Digital identity – enabling secure collaboration with blockchain technology

Self-sovereign identities (SSI) are digital identities that are managed in a decentralized manner. This technology allows users to self-manage their digital identities without depending on third-party providers to store and centrally manage the data. Bosch Research is part of the IDunion consortium initiated by the German Federal Ministry of Economics. Policymakers and industry are working together to establish an open digital ecosystem for decentralized identity management so that people, companies and machines can interact safely and reliably in the Internet of Things based on artificial intelligence (AIoT). Already today, companies can use SSI for their corporate identity and master data management.

In the analog world, anyone who wants to prove or confirm their identity usually pulls out their ID card. When going to the authorities, visiting the bank or checking into a hotel, we can confirm our identity this way. After presentation, the ID card usually goes back into the wallet, which means we retain control over our data. Anyone who moves around on the Internet, whether shopping online, consulting with a bank or in contact with the administration, identifies themselves digitally. This takes place via different procedures such as Postident, video identification or entering our data in online forms. When placing an order online, replying to an e-mail or using social media accounts, users leave behind data that the provider stores and manages. “What sounds convenient, however, can be a security risk, because we are not only presenting our data, but it is being stored,” says Nik Scharmann, Project Director “Economy of Things” at Bosch.

The user does not keep this digital identity in his wallet. In most cases, users have no control over what happens to the data and who can view it. Even those who log into websites or apps with their social media accounts are revealing more about themselves than they might like. With every login, information is stored on what it was used for and when. What applies to private individuals also applies to companies: Data exchange between business partners usually takes place via third-party providers who store the information. A trustworthy and reliable system is needed so that individuals, companies and machines can interact and network digitally and securely. The future solution: Self-sovereign identities.

The aim of the network IDunion is the user-friendly, secure, economical and data-protection-compliant use of identity data. For this purpose, a digital infrastructure is being created that enables the transmission of data and is compatible with other global networks. The infrastructure is characterized by its decentralized structure. The participants of the system can use several providers. “We need to create a digital identity system that does not require centralized databases and is operated in a distributed manner by many participants,” says Nik Scharmann. The Economy of Things team is developing software based on SSI technology as part of the network.

Nik explains the principle of the system in a simplified way: “At the heart of the software is a digital wallet. It’s stored on mobile devices, so the data is always at your fingertips.” Every participant in the ecosystem – human, company, machine – has such an e-wallet in which they can collect their proofs of identity, certificates or other verifiable information about their person, function or service. They thus control the most current identity data at all times. But where does the digital evidence come from? It is issued by authorities, institutions, companies or even individuals – trustworthy issuers of proofs of identity. The third role in this digital ecosystem is played by the verifier, the person who needs or wants to verify the digital identity when interacting with the holder. The bottom line: The holder chooses whether to allow the verifier to access the evidence in his e-wallet each time it is requested. For inspection purposes, because he keeps all the information with him in his digital wallet.

A server that is controlled by a third party, as is the case with logins or passport proofs by means of video identification, does not exist with SSI technology. With SSI, all public identifiers of an identity can be stored on a blockchain, which is operated in a decentralized manner by many independent servers, which better protects against tampering by individuals. Identities can be created in any quantity – encrypted and pseudonymized. SSI technology connects people, businesses and machines and breaks down barriers in digital interaction. Instead of having to re-identify themselves for every action – buying a train ticket, driving a rental car, checking into a hotel – users pull out their digital wallet, allow access and master all the stages of their journey without unnecessarily handing over data. SSI allows selective disclosure of identity attributes, i.e. data owners can choose which data they are willing to share under specific circumstances. By leveraging cryptography it can be still be proven, that the selective representation is truly pointing to the right identity.

SSI is just picking up speed in Germany, driven by the emergence of European data spaces, for example in Gaia-X. Digital identities also figure prominently on the German government’s agenda. The IDunion network started its second project phase on 1 April 2021, which is scheduled for three years. During this period, more than 40 pilot applications of SSI technology will be implemented. Bosch is participating with its Economy of Things team. Industry expert Werner Folkendt and his team are developing an internationally deployable SSI application that is already having a practical benefit for companies: in corporate identity and master data management. Until now, companies have maintained information on products, services, customers or suppliers in their own IT systems and managed the master data of all suppliers (more than 100,000 at Bosch) themselves.

Their own master data must also be maintained in customer portals. In order to achieve a high level of data quality, a great deal of effort is required for data maintenance – which in turn generates high costs. In addition to the master data, there are certificates or other company identity features that companies must present to customers, for example. “With an SSI solution, the master data is based directly on electronic evidence (e.g. excerpt from the commercial register, or bank cards) from accredited issuers and each legal entity can decide which data is automatically accessible to whom and is thus sovereign of its data at all times,” says Werner Folkendt.

Werner and his team are working to develop a corporate agent software equivalent to a digital certificate wallet that represents each legal entity to the outside world. Each legal entity has a DID, a decentralized, self-managed ID number. Behind this are the company identity documents. “A corporate identity card is similar to a digital ID card for companies and is used as a digital business card,” says Werner. If required, it can be presented to business partners together with other electronic IDs such as bank cards or tax numbers.

The effort required by companies for master data management with SSI is low, because they do not necessarily need their own agent software to manage or exchange data and certificates in a decentralized manner. For Bosch’s many legal entities and, where applicable, smaller companies, the Bosch team is developing solutions in which a service provider takes over the operation of the corporate agent software. The principle remains the same: The company still has data sovereignty, only the transfer takes place externally via the secure provider. “What excites me about SSI is the innovation part and the possibility to then develop a business from the innovation,” says Werner Folkendt. In the IDunion network, he appreciates the community of partners and the non-profit nature. In the course of this year, a European cooperative will be established out of the publicly funded IDunion project. “The cooperative will run the data network but will be open to all participants, so it won't form a cartel or exclude anyone,” Werner said.

This is important in order to build up confidence in the project and the technology among industry and politics in order to make the network larger and more efficient through the participation of many companies and also states. The members of IDunion are already developing and testing applications of SSI technology in the fields of education, e-commerce, mobility, e-government, e-health, finance, identity & access management and industry/IoT. An overarching pilot project started in April 2021: contactless hotel check-in. “In the short term, SSI is about cost savings,” says Werner Folkendt. In the longer term, however, the technology offers opportunities for new product business. This requires trust and vision. “But if you start small, set up the necessary infrastructure and have a lot of participants, it will go quickly,” Werner says.