Existing Identity and Access Management (IAM) systems, and Single Sign-On (SSO) in particular, are increasingly becoming a problem in themselves rather than a solution, especially on the customer-facing side of information systems. Credential-based access has been thoroughly compromised, since logins and passwords are routinely stolen or simply given away, and attempts to replace them with multi-factor authentication have turned the user experience of ordinary and even professional users into a true hell.
When we look at medium-sized and large enterprises, we see that this is not only a UX concern but also a cost concern. In most cases company policies (driven by risk and regulation) require that all IAM concerns be managed on-premises, which further increases maintenance and infrastructure costs.
Here we are going to discuss how the IAM problem can be solved with Verifiable Credentials and a Self-Sovereign Identity approach. We could stop right there, because Verifiable Credentials are exactly the solution to the problem. Initially, the concept of Self-Sovereign Identity was introduced as the missing security layer of Internet protocols. But why and how would it solve the problem?
Challenges of Traditional IAM and SSO: Overcoming Gaps in User Authentication
Most Identity and Access Management (IAM) and Single Sign-On (SSO) systems require at least three participants to be constantly online for the system to work:
The user, who needs access.
The third-party system, which needs to authorize some action of the user.
The initial system or IAM service, which authenticates the user or authorizes his or her action.
The user is bound to the IAM service and needs constant support from its side. At the same time, authentication happens via simple credentials such as a login and password, which can easily be stolen or taken over by many methods, such as phishing or gaining access to poorly protected user databases. It's fine if a social or other federated login is used, because huge companies like Facebook and Google try to more or less protect their users, until they can't and it becomes a disaster.
The biggest problem here is that the credentials, both login and password, have to be used and travel across the network, or be stored by services one way or another, which makes them quite vulnerable even in hashed form.
Revolutionizing Identity Management: Verifiable Credentials and the Emergence of Decentralized IAM
Verifiable Credentials (VCs) take a different approach to authentication and authorization.
First of all, only the public part of a VC is shared. It's like showing only the login to the system.
Instead of "telling" the password during authentication, the user cryptographically signs the service's challenge with it (the secret acts as a signing key). So the password neither travels through the network nor is stored on the service's side, which makes it exceptionally hard to steal.
Verifiable Credentials usually carry a signature from a decentralized, SSI-based IAM, and the third-party service just needs to know the public key of that IAM to check that the VC was issued by the proper authority.
Here, very important properties of such a D-IAM or SSIAM arise (I've just invented these terms, so don't get used to them):
A central IAM service isn't required at all in most cases; a person can do it with special software that needs no server.
Services no longer need to check with such an IAM service to authenticate or authorize users.
As a result, we get a reduction in maintenance and infrastructure costs.
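To make the flow above concrete (only the public part is shared like a login, the private key signs the service's challenge, and the relying service checks nothing but the issuer's public key, with no IAM server online), here is an added Go example written for this page; it is not OwlMeans code, and the credential layout, the `did:example:issuer` identifier and the NUL-separated payload are assumptions for illustration, not a standard VC encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential is a constructed, simplified stand-in for a Verifiable Credential.
type Credential struct {
	Issuer    string            // assumed issuer identifier (the decentralized IAM)
	Subject   ed25519.PublicKey // the "login": only the public part is ever shared
	Claims    map[string]string // what the issuer vouches for
	Signature []byte            // issuer's signature over payload()
}

// payload is the canonical byte string the issuer signs (NUL separator + fixed-size key + sorted JSON).
func (c Credential) payload() []byte {
	claims, _ := json.Marshal(c.Claims)
	return append(append([]byte(c.Issuer+"\x00"), c.Subject...), claims...)
}

// Issue runs once at the issuer; the user then keeps the credential in a wallet.
func Issue(issuer string, key ed25519.PrivateKey, subject ed25519.PublicKey, claims map[string]string) Credential {
	c := Credential{Issuer: issuer, Subject: subject, Claims: claims}
	c.Signature = ed25519.Sign(key, c.payload())
	return c
}

// Verify is all the relying service does, with no IAM server call: trusted issuer signature + challenge proof.
func Verify(trusted map[string]ed25519.PublicKey, c Credential, challenge, proof []byte) bool {
	issuerPub, known := trusted[c.Issuer]
	if !known || !ed25519.Verify(issuerPub, c.payload(), c.Signature) {
		return false // unknown issuer or tampered credential
	}
	return ed25519.Verify(c.Subject, challenge, proof) // proof of key possession, no password sent
}

func main() {
	issuerPub, issuerKey, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"did:example:issuer": issuerPub}
	vc := Issue("did:example:issuer", issuerKey, userPub, map[string]string{"role": "customer"})
	challenge := make([]byte, 32)
	rand.Read(challenge)                      // fresh nonce per login attempt, never reused
	proof := ed25519.Sign(userKey, challenge) // the private key never leaves the wallet
	fmt.Println("login ok:", Verify(trusted, vc, challenge, proof))
	fmt.Println("replayed proof ok:", Verify(trusted, vc, make([]byte, 32), proof))
}
```

The second check fails because a signature over one challenge is useless against the next one, which is what makes a stolen transcript worthless compared to a stolen password.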
Breaking Limits: OwlMeans' Innovative Approach to IAM Beyond Blockchain and Transaction Costs
Recently, various SSI- and blockchain-based authentication systems have started to pop up here and there. Of course, most of them rely on crypto and transaction costs, claiming that this is necessary for the proper operation and security of such systems.
But at OwlMeans we studied the standards and concepts of Web 3 thoroughly and came across the blockchainless (and even serverless) concept of KERI, which potentially allows us to establish Verifiable Credentials based IAM without relying on a blockchain and with server usage reduced to a minimum. We went further and made a much simpler implementation in our serverless Verifiable Credentials Wallets. Sounds scary from a UX point of view? Wallets? Make customers and users install them? No. We went further still: we introduced invisible web wallets, or integrated wallets, for your web services and applications, which let you start with an even better (truly passwordless) experience for your users and customers.
Want to learn more? Contact us…