The Decentralized Identity Revolution

Dear Bankless Nation,

Decentralized identity has always been a consistent (yet under-discussed) topic in Web3.

Today, we have the first footprints of our digital identities. The problem is that we have them through massive, centralized tech giants like Twitter, Facebook, and Google.

They’ve done an okay job, so far. It’s a start.

But there are plenty of issues. We don’t actually own our identities. They’re owned by the tech giants. Facebook and Co. can revoke and delete your profile in a few clicks.

This is where decentralized identity comes in. You can own your identity on the internet on an unstoppable, decentralized platform. It can be empowered with universal, single sign-in. No more trying to remember your password to that random site!

Decentralized, digital identities will be big.

But it’s still early in this ecosystem. Fortunately, we’re starting to see different primitives pop up—Proof of Personhood, verified credentials, and soulbound tokens might all play a role in this future.

But it’ll take a revolution to make it happen.

Prepare yourselves, the decentralized identity revolution is coming.

Donovan explains.

- Bankless Team

Today’s digital identity systems have glaring problems: centralized entities control who and how we can access the world, we have password fatigue from tracking too many accounts, and the organizations controlling this data are giant honeypots for cybercrime.

How did we get here?

It’s fashionable to pin the blame on the Web2 giants, but the truth is that Big Tech vastly accelerated digital identity innovation by popularizing federated identity models.

By building on federated identity protocols like OAuth, SAML, and OpenID, Big Tech acted as “identity provider” middlemen and substantially reduced the number of logins users had to track. “Single sign-on” increased the interoperability of our digital movements between online services.

It’s what allows you to access Gmail and YouTube without logging into multiple accounts, or using Facebook or Twitter to log in to various e-commerce sites.

But while Web2 digital identity ameliorated many of the problems associated with centralized digital identity, problems persist. Web2 digital identity still operates within the same account-based structures as its centralized predecessors.

Accounts still belong to the Big Tech companies that issued them. As such:

1. The “ownership” of your digital identity is not yours.
2. The operation of your digital identity depends on their servers.
3. We are not privy to the richness of our social relationships, as these are proprietary data owned by private companies.

The good news is that thanks to the advancement of cryptography and decentralized blockchain networks, there is a forthcoming alternative on the horizon.

I call this the decentralized identity revolution. For once, blockchains offer the opportunity to formulate our own self-sovereign identities in spontaneous bottom-up ways, as opposed to traditional ways that require we jump through the hoops of centralized institutions.

Functionally speaking, the critical difference in the decentralized identity revolution is that ownership of your online identities is no longer account-based and “provided” for you by a middleman. Instead, it is a digitally shared connection that all parties to the relationship commit to maintaining over time, reflecting the types of direct relationships we have in the real world.

That is what this article is about. Broadly speaking, there are three groups of Web3 digital identity players.

They are Proof of Personhood projects, verifiable credentials, and most recently, soulbound tokens.

Let’s take them one at a time.

Proof of Personhood

Proof of Personhood (PoP) protocols are probably the least ambitious of decentralized identity projects. As its name suggests, these projects try to do one thing and one thing only: proving identity uniqueness.

Popular examples include Proof of Humanity, BrightID, and IDENA.

PoP projects are primarily leveraged towards establishing unique identity in projects where sybil attacks are especially problematic, such as those trying to deliver a “universal basic income”, or quadratic fundraising like on Gitcoin.

They do so through a mix of traditional identity verification methods like photo and video submissions, or complex AI-generated CAPTCHA tests.

Although PoP projects also establish identity via “web of trust” community mechanisms like requiring participants to sign each other’s digital certifications as a form of “vouching”, they do so solely to prove identity uniqueness.

In short, these projects are useful in establishing personhood, but that individuality is a black box. They are not geared towards the mapping of rich, contextual identities on a social graph and how people relate to one another like soulbound tokens and verifiable credentials try to do.

Soulbound tokens

In May 2022, Glen Weyl, Puja Ohlhaver, and Vitalik Buterin published Decentralized Society, laying out the case for “soulbound” tokens (SBTs).

SBTs can be simply thought of as a permanent and non-transferable token on a public blockchain, like the popular World of Warcraft video game that the coauthors borrow the “soulbound” metaphor from. They can be issued in various forms — a scholastic achievement, a financial debt, an employment contract — by anyone, be it an individual, private company, university, commune, or government.

Why do we want these facets of our identity to be non-transferable and permanent?

When two people have a handshake on their first meeting, that relationship exists only in their fleeting memories. SBTs are an attempt to formalize that handshake on a public blockchain that the rest of the world can witness and verify. In doing so, it allows us to color a person’s identity with social context, opening up a world of coordination possibilities that until now wasn’t possible without a middleman.

In essence, SBTs are a codification of social capital (i.e., reputation) into formal property ownership. By “baring our souls”, individuals can stake their reputation openly and prove the authenticity of who they say they are.

Here are a few examples of the kinds of economic innovation SBTs can unlock.

• 🎨 Art: A struggling artist without professional accreditation but has received endorsement from a grassroot community can prove their “street cred” through SBTs
• 🎓 Education: Those who cannot afford an expensive university degree can prove their educational credentials through SBTs obtained from avenues of informal learning
• 🏦 Banking: Loan applicants can prove their trustworthiness through the absence of bad credit history, or by showcasing their good reputation through an SBT collection, removing the need for capital-inefficient overcollaterization models commonly used in DeFi (Upon repayment of the loan, another SBT could be issued as proof of repayment)
• 🏘️ Governance: DAOs can improve their collective decision-making systems by safeguarding against whales (you can’t buy a SBT). DAOs can also avert a tyranny of the majority consensus through a more inclusive voting system design by issuing SBTs to trusted outsiders.
• 🗄 Record management: SBTs can reduce the friction of exiting existing relationships with your medical or insurance providers by easily transporting all your medical records as SBTs
• 👔 Business Operations: SBTs can improve the efficiency of traditional business functions like sales/HR by easily locating the types of SBTs that potential customers/employees are carrying

The grand vision behind SBTs is that someday, in a society where Web3 has permeated the mainstream, there would exist an ecosystem of abundant SBTs so pervasive that a person’s wallet address can provide a reliable and comprehensive “digital identity”, in contrast to the unreliable self-issued credentials that we decorate our LinkedIn pages and job resumes with.

“Proficiency in Microsoft Office” will no longer be a meaningless placeholder, but an actual market-tested credential publicly viewable on the blockchain, that some business enterprise (perhaps Microsoft themselves) would issue to you as proof of your skillset.

Do We Really Want to Bare Our Souls?

Soulbound tokens are not without their criticisms.

An SBT’s permanence is great when we want to prevent the concealment of negative behavior, such as a person’s bad credit or criminal history. But this censorship-resistance could backfire.

This critique of SBTs has been prominently made by Disco founder Evin McMullen (see also Kate Sillis’ critique).

👉 Tap into our debate on Soulbound tokens with Vitalik and Evin. 👈

The permanence and public nature of an SBT allows anyone to draw easy correlations and inferences of a person, and might prove too costly of a loss in privacy and incentivize certain forms of negative discrimination.

For example, a racist employer might discount a potential employee because a peek into the jobseeker’s wallet shows proof of attendance at a Black Lives Matter event.

To mitigate this problem, SBT critics like McMullen much prefer the W3C-led format of “verifiable credentials” (VCs), sometimes confusingly referred to as attestations, badges, or claims.

Like SBTs, VCs can be issued by anyone and can represent any bit of information. The key difference, however, is that it operates privately by applying zero-knowledge proof technology.

Here’s a simple illustration of how VCs work:

1. I say I’m Batman, but you don’t believe me.
2. To prove that I am indeed the Dark Knight of Gotham, I send you an encrypted VC that exists off-chain.
3. This VC was issued and cryptographically signed by the Gotham Police’s decentralized identifier (think of this as a wallet). Every decentralized identifier’s “signature” represents a unique watermark so you know this information hasn’t been tampered with.
4. You now know I am Batman, because an imposter couldn’t have had access to that proof
5. The entire verification process is private, and I don’t have to reveal anything else about myself to you.

In short, verifiable credentials work on a “selective disclosure” basis, unlike SBTs.

Many verifiable credential protocols in the Web3 space already exist and are market-tested.  They build on the official web standards established by the W3C framework recently in July, and provide a decentralized way of establishing digital identity that is privacy-sensitive and does not require a central issuing agency.

Some prominent examples include Civic, whose on-chain VC product has supported 295+ NFT minting projects and helped block 1.2 million bot attempts. Another is Ontology, whose flagship identity solution has created over 1.5 million DIDs.

Lastly, a protocol like Disco lets you create decentralized identifiers from your Ethereum address to sign VCs that exist off-chain.

Workarounds and Tradeoffs

The coauthors of the SBT paper are not ignorant of these claims. As they explicitly acknowledge in their paper, SBTs could lead to “dystopian scenarios” such as permissioned immigration systems, entrenching regulatory capture, or automated redlining.

But these criticisms are not necessarily a nail in the coffin.

To resolve privacy issues, zero knowledge technology could be applied to SBTs to create separate access permissions to read them, allowing SBT holders to decide how and when to reveal their SBTs. Second, variations of SBTs could be used to mitigate its non-permanence. For example, letting the SBT turn into a transferable token after some duration, or allowing issuers to revoke the SBT entirely.

The tensions between soulbound tokens versus the verifiable credentials paradigm can be thought of as the difference between choosing to be a public figure versus maintaining a private low-key presence. A person’s public reputation (soulbound tokens) carries a lot more weight and power because it is in effect a loudhailer for “I have nothing to hide”, but your enemies can also sabotage it by smearing you.

A private reputation (verifiable credentials) on the other hand does not command public trust by virtue of its secluded nature, but it is less vulnerable to unwanted manipulation and you have much more control over how a smaller number of people perceive you.

Seen in that light, the biggest drawback to soulbound tokens is also its biggest strength. Being able to stake your reputation publicly for scrutiny has its use-cases, but you had better make sure there are no skeletons hanging in that closet or it will backfire on you very quickly.

The Decentralized Identity Revolution

The internet was built without an identity layer.

Decades of efforts to construct that layer have relied on some form of centralized provider… until now.

Web3 digital identity — soulbound tokens, verifiable credentials, and Proof of Personhood projects — represent a credible alternative to formulating digital identities in a decentralized, bottom-up manner.

Although their methods differ, these builders are aligned in the same goal: Enabling individuals to create a rich social layer without reliance on central issuers.

In all likelihood, an archipelago of different digital identity solutions would exist for different purposes. Whatever identity setup is settled on would differ based on what purpose it is being built for. Deeply personal information like a person’s medical status would likely not be stored as an on-chain SBT, whereas it might be more suitable for other cases like a person’s criminal history.

Thanks to blockchain technology, these efforts are culminating in a slow supplanting of centralized identity systems (driving licenses, passports, birth certificates), diminishing the reliance on the powerful to decide the rules of human identity for once.

Action steps

• 🧐 Evaluate the different decentralized identity solutions (PoP, VCs, SBTs)
• 🔊 Listen to our epic debate on Soulbound tokens with Evin & Vitalik