a good thing!
SSO, FIM, and DCI cater to varying needs and environments, demonstrating the increasing sophistication of identity management. Single sign-on provides a centralized, straightforward solution for reducing the complexity of password management within a single organization. Federated identity management expands the centralized model to cross-organizational domains, enhancing collaboration and resource sharing. Decentralized identity champions individual control and privacy and is designed for modern omnichannel interactions.
The most fundamental difference between decentralized and centralized identity management is the shape of the trust relationship. What is widely deployed today with SAML and OAuth/OIDC is bidirectional trust: two parties that already know each other exchange metadata, keys, or client registrations in advance to establish a connection. That connection is then used to share information about the user, such as authentication events, identity attributes, and authorization decisions.
In decentralized identity, the trust model is fundamentally unidirectional: a verifier trusts the issuer's signature, but the issuer need have no knowledge of the verifier and is not contacted when the credential is used. That is what gives the model its one-way privacy: the issuer does not learn where, when, or how often a credential is presented. To accomplish this securely, the wallet is a critical component. It is a distinct party with its own independent relationship to both the issuer and the verifier, and it must provide strong cryptographic capabilities to perform that role, chiefly holding the private key the credential is bound to and signing each presentation so the verifier can confirm that the presenter is the party the credential was issued to.
Existing federation platforms can approximate these unidirectional trust relationships; numerous mechanisms exist to do so with today's protocols. The divergence deepens with the adoption of more advanced cryptography within decentralized identity, such as zero-knowledge proofs and anonymous signature schemes, where the cryptography itself enforces the trust boundaries: a holder can prove a single claim without revealing the rest of the credential, and a presentation need not carry a signature that lets verifiers correlate it with other presentations.
Another significant difference between DCI and the other approaches is that it shifts control to the individual, allowing them to manage the sharing of their identity data. DCI is frequently associated with distributed ledger technology (e.g., blockchain); however, that is only one type of implementation, and a ledger is not required for the model to work.
DCI begins with one very distinct architectural difference from the other approaches. The identity information is decentralized, meaning it is not centrally stored. In traditional SSO deployments, each application that accepts the authentication token must look up the user's information from a shared directory or user store. In the case of FIM, each application trusts the identity provider to supply that information. In contrast, in the world of DCI, each service requests the data directly from the user; it does not perform a lookup through another service. It then decides whether to trust that information based on who issued it to the user, having verified the issuer's signature and confirmed that the party presenting the credential is the one it was issued to.
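The three-party exchange described above, written out as an added example that is not part of the original page or any Ping Identity product code. It uses Ed25519 from the Go standard library and a constructed toy credential format (not W3C VC, SD-JWT, or any other standard); the issuer name "example-dmv", the verifier "bar.example", and the nonce values are assumptions for illustration. The point to notice is that `Verify` takes only the verifier's own inputs: the nonce it issued, its own identifier, and its list of trusted issuer keys. Nothing in it contacts the issuer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is what the issuer hands to the wallet: claims bound to the
// wallet's public key and signed by the issuer. Constructed toy format for this
// example only, not a standard credential format.
type Credential struct {
	Issuer    string            `json:"issuer"`
	Claims    map[string]string `json:"claims"`
	HolderKey []byte            `json:"holder_key"` // wallet's Ed25519 public key
}

// Signed wraps a JSON payload with a detached Ed25519 signature over it.
type Signed struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// Presentation is what the wallet sends to a verifier: the issuer-signed
// credential plus the verifier's challenge, signed again with the wallet key.
type Presentation struct {
	Credential Signed `json:"credential"`
	Nonce      string `json:"nonce"`
	Audience   string `json:"audience"`
}

// NewKey generates an Ed25519 key pair for an issuer or a wallet.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Issue runs on the issuer. It binds the claims to the wallet's key and signs
// them; it never learns where the credential will later be shown.
func Issue(issuer string, issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey, claims map[string]string) Signed {
	payload, _ := json.Marshal(Credential{Issuer: issuer, Claims: claims, HolderKey: holderPub})
	return Signed{Payload: payload, Signature: ed25519.Sign(issuerPriv, payload)}
}

// Present runs in the wallet. Signing the verifier's nonce and audience with
// the holder key proves possession of the key the issuer bound the credential
// to, and makes a captured presentation useless elsewhere or later.
func Present(walletPriv ed25519.PrivateKey, cred Signed, nonce, audience string) Signed {
	payload, _ := json.Marshal(Presentation{Credential: cred, Nonce: nonce, Audience: audience})
	return Signed{Payload: payload, Signature: ed25519.Sign(walletPriv, payload)}
}

// Verify runs on the verifier using only local inputs. No call back to the
// issuer is made, which is what makes the trust one-way.
func Verify(sp Signed, trusted map[string]ed25519.PublicKey, expectedNonce, self string) (map[string]string, error) {
	var pres Presentation
	if err := json.Unmarshal(sp.Payload, &pres); err != nil {
		return nil, err
	}
	var cred Credential
	if err := json.Unmarshal(pres.Credential.Payload, &cred); err != nil {
		return nil, err
	}
	issuerPub, ok := trusted[cred.Issuer]
	if !ok {
		return nil, errors.New("issuer not in trust list")
	}
	// 1. Authenticity: claims and holder key were signed by a trusted issuer.
	if !ed25519.Verify(issuerPub, pres.Credential.Payload, pres.Credential.Signature) {
		return nil, errors.New("issuer signature invalid (credential tampered or forged)")
	}
	// 2. Holder binding: the presentation was signed by the key inside the credential.
	if len(cred.HolderKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(cred.HolderKey), sp.Payload, sp.Signature) {
		return nil, errors.New("holder binding failed (presenter does not control the bound key)")
	}
	// 3. Freshness and audience: reject replays and presentations meant for another verifier.
	if pres.Nonce != expectedNonce {
		return nil, errors.New("nonce mismatch (replay)")
	}
	if pres.Audience != self {
		return nil, errors.New("audience mismatch (presentation meant for another verifier)")
	}
	return cred.Claims, nil
}

func main() {
	issuerPub, issuerPriv := NewKey()
	walletPub, walletPriv := NewKey()
	trusted := map[string]ed25519.PublicKey{"example-dmv": issuerPub} // constructed issuer name

	cred := Issue("example-dmv", issuerPriv, walletPub, map[string]string{"over_21": "true"})
	nonce := "n-7f3a" // a real verifier generates this randomly per request
	pres := Present(walletPriv, cred, nonce, "bar.example")

	claims, err := Verify(pres, trusted, nonce, "bar.example")
	fmt.Println("accepted:", claims, err)
	_, err = Verify(pres, trusted, "n-0001", "bar.example") // same presentation, new nonce
	fmt.Println("replay:", err)
}
```

The same credential presented against a fresh nonce is rejected, a credential the issuer bound to a different wallet cannot be presented from this one, and a credential signed by a key absent from the verifier's trust list fails before any claim is read. Those three checks, not any round trip to the issuer, are what the verifier's trust rests on.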
| Centralized Identity | Decentralized Identity |
|---|---|
| Data is kept and controlled by the organization that collected or created the information. | Information is controlled by the individual and stored on their personal device in a digital wallet. |
| Data may be collected, stored, and shared with "trusted" third parties, commonly without the end user's knowledge. | Data is shared only when the person explicitly approves the sharing. |
| Large databases of user credentials and information are the target of cyber attacks. | Since each individual stores their own data, there is no single central store for attackers to target; the high-value targets become the wallet on the user's device and the issuer's signing keys. |