A blog about Blockchain technology

Distributed Digital Identity

In a new post today, Microsoft announced their embrace of public blockchains for use in decentralized identity systems. Initially, Microsoft will support blockchain-based decentralized IDs (DIDs) through the Microsoft Authenticator app. Today, the Microsoft Authenticator app is already used by millions of people to prove their identity every day. As a next step, Microsoft will experiment with Decentralized Identities by adding support for them to Microsoft Authenticator. With consent, Microsoft Authenticator will be able to act as your User Agent to manage identity data and cryptographic keys. In this design, only the ID is rooted on chain. Identity data is stored in an off-chain ID Hub (that Microsoft can’t see) encrypted using these cryptographic keys.

Unlike the forms of identification used in the world today, a decentralized identity system is not controlled by any single, centralized institution such as a government or large tech company. The idea is that a decentralized identity system removes the possibility of censorship and gives an individual full control over their identity and reputation.
After looking at various types of decentralized identity systems, Microsoft turned to public blockchains due to their ability to enable privacy, self-ownership, and permissionless access. Identity is one of the long-touted use cases of blockchain technology that does not have anything to do with payments or currency. Dozens of blockchain projects related to identity have popped up over the years, with Blockstack ID and uPort being two of the most well-known examples.
Microsoft plans to work with DID method implementations, which follow a specific standard outlined by a W3C working group. However, no specific DID method integration has been disclosed at this time.
Blockchain Identity
A blockchain identity (or blockchain ID) is a generic term used to refer to any identity on the blockchain. Users can have one blockchain identity or many and can register them just like one would register domain names or accounts on Facebook or Twitter.
The main difference between blockchain identities and accounts on any other service is that blockchain-based systems have strong ownership. Blockchain identities can't be confiscated by any service because the system defines ownership according to ownership of public-private keypairs, just like ownership of coins on Bitcoin. This is in direct contrast to Twitter or Facebook usernames, which could be confiscated or censored at any time by the respective companies that they belong to.
As many of us experience every day, the world is undergoing a global digital transformation where digital and physical reality are blurring into a single integrated modern way of living. This new world needs a new model for digital identity, one that enhances individual privacy and security across the physical and digital world. Microsoft’s cloud identity systems already empower thousands of developers, organizations and billions of people to work, play, and achieve more. And yet there is so much more we can do to empower everyone. We aspire to a world where the billions of people living today with no reliable ID can finally realize the dreams we all share like educating our children, improving our quality of life, or starting a business.
To achieve this vision, the folks at Microsoft believe it is essential for individuals to own and control all elements of their digital identity. Rather than grant broad consent to countless apps and services, and have their identity data spread across numerous providers, individuals need a secure encrypted digital hub where they can store their identity data and easily control access to it.
Each of us needs a digital identity we own, one which securely and privately stores all elements of our digital identity. This self-owned identity must be easy to use and give us complete control over how our identity data is accessed and used. To that end, Microsoft is sharing their best thinking based on what they have learned from an initial decentralized identity incubation, an effort which is aimed at enabling richer experiences, enhancing trust, and reducing friction, while empowering every person to own and control their Digital Identity.
In summary, blockchain-based identities will bring the following benefits:
  • Own and control your Identity.
Today, users grant broad consent to countless apps and services for collection, use and retention beyond their control. With data breaches and identity theft becoming more sophisticated and frequent, users need a way to take ownership of their identity. After examining decentralized storage systems, consensus protocols, blockchains, and a variety of emerging standards we believe blockchain technology and protocols are well suited for enabling Decentralized IDs (DID).
  • Privacy by design, built in from the ground up.
Today, apps, services, and organizations deliver convenient, predictable, tailored experiences that depend on control of identity-bound data. We need a secure encrypted digital hub (ID Hubs) that can interact with user’s data while honoring user privacy and control.
  • Trust is earned by individuals, built by the community.
Traditional identity systems are mostly geared toward authentication and access management. A self-owned identity system adds a focus on authenticity and how the community can establish trust. In a decentralized system, trust is based on attestations: claims that other entities endorse, which help prove facets of one’s identity.
  • Apps and services built with the user at the center.
Some of the most engaging apps and services today are ones that offer experiences personalized for their users by gaining access to their users’ Personally Identifiable Information (PII). DIDs and ID Hubs can enable developers to gain access to a more precise set of attestations while reducing legal and compliance risks by processing such information, instead of controlling it on behalf of the user.
  • Open, interoperable foundation.
To create a robust decentralized identity ecosystem that is accessible to all, it must be built on standard, open source technologies, protocols, and reference implementations. For the past year we have been participating in the Decentralized Identity Foundation (DIF) with individuals and organizations who are similarly motivated to take on this challenge.
  • Ready for world scale.
To support a vast world of users, organizations, and devices, the underlying technology must be capable of scale and performance on par with traditional systems. Some public blockchains (Bitcoin [BTC], Ethereum, Litecoin, to name a select few) provide a solid foundation for rooting DIDs, recording DPKI operations, and anchoring attestations. While some blockchain communities have increased on-chain transaction capacity (e.g. blocksize increases), this approach generally degrades the decentralized state of the network and cannot reach the millions of transactions per second the system would generate at world-scale. To overcome these technical barriers, we are collaborating on decentralized Layer 2 protocols that run atop these public blockchains to achieve global scale, while preserving the attributes of a world class DID system.
  • Accessible to everyone.
The blockchain ecosystem today is still mostly early adopters who are willing to spend time, effort, and energy managing keys and securing devices. This is not something we can expect mainstream people to deal with. We need to make key management challenges, such as recovery, rotation, and secure access, intuitive and fool-proof.
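The two mechanisms described above, ownership defined by key pairs and trust built on attestations that other entities endorse, can be shown in a few lines. This is an added example, not code from Microsoft or from this post; the `did:example:` identifiers, the in-memory map standing in for the public ledger, the choice of Ed25519, and all function names are assumptions made for illustration.

```javascript
// Added example: constructed data, hypothetical "did:example" identifiers.
const nodeCrypto = require('crypto');

// Stand-in for the public ledger: it holds only DID -> public key, no identity data.
const ledger = new Map();

function registerDid(name) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const did = `did:example:${name}`;
  ledger.set(did, publicKey.export({ type: 'spki', format: 'pem' }));
  return { did, privateKey }; // the private key stays with its owner
}

// Bytes to sign: fixed field order so signer and verifier agree.
function payload(att) {
  return Buffer.from(JSON.stringify([att.issuer, att.subject, att.claim]));
}

// An issuer endorses a claim about a subject by signing it.
function issueAttestation(issuer, subjectDid, claim) {
  const att = { issuer: issuer.did, subject: subjectDid, claim };
  att.signature = nodeCrypto.sign(null, payload(att), issuer.privateKey).toString('base64');
  return att;
}

// A relying party resolves the issuer's key from the ledger and checks the signature.
function verifyAttestation(att) {
  const pem = ledger.get(att.issuer);
  if (!pem || typeof att.signature !== 'string') return false; // unknown issuer or unsigned
  const key = nodeCrypto.createPublicKey(pem);
  return nodeCrypto.verify(null, payload(att), key, Buffer.from(att.signature, 'base64'));
}

// Constructed sample run.
const university = registerDid('university');
const alice = registerDid('alice');
const mallory = registerDid('mallory');

const degree = issueAttestation(university, alice.did, { degree: 'BSc' });
const tampered = { ...degree, claim: { degree: 'PhD' } };
// Signed with Mallory's key but relabelled as coming from the university.
const forged = { ...issueAttestation(mallory, alice.did, { degree: 'BSc' }),
                 issuer: university.did };

console.log(verifyAttestation(degree), verifyAttestation(tampered), verifyAttestation(forged));
```

The relying party needs nothing from the issuer except the key published under its DID, so an altered claim or a signature made with any other key fails verification.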
Self Sovereign Identity
There is currently no widely used self-sovereign, privacy-enhancing standard for expressing and transacting verifiable claims (aka: credentials, attestations) via the Web. It is asserted that being able to do this must be one of the fundamental building blocks of identity on the next generation Web. There is work that is being incubated at the World Wide Web Consortium (W3C) in the Credentials Community Group as well as the Verifiable Claims Task Force, a part of the W3C Web Payments Interest Group, to identify what a self-sovereign architecture would look like for the Web as well as a number of technical requirements of such an architecture.
Microsoft is collaboratively developing the following key components to address the requirement for a self-sovereign identity:
  • A W3C spec that defines a common document format for describing the state of a Decentralized Identifier.
  • An encrypted identity datastore that features message/intent relay, attestation handling, and identity-specific compute endpoints.
  • A server that resolves DIDs across blockchains.
  • A W3C spec that defines a document format for encoding DID-based attestations.
The following diagram provides an overview of the self-sovereign identity architecture.
For more information and technical papers about Decentralized Identity and Verifiable Claims, please visit
