Microsoft Embraces Distributed Identity

In the early days of the internet, a famous New Yorker cartoon noted, “On the Internet, nobody knows you’re a dog.” The cartoon was making the point that the internet allowed for truly anonymous interactions in a manner we had not seen before.

The anonymity of the internet is as much a feature as a bug. The internet was initially designed to be censorship-resistant, and anonymity—by eliminating the possibility of punishing speech—reduced the potential for censorship.

But as we have seen in the 27 years since that cartoon was published, internet anonymity has its downsides. It’s been difficult to police illegal behavior on the internet, and anonymity has encouraged the proliferation of fake information that appears to come from reputable sources.

Anonymity also raises the question of how we as individuals assert our own identity for the purposes of government interaction, commerce, and employment. How do we prove we’re not a dog? Or, at least, how do we establish our identity across the internet?

Over the past decade, the leading personal identity approach has been federated identity. A federated identity lets an internet giant such as Google, Facebook, or Amazon attest to our identity based on the identity we have registered with them. Either we use the OAuth framework to allow a site to identify us by our Facebook, Google, Microsoft, or other account, or we use an email and password combination. Since most of our long-term email accounts are held by providers such as Google or Microsoft, the end result is the same.

These federated identities make it easy to consume internet services and perform online shopping, but they put us at the mercy of mega-corporations. Many believe that Facebook already has too much control over our social interactions and is contributing to polarization and fake news. Giving Facebook control over your internet identity makes it that much harder to terminate your Facebook account without losing your entire digital identity. And by observing your internet interactions outside of Facebook, Facebook gets even more insight into your personal life—without your informed consent. Other federated identity providers such as Google have similar conflicts of interest and downsides.

The decentralized identity (DID) movement aims to give individuals control over their identity. Many, if not most, DID solutions are built on top of blockchain frameworks. Just as blockchain allows for currency transactions between individuals without the need for trusted third parties (e.g., banks), decentralized identifiers on a blockchain can be used to allow an identity to be asserted without the involvement of a trusted third-party entity such as a Facebook or a Google.

Distributed identifiers are an important part of the self-sovereign identity concept. A self-sovereign identity is a portable digital identity which does not depend on a centralized third party. In practice, distributed identifiers implemented on public blockchains form the basis for most practical self-sovereign identity projects.

Microsoft’s ION project is a DID system which is layered on top of the Bitcoin blockchain. It is designed to provide high throughput and reliable, self-sovereign identity at scale. The project is open source and has just entered a public beta.

There are a lot of self-sovereign identity projects, but Microsoft’s ION is in a particularly strong position, given that Microsoft owns the de facto enterprise identity system, Active Directory. If anyone can make DID and self-sovereign identity work, it’s probably Microsoft.