# History of Digital Identity
Digital identity can be roughly explained through its four epochs of evolution.
## Epoch 1 (1950-1988): Emergence of Shared Computing
### Early Computing
In the initial stages (1950s-early 1960s), digital identity didn’t exist as a concept. Security focused on physical access control for large, single-user mainframe computers. There was no technical need to differentiate users digitally.
### Time-Sharing & First Passwords
The introduction of time-sharing systems (like CTSS around 1961) allowed multiple users to share one computer concurrently. This created the need for user separation and led to the first password system to protect individual files, though it was initially insecure.
### Multi-User Operating Systems & Local Accounts
Systems like Unix (born 1969) and later Windows NT formalized the concept of the local user account tied to a specific machine. These accounts included usernames, User IDs (UIDs), group associations (GIDs), passwords, and home directories to segregate user data and processes.
### Enhanced Local Account Security
Recognizing the flaws of plaintext passwords, techniques like password hashing (converting passwords to non-reversible forms) and salting (adding unique random values before hashing) were developed in the 1970s to improve security.
### Formal Access Control Models
To govern what authenticated users could access, formal models emerged, including Discretionary Access Control (DAC, owner controls access), Mandatory Access Control (MAC, system-wide policies), and Role-Based Access Control (RBAC, permissions based on roles).
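The three models decide the same kind of request from different inputs. The following is an added example, not code from the page, with all users, labels and roles constructed; the MAC policy is the Bell-LaPadula "no read up, no write down" rule, chosen here as one concrete system-wide policy.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# All users, labels and roles below are constructed for this example.


@dataclass
class DacObject:
    """DAC: the object's owner decides who else may do what."""
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)


def dac_grant(obj: DacObject, granter: str, user: str, action: str) -> bool:
    """Only the owner may extend the ACL; anyone else is refused."""
    if granter != obj.owner:
        return False
    obj.acl.setdefault(user, set()).add(action)
    return True


def dac_allows(obj: DacObject, user: str, action: str) -> bool:
    return user == obj.owner or action in obj.acl.get(user, set())


# MAC: labels are assigned by the system, not by owners, and owners cannot
# override them. Bell-LaPadula rules: no read up, no write down.
LEVELS = {"public": 0, "internal": 1, "secret": 2}


def mac_allows(subject_level: str, object_level: str, action: str) -> bool:
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    return False


# RBAC: permissions hang off roles; users are assigned roles, never permissions directly.
ROLE_PERMS = {"admin": {"read", "write", "delete"}, "auditor": {"read"}}
USER_ROLES = {"alice": {"admin"}, "bob": {"auditor"}}


def rbac_allows(user: str, action: str) -> bool:
    return any(action in ROLE_PERMS.get(r, set()) for r in USER_ROLES.get(user, set()))
```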
## Epoch 2 (1990s-2000s): Evolution in Enterprises
### Enterprise Centralization
As networks grew, managing individual local accounts became impractical. Technologies like LDAP (for directory services, c. 1993) and Kerberos (for network authentication, c. 1988) allowed organizations to manage user identities centrally from an authoritative source (like Active Directory).
### Web Federation & Single Sign-On (SSO)
The rise of the web left users with too many passwords. Federated identity protocols like SAML (c. 2002/2005), OAuth (c. 2006/2012), and OpenID Connect (c. 2014) emerged. These allow users to log in once with a trusted Identity Provider (IdP) and access multiple independent services (service providers or relying parties, SPs/RPs), enabling SSO.
## Epoch 3 (2006-): Social Identity
### Delegated Authorization (OAuth)
OAuth specifically emerged as an authorization framework, enabling users to grant third-party applications limited access to their resources (hosted elsewhere, like photos or contacts) without sharing their main password.
### Standardized Web Authentication (OIDC)
OpenID Connect (OIDC) was built on top of OAuth 2.0 to provide a standard identity layer specifically for authenticating users (proving who they are) for web and mobile applications.
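The identity layer OIDC adds on top of OAuth 2.0 is the signed ID token that the relying party must validate before trusting the user's identity. This added example (not from the page or any OIDC library) mints a token as an IdP would and validates it as a relying party should; the issuer, client ID and secret are constructed, and HS256 with a shared secret stands in for the asymmetric signing keys a real IdP publishes.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values: a real IdP signs with an asymmetric key published via JWKS;
# HS256 with a shared secret is used here only to keep the example self-contained.
SECRET = b"constructed-client-secret"
ISSUER = "https://idp.example"
CLIENT_ID = "my-app"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict) -> str:
    """What the IdP does after the user authenticates: sign the ID token (a JWT)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def validate_id_token(token: str, expected_nonce: str, now: Optional[int] = None) -> Optional[dict]:
    """What the relying party checks before trusting 'sub'. Returns the claims or None."""
    now = int(time.time()) if now is None else now
    try:
        header, body, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm: rejects alg=none and substitution
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    aud = claims.get("aud")
    aud_ok = aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)
    if claims.get("iss") != ISSUER or not aud_ok:
        return None  # token was not issued by our IdP, or not for this client
    if claims.get("exp", 0) <= now or claims.get("nonce") != expected_nonce:
        return None  # expired, or not bound to the login request we started
    return claims
```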
## Epoch 4 (2015-): Decentralization and Root of Trust
### Decentralized & Self-Sovereign Identity (SSI)
Driven by concerns about security, privacy, and lack of user control in centralized/federated models, this current movement aims to give control back to the user. Using technologies like Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs), users can create and manage their own identifiers and credentials, storing them in digital wallets and sharing only necessary information with consent. This model decouples issuers, holders (users), and verifiers, potentially enabling offline verification.
### Government Driven Frameworks
In parallel with technological advancements, governments have increasingly played a role in shaping digital identity through various frameworks and initiatives. These efforts aim to provide trusted, secure, and interoperable digital identities for citizens and businesses.
One significant example is the eIDAS (electronic Identification, Authentication and trust Services) Regulation in the European Union. Established in 2014 and updated with eIDAS 2.0, it provides a framework for national electronic identification schemes and trust services to ensure secure cross-border electronic transactions. eIDAS 2.0 aims to establish a European Digital Identity Wallet for all EU citizens, residents, and businesses by the end of 2026, enabling users to access online and offline services, store digital documents, and create electronic signatures. The framework emphasizes user control over data sharing and aims to improve cybersecurity and fraud prevention.
In the United Kingdom, the DIATF (Digital Identity and Attributes Trust Framework) is being developed to create a secure and interoperable system for digital identity verification. It sets out standards and best practices for digital identity providers to follow, with the goal of enabling reliable digital identity or attributes to be trusted by relying parties. The DIATF is relevant to Identity Service Providers, Attribute Service Providers, Orchestration Service Providers, and Relying Parties, and certification against the framework is encouraged for various use cases, including accessing government services and right to work/rent checks.
Another key development is the emergence of mobile Driver’s Licenses (mDLs). These are digitized versions of physical driver’s licenses and identification cards stored on mobile devices. mDLs offer the potential for increased convenience, enhanced security features like selective disclosure of information, and real-time updates. Various jurisdictions and organizations, such as the American Association of Motor Vehicle Administrators (AAMVA) and the TSA in the United States, are working on standards and implementations for mDLs to be accepted for identity verification in both online and offline scenarios.
These government-driven frameworks and initiatives highlight the growing recognition of the need for trusted and interoperable digital identity solutions to support secure and seamless digital interactions in an increasingly connected world.