
Report Focus Group Identity & Access Management: Decentralised Digital Identity

This IAM Focus Group was held on October 2nd, 2024, at Delaware in Antwerp. After an introduction to the topic by guest speakers, participants took a deep dive into some key questions during an interactive group discussion. The objective is to create a tangible outcome through this report, which is made available to focus group members for reference in their own practice, following the Chatham House Rule.

Part I: introduction to the topic
Decentralised Digital Identity: the future of IAM?

Decentralised Digital Identity (DDI) represents a paradigm shift in how identity is managed and verified. In traditional centralised systems a single entity (a government or a corporation) holds and controls the identity data, and every verification is a query to that entity. With DDI the user holds the data, typically in a wallet, issuers vouch for it with signed attestations, and verifiers check those attestations instead of querying one central database. This promises to enhance security, privacy and user control. Although DDI is not yet mainstream, its potential benefits are driving significant interest, suggesting that it could become a key component of digital identity management in the coming years. But what is the experience of the focus group members with this novel way of looking at IAM? What could be the use cases, benefits and challenges of implementing DDI?

Introduction by Delaware

The introductory presentation was given by Wouter Hemeryck of Delaware. After a short presentation of the company, he addressed IAM in the SAP world, ABAC, customer identity and access management (CIAM) for citizens, and IAM for network access.

IAM in SAP world

SAP has a complex authorisation model with many different roles. Using Attribute-Based Access Control (ABAC), which grants or denies access to resources based on attributes and policies, within SAP requires those policies to be rolled out for every new application linked to SAP, so that segregation of duties is enforced consistently. This can be challenging: some roles and authorisations have to be combined in one person, because most organisations do not have enough employees to apply the segregation-of-duties principle fully.

The SAP Fiori interface offers access to more than 15,000 apps and over 5,600 authorisation objects, for each of which it must be decided whether it is needed and who needs access to it. There are some 5,000 single roles, each giving access to part of the applications, and 250 composite roles.

IAM projects for SAP take a lot of time to implement, usually about 200-300 days. IAM for SAP is a specialty on its own.

The IAM landscape around SAP is itself quite SAP-centric: SAP offers proprietary Cloud Identity Services that are linked to its business applications, including SAP Ariba, S/4HANA, SuccessFactors and others.

Attribute-Based Access Control (ABAC) for tailor-made applications

The disadvantage of Role-Based Access Control (RBAC) for custom applications is that it leads to a lot of duplicated logic. A project manager, for instance, needs to see their own projects. "Project manager" is the role, and the link between the user and their projects is the logic RBAC relies on to allocate access. That logic has to be repeated, with the same set of rules, in every application. With a limited number of applications this is no issue, but with many applications the duplicated policies become hard to manage.

The idea is to centralise policies, so that access is granted in the same way across applications, based on the same business rules. This is where Attribute-Based Access Control (ABAC) comes in: decisions are based on attributes and policies. The attributes originate from the account (user ID/username, department, role, age, etc.), from the context (time zone, physical location, network location, etc.) and from external data sources.

All applications then simply ask the policy engine whether a user has access. Each application still has a policy enforcement point, but that point holds no access logic of its own: it collects the attributes, asks the external decision point and enforces the YES/NO answer it gets back. This design comes with challenges of its own: if a process spans 15 applications that each need a YES/NO answer, and one of them (or the decision point itself) goes down, the whole approval process can be blocked.
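
To make the enforcement point / decision point split concrete, here is an added example (written for this report, not code from Delaware or the presentation) of a minimal ABAC decision point in Go. The three policies, the attribute names and the `RemotePDP` callback are hypothetical; the enforcement point fails closed when the decision point cannot be reached, which is the blocking behaviour described above made explicit.

```go
package main

import (
	"errors"
	"fmt"
)

// Attributes is what the enforcement point gathers for one request: account
// properties (user, role, department), context (network location) and data
// from external sources (who owns the project). All names are hypothetical.
type Attributes map[string]string

// Policy is one centrally managed rule. Match says whether the rule applies
// to the request; Effect says what it does when it applies.
type Policy struct {
	Name   string
	Effect string // "permit" or "deny"
	Match  func(a Attributes) bool
}

// PDP is the policy decision point shared by all applications. Evaluation is
// deny-overrides: a matching deny always wins, and with no matching permit
// the answer defaults to deny.
type PDP struct{ Policies []Policy }

// Decide returns the yes/no answer and the policy that produced it.
func (p PDP) Decide(a Attributes) (bool, string) {
	permitted, reason := false, "no policy matched (default deny)"
	for _, pol := range p.Policies {
		if !pol.Match(a) {
			continue
		}
		if pol.Effect == "deny" {
			return false, "denied by " + pol.Name
		}
		permitted, reason = true, "permitted by "+pol.Name
	}
	return permitted, reason
}

// DemoPolicies are hypothetical rules written for this example. The first one
// captures "a project manager sees their own projects" once, centrally,
// instead of re-implementing it in every application.
func DemoPolicies() PDP {
	return PDP{Policies: []Policy{
		{Name: "pm-own-project", Effect: "permit", Match: func(a Attributes) bool {
			return a["role"] == "project_manager" && a["project_owner"] == a["user"]
		}},
		{Name: "finance-may-approve", Effect: "permit", Match: func(a Attributes) bool {
			return a["department"] == "finance" && a["action"] == "approve"
		}},
		{Name: "approve-only-from-corp-network", Effect: "deny", Match: func(a Attributes) bool {
			return a["action"] == "approve" && a["network"] != "corporate"
		}},
	}}
}

// ErrPDPDown stands in for a timeout or connection error towards the PDP.
var ErrPDPDown = errors.New("policy decision point unreachable")

// PEP is the enforcement point inside one application. It holds no access
// logic of its own: it collects attributes and asks the PDP for a yes/no.
type PEP struct {
	App string
	Ask func(Attributes) (bool, string, error) // the call to the remote PDP
}

// Enforce fails closed: if the PDP cannot be reached, access is refused. This
// is the availability coupling the text warns about, made explicit.
func (e PEP) Enforce(a Attributes) (bool, string) {
	ok, why, err := e.Ask(a)
	if err != nil {
		return false, e.App + ": " + err.Error() + " (fail closed)"
	}
	return ok, e.App + ": " + why
}

// RemotePDP exposes a PDP as an Ask callback; down simulates an outage.
func RemotePDP(p PDP, down bool) func(Attributes) (bool, string, error) {
	return func(a Attributes) (bool, string, error) {
		if down {
			return false, "", ErrPDPDown
		}
		ok, why := p.Decide(a)
		return ok, why, nil
	}
}

func main() {
	pdp := DemoPolicies()
	projects := PEP{App: "projects", Ask: RemotePDP(pdp, false)}
	invoices := PEP{App: "invoices", Ask: RemotePDP(pdp, true)} // PDP outage

	fmt.Println(projects.Enforce(Attributes{"user": "alice", "role": "project_manager", "project_owner": "alice"}))
	fmt.Println(projects.Enforce(Attributes{"user": "bob", "role": "project_manager", "project_owner": "alice"}))
	fmt.Println(invoices.Enforce(Attributes{"user": "carol", "department": "finance", "action": "approve", "network": "corporate"}))
}
```

Deny-overrides means the off-network deny beats the finance permit, and an empty attribute bag is denied by default. Failing closed is the right choice for an approval step, but it is exactly why the decision point's availability becomes part of every application's availability; the usual mitigations (a local decision cache with a short TTL, or fewer decision calls per workflow) trade freshness of the decision for resilience.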

Questions discussed in the focus group on ABAC

  • How do you manage ABAC policies?

There is indeed a risk that you end up with an explosion of policies. Not everything needs to be turned into a policy, but strong governance is required to ensure that the right policies are properly implemented. Implementing ABAC is not a simple task, which is why it is mainly relevant in larger environments.

  • Is ABAC relevant for SMEs?

As mentioned, ABAC is usually only justified in larger, more complex environments. Delaware itself (5,000 users), for example, does not have enough applications to justify a full ABAC model. For an SME, ABAC is usually too complex.

  • Does the organisation manage ABAC itself or is it done by an external provider?

In many cases, the service provider helps to set it up, but usually the organisation manages it.

  • Can ABAC and RBAC be combined?

Yes, it is possible, and many organisations combine ABAC and RBAC: ABAC manages access at a higher level, while RBAC handles the more granular access control at a lower level.

  • Is ABAC the future?

ABAC is here to stay, but it is still a niche today. The market needs to mature further and there is still a lot of experimentation going on. Tooling must evolve for adoption to increase. For most environments today, RBAC combined with some policies will be sufficient.

IAM for network access

The presentation also briefly touched upon CIAM for citizens, before moving on to IAM for network access.

IAM for network access is specifically relevant for Managed Service Providers (MSPs), as they operate different systems for various customers on different platforms. Network access therefore has to be restricted at an early stage, to prevent people from reaching the wrong environment. So identity is needed at the network level, so that firewalls can decide that a specific user may not have network connectivity to a given environment.

In this case, defining who has access to what is hard to manage with role-based access control. RBAC is not the most appropriate model, yet groups are the only thing firewalls understand. That is why Delaware built a policy calculator that creates the groups automatically. There are many groups, but they are managed automatically. Delaware uses this to create "Chinese walls" between people working for different customers.
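
The following is an added example, not Delaware's policy calculator, of what such a calculator does: it compiles engagement data into one firewall group per customer network and refuses any membership that would cross a Chinese wall. The engagements, the conflict classes, the `net-<customer>` naming convention and the network ranges are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Engagement says that a consultant works for a customer from a given date.
// The data is hypothetical; in practice it would come from the staffing or
// contract system.
type Engagement struct {
	User, Customer string
	Since          string // ISO date, so that string order is chronological
}

// ConflictClasses maps a customer to the market it competes in. A Chinese
// wall stands between customers of the same class: nobody gets network
// access to two of them.
type ConflictClasses map[string]string

// Groups maps a firewall group (one per customer network) to its members.
type Groups map[string][]string

// GroupName is the assumed naming convention for the firewall objects.
func GroupName(customer string) string { return "net-" + customer }

// Calculate compiles the policy "a consultant may reach the networks of the
// customers they are engaged with, and nothing else" into groups a firewall
// can consume. Engagements are processed in chronological order per user, so
// the earliest engagement in a conflict class wins and a later one that would
// cross the wall is refused and reported rather than silently added.
func Calculate(engs []Engagement, classes ConflictClasses) (Groups, []string) {
	sorted := append([]Engagement(nil), engs...)
	sort.Slice(sorted, func(i, j int) bool {
		a, b := sorted[i], sorted[j]
		if a.User != b.User {
			return a.User < b.User
		}
		if a.Since != b.Since {
			return a.Since < b.Since
		}
		return a.Customer < b.Customer
	})

	groups := Groups{}
	member := map[string]bool{}               // "group/user" already added
	granted := map[string]map[string]string{} // user -> class -> customer
	var refused []string

	for _, e := range sorted {
		if class, walled := classes[e.Customer]; walled {
			if granted[e.User] == nil {
				granted[e.User] = map[string]string{}
			}
			if prev, ok := granted[e.User][class]; ok && prev != e.Customer {
				refused = append(refused, fmt.Sprintf("%s: %s refused, already has %s (class %s)", e.User, e.Customer, prev, class))
				continue
			}
			granted[e.User][class] = e.Customer
		}
		g := GroupName(e.Customer)
		if !member[g+"/"+e.User] {
			member[g+"/"+e.User] = true
			groups[g] = append(groups[g], e.User)
		}
	}
	return groups, refused
}

// FirewallRules renders the groups as allow rules towards each customer
// network; anything not listed stays blocked by the firewall's default deny.
func FirewallRules(groups Groups, networks map[string]string) []string {
	var rules []string
	for g, users := range groups {
		if net, ok := networks[g[len("net-"):]]; ok {
			rules = append(rules, fmt.Sprintf("allow group %s (%d users) -> %s", g, len(users), net))
		}
	}
	sort.Strings(rules)
	return rules
}

func main() {
	engs := []Engagement{ // constructed sample data
		{"alice", "acme-bank", "2024-01-10"},
		{"alice", "globex-retail", "2024-03-01"},
		{"bob", "acme-bank", "2024-02-01"},
		{"bob", "initech-bank", "2024-05-15"}, // crosses the wall: two banks
		{"carol", "acme-bank", "2024-04-01"},
		{"carol", "acme-bank", "2024-06-01"}, // renewal, must not duplicate membership
	}
	classes := ConflictClasses{"acme-bank": "banking", "initech-bank": "banking"}
	groups, refused := Calculate(engs, classes)
	networks := map[string]string{"acme-bank": "10.1.0.0/16", "globex-retail": "10.2.0.0/16", "initech-bank": "10.3.0.0/16"}
	for _, r := range FirewallRules(groups, networks) {
		fmt.Println(r)
	}
	fmt.Println("refused:", refused)
}
```

The point of reporting refused memberships instead of dropping them is that the conflict is a staffing decision, not something the calculator should resolve on its own; re-running the calculator after each change in engagements is what keeps the many groups manageable.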

Decentralised Digital Identity – setting the scene

The scene for the focus group's main topic was set by Kurt Berghs from Trustbuilder, whose presentation covered the basics of Decentralized Digital Identity (DDI), the problem of online onboarding, identification requirements and solutions, and the difference between Mobile ID identification and authentication.

Decentralized Digital Identity

Digital identity is a well-established concept in Belgium. Essentially, when a company or online store needs to verify a user's identity, it consults a third party that provides this information. With the new European regulation and the "European Digital Wallet", additional types of information will become accessible alongside identity verification.

Belgium was a pioneer with its digital ID card in 1992. Today the itsme app is very popular and used by a majority of citizens (over 80%). Similar solutions exist elsewhere in Europe, such as BankID in the Nordics, SPID in Italy and France Connect in France. Other countries, like the UK, have no such solution or, worse, no central digital ID system at all. Globally, more than a billion people have no digital ID. Even in Belgium, nearly one-fifth of the population does not use one.

The problem of online onboarding

Online onboarding processes often present significant challenges. Organisations want to make the process as simple as possible, but at the same time need to be sure that the person onboarding is who they claim to be.

Forms filled with excessive data can be tedious and error-prone, leading to mistyping issues and manual proofing of identity. Users may also hesitate to share personal information, creating reluctance to proceed. These factors contribute to a frustrating and time-consuming onboarding experience, hindering user adoption and engagement.

At the same time, attackers are becoming ever more inventive in impersonating users and stealing identities, whether by reusing credentials stolen from other companies, harvesting information from social media, or using AI to forge official credentials.

Moreover, companies need to comply with a number of regulations and requirements, including privacy regulations such as GDPR, CPRA and HIPAA, as well as important banking concepts such as Know Your Customer (KYC), Know Your Business (KYB) and Anti-Money Laundering (AML). These factors create a balancing act between the personal data that marketing and business professionals want to collect and what security personnel need in order to ensure compliance. The goal is to achieve regulatory compliance while also obtaining the necessary user verification.

Identification requirements and solutions

Indeed, when looking at the requirements for ID proofing, the KYC banking requirement expects you to gather a significant amount of data to prove a person's identity, whereas privacy regulations force organisations to be careful about what data they store and for how long. What data is needed obviously depends on the type of business: a web shop, for example, does not need much identity data to complete a purchase.

Options for user identification

Depending on the use case, a number of user identification scenarios are currently available, each with its own advantages and disadvantages.

  • Manual options have users fill out forms, which makes them suitable for low-risk environments and marketing purposes. This approach offers 100% reach, but it provides no assurance and no protection against impersonation.
  • Federated B2B and social login relies on third-party identity providers (IdPs), typically backed by a company directory such as AD or LDAP, for verification. This method will become particularly relevant as part of the European Digital Wallet initiative (see further in this document). It simplifies onboarding and enables single sign-on (SSO), making it ideal for B2B environments, where users log on to another company's applications with their own company account. However, it is complex to set up in B2B environments and depends on the third-party IdP for verification. Social logins through platforms such as Facebook are a well-known variant.
  • Mobile ID leverages government-approved third-party IdPs for identity verification. This option offers easy onboarding but comes at a cost. Moreover, in a European or broader international context, regional differences limit its reach: Belgium, for instance, has itsme, a high-quality digital identity application, but not all countries have identity solutions of the same calibre.
  • Document verification uses physical government-issued documents such as eIDs, passports or driver's licences. It provides assured data and global reach, but the onboarding experience is only medium and depends on the document type.

Mobile ID vs Document verification

The presentation then zoomed in on the difference between Mobile ID and document verification, which depends a lot on the country in which they are implemented.

The big advantage of Mobile ID is that the process is fast compared to document verification. Another advantage is that it is easily accessible and does not require extensive user education. Depending on the use case, a Mobile ID can also be used as an authenticator, whereas document verification is not suited for that. The drawback of Mobile ID as an authenticator is that people have to repeat consent at every login and leave the application, which hurts the user experience and makes end-users potentially more hesitant to share their full mobile ID with a private company.

When it comes to document verification, its biggest advantage is a global reach, with another benefit being that it can be integrated within the user’s own application, which is associated with more user trust.

Additional benefits of document verification are proof of possession, the possibility of user matching, additional KYC checks, local identification through a kiosk or phone, and options for more secure account recovery.

eIDAS and mobile wallets

Next, the presentation focused on eIDAS and mobile wallets. The European Digital Wallet is a new and hot topic, with four large-scale pilot projects currently ongoing. The idea behind the wallet is to let a person prove their identity and other personal data to a service provider anywhere in the EU market. This could include identity information, a driver's licence, educational degrees and other information.

Each European country needs to provide a wallet provider that supplies an end-user app in which the information is stored. When a company requires some of that information, it requests it from the user's wallet app. Service providers can then use this information to verify whether a user has the right identity and the correct qualifications for a certain service.

The model presented would require an ABAC system, and the attributes could be literally anything (job, time, location, etc.). Even with the guidelines and pilots in place, the European Digital Wallet project is still in its early stages.
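
As an added example (not the European Digital Wallet's format or any pilot's code), this Go program shows the mechanism that lets a wallet prove a single attribute from a signed credential without contacting the issuer: the issuer signs salted hashes of the claims, the holder discloses only the claims a service provider asks for, and the verifier checks the issuer's Ed25519 signature and the hashes. The issuer name, the claim names and values are constructed; the structure is modelled on SD-JWT but simplified.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Credential is what an issuer (say, a university's degree register) puts in
// the wallet. Only salted hashes of the claims are signed, so the holder can
// later reveal a subset without breaking the signature. This mirrors the idea
// behind SD-JWT but is a simplification, not the EU wallet's actual format.
type Credential struct {
	Issuer  string   `json:"iss"`
	Digests []string `json:"_sd"`
	Sig     []byte   `json:"-"` // signature over the JSON of the two fields above
}

// Disclosure is one claim with its salt. The wallet keeps all of them and
// hands a service provider only the ones that service needs.
type Disclosure struct{ Salt, Name, Value string }

func digest(d Disclosure) string {
	b, _ := json.Marshal([]string{d.Salt, d.Name, d.Value})
	h := sha256.Sum256(b)
	return base64.RawURLEncoding.EncodeToString(h[:])
}

func newSalt() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Issue signs the digests and returns the credential plus the disclosures.
// The disclosures go to the wallet only; a verifier never sees unrequested ones.
func Issue(priv ed25519.PrivateKey, issuer string, claims map[string]string) (Credential, []Disclosure) {
	cred := Credential{Issuer: issuer}
	var ds []Disclosure
	for name, value := range claims {
		d := Disclosure{Salt: newSalt(), Name: name, Value: value}
		ds = append(ds, d)
		cred.Digests = append(cred.Digests, digest(d))
	}
	sort.Strings(cred.Digests) // order then reveals nothing about which claim is which
	body, _ := json.Marshal(cred)
	cred.Sig = ed25519.Sign(priv, body)
	return cred, ds
}

// Present is the holder's step: choose which claims to disclose.
func Present(ds []Disclosure, wanted ...string) []Disclosure {
	var out []Disclosure
	for _, d := range ds {
		for _, w := range wanted {
			if d.Name == w {
				out = append(out, d)
			}
		}
	}
	return out
}

// Verify is the service provider's step: check the issuer's signature, then
// that every disclosed claim hashes to one of the signed digests. No call to
// the issuer or the wallet provider is needed, only the issuer's public key.
func Verify(pub ed25519.PublicKey, cred Credential, shown []Disclosure) (map[string]string, error) {
	body, _ := json.Marshal(cred)
	if !ed25519.Verify(pub, body, cred.Sig) {
		return nil, errors.New("issuer signature invalid")
	}
	signed := map[string]bool{}
	for _, h := range cred.Digests {
		signed[h] = true
	}
	claims := map[string]string{}
	for _, d := range shown {
		if !signed[digest(d)] {
			return nil, fmt.Errorf("claim %q is not covered by the issuer's signature", d.Name)
		}
		claims[d.Name] = d.Value
	}
	return claims, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cred, ds := Issue(priv, "university.example", map[string]string{ // constructed data
		"degree": "MSc Computer Science", "graduated": "2019", "birthdate": "1995-04-02",
	})
	// An employer only needs the degree; the birthdate never leaves the wallet.
	fmt.Println(Verify(pub, cred, Present(ds, "degree")))
	forged := Present(ds, "degree")
	forged[0].Value = "PhD Computer Science" // altered by the holder: digest no longer matches
	fmt.Println(Verify(pub, cred, forged))
}
```

Two things a real wallet adds that this sketch leaves out: binding the presentation to a key held by the wallet, so that someone who obtains the disclosures cannot replay them, and a verifier-chosen nonce. The issuer's public key must also come from a trusted registry rather than from the presentation itself, which is where the question of how registers are organised in other countries comes back.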

Part II: Interactive session: Challenges

After the introductory sessions, participants engaged in an interactive roundtable to discuss the key topics related to DDI. Here are the take-aways from the discussion, following the questions addressed in the plenary focus group.

1. What are typical use cases for Decentralised Digital Identity (DDI)?

In general, the case for DDI still has to be made in order to turn it from theory into practice. The members of the focus group acknowledge that DDI can be beneficial in the short term in contexts where identity-related or governmental data has to be proven in order to comply with regulations and legal requirements.

Although there are commercial use cases as well, there seems to be a consensus that for the most common commercial transactions DDI looks more like "a password manager on steroids". It was suggested within the group that as long as it is not mandatory, it will probably not be used much or be very effective. DDI also seems to be linked to services and applications that end-users use relatively rarely or only once.

In an evolving context where identity theft and security are becoming more and more prominent, it is possible that DDI will be used in a more widespread way in commercial contexts.

Some of the current possible use cases that were discussed:

  • Online voting: secure and verifiable voting systems. Estonia is a pioneer in implementing secure online voting.
  • Supply chain management and logistics:
    • tracking the provenance of goods and ensuring authenticity;
    • complex logistics processes that require truckers to have specific qualifications for transporting certain goods;
    • rental of storage space or a car.
  • Financial and administrative services: verifying customer identities for transactions, including the signing of contracts and insurance policies.
  • Healthcare: securely sharing patient records and credentials.
  • Education: verifying academic qualifications.

An interesting question was raised about whether identity only applies to people. There are use cases where digital identities are deployed to "identify" companies (a system for this exists in the Netherlands) or even goods and products, for example creating IDs for smart devices in an IoT context.

2. What benefits does DDI have? 

Before focusing on the problems and challenges of DDI, the group was asked about the key benefits that DDI could offer. Several topics were discussed.

  • Enhanced security and compliance: decentralisation reduces the risk of data breaches and single points of failure (the example given was a social digital identity). It can help organisations comply with existing and new regulations.
  • Increased privacy and user control: Users have greater control over their personal information. They can potentially decide what information to share and with whom, reducing the risk of privacy breaches.
  • Improved interoperability: DDI could facilitate interactions between different systems and services.
  • Efficiency and lower costs: By streamlining identity verification processes, DDI can reduce the time and cost associated with identity management for both organizations and individuals. One such example is the verification of official documents such as university degrees.

3. What are the key challenges for DDI?

The implementation and adoption of Decentralised Digital Identity (DDI) faces several challenges, particularly in a region such as the European Union (EU), as raised within the group.

  • Unification at EU level: the EU is a region with stringent regulatory requirements and a diverse set of stakeholders. One of the key challenges for DDI therefore lies in addressing the technical, interoperability, legal and regulatory requirements in a unified way. There is still a big difference in digital identity maturity depending on the country you live in. Member states and other stakeholders will need to work together and clear many hurdles to make a European Digital Wallet a reality.
  • Technical and interoperability challenges: the use of universal standards, assuring data protection, and making DDI systems work together securely, supported by adequate technological infrastructure. In Belgium, for example, there may be a register of doctors or of university degrees, but how is this organised in other countries? And if someone is suspended, is there a record of that? Long-term considerations will revolve around the practical way of managing and protecting the different wallets issued by various countries.
  • Regulatory and legal hurdles: data privacy, compliance with GDPR and other privacy regulations, establishing reliable verification methods and developing clear legal frameworks for DDI.
  • Economic and business drivers: business models and cases, the competitive landscape, market demand and growth potential.
  • Trust and user adoption:

The bulk of the discussion during the interactive session focused on the impact of implementing DDI on the end-user, touching upon aspects of privacy, trust and awareness.

A fundamental idea behind DDI is that the user is the ultimate owner of their data and has greater control over what to share and what not. The question, however, is to what extent the end-user or citizen will be able to control, in everyday practice, which data is shared and where, especially when it comes to sensitive medical or financial information. This raises further questions: what data will service providers request from end-users, how large will the gap be between the data that is really required and the data that is requested, and what actual power will the end-user have to accept or refuse such requests? What could be the role of government in imposing on institutions what end-users can or cannot be asked to share? This even touches on the discussion of what "identity" actually includes.

According to the group, the question of trust and adoption is tightly linked to the need for a high level of awareness and education about DDI among citizens and end-users. Today, most people still do not know what a digital identity involves, where the information is stored, and with whom it can potentially be shared.

4. How does DDI integrate with existing IAM solutions?

DDI could be integrated into the conditional access policy of organisations, allowing them to combine data (e.g. a person is a European citizen and an employee of company XYZ). This raised the question whether this data can be checked only at the onboarding stage or continuously. The response within the group was that this could be solved by using attributes, and that DDI can be integrated with IAM using OpenID Connect (OIDC) to share these attributes, backed by a policy engine.
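
To illustrate the OIDC route, here is an added example (not the group's or any vendor's implementation) of a relying party in Go that verifies an ID token and then runs the conditional-access rule "citizen of an EU member state and employee of company XYZ" on its claims. The claim names `citizenship` and `employer`, the issuer URL, the client ID and the use of EdDSA with a locally generated key are assumptions made for the example; a real deployment would fetch the provider's keys from its JWKS endpoint and also check the nonce.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims are the ID token claims this relying party looks at. "citizenship"
// and "employer" are hypothetical claim names standing in for attributes that
// an identity provider or a wallet-to-OIDC bridge could release.
type Claims struct {
	Iss         string `json:"iss"`
	Sub         string `json:"sub"`
	Aud         string `json:"aud"`
	Exp         int64  `json:"exp"`
	Citizenship string `json:"citizenship,omitempty"` // ISO 3166-1 alpha-2
	Employer    string `json:"employer,omitempty"`
}

var b64 = base64.RawURLEncoding

// IssueIDToken builds a compact JWS (alg EdDSA) the way an OIDC provider
// would. In the demo we play the provider ourselves to keep it offline.
func IssueIDToken(priv ed25519.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return signingInput + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(signingInput)))
}

// VerifyIDToken checks algorithm, signature, issuer, audience and expiry
// before any claim is trusted. The algorithm is pinned by the verifier, so a
// token cannot downgrade it through its own header.
func VerifyIDToken(tok string, pub ed25519.PublicKey, iss, aud string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdrRaw, err := b64.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return c, errors.New("unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return c, errors.New("bad signature")
	}
	body, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &c) != nil {
		return c, errors.New("malformed claims")
	}
	switch {
	case c.Iss != iss:
		return c, errors.New("wrong issuer")
	case c.Aud != aud:
		return c, errors.New("token not issued for this client")
	case !now.Before(time.Unix(c.Exp, 0)):
		return c, errors.New("token expired")
	}
	return c, nil
}

// euMembers holds the 27 EU member states (ISO 3166-1 alpha-2 codes).
var euMembers = map[string]bool{}

func init() {
	for _, cc := range strings.Fields("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK SI ES SE") {
		euMembers[cc] = true
	}
}

// ConditionalAccess is the combined rule from the discussion: citizen of an
// EU member state AND employee of company XYZ. It runs on every verified
// token, so a changed attribute is caught at the next login rather than only
// at onboarding; the token's exp bounds how stale the attributes can be.
func ConditionalAccess(c Claims) bool {
	return euMembers[c.Citizenship] && c.Employer == "XYZ"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	tok := IssueIDToken(priv, Claims{Iss: "https://idp.example", Sub: "alice", Aud: "hr-portal",
		Exp: now.Add(5 * time.Minute).Unix(), Citizenship: "BE", Employer: "XYZ"})
	c, err := VerifyIDToken(tok, pub, "https://idp.example", "hr-portal", now)
	fmt.Println(err, ConditionalAccess(c))
}
```

Running the rule on every token rather than once at onboarding is what turns the "continuous" question into a matter of token lifetime: the shorter the `exp`, the sooner a revoked employment or a changed attribute stops granting access, at the price of more frequent round trips to the provider or wallet.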

Is DDI more of a solution for CIAM than for employee access management? A member of the group highlighted some bad experiences with introducing DDI for employee access, where employees were reluctant to use, or refused to use, their digital ID within their work environment.

Again, the question was raised what the use case for DDI will be outside the governmental context, as this will influence how it is integrated.

Conclusion: is DDI ever going to be a reality?

Decentralised Digital Identity (DDI) is set to have an impact on how we interact with the digital world. By providing individuals with greater control over their personal data and enabling secure, efficient, and interoperable digital transactions, DDI has the potential to transform a wide range of industries and services.

And yet, a lot of questions remain on how the development and adoption will evolve in the years to come. The EU has shown a lot of ambition with the European Digital Wallet, proposing big and broad use cases that may be too complex to realize. As mentioned before, there are currently four large scale pilots. Knowing that the smallest one already involves over 160 partners, the question remains how all of this will be managed.
