Page 36 - Implementation of Secure Authentication Technologies for Digital Financial Services

tion™, applies machine learning techniques. These algorithms process and analyze large quantities of previously observed logins and additional contextual data. They learn the characteristics and patterns which enable them to classify requests and detect abnormal activity and possible threat actors.

6.7 Decentralized Identity and Distributed Ledgers

Traditional identity management systems are built on top of centralized authorities such as corporate directory services, certificate authorities, or domain name registries. Each of these organizational centralized authorities serves as its own root of trust. Identity federation emerged as a stopgap solution that enabled identity management systems to work across systems with different roots of trust.

The emergence of distributed ledger technology (DLT) provides the opportunity for developing a new approach to decentralized identity systems. In a decentralized identity system, entities are able to use any shared root of trust. Distributed ledgers provide a means for managing a root of trust with neither a centralized authority nor a single point of failure. In combination, DLTs and decentralized identity systems enable any entity to create and manage their own identifiers on any number of distributed, independent roots of trust [10].

One approach to decentralized identity systems has been labeled "Self-Sovereign Identity". The proponents of this approach have developed a set of design principles [11]:

1. Existence: Entities must have an independent existence.
2. Control: Entities must be able to control their identities; they should be able to refer to, update or hide them.
3. Access: Entities should have access to their own identity and related data.
4. Transparency: The system and its logic must be transparent in how they function.
5. Persistence: Identities must be long-lived, at least for as long as the user desires, but this should not contradict the user's right to be forgotten.
6. Portability: Information about identities must be transportable.
7. Interoperability: Identities should be as widely usable as possible.
8. Consent: Entities must agree to the use of their identities and the sharing of related data.
9. Minimization: Disclosure of claims must be minimized.
10. Protection: The rights of entities must be protected; when there is a conflict between the needs of the network and the rights of entities, the priority should be the latter.

Most central-authority identity solutions today have limited support for every principle, in particular control over identity, transparency and portability.

The following sections describe key components of these new decentralized identity systems: verifiable credentials, decentralized identifiers, decentralized identifier authentication and resolution, and personal cryptographic key wallets.

6.7.1 Decentralized Identity Definition of Terms

The emerging decentralized identity system standards use modernized, refined definitions of key terms. This section has definitions from the W3C Verifiable Credentials [12] specification. Note that some of these newly-defined terms may conflict with older definitions of the same terms, or with definitions in other standards.

subject
An entity about which claims are made.

claim
An assertion made about a subject.

credential
A set of one or more claims made by an issuer. A verifiable credential is a tamper-evident credential whose authorship can be cryptographically verified. Verifiable credentials can be used to build verifiable presentations, which can also be cryptographically verified. The claims in a credential can be about different subjects.

decentralized identifier
A portable URL-based identifier, also known as a DID, associated with an entity. These identifiers are most often used in a credential and are associated with subjects such that a credential itself can be easily ported from one repository to another without the need to reissue the credential. An example of a DID is did:example:123456abcdef.

identity
The means for keeping track of entities across contexts. Digital identities enable tracking and customization of entity interactions across digital contexts, typically using identifiers and attributes. Unintended distribution or use of identity informa-
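As an added illustration of the credential and decentralized identifier definitions above (this is example code, not from the report or the W3C specification), the Go program below parses the three-part DID syntax and issues a minimal credential whose claims about a subject are signed by the issuer, so that any later change to the claims, issuer or subject fails verification. The field names, the `did:example:issuer` value and the use of plain JSON with an Ed25519 signature are assumptions for illustration; real W3C verifiable credentials use a richer JSON-LD data model and proof format.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"strings"
)

// ParseDID splits an identifier such as did:example:123456abcdef into its method
// and method-specific id, rejecting anything that lacks the three-part syntax.
func ParseDID(s string) (method, id string, err error) {
	p := strings.SplitN(s, ":", 3)
	if len(p) != 3 || p[0] != "did" || p[1] == "" || p[2] == "" {
		return "", "", errors.New("malformed DID: " + s)
	}
	return p[1], p[2], nil
}

// Credential is a minimal stand-in (assumed shape) for a verifiable credential: signed claims about a subject.
type Credential struct {
	Issuer  string            `json:"issuer"`
	Subject string            `json:"subject"`
	Claims  map[string]string `json:"claims"`
	Proof   []byte            `json:"proof,omitempty"`
}

// payload is what gets signed: the credential without its proof. encoding/json
// sorts map keys, so identical claims always encode to identical bytes.
func (c Credential) payload() []byte {
	c.Proof = nil
	b, _ := json.Marshal(c)
	return b
}

// Issue signs the credential with the issuer's Ed25519 private key.
func Issue(c Credential, issuerKey ed25519.PrivateKey) Credential {
	c.Proof = ed25519.Sign(issuerKey, c.payload())
	return c
}

// Verify rejects malformed issuer/subject DIDs and any credential altered after issuance.
func Verify(c Credential, issuerPub ed25519.PublicKey) bool {
	for _, did := range []string{c.Issuer, c.Subject} {
		if _, _, err := ParseDID(did); err != nil {
			return false
		}
	}
	return ed25519.Verify(issuerPub, c.payload(), c.Proof)
}
```

Verification here covers only tamper-evidence and authorship; resolving the issuer DID to its public key is left to the DID resolution step described later in the report.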