Learn about Sonr's decentralized identity system using DID documents and WebAuthn for secure user identification

Personal Identity in Sonr

Scope

This document covers Sonr's identity system architecture, including W3C DIDs, WebAuthn authentication, and user-controlled Vaults. It explains technical implementation, security models, and integration patterns. This document does not cover specific API implementations or code examples—see the DID Module reference for technical details.

Audience

Developers implementing identity features in applications. System architects designing authentication systems. Security engineers evaluating identity solutions. Prerequisites: Understanding of authentication concepts, basic cryptography, and web standards (W3C DIDs, WebAuthn).

Summary

Sonr implements decentralized identity through W3C DIDs and WebAuthn for passwordless authentication. Users create self-sovereign identities in 30 seconds using biometrics. Personal Vaults act as user agents, managing permissions and interactions. The system eliminates seed phrases while maintaining security through MPC and social recovery.

Identity Architecture

Core Components

Sonr's identity system consists of four integrated components:

DID Documents: W3C-compliant identifiers storing public keys and service endpoints
WebAuthn Credentials: Device-based authentication using biometrics or PIN
Personal Vaults: User-controlled agents managing permissions and data
MPC Key Management: Distributed key shares preventing single points of failure

Identity Model

Each Sonr identity follows this structure:

did:sonr:alice123
├── DID Document (on-chain)
│   ├── Public Keys
│   ├── Service Endpoints
│   └── Controller Info
├── WebAuthn Credentials (device)
│   ├── Private Key (hardware-backed)
│   └── Attestation Data
└── Personal Vault (distributed)
    ├── MPC Key Shares
    ├── Permissions (UCANs)
    └── User Data (IPFS)

Technical Implementation

W3C DID Specification

Sonr implements the W3C Decentralized Identifier v1.0 specification:

{
  "@context": "https://www.w3.org/ns/did/v1",
  "id": "did:sonr:alice123",
  "verificationMethod": [
    {
      "id": "did:sonr:alice123#key-1",
      "type": "JsonWebKey2020",
      "controller": "did:sonr:alice123",
      "publicKeyJwk": {
        "kty": "EC",
        "crv": "P-256",
        "x": "...",
        "y": "..."
      }
    }
  ],
  "authentication": ["did:sonr:alice123#key-1"],
  "service": [
    {
      "id": "did:sonr:alice123#vault",
      "type": "PersonalVault",
      "serviceEndpoint": "https://vault.sonr.io/alice123"
    }
  ]
}

WebAuthn Integration

Authentication uses the W3C Web Authentication API:

Key Management

Sonr uses Multi-Party Computation (MPC) for key security:

Key Generation: Creates key shares during registration
Share Distribution: Stores shares across validator nodes
Threshold Signing: Requires k-of-n shares to sign
Share Refresh: Periodically rotates shares for security

Security Model

Authentication Factors

Sonr implements multi-factor authentication:

Something you have: Device with WebAuthn credential
Something you are: Biometric verification
Something you control: Access to your Vault

Privacy Features

The system protects user privacy through:

Selective Disclosure: Share only required attributes
Zero-Knowledge Proofs: Prove claims without revealing data
Encrypted Storage: User data encrypted in IPFS
Minimal On-Chain Data: Only public keys and endpoints

Recovery Mechanisms

Users recover accounts through multiple methods:

Social Recovery

Trusted contacts can collectively restore access

Device Backup

Time-Lock Recovery

Pre-authorized recovery after waiting period

User Experience

Account Creation

Users create accounts in three steps:

Visit any Sonr-enabled site
Click "Create Account"
Authenticate with biometrics

No downloads, extensions, or seed phrases required.

Authentication Flow

Returning users authenticate simply:

Click "Sign In"
Approve biometric prompt
Access granted

The browser handles credential management automatically.

Permission Management

Users control permissions through their Vault:

// Service requests permission
{
  "action": "transfer",
  "resource": "wallet",
  "amount": "100 USDC",
  "recipient": "bob@sonr.id",
  "expires": "2024-12-31"
}

// User sees human-readable prompt
"Allow PaymentApp to send 100 USDC to bob@sonr.id?
This permission expires on Dec 31, 2024."

Integration Patterns

For Web Applications

Integrate Sonr identity using standard web APIs:

<!-- Simple authentication button -->
<button onclick="sonr.authenticate()">Sign in with Sonr</button>

For Service Providers

Services interact through the Vault API:

Request capabilities from user's Vault
Receive time-bound permissions
Execute authorized operations
Handle revocations gracefully

For Enterprise Systems

Sonr provides enterprise integration through:

OIDC Bridge: Compatible with existing IAM systems
SAML Support: Federation with enterprise directories
Audit Logs: Cryptographic proof of all operations
Compliance Tools: GDPR and regulatory compliance

Use Cases

Digital Credentials

Issue and verify credentials without central authority:

Education

Verify degrees without exposing transcripts

Professional

Prove licenses and certifications instantly

Age Verification

Confirm age without revealing birthdate

Cross-Platform Identity

Use one identity across all services:

Gaming: Portable achievements and assets
Social: Own your social graph
Finance: Universal KYC/AML compliance
Commerce: Unified payment preferences

Privacy-Preserving Services

Build applications that respect user privacy:

Anonymous voting with verified eligibility
Private messaging with authenticated senders
Selective disclosure for regulatory compliance
Decentralized reputation without surveillance

Implementation Guide

Creating a DID

Services create DIDs for users programmatically:

const identity = await sonr.createIdentity({
  displayName: "Alice Smith",
  authenticator: "platform", // Use device biometrics
  recovery: {
    social: ["bob@sonr.id", "carol@sonr.id"],
    threshold: 2,
  },
});

Verifying Identity

Verify user identity claims:

const verified = await sonr.verifyCredential({
  credential: userCredential,
  checks: ["signature", "expiration", "revocation"],
});

Managing Permissions

Grant and revoke permissions dynamically:

// Grant permission
const permission = await vault.grant({
  service: "app.example.com",
  capability: "read_profile",
  expiration: "24h",
});

// Revoke permission
await vault.revoke(permission.id);

Best Practices

For Developers

Use WebAuthn properly: Let browsers handle credential management
Request minimal permissions: Only ask for what you need
Handle revocations: Check permissions before operations
Respect user privacy: Implement selective disclosure

For Users

Register multiple devices: Ensure account recovery options
Review permissions regularly: Revoke unused authorizations
Use social recovery: Add trusted contacts for backup
Keep devices secure: WebAuthn credentials are device-bound

Next Steps

Ready to Implement?

Developers: Read the DID Module Reference for implementation details.

Architects: Explore Integration Patterns for system design.

Users: Create Your Identity to experience Sonr firsthand.

Learn how Sonr's identity system integrates with other components by exploring our architecture documentation or dive into specific implementation details in our reference guides.