The IOTA Foundation and walt.id to Bring Seamless Sign-In to the World
The IOTA Foundation is developing a privacy-preserving login system based on self-sovereign identity (SSI) called Login With IOTA, which allows traditional (Web2) and decentralized (Web3) apps to easily onboard users. In this system, users remain in full control of their data and will be able to securely share information at their discretion.
In March this year, we launched a Request For Proposals to find partners to help implement Login With IOTA. We thank all participants for their submitted proposals: frankly, we were blown away by the care and thought put into all of them, and ultimately chose a proposal by walt.id that covers both Web2 and Web3 solutions.
Walt.id is a provider of identity, NFT, and wallet infrastructure for developers and enterprises, offering expertise and services from conception through implementation and support to managed cloud services. The company’s products are all open source and are used by governments, public authorities, enterprises, and decentralized autonomous organizations to build applications and use cases for Web3 identity, NFTs, and wallets quickly and without much complexity.
The proposed solution will offer privacy-preserving login systems that can be easily integrated with any application and follows well-defined standards to reach maximum interoperability.
As a result of the collaboration with walt.id, IOTA Identity will be integrated into walt.id’s open-source SSI infrastructure solutions, which will be able to support the IOTA ecosystem next to other identity ecosystems like EBSI (EU Blockchain Service Infrastructure), Gaia-X, the Velocity Network, Ethereum, and more.
What is Login With IOTA?
Login With IOTA allows websites and applications to onboard users while respecting the user’s privacy, reducing friction, and offering enhanced security.
The system will be interoperable with existing standards like OpenID Connect (OIDC), which is used by over 50,000 websites with more than one billion accounts. These existing accounts are unfortunately mostly centralized around big tech providers, whose commercialization of data has been detrimental to the privacy of users.
In a previous blog post, we discussed why this centralization is problematic and why we need Login With IOTA. Feel free to go back and read the blog post if you haven't already! In this blog post, we’ll describe the proposed solutions in a little more detail and give an idea of what kind of use cases these solutions will enable.
The main goal of Login With IOTA is to develop a login system that can utilize cutting-edge digital identity approaches like decentralized SSI and bridge the gap between these approaches and today's identity infrastructure for single sign-on (SSO). As such, this project has two parts:
- Web2 SSO: this will enable backward compatibility between new, decentralized identity paradigms (SSI) and traditional, centralized identity and access management (IAM) infrastructure and tooling (e.g. Keycloak). This part will be valuable for developers and businesses who are building and maintaining “traditional” Web2 apps.
- Web3 SSO: this will provide SSI-based user onboarding processes by utilizing the IOTA Identity framework directly. This part will be valuable for developers and businesses who are building Web3 dApps.
To pave the way for fast and widespread adoption, the project will use globally-recognized standards like OIDC for authentication and data exchange with widely-used W3C Verifiable Credentials to model identity data.
Because data security is integral to digital identity, data sovereignty, data protection, and privacy are of vital importance for the adoption of this project. That is why these areas will receive special consideration in the design and implementation of the solution. For example, the identity provider will be implemented as a blind participant, which logs and stores little to no information.
The developer experience is also essential, including factors like openness (in standards and interfaces), service composability, interoperability, complexity abstraction and ease of integration with existing infrastructure, tools for development and testing, as well as documentation. Consequently, Login With IOTA will enable easy adoption and significantly decrease time-to-market for implementations: adding new identity providers will become a matter of minutes since the solution follows well-defined standards and can be used with any compliant library.
How does it work?
The system we envision with walt.id will allow you to selectively share personal data like your email address and any other information you would normally have to repeatedly provide, such as your address, phone number, date of birth, and more. The difference is that you only have to enter this information once in your SSI wallet, creating a much smoother experience when you visit websites that enable this technology, just like with centralized providers. But in this case, you remain completely in control over the data. In addition, this also allows you to share verifiable information using the Verifiable Credentials mechanism.
With Verifiable Credentials, not only can you share information, but you can also prove the validity of the information. The information you share would have to be signed by a trusted third party such as a governmental agency, a bank, or another trustworthy entity, but you decide who to share this information with. It will be the responsibility of the requester to prove that they need this information from you and explain what you will get in return.
As briefly described, the outcome of the implementation will be two solutions, one targeting existing ecosystems, which we call Web2 SSO, and another that targets forward-looking standards, which we call Web3 SSO.
The Web2 solution will be fully compliant with the widely-adopted OIDC standard, allowing adopting applications to onboard identities with a simple configuration change. One outcome of the project will be the delivery of an identity provider that acts as a bridge between SSI and the traditional Web2 world. This component can be hosted by anyone, allowing multiple trustworthy providers to exist side by side. This is important because the Web2 login will still require the identity provider to be reachable under a stable domain, which must ultimately be controlled by someone. So choosing who you trust to relay your SSI information to traditional apps is still important.
The developed solution will work alongside traditionally-centralized identity providers, so application developers can mix and match identity providers and thereby identity ecosystems as they like.
From a more technical perspective, the proposed solutions will work as follows. Once a wallet user wants to use their identity credentials to sign into a service (e.g. they click on a “connect wallet” button), existing identity and access management solutions forward the user to the identity provider through a process called “federation”. The identity provider then connects with the user’s wallet and requests identity credentials, which can then be verified against customizable policies. The verification result is sent back to the identity provider and translated into a format (such as a JSON Web Token) that can be used by traditional IAM tools.
While the IDP Kit (the bridge identity provider described above) will be able to integrate with existing OIDC IAM solutions, it can also be used directly for simpler use cases where a fully-fledged IAM tool might not be needed. From a user's perspective, the experience will be exactly the same.
The Web2 approach will be useful for existing applications that already integrate OIDC and are looking to offer more privacy-preserving options.
The Web3 solution is built around an emerging standard called Self-Issued OpenID Connect Provider (SIOP), which allows users to sign up and sign in while fully preserving their privacy. Centralized identity providers are not needed for this approach, since each identity wallet or agent functions as its own provider. This allows users and applications to establish authentication peer-to-peer while utilizing self-sovereign identities.
Additionally, it is possible to share claims or credentials through this authenticated channel, allowing rich interactions beyond the scope of authentication. For example, a credential providing an age-proof may be shared for purchasing age-restricted goods and services.
The Web3 approach will be very interesting for newly-built applications that want to get privacy right from the start or for existing applications to transition into.
In close collaboration, walt.id and the IOTA Foundation will implement the project over the coming months and officially launch the first version in autumn 2022. We would love to hear what you want to build with this project! Join the IOTA Discord and hop on the #identity channel.
If you want us to keep you updated about the progress and launch of this project, register your interest here. We’ll also organize a free webinar to provide you with more details about the project, including solution design, demos, and a Q&A.
Walt.id builds identity, NFT, and wallet infrastructure for developers and enterprises.
The company’s products are already used by governments, public authorities, enterprises, and decentralized autonomous organizations to build applications and use cases with Web3 identity, NFTs, and wallets fast and without much complexity.
All products are open source (Apache 2) and industry-leading experts provide holistic services from conception over implementation and support to managed cloud services.