KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
2022 brought a lot of activity in web3/crypto identity solutions: Soul Bound Tokens, Verifiable Credentials, and even web5?! In this year-in-review we'll examine the varying approaches, the problems they were trying to solve, and discuss how this can inform all of our user-centric identity efforts.
2022 brought a lot of activity in web3/crypto identity solutions: Soul Bound Tokens, Verifiable Credentials, and even web5?! In this year-in-review we'll examine the varying approaches, the problems they were trying to solve, and discuss how this can inform all of our user-centric identity efforts.
It is nearly 3:00 AM where I am. So I apologize in advance, but we're gonna have a, a lighthearted walkthrough web, three plus plus identity. So through last year, there was a proliferation of proposed web two successors, web three of course, which has been a, a big focus, web five, and then even in some W three C mailing list, web seven. Each of these were associated with different approaches to identity claims.
And I think one of the biggest, one of the bigger focuses in terms of identity and decentralized identity last year was the sold on token versus verifiable credential debate That gave a lot of attention to verifiable credentials. It feels like that was never fully resolved. It seemed like a good time to sort of step back, think about web three identity patterns, the problems that are trying to solve and assumptions. And basically the ideas is focusing on the takeaways and how it can benefit to the way that we think about identity solutions.
So it helps to base it in the narrative, the web three narrative. So starting at web one through web two, which we're very familiar with. So Web one is described as a, a read only static approach. Vast majority of users, work consumers and not producers of content. And then starting in roughly 2004, the idea of the web is a platform where we were creators of, of content was pushed forward. Now this is where the sort of decentralized identity progression of Web two to Web three kind of differs. So a focus is read, write, own, but then also that the content is verifiable.
So one of the contrasts that's drawn from web two is that is from the web two silos. So where you don't really own data about you, but it's you're monetized. So in Web three, the idea is that you have ownership, you can participate in the monetization, and then there's this whole, it, it's gets really tied up into Technomics historically in, in web three. So that's the other sort of contrast with decentralized identity approaches generally.
Now, the identity narrative sort of looks like this, and I'm calling it a narrative because it's not quite the simple. So Web one, we're familiar with this sort of centralized login kind of approach that moved to the web two sign in with Facebook, Google, apple, the more federated approach to identity that results in this sort of NASCAR login screen. Now in web three, there's this simple experience that's presented where you just show up with your wallet. Now it is kind of a, as is often pointed out, a reductive view. It's your wallet is sort of your financial status.
So it's not anymore robust identity claims, but is it is the idea that it's this simple experience, you just show up with your wallet. Now in reality, it's, we've replicated the NASCAR experience through, you know, there's, there's varying standards, not necessarily the simple experience.
And, and this doesn't even get into sort of identity claims. So while it's generally aren't capable of expressing anything beyond whatever native token to its environment, so, so the reality isn't that simple.
Now, it's helpful to get into when, when thinking about identity as applied to web three. So there is, and has been increasing awareness that some notion of identity claims is helpful. Loans are often over collateralized and some notion of identity is critical for de-risking it. But in terms of the motivation or the why for identity, I would say that the, there's sort of the, the ones at the bottom say like identity fraud, theft, risk of data breaches, those tend to be lower in people's concerns than sort of user control of personal data.
So that's another factor that's slightly different from how we in decentralized I identity generally think about the risks. The other differing part is that it's really hard to do a lot of decentralized identity things in Web three, you know, again, most of the assumptions do in building blocks do gravitate on chain, which is a huge reason that we've seen, you know, the, the success of NFTs. And so bound tokens kind of approaches there are oracles, but in terms of, you know, it tends to be a lot more complex, costly, and, and the tooling is, is varying.
Now the other approach, the way standards happen tends to be through ERCs or similar depending on the chain, but some kind of standard that's specific to the environment. So it's a good time to think about the highlights and lowlights of what we've seen so far. So in terms of what is happening in web three compared to say decentralized identity kinds of approaches, there's strong philosophical alignment in terms of, you know, iden individuals having some kind of control or ability to manage their data. So there ends up being very similar goals.
Even better, you have an audience that's accustomed to key management. So that's always a problem in decentralized identity. How do we get people comfortable with that?
It's, it's very risky, but I think most importantly is the idea of a, a concrete use case fit. And on the demand side, there's often so like say a case of a defi protocol that wants to know some identity information about you, they generally don't want your personal data.
So that's, that makes it kind of nice. It makes it, you know, decentralized identity types approaches more natural. Now low lights that we've seen is that there's more awareness needed of the risks. So there's a, a lot of solutions that have been proposed in identity have a lot of the, the risks that we are, are well known in decentralized identity space. So risk of correlation discrimination.
I, the last talk ended on discussion of re negative reputation. That one really stands out to me because in one of the, I think it was the Unbanked podcast where Evan discussed with, with Vitalik the idea of sold on tokens versus VCs. Vitalik mentioned the idea of a lack of proof of criminal history as establishing trustworthiness.
And, and that's something, those kinds of things that we think about and the sort of discrimination involved in the ability, the the need for people to sort of control and curate the data about them and these sort of systematic threats that, that exist is really key. And so a lot more awareness of these kind of risks is needed.
Further, a lot of work is needed to establish the equivalent trust off chain that's enabled by on chain approaches and the tooling that's kind of more natural. And then also we need a lot more progress on the meaning of these identity claims. So a lot of approaches just sort of let in to say like, okay, well we can do these portable KYC attestations to, you know, enable, you know, sort of more nuanced, get away from the over collateralized lending and things like that.
But you know, the, the what it means to sort of rely on these identity claims, you know, with ambiguous regulation tended to result in uneven success of, of pilots. And then there's a whole other can of worms that like positive and negative. So how Technomics affects all of this and you know, but I do think that the idea of community governance could offer some, some much needed clarity that, that we need.
So that's sort of a mixed bag out outside of scope now because we don't have much time in, in this talk and certainly cuz I wanna leave some time for q and a, I wanna point you to a paper that came out of rebooting web of trust in terms of establish that describes, gives a survey of web three identity patterns briefly. It breaks it down into four categories.
And the, the area that's especially interesting gets towards the end of the paper where it talks about, you know, which pattern is useful for which kinds of use cases and also different kinds of benefits. So the, these are roughly listed in order of ease of implementation. So badge is the term that's used for some kind of on chain token, like a, like a sold down token or N F T. And so it's very, tends to be very flat in the current form. It's on chain, it has some claims associated with it, but you know, so there's, there's a huge risk that, that you'd say there.
Like you don't necessarily naively without a lot of work on that approach. It, it's just a lot. It's very risky and, and you know, not even necessarily in terms of not, would not necessarily be compliant with regulations, for example, trust and intermediary, whether that intermediary is an oracle, a contract or something is, is another common pattern. And blinded off chain proved verified on chain. That's something you can think of as sort of, not in terms of a non-res, but it's like an anonymous credential that in theory helps with this sort of correlation threat.
And then lastly, a much more complex generally implementation is peer-to-peer off-chain verification. So I recommend checking out this rebooting web of trust paper that recently came out. Now. So this is not to say that the web three community is unaware of the risks that I've pointed out.
So, and I'm sure this has been covered in, in similar talks here, but there's a lot of exciting prospects to address some of these concerns. So a lot of the, the risks in web three up until now has been the idea that, you know, identity claims tend to be bound to an account or to a, a wallet address. And so obviously there's a ton of correlation problems that can happen with that.
Now account abstraction in theory could give us some kind of benefits to reduce correlation and then also tremendous pro progress and zero knowledge proof types approaches that could allow some more nuanced rather than sort of the on chain learn everything about someone kind of approach. There's emerging standards in community development. This is something I'd like to see more of, but I wanted to point out a, a specific example K 1 69 through the Chain Agnostic Standards Alliance.
And this is demonstrates how verifiable credential protocols could be added to well known wallet protocols such as as wallet connect. So you know, that one is a, the, the standard exists and well I have my own kind of little prototype that I'll merge back is that's not something we've really te seen take off much. It still doesn't address the more complex problems of wallet storage or, or credential storage in a wallet. But that's something that people could experiment with more. It's good to see some standard existing there.
And then in general a lot of work is happening at CASA and Decentralized Identity Foundation. Lastly, there does tend to be focus on more impactful pilots in the commerce days. Last year was very euphoric and lots of, you know, lots of N F T kind of projects that were maybe dis distracting from more important pilots that really speak to sort of the, the purported vision of web three, which is empowering people financially, things like that. And so we're close to time. What about web five?
I think most of the people in the audience are probably familiar enough, but this is from my perspective, a lot of the same decentralized identity SSI standards that we've already been talking about that are happening at diff. So v well and W three C. So you know, verifiable credentials, DIDs, the credential manifest presentation exchange protocols, plus focus on, I probably don't have the latest acronym right? But centralized web nodes that really help with the self custody.
So yeah, let, let me end there and see if you have any questions or insights or comments on this. Again, the goal was not to advocate for a specific approach, but sort of talk about the lessons learned from Web three identity and, and where it seems to be going. So thank you. Thank you Kim for this very, very nice presentation. So actually we do have some questions here. I would pick the one or the other depending on how much time we have, but one of them are is how can decent centralized identities be implemented effectively and what is the role in web three security, Right?
So decentralized identities, if we're as assuming we're talking more broadly and not necessarily about did specifically. So I would point to the, it, it let me know if otherwise, but I would really point to that paper, the rebooting web of trust paper as describing, you know, some common patterns in the sort of the implementation considerations. Use case fitness, there's also important notion of sort of compliance consideration. So some are more suitable to, you know, the needs of say like the forensics kind of analysis that need to be done.
I think the other thing that I didn't really focus on much would be that, you know, a lot of us have kind of a visceral reaction of like on chain identity token just sounds like a really bad idea. But I think there does seem to be, there is increasing awareness and there's some standards type groups focusing on, you know, what that really means. How to really tease apart, you know, cuz when we talk about VCs versus solvent tokens, it feels like a lot of the conversations haven't really said specifically or clearly articulate a lot of the risks.
So putting it in ways that people can say like, this is the sort of area that's less risky versus this area that's more risky. Okay, thank you. Maybe there are some questions from the audience. Not yet. Not here in the room. So nothing in the room at least. So maybe I continue with another question. If we like do consider the ethical perspective into the analysis of web three identity data to extract the signals.
How, how can we address this one? Yeah, the ethical thing is real and something that, you know, it's, it the i'll, I guess I'll say that the down market is kind of a good time especially and and forcing function to reflect on all of this. I think there's a real risk in solutions that lead in and we see this a lot, not just web three but in decentralized identity space. The idea that we're sort of often designing solutions at people at populations saying we're going to bank the unbanked, we're gonna do all of this.
And without a real understanding of the problems, it can introduce a lot of harms. I think, you know, a lot of web three approaches are sort of have talked about really need a problem that needs addressing. So like very predatory payday loans and things like that. But are we necessarily replacing it with something better?
You know, when web three crash happened, like who was affected by that? And so I think there's a real risk when we pit something as you know, helping a population and you know, completely, you know, pulling in celebrities to endorse this as the future. Like I definitely advocate for caution in that and I hope that, you know, we never seem to learn our lessons though, so, but I don't wanna end on a negative note like that. But Thank you very much for this. Thank you. Thanks a lot Kim. Thanks for participating. We are then on time to present our next session.
