Microsoft has developed a digital identity network based on Bitcoin – is that a good or a bad thing? What are digital identities anyway? And what does this have to do with Bitcoin? The most important answers at a glance.

Digital Identities

A digital identity is information that represents us in the digital world. A simple form is the username we use to log into an application or system. Our actions and communications are then associated with this username. Usually, some form of authentication is provided to prove that we are the owner of that identity – for example, a password. For secure applications, a second factor is required, such as a time-based code (TOTP) or smart card.

The same person can have any number of digital identities. This can be used for self-protecting your privacy. Someone who calls himself “Rumpelstiltskin_1984” in all forums and social media is not immediately unmasked by the nickname. But the combined traces on the web make him or her easily recognizable. It therefore protects privacy when social network providers allow their members to choose a pseudonym as their public nickname, regardless of their digital identity (Facebook, on the other hand, enforces a real name policy).

So even though different digital identities have advantages, the ease of use argues for being able to use the same digital identity for different services. Who wants to create a new identity and remember a new password for every service? Facebook, Google, Apple & Co., with which almost every Internet user is registered, have long recognized this. They offer the option of using the account for logging in to third-party providers’ services. Ideally, it is possible to determine which information from one’s own account is accessible to the third party.

Self-Sovereign Identities (SSI)

So the big providers are trying to occupy a key position in digital identities as “gatekeepers“. That’s fine as long as we can trust the provider in question and our data are safe there. However, it is better if we can control our digital identities ourselves without having to rely on an account with a major provider. This is the basic idea behind the concept of self-sovereign identities (SSI).

SSIs enable users to create and control their own identities. These identities then form the basis for any trust-based interaction conducted online. They enable the exchange of encrypted messages via e-mail or social media, the conclusion of sales contracts on trading platforms, online banking and much more. Proof of required characteristics to other bodies can also be provided online on the basis of digital identities in conjunction with public key infrastructures. Examples include the minimum age for purchasing alcohol, proof of a university degree in the context of an application, or a specific nationality on which the use of a government service depends.

So SSI is about nothing less than the future of our digital self – our digital sovereignty. The overriding importance of this has also been recognized by the German government and the EU. The latter is currently implementing SSI based on a public blockchain (European Blockchain Services Infrastructure, EBSI). Via a bridge to the eIDAS system for digital signatures, DID holders will be able to receive confirmations and proofs from public bodies and other certified institutions.

Decentralized identities (DID)

In order to be able to manage identities independently of central control instances such as large Internet service providers or states, a distributed infrastructure is required. This is why SSIs are regularly based on decentralized digital identities (DID). Identity information is then stored in a distributed database such as a blockchain.

There is already an international standard for DIDs from the W3C. Anyone who has a corresponding DID can use it to log in to any service that supports this standard – without the external “identity provider” that would otherwise be required. DIDs can be generated at will and stored and managed in wallets. Technically, the principle behind this is public-key encryption, in which a pair is created consisting of a secret and a public key. The secret key remains in the hands of the user and enables her to prove that she is the owner of the DID. Thus, control remains solely in her hands.

DID and ION – God’s work and Microsoft’s contribution?

The W3C DID standard itself does not yet create a DID infrastructure. This requires projects that implement distributed databases to store DIDs securely and make them available over the Internet (decentralized Public Key Infrastructures). The technical requirements for such a database are enormous. To be of global utility, it must be decentralized and secure, and yet “scale” – i.e., be able to efficiently answer a large number of queries per second. The database must be resistant to censorship and queries must be cheap enough to make it worthwhile to integrate the technology into everyday applications.

Microsoft took on this task and evaluated suitable technologies four years ago. The result is ION (the Identity Overlay Network), which has now gone live. In order to meet the high requirements for decentralization and security, ION is based on the Bitcoin blockchain as a layer 2 network. This means that the majority of the information is processed in its own globally distributed network of ION nodes (which everyone can join). It is also important to note that the ION network does not have its own consensus mechanism. Unlike with the “proof-of-work” approach, there are therefore no energy consumption issues.

To benefit from the unique security of the Bitcoin network, hash values are regularly written into the Bitcoin blockchain. In this way, ION participates in the unrivaled security of Bitcoin while providing a database with large amounts of information and many transactions per second, which would not be possible with the Bitcoin blockchain alone. This solution is comparable to the Lightning network, which is also designed as a Layer 2 network and is intended to eliminate the scaling problems of Bitcoin payments.

At first glance, there is a contradiction in the fact that Microsoft, a major player in the IT scene, supports a decentralized network. However, the way ION is designed, there are no dishonest intentions to be seen in it. ION is to be developed independently of central instances, and the source code is open and can be audited by the community. Microsoft’s contribution is reduced to contributing a lot of source code and propelling the project to its current maturity.


ION is an important enabler for the wide-scale adoption of DIDs. If enough services support the protocol, if apps and wallets are developed that allow us to easily manage our DIDs, if public authorities join in to confirm “credentials” such as university degrees, driver’s licenses, age, nationality, etc. based on DIDs – then we can regain a piece of digital sovereignty and prevent commercial enterprises from controlling our digital identity. Many ifs, but a hopeful outlook.