SSO versus SSI
In a fast-changing workplace, education is becoming a lifelong endeavor. Several efforts are under way to establish national education platforms that aim to unify what has become an increasingly complex system of traditional and non-traditional educational offerings. These efforts frequently start with providing a single, nationwide, lifelong educational identifier in connection with Single Sign-On (SSO); SSO means the user has one username (unique ID) and one password which behind the scenes logs him or her into various services, oftentimes more or less seamlessly crossing system boundaries. Some efforts go as far as establishing central data pools for lifelong educational credentials. These centralized efforts have great potential, but they also bear risks due to their centrality:
- One unique ID can be tracked across services. Particularly when it comes to commercial services, identifiable user information may take unexpected and undesired „journeys“ in the event of corporate acquisitions.
- A central identity provider is a single point-of-failure. If the central identity provider for whatever reason becomes inoperable, the system breaks down. Decentralized and redundant systems are far less vulnerable.
- Central repositories are vulnerable to attacks. This ranges from typical breaches to ransomware and vandalism.
- National data pools do not provide sufficient international mobility. Educational systems increasingly enable students to earn and transfer credits across national lines, and an identity system would ideally support that mobility.
- National data pools are vulnerable to political instability and wars. While this seems hard to fathom and far-fetched, far too often, refugee students are arriving at universities without verifiable academic transcripts since their records are held back or worse, their home institution was destroyed.
An alternative to centralized identity management and central data pools is the concept of user self-sovereignty. Self-Sovereign Identity (SSI) represents a break from the traditional client–server model of user interaction with institutions and their online services.
Today, in most cases, a user’s client machine connects to a server using IP addresses. The server stores all relevant user data for the service. Authentication for user sessions is handled either by service-specific username/password combinations or, increasingly, by SSO identity providers, either within institutions, within federations of institutions, or worldwide by third parties (e.g., Google, LinkedIn, or Facebook).
In contrast, SSI is built around connections. Entities, be they users, institutions, or services, connect via Decentralized Identifiers (DIDs) instead of IP addresses, and these connections remain persistent across what traditionally might be called sessions. These DIDs can be specific to one particular connection and are pseudonymous, which makes the entity behind the DID untraceable across connections with different entities. Users may generate as many DIDs as they want; for example, they may choose to be different personas for different functions, like one persona for social networking and another one for educational purposes.
The endpoints of the connections are called agents and may be on an individual’s personal device (edge agent) or in the cloud (cloud agent). Data is stored with the user; where necessary, the integrity of this user-hosted data is verifiable against a crypto-secured ledger via Verifiable Credentials (VCs).
SSI is peer-to-peer, so there are essentially no rules on what can or cannot constitute an entity. Typically, an entity would be a person, but it could be a university or an office at a university, some educational service, or even an individual piece of interactive educational content. This drives the 1990s adage „on the internet nobody knows you’re a dog“ to a new level; you could also be a refrigerator (Internet-of-Things (IoT)) ordering new food when it’s empty.
The main impetus of SSI in educational ecosystems is to enable free movement and commerce, without the ever-looming and sometimes paralyzing concerns of data privacy and security. The academic records of U.S. colleges and universities represent billions of dollars in user-invested tuition. SSI enables users to take control of their own data and only reveal information—including their own identities—on a need-to-know basis. With SSI, services are not responsible for the protection and long-term security of user data, reducing their vulnerability to disasters, cyberattacks like ransomware or data breaches, and the lawsuits that can result from a compromise—for a service, being responsible for identifiable user information can be a liability. In some aspects, a self-sovereign ecosystem is a move back to a pre-digital age, when users were responsible for the management of their own paper-based credentials and paid with the untraceable currency of cash.