Centralized identity management relies on the collection and storage of user identity data. With centralized identity management, users can access all their applications, websites, or other systems with the same set of credentials. This improves the user experience because you only have to enter one username and password, but it can lead to increased vulnerability if your credentials are compromised.
How does it work?
Because centralized identity management is united across all applications, the user only needs to access one console to enable a variety of services and infrastructure. When a single sign-on (SSO) solution is also in place, users can access the tools they need without having to sign on to multiple accounts because a trust relationship exists between the user, enterprise, and partner sites. This reduces frustration, friction, and password fatigue while increasing data security.
What are examples of centralized identity management?
Federated identity management is a centralized identity management solution that enables SSO to applications across multiple domains or entities. A company can give employees one-click access to third-party applications like Salesforce or Zoom. When an employee signs on in the morning, there is no need for multiple accounts and passwords to carry out their daily activities, which increases productivity.
Centralized identity management provides customers with a similar experience. For example, a bank can provide customers with seamless access to banking services that are externally managed, like ordering checks, sending money through a cash app, or applying for a loan. If the customer updates their address in one application, it is updated in all applications.
What is decentralized identity management?
With decentralized identity management, access is distributed across multiple environments. This means that users have to use different sets of credentials for any applications they access. The decentralized identity model lets individuals store identity-related data in a digital wallet on their own mobile device. In this wallet, a pair of public and private keys are created that let the user share only the information required to complete a transaction and nothing more. The information is kept only in the user’s digital wallet and not stored by enterprises, so the user always has control. They can keep that information and their sharing preferences up-to-date.
How does decentralized identity management work?
Users receive credentials proving their identity from multiple issuers, such as employers and the government, and store them in their digital wallet. The user can create a pair of private and public keys in their identity wallet and choose to share just the minimum amount of information required for a transaction. After the person presents proof of their identity to a company that requests it, the company can verify the proofs are valid through a blockchain-based ledger.
Issuers are official sources of data, such as universities, credit bureaus, or pharmacies, that provide verified data about people. Users can click a link from an issuer or scan a QR code to add verified data, in the form of a card, to their digital wallet.
Users are individuals, such as potential employees and customers, who store identity data (for example, a government-issued ID, vaccination record, or transcript) in a digital wallet that uses blockchain technology to ensure the information is never modified or deleted. Because personal information is stored only in the digital wallet, it's never outside of a user's control.
Verifiers are businesses or individuals that need to confirm something about someone. By scanning a QR code, users can share up-to-date, verified data about themselves with verifiers.
How is decentralized identity management different from centralized identity management?
The most fundamental difference between decentralized identity and existing identity management is that of trust relationships. What is widely deployed today with SAML and OAuth is bidirectional trust, where two parties that are known to each other have formed some agreement to establish a connection. That connection is then used to share information about the user such as authentication, identity attributes, and authorization.
In most self-sovereign and decentralized identity systems, the trust model is fundamentally unidirectional, where a verifier will trust the issuer, but the issuer may have no knowledge of the verifier. Importantly, to accomplish this securely and ensure fundamental one-way privacy, the role of the wallet is a critical component. It is a distinct party with its own independent relationship to both the issuer and verifier, and it must provide strong cryptographic capabilities to perform that role.
These unidirectional trust relationships can be supported with existing solutions. There are numerous supported mechanisms to approximate those types of relationships with today’s platforms. Where the divergence deepens is in the adoption of more advanced cryptography within decentralized identity, such that the crypto itself guarantees the trust boundaries through the use of zero knowledge proofs and anonymous signature techniques. Newer requirements of those still-evolving security technologies have subtle but important implications that have been easier to accommodate from a clean slate as they grow.