location.
The seller must ensure that I am over 18 years old.
To do so, I present my identity document (or another acceptable document, depending on the country).
The seller verifies that I am over 18 and sells me the beer.
This process is simple and, importantly, exactly the same in any liquor store. I present the same credential, and the sequence remains unchanged regardless of the brand, branch, or city. In this world, there’s no need to think about interoperability between liquor stores or for the stores to share information with a third party. The transaction involves three main actors: a credential issuer (the government), a holder (the citizen), and a verifier (the liquor store). Achieving that simplicity and trust in the process took decades.
In this model, the verifier (liquor store) doesn’t need to call the issuer (government) to verify the credential. The store employee trusts the credential, the photo, and the other security features of physical credentials without needing to consult the issuer to determine if the credential is genuine. Imagine if, every time someone needed to verify a document, they had to call the government office responsible for that credential. It would be impractical. The model isn’t perfect, but we trust it. The same goes for other types of credentials, such as a driver’s license, a university degree, or many others. An important point—central to preserving privacy—is that the credential issuer doesn’t know when or where you use it. The government has no way of knowing that you visited a liquor store or how many times you did so. Since the credential can be verified without “calling the issuer,” the issuer never knows (nor can know) where you use that credential. Physical identity and credentials safeguard our privacy by design. What would happen if the State or a company knew every time you interacted with a shop, bank, or any other institution? In the physical world, that seems absurd—but what about online?
In the virtual world, things are different. Web 2.0—with its social networks, e-commerce, and the web as we largely experience it today—has multiplied our ability to communicate, consume, express ourselves, generate new businesses, and more. But we must remember that the Internet emerged without a layer of identity; it wasn’t originally designed to handle all these functions, so there was no need for a digital identity infrastructure. Basically, in the early days of the web, no one knew if you were a dog.
When we started using the web for more than just accessing information, we needed to build mechanisms to ensure that the person behind the computer wasn’t actually a dog—or, more precisely, at least to know that the dog is who it claims to be. To avoid fraud, we need to ask for the dog’s name, address, owner, etc.
Over roughly a decade, we had to invent novel ways to validate people’s identities online by creating new services, applications, and infrastructures. Some of the methods we invented may sound a bit ridiculous but are now widespread: moving your head, winking, smiling several times, hopping on one foot (or two if you’re a dog), finding a well-lit spot, and repeating the process until the system recognizes you. None of that was necessary in the physical world.
Beyond all the contortions required to validate our identity online, digital identity itself has an architecture very different from our physical identity. Let’s return to the example of buying a beer, but this time online. The sequence might look like this:
I log into the website of the liquor store or supermarket.
The seller must ensure that I am over 18 years old.
To do so, I am redirected to an identity provider—a third party that validates my identity (such as Google, Facebook, or the State).
The identity provider validates my identity and issues me a claim or credential to access the liquor store.
The liquor store trusts the identity provider, receives the validation of my identity, and allows me to buy the beer.
Unlike the physical process, here a third party—the Identity Provider (ID)—is involved in the relationship. To avoid having to create a new digital identity each time we interact with a website, identity providers let us use some of our existing profiles (login with Google, Facebook, Apple, etc.). The same has happened with many online public services. For example, in Argentina, instead of creating a profile for every government agency, I can use my ANSES or AFIP identity to interact with public administration (commonly via Autentic.ar). These identity providers give us a token to use with the liquor store, and to prevent misuse, that token is exclusively for that store. I can’t use the same token or credential at another liquor store.
This model has simplified the user experience since I don’t always have to create a new digital identity for every company or institution. However, it falls far short of the ideal presented by the physical world for several reasons. First, all the liquor stores or websites would need to share the same identity provider—and even though that practice is widespread, we know that I can’t always log in with my Google or Facebook account. If Liquor Store A and B do not share the same ID provider, then I must create a new digital identity for each one. Moreover, the ideal of every website sharing the same identity provider would result in a much more centralized web than what we have today (which is significant). Second, every time I interact with a liquor store, the ID provider knows—or can know—I’m accessing it. It is a trusted third party that intermediates between the user and the store and therefore can (and should) know every time I log in. The liquor store has to “call” the ID provider every time someone wants to enter. Third, the liquor store and the ID provider (or the State) must share information with each other and reach an agreement. While physical identity is a decentralized model, digital identity is siloed. And like all silo models, each silo must be coordinated and agreed upon to achieve interoperability. We’ll revisit this when we discuss credentials and wallets.
In addition to the problems created for the user, today’s Internet brings other issues that may be even more concerning.
What’s Wrong for the Economy
The Internet as we know it is broken—not only because of the problems mentioned above, but also due to some alarming figures:
The World Bank estimates that the digital economy contributes more than 15% of the global Gross Domestic Product (GDP) and has grown two and a half times faster than the physical economy over the last decade.
Furthermore, according to data from the World Economic Forum, the digital economy was valued at US$14.5 trillion in 2021, but the estimated global cost of cybercrime was US$6 trillion—that is, 41% of the digital economy. More than 40% of the digital economy is lost to cybercrime. Imagine if this happened with the physical economy—what would happen if nearly half of the global economy were lost to crimes, offenses, and theft?
Even more worrying, by 2025 the digital economy is projected to reach US$20.8 trillion, but cybercrime is expected to cost US$10.5 trillion. So despite the digital economy’s growth, cybercrime will grow even faster, representing 50% of the digital economy’s size by 2025.
While trust is an abstract idea, it is fundamental to building a better digital ecosystem. If we’re not sure whom we’re interacting with online, we’ll stop doing so. And if many of us lose trust in online services, large parts of the global economy—and therefore society—will begin to crumble. Part of the problem is that the web wasn’t originally designed for activities that require a person’s identity. As we started doing more online, both companies and the State created digital identity mechanisms with the tools available at the time.
So what’s the solution? We need a new way to interact online, both in the private sector and with the State. Consider for a moment how difficult it is for the average citizen to interact digitally with different governments. Have you ever stopped to think how many digital profiles you have online? How many “usernames and passwords”? Now imagine a citizen who works in one municipality but lives in another, who is also the legal representative of their company and pays taxes in different states or provinces, and obviously interacts with various national agencies. For each of these public organizations, they must create a specific digital identity, and thanks to the widespread idea that each government must have one (or many) apps, the citizen ends up with a separate app on their phone for every government they interact with. This happens because we have digitalized bureaucracy. If you think about it, most digital services and procedures are based on proving different aspects of our identity to the State: that we have children, that we are professionals, that we have a permit, that we can drive, etc. The big problem is that all those attributes are fragmented across the dozens of identities (both physical and digital) we have as citizens, and none of these profiles communicate with one another. For example, I can’t digitally present my driver’s license credential from one district in another, or the credential my municipality issued in its app only exists within that app and cannot be digitally shared when completing a procedure with another agency. There’s a difference between digitizing (turning paper into bits) and fully leveraging digital capabilities. By following the first model, we have created isolated silos of concentrated information that don’t interact with each other.
Identity and Credential Silos
Let’s return to our comparison with the physical world. Most (if not all) of us have a wallet in which we keep money and credentials or cards. Every wallet has a section for bills and another for credentials like your national ID, driver’s license, health insurance card, club membership card, etc. Some key points about how physical wallets work are:
a) None of the institutions had to share information with each other to issue the credential,
b) Only the wallet owner knows which credentials are inside, and
c) To standardize carrying credentials in our wallets, the issuers only had to agree on one standard: the size of the credential.
A credential (or its data) is one thing, and the artifact that holds it is another. I can easily take my credentials and put them in another wallet; I can carry them wherever I go and share them as many times as needed through a simple process. The credentials are issued by an institution, but the wallet belongs to the user, giving them the autonomy to use it outside of the issuing institutions.
In the digital world, however, the model is completely different. We have digital credentials, but they reside only within the app of the issuing institution. For example, in Argentina, I might have a digital driver’s license or national ID, but these credentials can only exist within the “Mi Argentina” app. They cannot live outside that environment and, more problematically, cannot interact with other systems or be shared outside that app. The same goes for my health insurance credential or club membership card: they only “live” within the app. Analogously, it would be as if, in the physical world, my municipality issued my driver’s license but only allowed me to carry it inside a leather wallet provided by the same government—for every institution, I’d end up with dozens of different wallets, each supporting just one credential. That’s why the credentials we have on our devices today aren’t truly digital credentials, but rather digitized credentials. They don’t have all the capabilities of digital credentials; they only allow us to perform a limited set of actions. With my physical ID I can buy a drink at a wine shop, but with my digital ID I can’t do the same on an e-commerce site.
We need an identity model that combines the best of the physical world (privacy, simplicity) with that of the digital world (portability, verification). We should be able to use our digital identity under the same parameters as in the physical world to interact with institutions more simply, securely, and confidently. Balancing privacy with user convenience is possible—we just need to rethink the architecture upon which our identity operates.
How Do We Fix It?
Christopher Allen, one of the “fathers” of Decentralized Identity, mentions that it has two layers: an ideological one and an architectural one. How we use identity on the Internet affects our rights; it’s not just about finding a friendlier and simpler way to use it, but also about protecting our rights and privacy. On the ideological level, we need to regain control over our own information every time we interact with other people or organizations. Today, we are unable to control our identity—data is exploited without our consent, and the day-to-day management of our information and credentials has become a tedious task. To change this, we need not only new values upon which to build a new web but also a new architecture that allows us to exercise those values. From a privacy perspective, we need more than just laws or a governmental authority to safeguard our data; we know that such measures fail or can fail. We need infrastructures that protect our privacy by design while also breaking down the current digital identity silos.
Decentralized Identity aims to resolve the issues of the web as we know it today by safeguarding user privacy by design and promoting global interoperability of our identity. This is achieved through three key components: a decentralized identifier (DID) that uniquely identifies the user, a wallet (or “credential container”) that provides the user with a pair of cryptographic keys to manage that DID, and Verifiable Credentials—cryptographically secure information that a third party can automatically validate for various properties (issuance, authenticity, ownership, etc.). These components create a triangle of trust among issuers, recipients, and validators of information. Let’s revisit our earlier example to see how it works.
Imagine my friend needs to buy beer online but, this time, using the Decentralized Identity model. The citizen has a wallet that allows them to generate their decentralized identifier (DID) and possesses a pair of cryptographic keys to prove control over that DID. In turn, there is a credential issuer—say, the Government issuing an ID (identity credential). This ID is issued in the form of a Verifiable Credential, signed by the issuer with its cryptographic keys, and associated with the citizen’s DID. The citizen receives that credential in their wallet and, when sharing it with the liquor store, signs it with their own cryptographic keys to prove ownership of the credential. The liquor store then verifies both signatures (the issuer’s and the holder’s) and can confirm that it is a valid credential, so it proceeds to sell the beer. If the citizen goes to another liquor store, the process is similar—they can present the same credential, just as in the physical world.
As we can see, this identity model differs significantly from today’s digital identity. First, the liquor store doesn’t have to consult the credential issuer to verify its authenticity—it only needs to check that the signatures are valid. Because the store never “calls” the issuer, the issuer never learns that I went to a liquor store; privacy is maintained by design or architecture. Second, the citizen doesn’t have to go through a new KYC every time they visit a liquor store (or any other organization) and can use the same credential issued by the Government, just as in the physical world. Third, the issuer and the verifier (the liquor store) don’t have to share any information with each other—they only need to follow the same standard to validate credentials. This is similar to the physical world, where credentials follow a standard size, but institutions don’t have to share data for the citizen to carry them in their wallet. Fourth, only the citizen knows which credentials they have, and they can carry them on any device or “container” they choose. They are portable and secure. Finally, this process can be used both in the physical and digital worlds. The citizen can present their credentials and have them validated either by a website or by a physical system. I can scan a QR code to present it in a brick-and-mortar liquor store or share it from my wallet with a website to automatically verify my age. Imagine being able to log in to a website with the same credential instead of remembering countless usernames and passwords. That’s the power of Verifiable Credentials and Decentralized Identity.
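The issue / present / verify exchange just described, as an added Go example that is not code from this post or from the QuarkID project; it shows why the verifier, unlike the identity-provider flow earlier in the post, never has to contact the issuer. Everything in it is an assumption of the example: Ed25519 signatures, an in-memory map standing in for the DID registry, constructed did:example identifiers, JSON as the signed encoding, and a single over18 claim instead of a full ID credential.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Credential is a simplified Verifiable Credential: an issuer's signed claims about a subject DID.
type Credential struct {
	Issuer, Subject string
	Claims          map[string]string
}

// Presentation is the issuer-signed credential plus the holder's signature over it and the verifier's nonce.
type Presentation struct {
	Credential           Credential
	IssuerSig, HolderSig []byte
}

// Registry is a constructed in-memory stand-in for the verifiable data registry that DIDs resolve against.
type Registry map[string]ed25519.PublicKey

// NewDID generates a key pair (the wallet's step) and publishes the public key under a constructed did:example DID.
func (r Registry) NewDID(name string) (string, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	r["did:example:"+name] = pub
	return "did:example:" + name, priv
}

// canonical gives the bytes both parties sign; struct fields and map keys marshal in a fixed order.
func canonical(c Credential) []byte { b, _ := json.Marshal(c); return b }
// Issue is the government's step: sign the claims and bind them to the citizen's DID.
func Issue(issuerDID string, key ed25519.PrivateKey, subjectDID string, claims map[string]string) (Credential, []byte) {
	cred := Credential{Issuer: issuerDID, Subject: subjectDID, Claims: claims}
	return cred, ed25519.Sign(key, canonical(cred))
}

// Present is the wallet's step: countersign the credential plus the verifier's fresh nonce (proof of DID control, no replay).
func Present(key ed25519.PrivateKey, cred Credential, issuerSig []byte, nonce string) Presentation {
	holderSig := ed25519.Sign(key, append(canonical(cred), nonce...))
	return Presentation{Credential: cred, IssuerSig: issuerSig, HolderSig: holderSig}
}

// Verify is the liquor store's step using only public keys from the registry; the issuer is never contacted.
func Verify(reg Registry, trusted map[string]bool, p Presentation, nonce string) error {
	payload, issuerPub, holderPub := canonical(p.Credential), reg[p.Credential.Issuer], reg[p.Credential.Subject]
	switch {
	case !trusted[p.Credential.Issuer] || issuerPub == nil:
		return errors.New("issuer not trusted or not resolvable")
	case !ed25519.Verify(issuerPub, payload, p.IssuerSig):
		return errors.New("issuer signature invalid: credential forged or altered")
	case holderPub == nil || !ed25519.Verify(holderPub, append(payload, nonce...), p.HolderSig):
		return errors.New("holder signature invalid: wrong key for the subject DID or replayed presentation")
	case p.Credential.Claims["over18"] != "true":
		return errors.New("credential does not satisfy the store's policy")
	}
	return nil
}
```

A second store runs the same Verify with its own nonce and the same credential, which is the portability the post describes; a real ID credential would carry a birth date and use selective disclosure to reveal only the over-18 predicate.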
What’s Next
Decentralized Identity isn’t just about solving data-sharing issues within government—it’s about creating global interoperability, where credentials can be easily shared and validated by public and private organizations, institutions, and individuals, across cities and countries. It aims to radically change the way we use the web. To achieve this, we need to build an ecosystem of data and credentials, in which both public and private institutions integrate into the model and share protocols and standards. We know it’s not an easy task, but the decisive push from regions like the European Union will accelerate this process. To fully realize the benefits of this model, “credential liquidity” is required—that is, a density and diversity of organizations, credentials, and wallets in an open ecosystem that interact under the same parameters. There’s no point in the government issuing credentials in formats that only the government can validate; that’s the current model. Just as Buenos Aires, Luján de Cuyo (Argentina), Bogotá, or Monterrey have already begun down this path, we need private organizations, universities, banks, and other institutions to start interacting with this ecosystem. Decentralized Identity can transform the web and, in the process, improve the relationship between citizens and governments.