Source code :
Theme fund: NGI0 PET
Start: 2020-04
End: 2022-10

Nym Credentials

A decentralised solution for authentication

Nym Credentials provides open-source code for privacy-enhanced authentication and authorization in a decentralized environment. Today, when using "single sign-on" solutions, users hand over their personal data to third-party identity providers such as Facebook Connect and Sign-In with Google. Nym Credentials tackles this problem by allowing users to securely authenticate and transfer personal data (and proofs of private data) while maintaining privacy, without a centralized identity provider. Each credential is cryptographically unlinkable between usages, and multiple decentralized identity providers can verify this data. Open-source Nym credential libraries can be easily integrated into existing services, with a focus on federated and decentralized European environments.

Why does this actually matter to end users?

One of the oldest questions on the internet is: how do you adequately prove you are you? Or perhaps the reverse formulation offers a better mental model: how do you prevent others from succeeding in pretending they are you? Now let's flip this question around once more: how would you like to see this managed yourself, if you could? How heavyweight or convenient do you want the process of proving that you are you to be, to allow you to get into your own environment or have something done on your behalf? And what is it worth to you in terms of effort? Would you be willing to spend a minute to have some clever secure device you have in your pocket involved? Authenticate via your mobile phone? And what if you are in a rush, or on the go? Are you happy with some company like your email provider or a large social network having the ability to make that judgement, based on a user login a few hours ago? And what if that company is based in some other jurisdiction, and could be forced to let others in as well? Or would you rather choose your own identity, and formulate direct rules to have complete control at any given point?

As could be guessed, individual people have a need for different levels of confidence and security in different contexts. A security breach matters perhaps less if you just want to log in to a music service to change a playlist. After all, the worst that can happen is that someone messes things up and you have to create a new one. It matters a great deal more if you want to do a significant financial transaction at work, or open the door of your house remotely to let the babysitter in while you are delayed in traffic. Perhaps you can think of scenarios where you want even more control.

So what proof should be used as the basis of your trust, and the subsequent actions taken? Historically people rely on some authority they collectively trust. Such an authority has typically taken high-tech countermeasures to make the channel through which that trust is conveyed hard to defraud. A passport or banknote is quite tricky to fabricate due to the use of special techniques. Online we have only a very limited number of trust "anchors" of varying quality. The domain name system is one such anchor; digital certificates and customer relationships are others. Today, having access to a certain mail account or phone which is known to be yours is the most common proof used. Email is often called the "poor man's solution" to identity management, and it is what most organisations and businesses fall back on. Can't log in? We will send you an email to reset your login. Just click on the link. And of course, email was never designed to be safe. It kind of works, but really we can do better.

Perhaps your use cases require more strict proof than that of normal consumers, or less strict proof. Even for a single large service provider, it would be hard to figure this out satisfactorily for all users. For the same reason people write their own testament to document what should happen with things they own or control after they die, you want to document what should happen with things you own or control when you are physically absent. There is no universal will that is acceptable to all, nor is there a universal policy that satisfies all use cases.

So what if you yourself would be able to create and control your own identity, and determine your own proofs and methods? In order to function in a global internet, you would need to be able to convey your requirements and demands in a portable way. There would be no central authority dictating to you what to do here. That would mean you yourself would have to make things explicit upfront in a foolproof way - so that elsewhere on the internet people and services would know what you expect them to do to distinguish the real you from fraudsters.

This project provides the tools and infrastructure for users to authenticate themselves and share personal data (and proofs of data) without a centralized authority, where your credentials are protected through modern technologies built for privacy and security. Together these tools and infrastructure provide a state-of-the-art European alternative for authentication that puts users (and no one else) in the driver's seat.

Run by Nym Technologies SA


This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.