This is a chapter from the book Token Economy (Third Edition) by Shermin Voshmgir. Paper & audio formats are available on Amazon and other bookstores. Find copyright information at the end of the page.
If properly designed, a blockchain wallet could serve as the foundation for both user-centric and privacy-preserving identity management systems. In combination with Decentralized Identifiers (DIDs), blockchain networks can provide more sophisticated decentralized identity management solutions, reducing friction and costs for all participants involved.
Identity management refers to the processes by which individuals, organizations, and objects are identified and authenticated—which is the basis for trustworthy social and economic interactions. Governments issue birth certificates, IDs, passports, and driver’s licenses; schools and universities issue diplomas and licenses; healthcare providers manage personal health records; and companies manage their client, business, and employee data. Historically, such licenses, certificates, and records were mostly analog, issued and managed by governmental institutions and companies. The advent of the Internet created the need for digital identity systems; however, the Internet Protocol lacks a native identity layer because it was only designed to address and identify computers—not people, organizations, or objects.
To resolve this issue, identity management systems had to be built on the application layer of the Internet. Private computer infrastructure was used to manage the data involved in issuing identities, managing passwords, and verifying credentials of people, institutions, goods, and services. These systems rely on username–password combinations and centralized databases—a concept adapted from pre-Internet systems—that centralize all aspects of identity management, including issuing identifiers, authentication methods, credential provision, and data storage. The result was fragmented and incompatible data silos that impose significant costs and limitations on users, companies, and governments alike.
Password chaos: Today, users must manage an overwhelming number of usernames and passwords, resulting in scattered fragments of personal data across the Web. Single sign-on solutions that emerged over time—offered by companies like Google, Meta, or Apple—simplified this process but introduced significant drawbacks, as these providers can monitor and unilaterally issue and revoke access, potentially locking users out of multiple services simultaneously.
Data portability: Businesses and customers depend on being able to move identity data between systems. Supply chains rely on it to trace the provenance of goods and services and to reduce document-handling costs, and individuals rely on being able to export their personal data when they change service providers. In client–server setups, however, enabling such portability entails high operational costs and technical challenges.
Control, security, and custodial costs: Users have limited control over their personal data. They are often unaware of how their data is used or shared and must trust these companies to secure their data. Their digital footprints are often stored in plain text, enabling extensive data mining for user profiling, advertising algorithms, and other profit-driven activities. This personal data has become a new form of product—an asset class in its own right—and has contributed to what privacy advocates call “Surveillance Capitalism.” Even if data is not exploited for commercial purposes, username–password combinations can still be compromised in data breaches, which occur frequently. The management of identity-related data is therefore expensive, and security largely depends on the business ethics of the service provider and the legal framework of the country where the company operates.
History of Digital Identity Management
Over the past decades, there have been many efforts to create more collectively controlled identity management systems for the Internet. In 1999, Microsoft launched “Microsoft Passport,” a federated identity solution aimed at reducing password chaos by offering a single identity service for multiple Internet services. However, this solution required a coordinator, placing Microsoft at the center of control. In 2001, Sun Microsystems introduced the “Liberty Alliance,” which distributed control across multiple institutions but still tied personal data to individual service providers. That same year, the “Identity Commons” initiative began consolidating work on digital identity, emphasizing decentralization, which later led to the creation of the Internet Identity Workshop in 2005.
Open-source developers pursued more user-centric identity solutions, such as “OpenID,” which allowed individuals to control their identities using personal domain names and data stores. These solutions countered the server-centric model by enabling users to grant permission for their data to be shared. However, these solutions never found mainstream adoption. They lacked user-friendliness and critical mass adoption to create the necessary network effects.
Around 2008, companies like Facebook embraced some ideas from OpenID and paired them with their centralized systems, offering simplified usability. “Facebook Connect” allowed users to sign in to various services by simply using their existing Facebook credentials, saving time and effort for users and reducing costs for smaller Internet startups that did not have to create their own identity systems. It centralized control over users’ digital identities, extending to their browsing histories, social media activities, and geolocations. Network effects played into Facebook’s hands because of its large user base. This model became the blueprint for other Internet providers like Google, Amazon, and Apple to offer similar services, and together they soon dominated the online identity market—including all personal data and digital footprints of their users. They simplified the processes of storing user identities, authentication details, and payment information. The usability of their services created a feedback loop in which more users attracted even more users, further entrenching the dominance of these platforms and discouraging users from engaging with smaller competitors. Consequently, the Internet has become re-centralized around a few major providers, although it was originally intended to be much more decentralized.
To counter this, decentralization advocates continued exploring user-centric alternatives. The “Web of Trust” initiative, rooted in the “Pretty Good Privacy” (PGP) movement, introduced asymmetric cryptography for identity validation, with users signing each other's keys instead of relying on a certificate authority. However, its reliance on email addresses as identifiers tied it to centralized naming institutions such as “ICANN,” limiting adoption. Visionaries like Christopher Allen elevated the debate by proposing the concept of Self-Sovereign Identity. He laid out ten principles of data management and data sharing over the Web, which inspired various initiatives, including “Social Linked Data” (Solid), “Rebooting the Web of Trust,” and “WebID.” The aim of all these initiatives is to establish international open standards that decouple the issuance of credentials from their verification, addressing the limitations of server-centric systems.
With the advent of blockchain networks, decentralization efforts gained momentum. A blockchain account is nothing more than a key pair that the user generates locally, so the public-key infrastructure of blockchains fits open and user-centric initiatives naturally: no email address, registrar, or central authority is involved in obtaining an identifier. Since identification in blockchain networks is limited to a pseudonymous address, however, it needs to be complemented with more sophisticated solutions.
Key Elements of Identity Systems
The key elements relevant in any identity management system, centralized or decentralized, online or offline, are identifiers, authentication, and credentials.
Identifiers uniquely identify a person, organization, or object. Examples include email addresses, phone numbers, and social security numbers. While names are not always unique or persistent, identifiers like serial numbers or passport numbers are designed to be both unique and consistent over time. Their persistence can vary by country or institutional policy, as some document numbers may expire. Identifiers also play a critical role in tracking objects (e.g., product serial numbers) and organizations (e.g., company registration numbers used for taxes or subsidies). Blockchain networks, such as the Ethereum network, use blockchain addresses as identifiers. Such an address is derived from the public half of a key pair the user generates locally (in Ethereum, the last 20 bytes of the Keccak-256 hash of the uncompressed public key), so nobody issues it and anyone can check whether a signature belongs to it.
Authentication refers to the process by which a person, institution, or object proves that it is what it claims to be. A person can authenticate by proving possession of something (an ID card, or a hardware or software wallet holding a private key), knowledge of something (a password or PIN), or a personal characteristic (biometric data or a handwritten signature). Strong authentication combines at least two of these factors. Biometrics are convenient and hard to share, but they are not secrets: a fingerprint or a face cannot be rotated once a copy has leaked, so they work best as one factor alongside a possession factor rather than on their own. Traditional documents such as ID cards use analog authentication through photos and signatures, while digital systems rely on passwords or public-key cryptography. In most systems in use today, personal data and authentication credentials are managed by centralized entities. Blockchain networks instead authenticate by digital signature: a transaction is valid only if it is signed with the private key belonging to the sending address, which no central party issues or can reset. This is both more user-centric and decentralized, and it also means that losing the key loses the identity unless a recovery mechanism is designed in.
Claims & credentials: An identity is useless without linking relevant information to the identifier of a person (personal data), institution (institutional data), or object (object-related data). For individuals, this could involve personal claims (e.g., birthplace, address, or educational achievements) or third-party credentials confirming those claims. Personal data may also extend to information such as browsing activity, social media engagement, or geolocation, which services record and link to the identifier. For organizations or objects, relevant data may include certifications, legal registration, or usage history.
Decentralized Identifiers
Decentralized Identifiers (DIDs) are a proposal for managing online identities such that individuals and institutions have full control over their identity-related information. Building on the principles of decentralization and privacy, DIDs provide a public, pseudonymous, and unique digital identifier for a person, company, or object, giving users greater control over their data without depending on centralized institutions to host it. The DID Core specification was developed by a working group of the “World Wide Web Consortium” (W3C) and published as a W3C Recommendation in 2022. A DID is a URI of the form did:<method>:<method-specific-id>; each DID method defines how such an identifier is created, resolved, updated, and deactivated, and resolving a DID yields a DID Document that lists the public keys (verification methods) and service endpoints its controller uses. To remain independent of centralized registries, the controller of a DID must be able to prove control with a key that only they hold, which is exactly the property of the self-generated key pairs used in blockchain networks; blockchain-anchored methods are one option, although the specification itself does not require a blockchain. Around these identifiers, credentials can be issued and verified, with the user (the identity owner) remaining at the center of these interactions and in full control of their data. Key participants necessary in the DID ecosystem include:
Identity issuers: Trusted entities such as governments, universities, or private institutions that issue signed credentials about an identity owner (a driver's license, a diploma, a proof of employment).
Identity owners (also called holders): Individuals who keep credentials in their Web3 wallets and decide when, with whom, and which parts of their data to share.
Identity verifiers: Third parties, such as businesses or service providers, that check a presented credential's signature, issuer, and status before granting access to services (for example, a movie theater might verify a government-issued credential to confirm a moviegoer's age).
Role of Blockchains & Wallets
Blockchain wallets represent a promising avenue for the adoption of DIDs, as they align well with the cryptographic infrastructure that DIDs require. Although blockchain addresses fulfill the foundational properties of a DID, they lack the rich metadata and flexibility defined by the W3C specification. However, with a blockchain-based DID method such as did:ethr, users can create a DID simply by setting up a blockchain wallet: the wallet generates a pair of private and public keys, and the resulting address becomes the method-specific part of the identifier. This DID can then be linked to credentials issued by trusted entities, such as governments, universities, or employers, attesting to identity attributes like name, address, email, age, or certifications. This means that blockchain networks can facilitate the public, verifiable registration of DIDs for all participants.
In this context, the blockchain wallet functions as the virtual counterpart of a physical wallet, storing digital credentials (electronic versions of driver's licenses, bank cards, diplomas, bonus points, or memberships). The credentials themselves are signed by their issuers and held off-chain in the wallet; what the holder creates is a presentation, which bundles the credential (or selected parts of it) with a signature made using the private key behind the holder's DID, and which can be handed over in a format such as a QR code. When a service provider scans it, the verifier, not the nodes of the network, checks three things: that the issuer's signature is valid against the issuer's public key, which it resolves from the issuer's DID Document (this lookup is where a blockchain can act as the registry); that the credential was issued to the presenting DID and that the presenter has just proven control of that DID's key, typically by signing a fresh challenge so that a copied QR code cannot simply be replayed; and that the credential has not been revoked. If all checks pass, access is granted, enabling use cases such as age verification for alcohol purchases or eligibility for renting a car. Beyond verifiable credentials, non-attested data, such as browsing histories or social media activities, can also be associated with a DID, granting users direct control over their broader digital footprint.
An example of this approach is the Brave browser, which integrates a Web3 wallet to allow users to control their digital activities and data without relying on third-party identity providers like Google or Facebook. Users remain in control of their digital footprint, as they can selectively reveal digital credentials through their wallets in a privacy-preserving manner:
Selective disclosure: Users decide which data to share and with whom, thereby maintaining control and consent over their information.
Attestation: Blockchain networks can serve as the public registry for issuers' DID Documents and for revocation status. Verifiers can thus confirm the validity of a credential's signature and the identity of the issuing institution without the credential data ever being written on-chain; the data itself stays with the holder.
Dynamic updates: Revocation registries enable issuers to revoke or update credentials as circumstances change (e.g., address changes or expired certifications).
As wallet developers and Web3 application developers incorporate the DID framework into their products, blockchain networks could become the foundation of decentralized identity management or blockchain-native DIDs. The blockchain ecosystem has a natural incentive to do so, as many decentralized applications rely on tokens that possess more complex properties than simple, fungible currency tokens. DID-based systems are therefore an ideal complement to non-fungible or otherwise metadata-rich tokens.
Although DIDs are gaining traction in both decentralized and centralized identity management systems, widespread adoption by infrastructure and application developers remains critical for the success of the system. At the time of writing this book, some wallet developers have started to explore DID support, but it is not yet a universal feature. For the DID framework to be successful, it must be integrated across a wide range of platforms and applications to fully realize its potential—network effects matter. Mainstream adoption can only expand if all stakeholders develop compatible software and embrace the system.
Outlook
User-centric identity solutions that combine blockchain accounts with DIDs can facilitate data portability, enabling individuals and institutions to reuse credentials seamlessly across services. This reduces friction in verification processes, accelerates onboarding, and is generally more privacy-preserving. For companies, these systems lower the costs and time associated with Know-Your-Customer processes and can help systems comply with privacy laws. They can decrease customer drop-off rates and minimize other opportunity costs. However, Decentralized Identifiers and their associated frameworks are evolving. Their success depends on widespread, cross-platform adoption. Whether DIDs will be widely adopted by Web3 developers remains to be seen. Other solutions may arise, but the underlying concept of user-centric identity systems remains the same. Factors that can influence and impact the adoption of DIDs include the development of privacy-preserving on-chain and off-chain solutions, improved storage solutions, more sophisticated blockchain account abstractions, and similar endeavors:
Wallet usability: One critical challenge in user-centric identities is determining what happens if a user loses their private key. Traditional identity systems have built-in recovery processes (such as government reissuance), but decentralized systems must design secure, user-friendly key recovery or delegation mechanisms without compromising privacy or security. More user-friendly wallet solutions, such as account abstraction initiatives in the Ethereum ecosystem, could resolve the complexities of managing digital wallets, a prerequisite for the real-world adoption of blockchain wallets.
Privacy vs. accountability: In applications such as finance and healthcare, regulators typically require some level of traceability or identity verification. This raises important questions about how to balance user privacy with accountability. Zero-Knowledge Proofs and other privacy-preserving tools enable users to prove the validity of specific claims (for example, age or citizenship) without revealing the underlying data, further strengthening privacy. Their increased adoption in blockchain system architecture can influence DID adoption.
Data storage: Personal data in user-centric identity frameworks can be stored securely in two primary ways. Sensitive data can be kept directly on the user’s device or in private identity hubs such as “TrustGraph” or “3Box.” Less sensitive data can be managed collectively using decentralized storage networks like the “InterPlanetary File System” (IPFS) or “OrbitDB,” reducing redundancy and enhancing interoperability. Anything placed on a public network such as IPFS is readable by whoever obtains its content hash and cannot be deleted on demand, so it must be encrypted client-side before upload, and the choice of what counts as “less sensitive” has to take privacy law into account. These systems help prevent data lock-in by enabling users to interact seamlessly across multiple platforms.
Modular Off-Chain Solutions: KERI (Key Event Receipt Infrastructure) has been developed as a ledger-independent key-management infrastructure: a controller's key events (creation, rotation, delegation) are recorded in a signed event log that a set of designated witnesses receipts, which minimizes the role of blockchain networks within the overall system architecture. By shifting this functionality off-chain, the initiative aims to enhance scalability, although scalability challenges are increasingly being addressed by blockchain ecosystems themselves.