
The Future of Online Identity Is Decentralized - Yolta
https://yarmo.eu/post/future-online-identity-decentralized
======
motohagiography
Have worked in the identity space for a long time. Authentication isn't a hard
problem, but identity is. It will be decentralized because if it is not
fragmented, it is literally just oppression. Trusting authentication is not
trusting identity, and the origin of identity is the Ur-problem because it
comes down to questions of recourse, collateral, risk, authority, and
legitimacy - which are all political economy questions and not technical ones.

The technology can change the economics of identity, but identity itself
reduces to how you organize to provide recourse to people within your scope.
Sure, we can use escrow systems and smart contracts, but these still require a
means to organize and provide adjudication.

All the use cases for digital identity are about enforcement and liability,
and there are almost none that anyone would volunteer for. In this sense,
identity is necessarily imposed, so all products in the space are necessarily
aimed at a customer who is imposing identity on a group. It's why I tell
identity companies who ask to find some other problem to solve because holding
out for some government to adopt your product as their source of sovereignty
is a waste of time. There is one other use case for identity, and yes, it is
decentralized and bottom-up, because it is about dividing into secure, self-
sovereign affinity groups, and the reasons for doing that are on a very short
list of uses. Super fun, but basically a weapon.

~~~
narag
_It will be decentralized because if it is not fragmented, it is literally
just oppression._

I've never understood that way of viewing things. For me identity is a right.
The government must provide me with the means to prove who I am and my
associated data like birth certificates, academic titles, health
(vaccination), real estate and indirectly verifying identity for private
contracts that use my national id card number.

In an oppressive state identity surely could be oppression, just like
everything else, but in a democratic country? Come on. In the USA government
and even private entities are collecting massive databases of everybody's
data. But there's this panic about a centralized service providing identity.
It makes no sense.

~~~
pmoriarty
_" In an oppressive state identity surely could be oppression, just like
everything else, but in a democratic country?"_

What makes you think a democracy can't be oppressive?

Even in perfect democracies there is something called the tyranny of the
majority, where the majority can oppress the minority.

If we're talking about the US in particular, we have to recognize first that
it's not even a perfect democracy, and there are many anti-democratic things
about it such as the electoral college, and plenty more things that hinder
democracy even where it exists (such as poor civic education, money's outsize
influence in elections, extremely biased media, branches of government which
shirk their balancing and oversight roles, etc).

Then, to get specifically to the oppressive aspects of the US, they range from
slavery and lack of women's rights from its foundation, to segregation that
existed in law up to the middle of the 20th Century (and arguably still exists
in fact to some extent and in some places in the US even now), to the
imprisonment in concentration camps of Americans of Japanese descent, to
discrimination against people who weren't heterosexual, to the War on Drugs
and police brutality which primarily impact minorities, to abuse, killing, and
imprisonment of people who come to the US from other countries.

All this oppression and more has happened in what is ostensibly a democracy,
and often likes to style itself as the world's greatest democracy.

And all of this oppression has had to do with identity, which required
identifying people's race, gender, sexual preferences, or country of origin.

Such identification is amplified and made all that much easier in the age of
computers, the internet, and gigantic databases on everyone. It's a data trove
just begging for abuse.

~~~
chrisco255
It's not meant to be purely democratic. The founders were students of history
and recognized the inherent instability of pure democracies. There were no
human rights recognized anywhere in the world in 1776. The imperial era was
still a thing and Kings and queens still had vast influence over European
politics, with various other centralized power structures in virtually all
parts of the world. I get that it's easy to point out the hypocrisy of the
phrase "all men are created equal" when slavery was still a thing in half the
states, but it was a very tenuous situation to go against the crown of England
in 1776. It was far from guaranteed. A lot of people see the human rights we
have today as some sort of inevitable outcome of progress, but China is case
in point that progress and time do not necessarily yield more rights for more
people. China is 4000 years old and they still don't even have basic freedom
of speech there.

All of human history is filled with bloodshed, tyranny, endless wars,
conquering, slavery, piracy, vandalism, raiding parties, human sacrifice,
religious battles and authoritarianism, with just a few punctuating moments of
anything resembling democracy and recognition of human rights. That goes for
every race, country, tribe, continent and creed. No heritage is innocent of
that. That's the truth. 1776 didn't have to succeed. It very much could have
ended with being squelched by the Crown and then where would we be today?
Perhaps the Nazis would have won. Perhaps the Soviets would have developed
imperial ambition in the absence of a strong US to keep them in check. Maybe
the world would be a darker place. I suspect that without the U.S. that it
would be, since that's the rule of history and not the exception.

Interning the Japanese Americans was of course wrong, but when you're fighting
a world war and tens of millions are dying at the hands of Japanese (they
slaughtered Chinese by the tens of millions)...it's very touchy isn't it? The
lesser of two evils in that particular war was certainly the U.S.

Again, prior to world war 2 the world was still filled with imperial forces
itching to conquer and enslave other people by the tens of millions. This is
just 80 years ago...not that long ago. There was nowhere else in the world
living up to the high ideals we seek to achieve today back then. The U.S. was
that place for so many people to escape to. The Jews being one group. The
Cubans being another. The Vietnamese being another. The Koreans being another.
If you're going to paint the picture, paint it in the context of the world at
the time and the subsequent actions in the wake of those problems. I think
individuals deserve forgiveness after some time, and the same goes with
nations, given that their behavior is corrected. There's nothing wrong with
the movement towards more civil rights. But expecting things to go from
millennia of imperialism to utopian democracy overnight, especially one saddled
with so much legacy from that era, is naive. Again, it didn't have to go so
well. It could have very gone south and ended up worse off for everyone.

~~~
pmoriarty
_" It's not meant to be purely democratic. The founders were students of
history and recognized the inherent instability of pure democracies."_

Many of the founders were also elitists who didn't want anyone but landowning
white men to run the country. They were wary of "mob rule" (i.e. direct
democracy), and preferred to have the elites rule. The jury's still out on
whether they were right or whether direct democracy is actually better.
Considering how much power and wealth is being concentrated in the hands of a
tiny minority in the US, I'm siding with having more direct democracy, not
less.

_" I get that it's easy to point out the hypocrisy of the phrase "all men are
created equal" when slavery was still a thing in half the states, but it was a
very tenuous situation to go against the crown of England in 1776."_

The existence of slavery in the US wasn't just about 1776.. it lasted until
1865. The US was one of the last countries to end slavery.

_" All of human history is filled with bloodshed, tyranny, endless wars,
conquering, slavery, piracy, vandalism, raiding parties, human sacrifice,
religious battles and authoritarianism..."_

_" Interning the Japanese Americans was of course wrong, but when you're
fighting a world war and tens of millions are dying at the hands of Japanese
(they slaughtered Chinese by the tens of millions)...it's very touchy isn't
it? The lesser of two evils in that particular war was certainly the U.S."_

The point of my post wasn't to say there weren't reasons (some might say
excuses) for the US to behave the way it did (extreme, widespread racism
against minorities is one such reason and excuse), nor to deny that some
countries were just as bad or even worse, but to recognize that massive,
serious oppression did in fact happen in the US, despite it being some sort of
a democracy.

Oppression in the US is still happening, is likely to continue, and will
probably be greatly enabled by the easy availability of identifying
information on the people within and without its borders.

~~~
arminiusreturns
I want to express a frustration with this type of response I have.

Inevitably, when this topic of discussion comes up, I almost always see a
response of this type, calling into question the entire foundation of the USA
on the basis of the founding brothers being white slave owners, and it really
bugs me, but I'm having a hard time trying to articulate it well...

I think it mostly centers around a very superficial understanding of the
evolution of the enlightenment and the renaissance into the culmination of
those that was the US. I would probably respond better if, when these
arguments get thrown about, I heard discussion of the philosophical
underpinnings the founders, in particular Madison, based their proposals on.
Discussion or reference to individual liberty, natural law and natural rights,
and such, as learned from study of Socrates, Plato, Aristotle, Thomas Aquinas,
Locke, Hobbes and Spinoza, Montesquieu, etc.

I almost never see these referenced in this responses though, and to me it
seems very dangerously close to "throwing the baby out with the bathwater",
and I fear that the sentiment is growing so rapidly, as shallow as it may be,
that the lack of understanding why America truly is a revolutionary country
and is exceptional in history will portend some very turbulent times in the
future.

Yes, the system was imperfect from the start, and has been even more imperfect
in implementation, but to say then that the whole system (not saying you said
this, but it seems thinly veiled to that effect often) must be thrown out is
foolhardy at best. The shining light of America is that it has, in its
founding documents, a system designed to self-improve over time. I see our
main problem as being the lack of memory of why each piece of that system is
so important, and have allowed it to become corrupted. The path forward then
is in seeking to enforce the core foundational principles the founders thought
very hard about (such as Montesquieu's checks and balances system), and not to
discard them just because they came from people that were imperfect.

~~~
pmoriarty
My main point was that there's been plenty of oppression in the US despite it
being to some degree a democracy.

It doesn't sound like you're actually disputing my main point at all, but
wanting to shift the discussion on to whether the American system of
government needs to be replaced and why, which is really off-topic.

Still, in response to your tangential point, I want to make clear that I'm not
advocating discarding the entire American system of government, and my
dissatisfaction with parts of it as they stand now does not stem from who the
founders were.

I do think the system has proven itself to fail at meeting the high ideals
that some of the founders professed to have. The system has proven itself to
be highly corruptible, the checks and balances built in to the system have
failed, and much of the Constitution is widely ignored or reinterpreted to
mean whatever the people in power want it to mean.

These failures are not due to the founders owning slaves, but due to them
being unable to foresee or adequately prepare the nation for things such as
mass media, the internet, modern advertising and propaganda, and a slew of
consequences of modern warfare, mutually assured destruction, the military-
industrial complex, corporate dominance of the economy, enormous amounts of
money being thrown at elections, the shutting out of third party alternatives,
the poor civic education, widespread apathy and easy manipulability of the
electorate, and on and on.

Despite the founders' short-sightedness and all the failures and weaknesses in
the American system of government, I am not an advocate of eliminating it
wholesale. I believe reform is possible, and that it could be made more
democratic, more accountable, more fair and just, and we don't have to scrap
it all to do it.

However, I very much doubt the political will or consensus is there to make
significant positive changes. If anything, I expect it to get much worse
before it gets better.. if it ever will.

~~~
mirimir
> I do think the system has proven itself to fail at meeting the high ideals
> that some of the founders professed to have. The system has proven itself to
> be highly corruptable, the checks and balances built in to the system have
> failed, and much of the Constitution is widely ignored or reinterpreted to
> mean whatever the people in power want it to mean.

It arguably failed so long ago that virtually nobody notices. For the first
~century, corporations were allowed _only_ in the public interest. To some
extent, that reflected outrage at the excesses of corporations chartered by
the English Crown. But there were also concerns about the concentration of
money and power.

But that began to fail in the mid 1800s, with the rise of the railroad
corporations, and their growing political power. And it ended with the 14th
amendment and some Supreme Court opinions, which granted many citizenship
rights and legal protections to corporations.

~~~
megameter
Overwhelmingly, I believe the issue we're facing is somewhat to do with
identity and property being tied together, and not something specific to the
US. And this is a factor that precedes 1776 in the rise of national
identities: monarchs had a strongly individualized identity, but identity
across a people via a national boundary was a more limited consideration until
trade growth had sufficiently developed a reason to use such: language,
religion and local allegiance did most of the work. The locals could often
evade legibility by obscuring their identity.

But property-based identity held a lot of currency by the time 1776 rolled
around: it established credibility as an actor with some real agency and
independence within trade relations, and therefore our modern nations have
built their legibility around property. And what we've done since is to either
try to position everyone somewhere within the property system, or to turn
towards an authoritarian model to create identity without ownership (as in the
various communist experiments, or the flat, hidden authority in "Tyranny of
Structurelessness").

So when we have the idea of something like identity theft, or corporate
personhood, that's a thing generated of having an identity to own, cascading
down into human relationships as property, personal branding, etc. And the
largest, most developed function of the legal system in the US is to make
judgments about property. But we also have systems of identification that are
imposed in an authoritative fashion (the SSN, DL, passport, etc.) - every
nation is a mixed identity market in this way.

And in this respect I think the philosophy is truly starting to fail in a
world which has so greatly automated ownership, and we will need to consider
both identity and property at the same time to reach useful alternatives.

------
kory
If anything, my bet is the future of identity is more centralized.

Decentralized solutions, as I've read about them in their current form,
require a significant amount of technical knowledge to understand. That is, to
understand both what they are and, more importantly, their benefits ("why does
this specific solution matter to me?"). Past that, the user experience is
extremely poor in comparison to clicking "log in with Google", and I'm not
convinced it can ever fully get there.

It is for those reasons that I think centralized identity is here to stay long
term. Most people aren't going to spend the time to learn about this because
they just want the easiest solution and don't care about their data being
sold. I know several people in tech that fully understand the extent of how
their data is used by internet corps, and don't mind it because they prefer
convenience for free. And I think that's OK--it's their informed choice.

Personally, I try to login with email most of the time, and that's the limit
of my drive to care about the security of my personal data. But my email is
gmail, so I doubt it really makes a difference from login with Google.

~~~
djhaskin987
In the US, everyone uses credit cards (centralized identity) to pay for stuff.

In Mexico, credit cards are stolen and reamed for all they're worth by
criminals. As a result, everyone uses cash (decentralized, anonymous,
difficult to use). Everyone could move to decentralized in the face of
significant pressure, even if centralized identity is more convenient.

~~~
kory
All central authorities are built on trust, fear, or complacency. Americans
are complacent with the credit card system and trust it for the most part. The
Experian breach has shown that breaches of trust are easily overlooked in
favor of complacency, at least to a point.

Considering how Americans view other Americans (I hear "stupid" thrown around
a lot), I strongly doubt that a decentralized authority would ever gain enough
trust in the US to take hold today without a strong historical precedent.

For what it's worth, cash is still centralized. It's made "legitimate" by the
power of the central government, and is managed & controlled by that
authority. Given, it is somewhat "decentralized" because the value of fiat
money comes from the people's agreement that the currency has value. On the
other hand, the US dollar's global hegemony exists in large part because of
global US Military presence, which is absolutely a "central authority".

~~~
maccard
> The Experian breach has shown that breaches of trust are easily overlooked
> in favor of complacency, at least to a point.

I disagree that it matters for trust in CC's. It may have damaged Experian's
reputation, but people still trust amex/MasterCard/visa and their banks,
despite Experian being useless. The fact that Experian is required to access
those systems is unfortunate, but most people don't deal with Experian
directly.

I think people's day-to-day trust in banks is well placed, for what it's
worth. I banked with a large bank that fell in 2008, and had less than 10,000
in my bank. My money wasn't affected, I just had to find a new provider.

I've had multiple incidents of fraudulent transactions on debit and credit
cards over the last 15 years, and in _every_ instance, my card provider has
sided with me and refunded me the money immediately (even in the one case I
was actually wrong and it was a billing mistake). Those amounts were almost
always in the few hundreds.

~~~
asciident
Considering that the data breach was actually at a completely different
company than the one this thread named leads me to believe that the reputation
damage is not as significant as you suggest.

------
uniqueid
In my ideal world, we have a framework for brick-and-mortar businesses to act
as internet notary service providers.

If you want a general-purpose open-id style account, you visit a notary, and
provide them with a fee and proof of your identity. You tell the notary how
much information they can share (in particular, whether they can release your
name to the internet, or just the "we verified this account is held by a real
person" boolean).

The protocol would cover much more than passport info though. You could have a
notary vouch that you're a licensed driver, or have a college degree, visited
a certain country, etc.

That might cut through some flavors of online nonsense. It would also allow
people to stay pseudonymous, and yet enable law enforcement to subpoena their
identity, if they go on a killing spree, or hack a few million dollars worth
of bitcoin.

~~~
orf
> You could have a notary vouch that you're a licensed driver, or have a
> college degree, visited a certain country, etc.

Humans, generally, are very bad at catching document fraud. It wouldn't be a
vouch for a licensed driver but instead it would be a vouch for "a bit of
plastic that looked like a driving license to me".

There is lots of sophisticated fraud and often automated solutions have a much
higher rate of detection than your average person, even with some training
against common attacks.

~~~
supertrope
Certificate authorities with brick and mortar locations would be an
improvement over the current USA situation of SSN+DOB as master password to
all IRL accounts. Checking a drivers license IRL is better than looking at an
uploaded scan or photo. They could use those box scanners casinos use.

The main issue is minimizing cost. Dot com companies and banks don't want to
pay for this so they peg online identities and account security to SMS
effectively pushing off the problem to cellular companies. Cellular companies
lack the competence to handle IAM. Opening a branch in every city is very
expensive and companies don't want to even pay ~$10 for an offshore script
reader to check a SMS code and verify "public information" off a credit
report.

Credit card companies that are already liable for fraud usually settle for
SSN+DOB, ID scans and aforementioned Equifax data verification because fraud
losses are cheaper than in person due diligence.

------
tdons
We have this in The Netherlands but it hasn't picked up yet. It's promising
though: [https://privacybydesign.foundation/irma-explanation/](https://privacybydesign.foundation/irma-explanation/)

The system is attribute based and requires an 'authority' to give you the
attribute. After that the attribute lives on your phone and you can give it
out to organisations or businesses asking for:

- your name
- whether you are >= 18
- your address
- etc.

What's great about it is:

- you can give out minimal information
- no 3rd party/intermediary required after you've received an attribute

------
Animats
The future of online identity is centralized.

China is already there. At age 16, you get your picture and fingerprints
taken. If you get a phone, its ID is tied to your personal ID. Your WeChat
account is tied to that ID. If you ride the subway or bus in a major city, or
a train, your ID is recorded when you pay. A combination of phone tracking and
facial recognition records where you go in some cities. It's even used to
shame jaywalkers.[1]

The US is getting there with Real ID. It's been postponed a year due to the
epidemic, but soon you will need a Real ID, checked against your birth
registration, to board even a domestic flight.

[1] [https://youtu.be/ectdRsyj-zI](https://youtu.be/ectdRsyj-zI)

~~~
jadbox
As the article mentions, centralized trust has proven that it reaches a
certain maximum before being plagued by political, legal, and corruption. I
don't know much about the China's state ID system, but based on other systems
they've rolled out, I'm sure with enough money and the right contacts you can
wipe, fabricate, or change your ID (which is also true for the US).
Centralized systems have to also undertake the same problems as decentralized
ones, like ensuring records are kept updated, which is no trivial task when
providing identity for millions of people (1)

(1) [https://www.washingtonpost.com/us-policy/2020/06/25/irs-stim...](https://www.washingtonpost.com/us-policy/2020/06/25/irs-stimulus-checks-dead-people-gao/)

------
Kapura
I think one of the great parts of the internet is that it promotes this
identity decentralisation (or, as i have always thought about it, identity
fragmentation). You are allowed to isolate online identity from the rest of
your life, or from separate online accounts/personae.

Which is why I am confused as to why the author spent so much time worrying
about verifying identity. To me, that feels like it's completely missing the
point of fragmenting your online experience. Is the author simply concerned
with the amount of power associated with their google login?

------
ThePhysicist
There's the "European" ID4Me project
([https://id4me.org/](https://id4me.org/)), which tries to add federation on
top of OpenID Connect / OAuth2. The idea is to give users globally valid IDs
that contain a domain name. Using a TXT record on that domain you then specify
which OpenID auth provider a service should use to authenticate the user. If
you have your own domain this enables you to switch ID providers without
having to update your accounts.

In general I like the idea but since it's a EU-style project I don't expect it
to go anywhere to be honest. And personally I don't think the benefit over
e-mail based authentication is marginal. That said there are some extensions
in OpenID Connect that can achieve something similar, and that (IMHO) are more
likely to actually get widely adopted.
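
The delegation step described above (a domain's TXT record naming the OpenID provider a service should use, so that switching providers means editing one DNS record rather than every account) as an added example; this is not ID4Me's or the page's own code. The record name `_openid.<domain>` and the `v=OID1;iss=...;clp=...` value layout are my assumptions about the record format, the DNS answers are constructed in-line so the script runs offline, and the stub resolver does no DNSSEC validation, which a real relying party would need before trusting the record.

```python
"""Hypothetical ID4Me-style discovery: domain -> TXT record -> OpenID issuer.

Assumed record format (my assumption, not taken from the page):
  _openid.<domain>  TXT  "v=OID1;iss=<openid-provider-host>;clp=<claims-host>"
"""
from typing import Dict, List, Optional

# Constructed zone data standing in for real DNS TXT lookups.
FAKE_TXT_RECORDS: Dict[str, List[str]] = {
    "_openid.alice.example": ["v=OID1;iss=id.provider-a.example;clp=claims.alice.example"],
    "_openid.bob.example": ["v=OID1;iss=id.provider-b.example"],
    "_openid.broken.example": ["v=OID9;iss=id.provider-a.example"],   # unknown version
    "_openid.noiss.example": ["v=OID1;clp=claims.example"],           # no issuer
    "_openid.spam.example": ["unrelated verification token", "v=OID1;iss=id.provider-c.example"],
}


def lookup_txt(name: str) -> List[str]:
    """Stub resolver: returns the TXT strings for a name (no DNSSEC here)."""
    return FAKE_TXT_RECORDS.get(name.lower(), [])


def parse_record(txt: str) -> Optional[Dict[str, str]]:
    """Parse 'k=v;k=v' into a dict; reject anything not a valid OID1 record."""
    fields: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "OID1":
        return None          # version tag missing or not one we understand
    if not fields.get("iss"):
        return None          # an issuer is mandatory for delegation to work
    return fields


def resolve_issuer(domain: str) -> Optional[str]:
    """Return the OpenID provider host delegated for this domain, or None."""
    for txt in lookup_txt(f"_openid.{domain}"):
        record = parse_record(txt)
        if record is not None:
            return record["iss"]
    return None


def discovery_url(domain: str) -> Optional[str]:
    """Where a relying party would fetch the provider's OIDC metadata."""
    issuer = resolve_issuer(domain)
    if issuer is None:
        return None
    return f"https://{issuer}/.well-known/openid-configuration"


def switch_provider(domain: str, new_issuer: str) -> Optional[str]:
    """Simulate the user editing their DNS record to move to another provider.

    Nothing on the relying-party side changes: it still stores only the domain.
    Any 'clp' value in the existing record is preserved.
    """
    name = f"_openid.{domain}"
    clp = None
    for txt in lookup_txt(name):
        record = parse_record(txt)
        if record is not None:
            clp = record.get("clp")
    value = f"v=OID1;iss={new_issuer}"
    if clp:
        value += f";clp={clp}"
    FAKE_TXT_RECORDS[name.lower()] = [value]
    return resolve_issuer(domain)


if __name__ == "__main__":
    for d in ("alice.example", "bob.example", "broken.example", "noiss.example"):
        print(d, "->", discovery_url(d))
    print("after switch:", switch_provider("alice.example", "id.provider-b.example"))
```

The parser deliberately skips TXT strings that are not ID4Me records, since the same name may carry unrelated tokens, and refuses records with an unknown version or no issuer rather than guessing; the trust in the result is only as good as the DNS answer, which is why the lead-in flags DNSSEC validation as the missing piece.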

~~~
rendaw
What does federation bring here? Aren't OpenID identities already collision
free?

I'd love to have SSO under my own control, and while it was theoretically
possible with OpenID 2 things have gone backwards with OIDC with everyone
supporting it but restricting login to just the big names (Google, Facebook,
Apple).

I put together a simple stateless OID2/OIDC identity provider:
[https://gitlab.com/rendaw/oidle](https://gitlab.com/rendaw/oidle) but I have
yet to find a website I can actually use it on. I still have hope though.

~~~
djsumdog
I had a classic OpenID server and every website I used to authenticate
against with it has gotten rid of OpenID support. Stackoverflow was the big
one. I haven't tried OpenID Connect yet.

[https://battlepenguin.com/tech/the-decline-of-openid/](https://battlepenguin.com/tech/the-decline-of-openid/)

~~~
rendaw
By the way I wanted to say I read that blog post a bunch of times while trying
to put together that software! OpenStreetMap and GnuSocial may really be
everything on the internet now.

I'd almost sign up for a website at this point just to get a chance to use my
OID provider...

------
mirimir
> Removing the possibility for anonymity could solve the problem of online
> toxicity.

Except that it's not possible. And worse, it's just hard enough to evade that
only those with malicious goals will manage it.

> Large internet corporations like Google and Facebook allow all to create an
> account on condition that some personally identifiable information is
> revealed, usually a phone number.

Also Signal, sadly enough :(

> The benefit is that it deters most from repeatably creating new accounts
> when older accounts have been flagged or banned due to improper behavior.
> These companies gain the function of "identity provider": they manage your
> online identity that can be used to login in different locations of the
> internet. We all know many websites that offer a "Google login" or "Facebook
> login".

Yes, it "deters most". And mainly it deters vulnerable people, who need
~anonymity to protect themselves from adversaries. It doesn't deter spammers,
trolls, scammers, bot operators, and such. There are just so many ways to use
multiple phone numbers. Ranging from free websites to SIM banks. And actually,
it's easier just to buy accounts, either fresh or old (which probably means
stolen).

So even without getting into concerns about corporate gatekeepers, it's clear
that this is a misguided approach.

------
weinzierl
_" Built for individuals, I recently launched Keyoxide which uses
cryptographic keypairs to accomplish decentralized identity verification."_

So this is about the introduction of a new identity service. From what I get
looking into Keyoxide it basically strives to be what Keybase originally
intended to be.

From their Keybase migration guide [1]:

 _" Keyoxide as a partial replacement for Keybase

It's important to moderate expectations and state that Keyoxide only replaces
the subset of Keybase features that are considered the "core" features:
message encryption, signature verification and identity proofs.

Message decryption and signing are not supported features: they would require
you to upload your secret key to a website which is a big no-no.

Encrypted chat and cloud storage are not supported features: there are plenty
of dedicated alternative services.

If you need any of these Keybase-specific supports, Keyoxide may not be a full
Keybase replacement for you but you could still generate a profile and take
advantage of distributed identity proofs."_

[1] [https://keyoxide.org/guides/migrating-from-keybase](https://keyoxide.org/guides/migrating-from-keybase)

~~~
ocdtrekkie
The key difference is that instead of the Keybase server storing
verifications, it looks like they tell you to add the link to the proof
directly to your key as a notation.

This means the proof isn't dependent on a central server, which seems like a
significant improvement.

~~~
mirimir
Yes, I noticed that too. So yes, I believe that this improves on Keybase. Even
without the Zoom fail.

------
rasengan
I have always felt identity, including online such as domain names, should be
decentralized — it’s too much power for a central authority to dictate who
gets (and doesn’t get) a name. Further, it’s too easy for people to
impersonate others online. It even happened at reddit where the CEO
masqueraded as users by modifying their comments [1].

Handshake [2] is a great project that helps decentralize online identity. Not
only is naming distribution in the hands of the people with Handshake which
ends the deplatforming/censorship debacle the world has been facing recently,
but also, anything a name does can be verified with signatures verifiable
against the blockchain.

[1] [https://www.theverge.com/2016/11/23/13739026/reddit-ceo-stev...](https://www.theverge.com/2016/11/23/13739026/reddit-ceo-steve-huffman-edit-comments)

[2] [https://handshake.org](https://handshake.org)

------
identitywoman
The future is Decentralized - you have very large actors working to deploy
systems based on the Verifiable Credentials (VC) Data Model (W3C Standard) and
the Decentralized Identifiers (soon to be W3C Standard) extensive work is
being done on how the data is exchanged (Credential Handler API, OpenID
Connect Self Issued Identity Provider (OIDC_SOIP) <- so any installed openID
can accept VCs and DID Communications (spec under development at the
Decentralized Identity Foundation). Actors supporting this work include western
liberal governments, MSFT, IBM and many, many others, plus many cool small startups.
We gather twice a year at the Internet Identity Workshop. Our archives for the
last 10 years are online.

~~~
geonnave
I support this view.

The DID and VC specs are the most advanced tools we have now to implement
decentralized identity, plus there are many startups applying these in real
world, solving problems and generating open source implementations.

Btw, I joined the Internet Identity Workshop last spring and it was an
incredible experience.
([https://internetidentityworkshop.com/](https://internetidentityworkshop.com/))

------
ChrisMarshallNY
I hardly ever use any OAuth logins. I use my GH login in a couple of places,
but I usually create an email/site-specific ID. 1Password is a nice tool.

That said, the last couple of years, I have gone to great lengths to create a
"digital personal brand," which is deliberately designed to help people find
me, and tie all of my digital artifacts together.

I think that OAuth logins actually work against that. I want to leave
"pointers" all over the place, that point to each other in a public manner.
OAuth logins "bury" these pointers, so only "gatekeepers" can see the
information.

It definitely means that I have to be a lot more careful, these days, than I
used to be, in choosing what I write or expose online, but I don't feel it's
too difficult. I like to think that I live a lifestyle that has very little to
hide.

I was reading about that Fox writer that just committed career _seppuku_. I
think that is a visceral example, showing that we can't trust the old cloak of
anonymity to hide our trail, so it might not be a bad idea to, as Twain said,
"live that when we come to die, even the undertaker will be sorry."

It's part of a strategy that seems to be working.

Works for me. YMMV

------
upofadown
Your identity is going to come down to knowledge of the private key from some
sort of public key system. Why not just standardize that?

An excellent example of something perversely non-standardized for identities
can be found in messaging. Signal, Matrix, Whatsapp and OMEMO are even
supposedly based on the same protocol. In terms of identity they are all
complete silos. All the things you establish about an identity on one system
are completely unusable on another.

Creating systems to kludge this mess together seems to be a way of avoiding
the root problem here...

~~~
supertrope
What happens when the private key is lost? We can either have certificate
authorities issue you a new one, or you would need to approach your peers and
have e.g. three of them confirm that you've changed keys.

~~~
nanomonkey
One could also use Shamir's Secret Sharing algorithm to have a number of your
peers hold your secret key without them being able to access it. When you've
lost the key, you have a subset of the peers reproduce it for you, by sharing
their portion of the secret. Cryptography is pretty great.
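
The k-of-n recovery nanomonkey describes, as an added worked example (not code from
the thread): Shamir's scheme over the prime field GF(2^127 - 1). A raw private key is
cut into 15-byte chunks, each chunk is shared independently, and any three of five
peers can rebuild it. The key and the peer count are constructed for the demo.

```python
# Added example (not from the thread): k-of-n sharing of a private key with
# Shamir's scheme over GF(p), p = 2^127 - 1. Each peer holds one share; any k
# shares reconstruct the secret, fewer reveal nothing about it.
import secrets

PRIME = (1 << 127) - 1  # Mersenne prime; every shared value must be < PRIME


def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial with the given coefficients at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, k: int, n: int):
    """Split an integer secret into n shares such that any k of them reconstruct it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a non-negative integer below PRIME")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    # Constant term is the secret; the other k-1 coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    # Share i is the point (i, f(i)); x = 0 is never handed out, f(0) is the secret.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the supplied shares (distinct x required)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share x-coordinates")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = (num * (-xj)) % PRIME
            den = (den * (xi - xj)) % PRIME
        lagrange = num * pow(den, -1, PRIME) % PRIME
        secret = (secret + yi * lagrange) % PRIME
    return secret


def split_key(key: bytes, k: int, n: int):
    """Split a raw key of any length: 15-byte chunks (each < PRIME) are shared
    independently. Returns (per-peer share lists, chunk lengths)."""
    chunks = [key[i:i + 15] for i in range(0, len(key), 15)]
    per_chunk = [split_secret(int.from_bytes(c, "big"), k, n) for c in chunks]
    # Transpose so that peer i receives the i-th point of every chunk.
    return [[pts[i] for pts in per_chunk] for i in range(n)], [len(c) for c in chunks]


def recover_key(peer_shares, chunk_lens):
    """Rebuild the key from the share lists of any k peers."""
    key = b""
    for idx, length in enumerate(chunk_lens):
        points = [shares[idx] for shares in peer_shares]
        key += recover_secret(points).to_bytes(length, "big")
    return key


if __name__ == "__main__":
    private_key = secrets.token_bytes(32)  # constructed stand-in for a real private key
    shares, lens = split_key(private_key, k=3, n=5)
    assert recover_key(shares[:3], lens) == private_key                  # any three peers
    assert recover_key([shares[0], shares[2], shares[4]], lens) == private_key
    # Fewer than k shares do not fail loudly; they yield an unrelated field element.
    # Always check a recovered key against its public key before trusting it.
    first_chunk = int.from_bytes(private_key[:15], "big")
    assert recover_secret([shares[0][0], shares[1][0]]) != first_chunk
    print("recovered with 3 of 5 shares")
```

The shares are only as safe as the channel they travel over and the peers holding them;
in practice each share is encrypted to the receiving peer, and the threshold k is chosen
so that no plausible coalition of peers can rebuild the key without you.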

------
cirno
I feel like a domain is a nice way to link identities, with a small nominal
fee being a nice deterrent to botting. Not the most user-friendly for those
not tech savvy, but third-party services could help with setting up such
sites.

Make a page on your domain with rel=me links to your social media profiles,
have the social media sites link back to your site with a verified symbol next
to the link when it scans and validates the rel=me link.

This puts you in control of your verification instead of federating it to a
service like Keybase or Keyoxide.
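
The reciprocal rel=me check described above, as an added example (not code from the
thread or from any IndieWeb project). The two pages are constructed HTML standing in for
what a checker would fetch; the point is that only a link in both directions proves
control of both ends, and that URLs must be canonicalised before comparison.

```python
# Added example (not from the thread): a rel="me" reciprocity check. Both pages
# below are constructed; a real checker fetches them over HTTPS and applies the
# same rules to the live documents.
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


def normalize(url: str) -> str:
    """Canonical form for comparison: lowercase scheme/host, drop fragment and trailing slash."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


class RelMeParser(HTMLParser):
    """Collect href targets of <a> and <link> elements whose rel tokens include 'me'."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()   # rel is a space-separated token list
        href = a.get("href")
        if "me" in rel and href:
            self.links.append(normalize(href))


def rel_me_links(html: str):
    p = RelMeParser()
    p.feed(html)
    return set(p.links)


def verify_reciprocal(home_url, home_html, profile_url, profile_html) -> bool:
    """True only if home -> profile AND profile -> home are both declared with rel=me.
    A one-directional link proves nothing: anyone can point at your site; only the
    link back from the account shows the same person controls both."""
    home, profile = normalize(home_url), normalize(profile_url)
    return profile in rel_me_links(home_html) and home in rel_me_links(profile_html)


# Constructed sample pages (not real sites).
HOME_HTML = """<html><head>
<link rel="me" href="https://social.example/@alice">
</head><body>
<a href="https://social.example/@alice" rel="me nofollow">my social account</a>
<a href="https://social.example/@mallory">a friend, no rel=me</a>
</body></html>"""

PROFILE_HTML = """<div class="bio">
<a rel="me" href="https://alice.example/">Website</a>
</div>"""

IMPOSTER_HTML = """<a href="https://alice.example/">I claim this site</a>"""  # no rel=me

if __name__ == "__main__":
    print(verify_reciprocal("https://alice.example", HOME_HTML,
                            "https://social.example/@alice", PROFILE_HTML))    # True
    print(verify_reciprocal("https://alice.example", HOME_HTML,
                            "https://social.example/@mallory", IMPOSTER_HTML))  # False
```

A production checker also has to decide which redirects to follow and whether a link
placed in user-editable content (a forum signature, a bio) counts for the whole account;
the parser above treats every rel=me on the page as the account owner's, which is only
safe on pages the owner fully controls.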

~~~
tatersolid
Do you work for a domain registrar?

$10/year * 4 Gigapeople online.

Mandate that much free revenue to the likes of godaddy? No thanks.

------
vasilakisfil
The future of online identity is indeed decentralized and not distributed,
meaning that users will always have some super nodes to handle their identity
on behalf of them. In my opinion Facebook/Twitter/etc are not identity
providers, they are silos. Sure they are very successful ones and can even be
used as identity providers in some places, but as long as they don't open up
they can easily die at any time.

The author suggests services built on top of these silos that provide proofs
of connection between all the identities. I welcome such initiatives but I
doubt they will lead anywhere, because they are built on top of silos. And a
silo, as soon as it figures out it is losing money, will cut that connection.

What won't die are decentralized published standards and protocols that handle
identity management over the internet. Starting from plain DNS, we can get AoR
for SMTP, SIP, XMPP and on top of that we have frameworks that facilitate
identity management like OAuth2, OpenID etc. All open and standardized. We are
getting there, we just need some more time I guess.

That's why I always thought that Google, who owns email, has much more value
than Facebook, which asks for your email. If Facebook dies, you lose one aspect
of your digital social life. If you lose your email though, you almost lose
your online identity. I really can't get how Zuckerberg has missed that.

~~~
sksksk
They did offer @facebook emails once, and it would integrate with your
messages app.

It didn’t really take off though, and I guess was quietly withdrawn.

[https://techcrunch.com/2010/11/15/facebook-messaging/](https://techcrunch.com/2010/11/15/facebook-messaging/)

~~~
vasilakisfil
yeah I remember that but it was never really pushed forward properly

------
Cantbekhan
I believe that in this day and age we probably all need at least two
identities: the birth/official transparent, trusted one for
official/professional use and an anonymous one for unofficial/online things.

But this is because I think nobody should be fired, de-platformed, banned or
"canceled" for opinions/thoughts outside of those contexts.

Sure you could be fired from your work if you started shouting your opinions
on your workplace. No you shouldn't be fired from your work for anything that
happened outside that work.

Anonymity is needed for the sake of free thinking as a shield to any
current/future mob that could ruin your life/career for just any reason at
all.

In 10 years you might find yourself ostracized because someone found some
20-year-old snippet of code you wrote with "banned words" in it.

I used to think it was an acquired thing that you could have free opinions
with your official identity (political or anything) and not risk your
livelihood for opinions but the thought enforcing mobs are now everywhere and
most companies will bend the knee to their bidding.

And obviously this identity needs to be decentralized to also protect that
identity itself from being ruined by the various de-platforming attempts.

These days, I'm genuinely more concerned about the current mob rule mentality
than government oppression.

------
jeroenhd
Reading the comments, I learned that OpenID is not centralised but rather
provides federation support. I wish I'd known about this sooner before it
died, because it would've been fun to try and use.

I'm sure decentralized authentication won't come on commercial platforms
though. Maybe some developer-centric services will add support once the Next
Big Thing in authentication and authorization comes along, but companies want
to keep as much of their account system under their control as possible. It
might be because of data mining, it might be because of bot prevention, it
might be because of fear of trusting external providers, but I just don't see
any reason why companies would accept such an authentication system.

The closest thing I can see happening is a federated authentication platform
like the EU is implementing with eIDAS. Authentication with your home
government for EU-wide services, tied to your ID card. I don't think something
like that will be implemented for much more than government institutions and
banking, despite the idea having been proven to work.

Simply put, as long as it doesn't make business sense to trust another
provider, businesses won't offer any decentralized authentication methods.

------
dmitshur
I’m happy to support IndieAuth (a decentralized identity protocol built on top
of OAuth 2.0) on my site and give people the option to use their personal
site, if they have one, as a way of identifying themselves and performing
authentication.

I described the motivation in more detail at
[https://github.com/shurcooL/home/issues/34](https://github.com/shurcooL/home/issues/34).

------
synctext
"A Truly Self-Sovereign Identity System", our academic work with Tor-like
privacy[1].

This goes beyond owning your identity. Has government sponsorship. The EU is
currently taking the lead in this area, search terms: "ESSIF: The European
self-sovereign identity framework".

[1] [https://arxiv.org/abs/2007.00415](https://arxiv.org/abs/2007.00415)

------
brentis
Agree. It is decentralized. You need to be able to maintain your identity as a
currency whereby you get compensated for access to it vs. others who get to
monetize your persona. Google, LinkedIn, FB all do this. If you grant specific
rights you maintain your identity and get compensated directly for a business
to gain access to market, contact, or interact with you.

------
Fiahil
A post on decentralized identity without talking about the Decentralized
Identity Foundation
([https://identity.foundation/](https://identity.foundation/)), right there on
the first page when you type "decentralized" and "identity" in Google?

~~~
mirimir
Huh. Do they do more than establish standards?

~~~
geonnave
The standards [1] have several open source implementations [2] and are
currently used by several companies [3].

[1] [https://www.w3.org/TR/vc-data-model/](https://www.w3.org/TR/vc-data-model/),
[https://www.w3.org/TR/did-core/](https://www.w3.org/TR/did-core/)

[2] [https://github.com/decentralized-identity](https://github.com/decentralized-identity),
[https://github.com/mattrglobal/](https://github.com/mattrglobal/)

[3] [https://spaceman.id/](https://spaceman.id/),
[https://www.transmute.industries/](https://www.transmute.industries/),
[https://www.evernym.com/](https://www.evernym.com/),
[https://sovrin.org/](https://sovrin.org/),
[https://mattr.global/](https://mattr.global/)

------
jadbox
I'm surprised that BrightID or 3BOX aren't mentioned for decentralized
solutions:

[https://www.brightid.org/](https://www.brightid.org/)

[https://3box.io/hub](https://3box.io/hub)

------
jariel
It won't be 'decentralized' like 'blockchain' it will be 'decentralized' like
'a hundred different versions of tech, standards, identity providers and use
cases'. Big Corps, startups, banks, and probably the slowest mover -
government.

And it'll continue to mostly be 'account management' and not 'identity
management' proper. We are going to want to 'share less' in a way, as the only
real means really to keep our privacy.

Your bank account info is effectively secure, so are your medical records. So
are your images if you store them with the right provider. The rest ... not so
much.

It's neither utopian, nor dystopian, just 'what it is'.

------
perryizgr8
> The solution is relatively simple. When you create a new account and get to
> choose between "Google login", "Facebook login" and "Email login", pick
> "Email login".

Sorry, but no. I do not trust Random Website where I create an account for
occasional usage to keep my email and password combo safe. I do trust Google
and Facebook to do that. I also enjoy the great experience they offer when I
have to delete said account: just go to google account page and delete the
website from "my logins" or whatever they call it. Most websites don't even
have a procedure to delete account.

------
mikedilger
Identity as a noun is problematic and IMHO usually reflects miscomprehension.
Identity is a relationship. The identity function maps something onto itself.
Authentication checks if the current entity is an entity you remember.

------
IbyvzOneoneh
This makes tracking slightly more difficult, but does it really make
significant difference when you consider all the tools at tracking companies'
disposal?

How does it prevent linking those identities with real identities by using
tools like browser fingerprinting, tracking preferences and stylometry?

I don't really see a way to keep my commenting (and even browsing to some
extent) user friendly and disconnected from my real persona, so I act
accordingly.

However, I'd like to be proved wrong.

------
mirimir
> Built for individuals, I recently launched Keyoxide which uses cryptographic
> keypairs to accomplish decentralized identity verification. While it doesn't
> (and shouldn't!) link an account to a person in the physical realm, it links
> accounts across platforms.

I'm glad to see this! Although it seems to be hugged to death right now :( I
had been using KeyBase for this, but after the recent sale to Zoom, I've
backed away.

------
EGreg
Working on something like this:

[https://github.com/Qbix/auth](https://github.com/Qbix/auth)

The DID spec has been the one big success so far, but implementations matter.
Our implementation has been open sourced, and is compatible with OAuth and
other specs like DID:

[https://github.com/Qbix/Platform](https://github.com/Qbix/Platform)

------
mirimir
> On today's internet, the best we can do is make fully separated accounts,
> link them using technologies like decentralized online identity proofs and
> create our own online personas, with our own open tools that ensure we
> maintain ownership over them.

That's for sure how I see it :) It gives everyone the choice of what mix of
real names and ~anonymous personas to use, and how to link them.

------
fanf2
It is tragic that Mozilla killed Persona just when it was starting to take
off. Sadly I didn’t save the link to a retrospective written by the project
lead, in which it was explained that they gave up because it was taking too
long. But internet standards aren’t like a Megabar that you can foist on
everyone within 6 months, they take years.

~~~
ahopebailie
[https://wiki.mozilla.org/Identity/Persona_AAR](https://wiki.mozilla.org/Identity/Persona_AAR)

------
cs02rm0
Feels like you'd have to lean significantly away from anonymisation to want to
leave public proofs of cross account identities lying around. Maybe that's a
more common use case for businesses and high profile people though than
wanting to link, say, a pseudo-anonymous forum account with a payment account.

------
robbrown451
"As tempting as the alternative is, making these changes will improve your
life"

I know most people on HN believe this, or want to believe this, or especially
want everyone else to believe this, but I still think the statement needs
support. Or at least a qualifier like "in my opinion."

------
totetsu
This paper on a "Decentralized Information Sharing Platform" from some Hong
Kong university students is interesting.
[https://arxiv.org/abs/2002.04533](https://arxiv.org/abs/2002.04533)

------
Trumpi
We literally had this with OpenID. If I remember correctly, it pre-dated
Facebook and the flurry of "Login with XXX" type authentications. But the
corporations like their walled gardens too much and OpenID fell out of favor.

~~~
user5994461
OpenID was replaced by OpenID Connect and SAML.

They mostly operate in federations, which is neither centralized nor
decentralized.

------
mawise
Sounds a lot like IndieAuth, but with keys and math instead of "centralized"
DNS.

[https://en.m.wikipedia.org/wiki/IndieAuth](https://en.m.wikipedia.org/wiki/IndieAuth)

------
bookmarkable
Correctly identified problem.

Far too technical and obscure a solution for 99% of the world.

I think Apple, while not a complete solution, shows a path forward with Sign
In with Apple allowing you to generate a relay email.

As always, whoever nails the user experience will win.

~~~
kevsim
Fully agree. I've had the opportunity to work on identity at 2 former
employers. We tried to push things in this direction as part of exploration
work including discussions with Mozilla around Persona and much more.
Unfortunately every time, we met a fairly insurmountable problem - most users
just don't get it, and even if they get it, they don't care.

I agree this is where things need to move, but we need to make it so simple
that users who don't care can still use it and those who do can get the most
out of it.

------
darepublic
The early internet was all about anonymity. People were actually enthused
about the lack of censorship. These days we want to connect your username to
your identity, and jail you for impure thoughts.

------
mikedilger
Identifier systems will always be distributed in that even in a world where
it is entirely centralized, someone can create another one. Now it's
distributed. The power is in your hands.

------
vjeux
Maybe I’m missing something but the author mentioned using email instead of
Facebook/Google login. Why come up with a complex crypto protocol instead of
using email as the identity key?

~~~
mirimir
Because email alone is vulnerable, without two-factor authentication. And keys
are a great second factor, except for the risk of losing them. Phone numbers
are commonly used, but that's more PII to share, and it can be bypassed. Also,
with something like Keybase or Keyoxide, you can still use multiple email
addresses.

------
Steven-Clarke
[https://www.hyperledger.org/use/hyperledger-indy](https://www.hyperledger.org/use/hyperledger-indy)

------
mirimir
I've been advocating online ~anonymity for many years, and exploring relevant
methods. But I also can't ignore the downsides, particularly the role of
authentication.

I'll have more to say here. But for now, I'll just invite any who are
interested in further discussion to a Podaero group:
[https://podaero.com/dashboard](https://podaero.com/dashboard) with invite
code "44e5576d".

------
leorio
Why isn't there an OAuth system that is purely GPG key based? For example I
could sign some custom message from the server using only my keys, without
ever having to deal with emails.

This way sign-up is as seamless as login. Is there anything like this I can
use? Are websites not doing this because of spam and other issues?

~~~
Leace
You may be interested in
[https://indieauth.com/pgp](https://indieauth.com/pgp)

~~~
leorio
Exactly what I was looking for. Thanks!
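
The "sign a message from the server with my own key" login leorio asks about, as an
added worked example (not from the thread and not IndieAuth's code). It shows the checks
a relying party needs so that signing the server's message is safe: a fresh nonce that
is consumed on first use, an expiry, an audience the client verifies before signing, and
a fixed domain-separation tag so the user never signs raw server-chosen bytes. Ed25519
from the `cryptography` package stands in for an OpenPGP signature (an assumption; the
flow is identical); origins and keys are generated for the demo.

```python
# Added example (not from the thread, not IndieAuth's code): challenge-response
# login where the account *is* the public key. Assumes the 'cryptography' package.
import json
import os
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)

DOMAIN_TAG = b"example-keylogin-v1\x00"  # never let a user sign raw server-chosen bytes


def to_sign(challenge: dict) -> bytes:
    """Canonical octets both sides sign: fixed tag + compact, key-sorted JSON."""
    return DOMAIN_TAG + json.dumps(challenge, sort_keys=True, separators=(",", ":")).encode()


class Server:
    """Relying party. Users are known only by public key; first login creates the account."""

    def __init__(self, origin: str, ttl: int = 120):
        self.origin, self.ttl = origin, ttl
        self.pending = {}   # nonce -> challenge as issued; the server's copy is authoritative
        self.users = {}     # raw public key -> account record

    def challenge(self) -> dict:
        ch = {"nonce": os.urandom(16).hex(), "aud": self.origin,
              "exp": int(time.time()) + self.ttl}
        self.pending[ch["nonce"]] = ch
        return ch

    def login(self, pubkey: bytes, nonce: str, signature: bytes):
        ch = self.pending.pop(nonce, None)       # single use: consumed before any other check
        if ch is None or time.time() > ch["exp"]:
            return None                           # unknown, already used, or expired
        try:
            Ed25519PublicKey.from_public_bytes(pubkey).verify(signature, to_sign(ch))
        except (InvalidSignature, ValueError):    # bad signature or malformed key
            return None
        # Sign-up is the same step as login: an unseen key simply gets a record.
        return self.users.setdefault(pubkey, {"id": pubkey.hex()[:16]})


class Client:
    """The user's side: one long-lived keypair, no email, no password."""

    def __init__(self):
        self.key = Ed25519PrivateKey.generate()
        self.pubkey = self.key.public_key().public_bytes(
            serialization.Encoding.Raw, serialization.PublicFormat.Raw)

    def answer(self, challenge: dict, origin_in_use: str) -> bytes:
        # Refuse challenges for another site: if site B relayed A's challenge to you
        # and you signed it, B could log in as you at A.
        if challenge["aud"] != origin_in_use:
            raise ValueError("challenge was issued for a different origin")
        return self.key.sign(to_sign(challenge))


def demo():
    """Returns (signup_ok, replay_blocked, relay_refused)."""
    app, alice = Server("https://app.example"), Client()
    ch = app.challenge()
    sig = alice.answer(ch, "https://app.example")
    signup_ok = app.login(alice.pubkey, ch["nonce"], sig) is not None
    replay_blocked = app.login(alice.pubkey, ch["nonce"], sig) is None
    stolen = app.challenge()                      # Mallory's site obtained this from app.example
    try:
        alice.answer(stolen, "https://mallory.example")
        relay_refused = False
    except ValueError:
        relay_refused = True
    return signup_ok, replay_blocked, relay_refused


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

The server verifies over its own stored copy of the challenge, not over whatever the
client sends back, so a client cannot alter `aud` or `exp` after the fact. What this
flow does not give you is key loss or rotation; that is the problem the Shamir-style
recovery discussed earlier in the thread addresses.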

------
atlgator
Isn't identity already centralized? Just about every website with a login
system has self-asserted ID.

~~~
atlgator
_decentralized_

------
burtonator
Nothing will be decentralized in the future. It's going to be Amazon all the
way down.

------
1ark
There are quite a few ideas and implementations on top of Ethereum for
decentralized identity that are interesting as well. [1]

1\. [https://docs.ethhub.io/built-on-ethereum/identity/identity-o...](https://docs.ethhub.io/built-on-ethereum/identity/identity-on-ethereum/)

------
alex_young
TL;DR advice is to use email as your account ID method on various sites, and
author's new service to 'verify' the accounts in a central place so people
will know they are the same user between sites.

This isn't really decentralization, is it? It's a new kind of account linking
which requires one to trust the central verification authority.

Maybe I'm missing something.

~~~
Yolta
You wouldn't need to use your email as account id. The account id could even
be completely random, as long as you manage to link back from that account to
your key (in case of twitter, a tweet with the key fingerprint), anything
works! Just add a link to that account to your key.

With regards to decentralization: keyoxide doesn't hold the proofs. Your key
does. You can take your key to any verification system, whether it is keyoxide
website or some CLI tool or an app, and have that verify the proofs. Yes, you
do need to trust the service. But that's where the open source and hopefully
one day, network effect comes into play. If enough knowledgeable people trust
it and talk about it, then less-techy people might one day too.

In the end, what is important to note is this: keyoxide is just an
implementation detail. If soon a different service becomes much more popular
and used, the "decentralized identity proofs" ecosystem still wins! I would
love to see apps get developed where anyone can at the press of a button
verify online identities. That will be the next big milestone.
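
The "account links back to the key" check Yolta describes, as an added worked example
(not from the thread and not Keyoxide's code). The key's claims are given as a list of
OpenPGP notations rather than parsed from a real key; the notation name
`proof@metacode.biz` is the one Keyoxide reads, stated here as an assumption. The
fingerprint and the "fetched" bodies are constructed.

```python
# Added example (not from the thread, not Keyoxide's code): for each account URL
# claimed in the key, confirm that the account's public content names the key's
# full fingerprint. Claims live in the key; any tool can re-run this check.
import re

FINGERPRINT = "3A1F 0C2B 7D9E 4F60 1122 3344 5566 7788 99AA BBCC"  # constructed, not a real key

NOTATIONS = [  # what a real tool would read from the key's self-signature (constructed)
    ("proof@metacode.biz", "https://twitter.com/alice/status/1"),
    ("proof@metacode.biz", "https://dev.example/alice/proof.txt"),
    ("proof@metacode.biz", "https://forum.example/u/alice"),
    ("preferred-email-encoding@pgp.com", "pgpmime"),   # unrelated notation, ignored
]

FETCHED = {  # constructed stand-ins for an HTTP GET of each claim URL
    "https://twitter.com/alice/status/1":
        "Verifying my OpenPGP key: openpgp4fpr:3a1f0c2b7d9e4f60112233445566778899aabbcc",
    "https://dev.example/alice/proof.txt":
        "my key id is 5566778899AABBCC",            # only a 16-hex key ID: forgeable, rejected
    "https://forum.example/u/alice":
        "This account has been suspended.",         # claim still in the key, proof gone
}


def canonical_fpr(fpr: str) -> str:
    """Lowercase hex with spaces, colons and any URI prefix removed."""
    return re.sub(r"[^0-9a-f]", "", fpr.lower())


def claims_from_key(notations):
    """Keep the URLs of proof notations; other notations are not claims."""
    return [value for name, value in notations if name == "proof@metacode.biz"]


def body_proves_key(body: str, fpr: str) -> bool:
    """Accept the fingerprint with or without separators, any case, with or without the
    'openpgp4fpr:' prefix. Only the full 40-hex v4 fingerprint counts: a 16-hex key ID
    can be collided at will and must not be treated as proof."""
    target = canonical_fpr(fpr)
    if len(target) != 40:
        raise ValueError("expected a full 40-hex OpenPGP v4 fingerprint")
    haystack = re.sub(r"[\s:]", "", body.lower())
    return target in haystack


def verify_claims(notations, fetch):
    """Map each claimed URL to True/False; a claim is only as good as its live proof."""
    return {url: body_proves_key(fetch(url), FINGERPRINT) for url in claims_from_key(notations)}


if __name__ == "__main__":
    for url, ok in verify_claims(NOTATIONS, lambda u: FETCHED.get(u, "")).items():
        print(("verified  " if ok else "unverified") + "  " + url)
```

Two practitioner notes the thread's discussion implies: the result depends on what the
platform serves at check time, so a deleted or hijacked account silently turns a claim
into "unverified"; and checking against the key ID rather than the full fingerprint would
let anyone generate a colliding key and hijack the proof.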

------
djsumdog
I agree with a lot of this post. A lot of the left-leaning intellectuals that
are now criticizing the harder-left stances in academia; people like Bret
Weinstein, Jonathan Haidt, Sam Harris, et al. ... I've heard all of them say
they want less anonymity and more accounts tied to real identities.

Whenever I hear this I think, "What? No! That's the opposite direction we
should be going." Identities that are hard locked to real people makes it so
easy to harass, mob, cancel and abuse people. At least in the US, most
employers are at-will, allowing for Viewpoint Discrimination.

Anonymity does have its issues. It also does allow people to harass with more
impunity. But in many ways, it also exposes more of the deep self and the
controversial ideas people have that they are less and less likely to discuss
outside of anonymity.

Even semi-anonymous platforms like Reddit are going back on previous
commitments to free expression of ideas; and the effect is that Reddit is
becoming more one-sided/one-direction, just like the platforms everyone is
fleeing into.

Always use your e-mail to sign up for things. I rarely ever allow applications
to connect via social media/OAuth. There was a time on the Internet where we
thought all identity providers could be interchangeable. I ran an OpenID IDP
for years, but fewer and fewer sites allow OpenID logins:

[https://battlepenguin.com/tech/the-decline-of-openid/](https://battlepenguin.com/tech/the-decline-of-openid/)

~~~
clairity
how about we have a whole range of options so that we can express our full
selves via the various venues made available?

sometimes you want (pseudo-)anonymity and sometimes you don't. being able to
pick and choose seems to offer the greatest freedom, rather than pigeon-holing
everyone into one option.

~~~
jimkleiber
This! While sometimes I want to use a pseudonym, there are many times I want
to say "I am the human who I say I am," and currently, that means hoping a
platform will magically verify me (if they even verify anyone) or, I suppose,
posting a copy of my ID to the internet, and even that doesn't work so well.

While there are many routes to be semi-anonymous, there are very few to being
verified (or maybe I just don't know about them)

------
magnusmagnusson
Urbit has already done it.

~~~
nanomonkey
Can someone point me to a resource that cuts through all of the jargon that
Urbit uses and describe what it does that is new? I've browsed through their
website and Hoon, the programming language, and can't find anything intriguing
besides a bunch of new names and glyphs for existing terminology.

Is it just new age cabala of decentralized tech to generate hype and intrigue?
I've seen a lot of projects fall into this techno-wizardry naming trap, and
enjoyed it myself, but I'm starting to get tired of the overhead of such
abstractions.

------
foobar_
Is it possible to add proofs for phone or credit card?

------
charlieroth
[https://urbit.org/](https://urbit.org/)

~~~
jeroenhd
I see that they've updated their website since I last looked at it. They still
use some abstract art and meaningless pictures of nature to explain their
concepts, but at least the description makes sense now.

Sadly the system cannot be used easily for any applications storing personal
information since your identity is tied to a blockchain and the GDPR requires
companies to make information deletable.

The reliance on abstract art for trying to make their points come across is
still too vague for me to give the project a try, but who knows, maybe in
another year or two the project and its concepts will actually be
understandable enough for me to give it a shot.

~~~
nanomonkey
Urbit does seem to have an overabundance of weird jargon and glyphs that
reinvent existing technologies; it just reeks of techno-alchemy.

As to your second point, I'm curious if any decentralized system will ever
allow for full deletion of information once it has been replicated by another
client. Any gossip protocol, or decentralized CRDT document system has to take
into account that a client will go offline and retain information once it has
been released into the wild. Whether or not a request to "delete" or hide that
information is followed through with is almost impossible to regulate. It's
perhaps more important to realize that what we publish, may always exist out
there.

That being said, clients could randomly ask for "tombstoned" information to
verify that other clients comply to a delete request, but it will likely
always exist somewhere.

------
markus_zhang
Yes, it might be de-centralized, but in a different way. It will simply be
distributed to different bureaucracies/aristocracies/warlords/agencies/etc.,
with each jealously holding its part and trying to grab the rest from the
other players.

