Convenient authentication on Self-sovereign identity


How do you envision biometric authentication and other passwordless schemes with the present design of self-sovereign identity?

It seems to me that the potential of self-sovereign identity, especially the way it’s being designed on the Sovrin Ledger, holds a great potential for facilitating user/entity interaction a great deal on this digital age. What is being currently discussed and designed regarding authentication around the Sovrin space?


One of the most fundamental features Sovrin provides is a trusted way to determine the public key associated with a particular identifier. A secure and privacy-protective authentication mechanism can be implemented simply by having the identity owner sign a challenge with their private key to prove they really control the identifier in question. This is essentially what happens in the “Trust Ping” section of the Getting Started guide (just after Alice establishes her link with Faber College).

In a more realistic scenario, an identity owner may wish to authenticate to a website with which they have previously registered, and they’ll have a Sovrin client app on their smartphone which uses biometrics to unlock the secure enclave where their keys are stored. The website pushes the challenge to the identity owner’s agent (see The Technical Foundations of Sovrin for an overview of where agents fit in to the architecture), which in turn sends a push notification to the smartphone app prompting the identity owner to present their biometric and approve the authentication request. This diagram illustrates how that flow works:

I’d love to hear any ideas or suggestions you might have on how to optimise either the user experience or the backend integration.


Hello James, I really appreciate the detailed reply. Some questions are still lingering in my head, though:

  1. Is biometric authentication only happend on the client side (to unlock identity private key)? Does any claim/proof on the ledger play any role for biometric data?.. Maybe a claim that includes a hash of the biometric data linked to an identity?.. Or is it merely a client-side process?
  2. Step 9 in the diagram says “Verifies signature”, yet i’m not really clear about whose signature is verified in this step.