What Is Self-Sovereign Identity, and Could It Impact Higher Education Cybersecurity?

Choosing Between Siloed and Federated Identities

When onboarding new students, faculty or staff, a university might issue a username and password to each of them upon arrival. That username and password are attached to some internal identifier, and that’s linked — directly or indirectly — to the entire spectrum of information that the university has about the person. In identity and access management, this is usually called a “siloed identity.”

Even if the university has a single sign-on solution and a single set of credentials for every university system, the university still owns and controls that digital identity. The user has no real authority over his or her identifying data because they don’t know what is being shared or with whom. Siloed identity systems are the most common on the internet, which is why everyone needs a password vault to hold the hundreds or thousands of usernames and passwords, a different one for every service.

RELATED: What do higher education institutions need to know about zero trust?

Federated identity, a common alternative to siloed identity, uses third parties to issue credentials and protocols such as Security Assertion Markup Language (SAML) to handle authentication and credential verification. If, for example, you’re offered the option to “login with Google” on a certain website, you’re seeing federated identity at work. With these types of identity services, the application or system you’re logging in to trusts the third-party service, called the Identity Provider (IdP).

Although federated identity keeps your password vault from growing, it doesn’t give you control over your digital identity. If it’s Google that’s issuing the credentials, then Google controls everything: the personal data attached to those credentials along with everything else. If Google is offline, you can’t log in. If Google decides for some reason not to verify you, you can’t log in. If you forget your password and you can’t convince Google it’s you, you can’t log in. Federated identity might be convenient, but it takes privacy and security control of identity out of the user’s hands.

Goals of Self-Sovereign Identity

The goal of SSI is to change the focus of digital identity so that the user assumes greater control over the identity, retaining their privacy. The user decides what information to share and with whom, and SSI also distances the user from the credential issuer, shifting the balance of power more toward the user and away from the issuer.

Before we get too deep into this discussion, it’s important to point out that, at this point, self-sovereign identity is just an idea: some technology concepts and a framework of plans on how it all should work, but no large-scale products. For higher education IT teams, SSI is something to keep an eye on, but it’s way too early to commit to the notion of SSI.

Click the banner to learn how the zero-trust model can protect personal information.

In the World Wide Web Consortium, the concept of self-sovereign identity appears in a series of documents describing “verified claims” and “decentralized identifiers” (the term the consortium uses to describe what others call SSI), but without a specific architecture or technologies for implementation.

With SSI, there still must be some credential issuer that is trusted by the college or university. The difference is that the credentials, once issued, are placed under the control of the user and the verification (authentication) process happens independent of the credential issuer.

The proposals for how SSI credentials will be stored and verified are complicated, but all combine a big dose of cryptography and blockchain technology.  The cryptography keeps the credentials and any associated personal information private, and is used in the authentication process similar to how passkeys or digital certificates are used for authentication. Blockchain creates a public ledger, so that once the credentials are issued, they can be locked in place and verified by anyone who has a copy of that particular blockchain.

All of these technologies give SSI its desirable characteristics: The user can be authenticated even if the credential issuer goes offline. Once the credentials are stored on the blockchain, the user can decide which pieces of his or her digital identity to share with each web application, preserving privacy.

DIG DEEPER: Four things you should know about passwordless authentication.

SSI and Higher Education

The goals behind SSI mesh well with cybersecurity strategies in higher education. Because SSI credentials aren’t tied to a particular issuer, students could more easily take their digital identities with them from school to school and employer to employer — including transcripts, degrees and certifications — without the current cumbersome process of verifying against each individual institution. Tasks such as transfers between institutions, even international ones, and degree certification for a job would be simplified and instantaneous in a well-designed SSI project.

Because SSI is built around privacy preservation, students could decide what information they want to share, rather than hoping that the institution follows the individual’s instructions or the institution’s own privacy policies.

SSI also could deliver benefits to institutions that participate, such as reduced opportunity for fraud and tampering. Once information is published on the blockchain, it can be cryptographically verified and can’t be modified by the end user.

Higher education IT teams that want to experiment with SSI will find much to explore. But SSI today is not like InCommon or EduRoam, where a university can easily join and gain the benefits of cross-institution federated identity services. Rather, SSI is a combination of privacy requirements, architectural ideas and technologies that are evolving based on projects and experiences. Although the idea of SSI has been around for nearly a decade, it’s still a moving target, especially in an area like higher education.