At its heart, identity is about uniqueness. Being able to tell that things are distinguishable from each other. The real question to answer here is, how is uniqueness determined? What can anything or anyone use to be certain that they are recording against something unique? Most systems implement a UUID internally which they can guarantee is unique per entity in their system because they are the issuer of the identity. However, giving these unique identifiers out to other systems is problematic for exactly the reasons you mention. If lost, forgotten, or stolen, the original entity can no longer get them back.
For digital systems and man made things, uniqueness is relatively straightforward. Unique ID identifies the thing is who they claim, but for people this quickly gets difficult.
How does a person assert with authority they are a specific someone? What can be reliably used?
The likeliest pathway is biological factors, such as DNA, but identical twins share DNA, as do cloned things. Fingerprints are unique, assuming you have them, and if you don’t, also not reliable. Biometric data is often used but not 100% reliable. Failing that the next best identifiers are things issued by other authorities that your system is willing to trust. You might want to use a government issued document, from a reputable government, that can be verified, and is hard to forge. Not foolproof, but good enough. We rely on the government not to issue that same ID to two different individuals, and we rely on the individual retaining their government ID over long periods of time. Unfortunately, government IDs are not commonly used due to the high-risk nature of the data on them, and the low frequency of users having them handy. America tries to issue an ID to all users for this type of reason, the Social Security Number, but these have become extremely flawed over years due to data breaches and the fact they are passed around so freely that anyone could know yours.
Failing that, systems look for something else they can use that is globally unique, and stays with the user. Phone numbers aren’t adequate as they are often recycled and change frequently. The closest thing available, as you’ve already pointed out, is the email address. By necessity, emails are globally unique. We rely on them not being recycled too often, and they are most commonly (although not always) associated with an individual. Systems rely on the issuing authority to not break the system by issuing one to more than one person, and it serves a dual purpose of being able to be used to contact the owner.
No matter what system is put in place, there is a reliance on some authority maintaining and managing the integrity of the identifiers. Decentralised identity still relies on a person having access to the ID, and if that person loses it, then it’s between them and the identity provider to work out how they get it back, for the consuming applications, the same practical issues exist. A lost or changed ID results in a new entity on the application and the old one becoming unusable.
Most applications have workarounds for people losing or changing their identifiers (such as email address) but often this relies on the user changing it whilst still in passion of the old one, or relies on another method of verifying the person is who they claim, such as government identifiers, assuming they have at some point captured that information in the first place.
At its heart, identity is about uniqueness. Being able to tell that things are distinguishable from each other. The real question to answer here is, how is uniqueness determined? What can anything or anyone use to be certain that they are recording against something unique? Most systems implement a UUID internally which they can guarantee is unique per entity in their system because they are the issuer of the identity. However, giving these unique identifiers out to other systems is problematic for exactly the reasons you mention. If lost, forgotten, or stolen, the original entity can no longer get them back.
For digital systems and man made things, uniqueness is relatively straightforward. Unique ID identifies the thing is who they claim, but for people this quickly gets difficult.
How does a person assert with authority they are a specific someone? What can be reliably used? The likeliest pathway is biological factors, such as DNA, but identical twins share DNA, as do cloned things. Fingerprints are unique, assuming you have them, and if you don’t, also not reliable. Biometric data is often used but not 100% reliable. Failing that the next best identifiers are things issued by other authorities that your system is willing to trust. You might want to use a government issued document, from a reputable government, that can be verified, and is hard to forge. Not foolproof, but good enough. We rely on the government not to issue that same ID to two different individuals, and we rely on the individual retaining their government ID over long periods of time. Unfortunately, government IDs are not commonly used due to the high-risk nature of the data on them, and the low frequency of users having them handy. America tries to issue an ID to all users for this type of reason, the Social Security Number, but these have become extremely flawed over years due to data breaches and the fact they are passed around so freely that anyone could know yours.
Failing that, systems look for something else they can use that is globally unique, and stays with the user. Phone numbers aren’t adequate as they are often recycled and change frequently. The closest thing available, as you’ve already pointed out, is the email address. By necessity, emails are globally unique. We rely on them not being recycled too often, and they are most commonly (although not always) associated with an individual. Systems rely on the issuing authority to not break the system by issuing one to more than one person, and it serves a dual purpose of being able to be used to contact the owner.
No matter what system is put in place, there is a reliance on some authority maintaining and managing the integrity of the identifiers. Decentralised identity still relies on a person having access to the ID, and if that person loses it, then it’s between them and the identity provider to work out how they get it back, for the consuming applications, the same practical issues exist. A lost or changed ID results in a new entity on the application and the old one becoming unusable.
Most applications have workarounds for people losing or changing their identifiers (such as email address) but often this relies on the user changing it whilst still in passion of the old one, or relies on another method of verifying the person is who they claim, such as government identifiers, assuming they have at some point captured that information in the first place.