Decentralized and Self-Sovereign Identity: Systematic Mapping Study

Self-Sovereign Identity is an emerging, user-centric, decentralized identity approach utilizing some form of decentralized technology. It provides a means for digital identification without reliance on any external authority, enabling entities to control their identity and data flow during digital interactions while enhancing security and privacy. With the rise of blockchain technology, Self-Sovereign Identity is gathering momentum in academia and industry while the number of research papers increases rapidly. However, Self-Sovereign Identity is still a young unstructured field in its early stages of research. Thus, a systematic mapping methodology was adopted to provide a coarse-grained overview of decentralized and Self-Sovereign Identity and structure the research area by identifying, analyzing, and classifying the research papers according to predefined parameters, which is to say according to their contribution, application domain, IT field, research type, research method, and place of publication. Furthermore, the nature and scope of the research were determined, while existing research topics, gained insights into trends, demographics, challenges, gaps, and opportunities for future research were also presented. The results suggest that validation research and solution proposals prevail, addressing decentralized identity in a general matter. Papers mainly propose systems/solutions, architectures, and frameworks, focusing on authentication, security, privacy, and trust, while there are hardly any studies researching usability, user experience, patterns, and good practices.


I. INTRODUCTION
There is a growing interest in decentralized technology, especially blockchain, and its application in different domains, including identity management [1], [2]. In the spring of 2015 [3], the identity community recognized blockchains' potential for utilizing an identity layer on the internet as its underlying infrastructure can facilitate an exchange of assets and enable trust in relationships between entities without the need for a centralized intermediary. Although blockchain initialized developments in the field of decentralized identity, it is not always required for implementation, as peer decentralized identifiers (peer DIDs) can standalone and present a method that is entirely off-ledger.
Unlike centralized systems, where control and power are in the hands of central authority, decentralization entails the distribution of control among the participants in the system, The associate editor coordinating the review of this manuscript and approving it for publication was Chunming Gao. thus, represents a shift of power from central authorities to entities, e.g. users/identity holders, enabling user-centric systems. The latter is crucial, especially in the field of identity management, where currently sensitive, Personal Identifiable Information (PII) is stored in centralized repositories, posing a threat to privacy and security. Due to personal data misuse and data breaches that have led to countless concerns, such as PII leaks and identity thefts, the decentralized identity approach, more narrowly Self-Sovereign Identity (SSI), is gathering momentum and interest in academia and industry. In addition, it is being considered by many organizations and governments around the world [4]. Moreover, it is being standardized by World Wide Web Consortium (W3C) [5], [6] and Decentralized Identity Foundation (DIF) [7], striving to establish a new decentralized identity ecosystem. Another important initiative worth mentioning is the European Commission's framework proposal for trusted, secure, and widely usable European Digital Identity, which will enable all Europeans to digitally prove their identity and VOLUME 9, 2021 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ provide certain personal attributes, to access digital services across the Union. Meanwhile, it will empower users to be in control of their data through identity wallets [8].
As the field is gaining momentum and becoming popular in academia and industry, the number of research articles, initiatives, and solution proposals is increasing rapidly. Yet, there is still some ambiguity, misunderstanding, and disagreement about key principles and concept definitions. The core of the decentralized identity, precisely the Self-Sovereign Identity concept, lies behind the objectives to provide a means for digital identification, with minimizing or even eliminating reliance on a central authority, eliminating a single point of failure. Allowing entities to create identifiers independently of any external party, gather identity claims from various sources, securely and autonomously store, manage and distribute/share them while remaining in full control of identifiers and associated identity data. Furthermore, with the use of decentralized technologies and cryptographic primitives, security and privacy are enhanced, and transparency and data minimization can be achieved. However, SSI is still a young unstructured field in its early stages of research, with many research opportunities and challenges that need to be tackled. Thus, this study aims to gain a broad insight into existing knowledge by conducting a Systematic Mapping Study, classifying research papers into pre-defined categories, providing a coarse-grained overview, and structuring the research area. Furthermore, we aim to identify research trends, demographics, and potential research gaps, that can serve as a starting point for further research.
The remainder of this paper is structured as follows. In section II, the general concepts of decentralized and Self-Sovereign Identity are outlined. Section III presents related work regarding secondary studies and highlights the differences to our work. The research methodology is described in Section IV, and respective results are presented in Section V. Section VI discusses the results of the systematic mapping study concerning the research question. Last but not least, Section VII presents conclusions and future work.

II. DECENTRALIZED IDENTITY
The decentralized identity model is enabled by the emergence of decentralized technologies, providing the ability to eliminate intermediaries. Therefore, the goal of decentralization is to minimize or even fully eliminate a single point of compromise or failure by minimizing or even removing a central authority [9] that serves as an identity provider (IdP) and is responsible for identity administration and management. In traditional identity management systems, personal data, i.e. identity attributes, are centrally stored under the control and management of IdP. Influenced by IdPs' internal privacy and security policies that greatly affect data usage and its safety. Meanwhile, requesting parties as well as entities themselves must trust the IdP regarding the availability, integrity, and confidentiality of attributes. Alternatives to maintaining centralized storage are decentralized approaches [10]. Some are similar to traditional identity solutions, where existing trusted credentials from third parties are used for identity verification or authentication. However, the central IdP is accompanied by decentralized storage, where validated attestations are stored on a distributed ledger for later validation, presenting the main differentiation [11].
On the other hand, decentralized approaches do not rely on any centralized IdP. In contrast with traditional, centralized, and federated approaches that are account-based or digital certificate-based and require entities, e.g. users to trust and rely on identity providers, the latter is based on peer-to-peer relationships between interacting parties. Hence, the ecosystem consists of various entities that enact roles formerly performed by a central authority [9]. It enhances decentralization, transparency, and user control [12] in transactions involving identity information. It usually relies on some form of decentralized ledger technology (DLT), blockchain, distributed file system, or another decentralized system, such as Hashgraphes and Tangle [13]. Open-source Hyperledger projects can also be used, as Hyperledger Indy was specifically built for the implementation of decentralized identities. Thus, it can be used standalone or with other blockchains [14], [15]. The use of blockchain is the most popular, however not mandatory for the implementation of decentralized identity as it can also be achieved with mentioned alternatives [13]. Nevertheless, blockchain may facilitate the implementation of decentralized identity, and it coincides with some desirable properties of Self-Sovereign Identity [16].
A. SELF-SOVEREIGN IDENTITY Self-Sovereign Identity (SSI) is an emerging, decentralized identity approach that enables entities (e.g. individuals, organizations, and objects) to fully control their digital identity without reliance on any external authority, eliminating a single point of failure. SSI presents a paradigm shift, a shift in power and control, from identity and service providers to users, who must be central to the administration of identity and information flow during digital interactions [17], [18]. Therefore, SSI is user-centric [19], allowing users to generate and manage unique decentralized identifiers (DID) independent of any third party [20] and acquire identity attributes from third-party issuers. Moreover, identifiers and associated personal data can be securely stored by them and presented freely when proof of identity is required. That way, personal data is no longer kept in third-party databases, enhancing security and privacy, and reducing risk, connected to data leakage and other identity-related cybercrimes [21]. This can be enabled by an ecosystem (i) facilitating the acquisition and storage of verifiable claims and credentials containing identity attributes, (ii) facilitating the sharing of verifiable presentations, including zero-knowledge proofs and data minimization, (iii) allowing the verification of claims and identities, and (iv) establishing trust among entities (i.e. trust triangle), or issuers, identity holders, and verifiers that interact with each other and can encompass various roles, depending on the situation.
The paradigm is still in its infancy, and there is no consensus on an exact definition of SSI. However, initiatives to describe [20] and formally define the concept [22], essential architectural components [19], and principles [23] that are important for its implementation exist.
The position paper presented by Wagner et al. [20] involves cooperation between experts from different institutions and companies, addressing SSI and showing agreement on the future directions regarding standardization, interoperability, regulation, privacy, and security.
Mühle et al. [19] provided a high-level overview of SSI architecture and key components of the SSI system, mainly identification, authentication, verifiable claims, and attribute storage. Ferdous et al. [22] have mathematically formalized the concept of SSI, using mathematical notions and properties, and have presented various envisioned flows.
Allen [23] proposed ten guiding principles of SSI, laying out the requirements for an SSI system, highlighting the importance of independent existence, user control, data access, transparency, persistence, portability, interoperability, consent, data minimization, and protection. The Sovrin Foundation grouped Allen's principles into three categories security, controllability, and portability [19], while Toth and Anderson-Priddy [24] validated them and suggested five additional principles, namely usability, counterfeit prevention, identity verification, identity assurance, and secure transactions. Furthermore, Ferdous et al. [22] analyzed existing definitions, extracted properties, and classified them into five categories, foundational, security, controllability, flexibility, and sustainability.
The aforementioned principles can be viewed as a set of objectives that SSI systems should achieve. Thus, SSI is not dependent on a specific technology and implementation but can be realized in various ways. However, it can be best achieved by utilizing decentralized ledger technology (DLT), usually blockchain technology [17], decentralized identifiers (DID) [5], and verifiable credentials (VC) [6] standardized by The World Wide Web Consortium (W3C).
DLT provides a cryptographic root of trust [21] and serves as a trustless, decentralized public-key infrastructure (DPKI) [25]. It acts as a replacement for a centralized registration authority in traditional identity management systems, where the pairing of identifier and authentication method is maintained [19].
DIDs are globally unique decentralized identifiers, providing a means for authentication using cryptographic proofs. Allowing entities to prove control over them, without requiring permission from any third party [5], [13]. VCs are digital credentials issued by the issuer to a holder, whereby the issuers attest to certain attributes, containing information related to identity subject, issuing authority, type of credential, asserted attributes or properties, constraints of identity, and evidence related to its derivation [6]. DIDs and VCs are directly managed and controlled by the identity holder. They are stored in the user-controlled off-chain storage and can be presented to any relying party when needed [19].
Several distinctions between decentralized and Self-Sovereign Identity can be drawn from the literature and existing implementations. Usually, there are differences in the method of registration, precisely identifier registration, and identity attribute aggregation.
1) Decentralized identity can be derived from existing government-issued identity documents and is provided by services performing identity proofing based on existing third-party trusted credentials, such as passports, driving licenses, etc. After verifying, validated identity attestations are recorded on a distributed ledger for later verification by third parties [11], [18], [26]. On the other hand, SSI does not rely on any existing documents. Each entity can create an unlimited number of identities without relying on documents, as identity information can be self-attested or preferably obtained later by gathering credentials from different issuers. 2) In some decentralized proposals [27], [28], a single identity is allocated for every entity and stored in the blockchain for authentication purposes. Otherwise, SSI allows for the generation of an unlimited number of identifiers depending on the situation and requirements. These solutions are common, especially for IoT implementations, where devices can authenticate each other without a central authority.
3) The decentralized identity system does not meet the requirements of SSI regarding control, or other important criteria relating to controllability, portability, security, or the other principles addressed above.

III. RELATED WORKS
Several secondary studies dealing with aspects of decentralized and Self-Sovereign Identity (SSI) have been published over the years. Rouhani and Deters [29] have presented a review of five studies related to the application of smart contracts in the field of decentralized identity, and categorized them into seven groups: (i) healthcare, (ii) IoT, (iii) identity management, (iv) record keeping, (v) supply chain, (vi) BPM, and (ii) voting.
Maesa and Mori [2] have surveyed six applications of blockchain, specifically (i) electronic voting, (ii) healthcare records, (iii) identity management, (iv) access control, (v) decentralized notary, and (vi) supply chain. For each, they have analyzed the problem, provided blockchain-based proposals, and presented existing solutions from the literature. As for identity management, an SSI system was brought to the forefront, and its properties were discussed in the context of blockchain-based implementation. The former explored a broader field of blockchain applicability and argued that desired SSI properties can be satisfied by blockchain-based implementation, [30], [31] focused on the domain of healthcare, while also recognizing blockchain's potential for implementing an identity system.
Both conducted a survey on blockchain-based SSI solutions. Houtan et al. [31] collected solutions from academia VOLUME 9, 2021 and industry and classified them into five categories, namely (i) data control and protection, (ii) digital identity, (iii) social insurance, (iv) social data governance, (i) healthcare and patient data. They investigated the potential of blockchain technology and concluded that its characteristics are suitable, or even beneficial, when realizing a standardized, interoperable healthcare ecosystem that supports SSI and allows patients to regain control over their data, which has been gathered from various sources, while simultaneously remaining in the center of the ecosystem. The authors also highlighted some challenges regarding security and privacy, lack of standardized implementation methods, and the fact that existing solutions are mostly in beta or test stages, not ready for real-world use. Shuaib et al. [30] have also stated several requirements for adopting SSI in healthcare and have presented some advantages and a use case involving different stakeholders.
Mundhe et al. [32] conducted a survey, studying various authentication and privacy-preserving techniques in VANETS, including decentralized blockchain-based schemes, and providing scheme classification, strengths, and weaknesses. The study revealed that most of the existing schemes require centralized entities, e.g. trusted authorities who assign identity or certificates to vehicles and store them in the blockchain.
Zhu and Badr [33] conducted a survey on traditional and blockchain-based identity management systems focusing on IoT, identifying solutions and challenges including access control, privacy, trust, and performance. Bartolomeu et al. [34] also focused on the IoT and provided a review of use-cases, technology, and challenges of SSI, including a discussion regarding technical challenges, best practices, and standardization.
Gilani et al. [35] and Kaneriya et al. [36] described and analyzed existing blockchain-based identity management solutions that claim to fulfil self-sovereignty. Gilani et al. [35] recognized a lack of evaluation criteria, e.g. a scale for solution assessment. While many solutions have been compared and evaluated based on the law of identity [18], [25], [37] or SSI taxonomy [22], [38], they performed a technical evaluation, disclosing differences in design and implementation, such as a network or blockchain type and data storage, key management, selective disclosure, smart contracts, and GDPR compliance. They also discussed the key concepts and architecture of SSI and pointed out research gaps and challenges. Challenges and future research directions were also discussed by Bernabe et al. [21], who surveyed the current state of the art on privacy-preserving solutions, providing an overview of privacy and blockchain concepts in general. The authors also presented identity management systems, which is to say SSI on the blockchain. They analyzed and compared existing solutions, their features, and privacy aspects with an emphasis on GDPR. Providing a comparison of compliance with GDPR principles, such as lawfulness, fairness, transparency, data minimization, integrity, and confidentiality.
Kuperberg [39] has conducted a systematic survey of existing blockchain-based identity and access management solutions and provided an evaluation framework consisting of 75 criteria for the evaluation of decentralized and SSI management systems. The criteria were applied to 43 offerings, which were analyzed in detail and evaluated in terms of enduser functionality, mobility, overhead aspects, compliance, regulations, standardization, and integration.
Liu et al. [25] reviewed three solutions, namely Sovrin, uPort, and ShoCard, and compared them based on Cameron's law of identity. They also provided a comprehensive review of 50 existing blockchain-based identity management papers and patents published between May 2017 and January 2020 across various academic databases (ACM Digital Library, IEEE Explore, ScienceDirect, and Springer Link) and Google Scholar. The study focuses on classifying research papers into three main categories: authentication, privacy, and trust. Throughout the analysis, they identified research gaps and opportunities and highlighted few identity-related challenges that include identity wallet leakage and identity changes.
Rathee and Singh [40] carried out an extensive systematic literature mapping of identity management using Blockchain technology. They identified and analyzed 30 primary studies published between 2009 and 2020 with the objective of (i) finding out research trends (ii) and challenges, (iii) scrutinizing identity management frameworks, (iv) identifying initiatives and (v) research projects that use blockchain in the field of identity management, and (v) determining popular consensus algorithms. Once again, they concluded that the integration of blockchain has the potential to overcome the limitations of conventional identity management. Hence, some privacy and interoperability challenges remain.
In contrast to the aforementioned studies, our research includes a larger set of papers, provides more extensive classification and data visualization. It includes both blockchain-based and non-blockchain-based implementations while excluding papers that rely on a central authority for identity registration.
Although all the secondary studies presented above are connected to our research to some extent, the studies [25], [40] are the most related. However, they do not: (i) include non-blockchain-based implementations, (ii) distinguish between decentralized and Self-Sovereign Identity, (iii) classify papers based on their contributions, domain, IT field, and research type.

IV. RESEARCH METHODOLOGY
Most studies presented in the previous section performed a Survey or Systematic Literature Review (SLR), the aim of which is to analyze primary studies on a given research topic in detail and provide an overview of a specific research area. Unlike SLR, in order to get a coarse-grained overview and gain insights into the trends and demographics of existing studies on a broader research topic, a Systematic Mapping Study (SMS) can be performed [41], [42].
Its objective is to (i) structure a field of interest and research type of identified studies, (ii) build a classification scheme, (iii) categorize existing studies within the field, (iv) display frequencies of publications for classification categories and (v) provide result visualization with classification maps. Thus, the main result of the SMS process are classification maps that map identified studies according to research questions and determine coverage in a certain category.
Since decentralized identity, precisely Self-Sovereign Identity, is still in its infancy, the research field is not structured yet. A lot of research has to be done in the future before its wide acceptance can be considered. At this point, we believe SMS is desirable and useful to identify gaps and provides opportunities for further research. Moreover, it can also serve as a starting point for further investigations. Therefore, we decided to follow the guidelines provided by Petterson et al. [41], [42] and conducted an SMS process, performing the following steps: 1) defining research questions (section IV-A and IV-B), 2) determining the search strategy and conducting a search (section IV-C and IV-D), 3) paper screening (section IV-D), 4) keywording and constructing classification scheme (section IV-E), 5) data extraction, classification, and mapping of the studies (section V). Each step results in an outcome, displayed in Fig. 1, and is described in detail in the following sections.

A. RESEARCH OBJECTIVES
This SMS aims to gain a broad insight into existing knowledge/studies in the field of decentralized and Self-Sovereign Identity. The goal is to provide a coarse-grained overview of research papers and classify them according to predefined parameters. Additionally, the hope was to determine the nature and scope of the research and get insights into trends, demographics, challenges, and gaps in the field of decentralized and Self-Sovereign Identity. The main research objectives that should be achieved at the end of the study are: (i) identify a research subject of interest regarding decentralized and Self-Sovereign Identity.   In the following section, the research strategy is presented. It includes a selection of scientific databases, identification of keywords, and construction of search strings. Afterward, a search for relevant papers was conducted.

C. SEARCH STRATEGY
After defining the research questions, we identified the keywords and formed a search string. The latter was structured in a way that allows a broad overview of the entire research space.

1) KEYWORDS
The identified keywords are Self-Sovereign Identity, Self Sovereign Identity, decentralized identity, decentralised identity, blockchain identity, block-chain identity, blockchain based identity, block-chain based identity, decentralized identifier.

(''SELF-SOVEREIGN'' OR ''SELF SOVEREIGN'' OR ''DECENTRALI*ED'' OR ''BLOCKCHAIN'' OR ''BLOCK-CHAIN'') AND (IDENTITY OR IDENTIFIER).
We have limited our search to two of the biggest and most important scientific databases in the field of computer science, IEEE Xplore and the Science Direct. The decision on limitation is based on sole interest in (peer-reviewed) scientific papers, trying to distance ourselves from expert and common/popular papers. Furthermore, Scopus includes papers from IEEE Xplore and Science Direct.
Another thing worth noting regarding search strategy is search string adjustment. Since Science Direct does not allow wildcards, we had to switch DECENTRALI*ED to DECEN-TRALIZED. However, other aspects of the string remain the same in both databases.
The search string was then used in selected databases while taking into account the results (i) in the field of computer science, (ii) and the period between 2012 and 2021.
The second can be justified by the fact that decentralized and Self-Sovereign Identity have only become a general topic of discussion since 2015. Due to growing interest in decentralized technology, especially blockchain, the Internet Identity Workshop (IIW) started a discussion about blockchain identity in the spring of 2015. Recognizing its potential in the field of identity management [3] as blockchain can facilitate some desired features of digital identity, solving some problems that traditional IdM systems entail. Therefore, we decided to consider papers published after 2012, taking a two year buffer time.

3) LIMITATIONS
The study was limited to (i) two databases, (ii) English papers (iii) published between January 2013 and January 2021. Relevant papers were identified exclusively by searching databases. Thus, another limitation is that we (iv) did not utilize the snowballing effect nor add additional resources while studying the full text.

D. INCLUSION AND EXCLUSION CRITERIA
To filter out relevant papers, obtained from the previous step, a set of inclusion and exclusion criteria have been defined ( Table 1).
The screening process was carried out gradually, as presented in Fig. 2. Firstly, papers were obtained based on (i) the search string application in defined databases. Then, eliminated based on (ii) year and publication type, (iii) title, abstract, and keywords, and finally, based on (iv) full-text screening.
Following the application of the criteria, 120 studies were collected in the final phase and are listed in the appendix.

E. CLASSIFICATION SCHEME
While screening research papers, a classification scheme was defined based on key concepts extracted from the titles, keywords, and abstracts. Screening allowed us to determine the context of individual research and gain a broader insight into the research field. We focused on several aspects that reflect pre-defined research questions and serve as representative categories, namely: (i) contributions, (ii) domains,  (ii) IT fields, (iv) place of publication, (v) type of research, and (vi) research methods used. Categories and subcategories were then used as a basis for paper classification and result visualization (systematic maps) and can be seen in Table 2. Each identified paper was classified into one or more categories, respectively.
Research papers included can introduce several contributions in the field of decentralized identity (novel system/solution, architecture, model, scheme, framework, method, etc.) and can focus on different IT fields (IoT, security, privacy, and trust, usability, user experience, etc.) in various domains (education, healthcare, transport, supply chain, banking, and finance, etc.). Based on identified research activities, and the researched methods used (analysis and synthesis, prototyping, experiment, survey, etc.), papers can be categorized according to the classification proposed by Wieringa et al. [43], which have proposed the classification of research papers with evaluation criteria extension. They have identified six types of research papers: Solution proposal, Validation research, Evaluation research, Philosophical/conceptual papers and Experience/experiential papers.

1) Solution proposals contain a proposal for a novel or sig-
nificantly improved solution, like architecture, model, framework, etc., without full-blown validation or implementation of the proposed solution. 2) Validation research contains validation of the proposed solution, either by prototyping, conducting an experiment, simulation, mathematical analysis, mathematical proof of properties, etc., but has not been used in realworld scenarios. 3) Evaluation research, unlike validation research, contains the proposed solution that solves a problem and has been implemented and tested in real-world scenarios. 4) Philosophical/conceptual papers focus on concepts and include a new way of looking and thinking. They usually contain proposals for new perspectives on a theoretical level. Unlike Wieringa et al. [43], we slightly modified evaluation criteria. Since primary and secondary papers were included in our research, surveys, SLRs, and SMS were mainly classified into this category. 5) Opinion papers contain the author's personal viewpoint on a given subject, either positive or negative. 6) Experience/experiential papers consist of lessons learned and a description of the author's personal experience in using, for instance, a framework, a tool, a system, or other solutions.
By analyzing papers, we were able to classify them accordingly.

V. RESULTS AND SYSTEMATIC MAPS
After obtaining papers that meet the inclusion criteria and after classification scheme definition, we have begun with information extraction and categorization of papers according to their contribution type, domain, IT field, research type, research method, and place of publication. We also recorded whether the article addresses SSI or whether it was merely a decentralized identity and noted if it mentioned the term Self-Sovereign Identity, decentralized identifier, and verifiable credentials.

A. CONTRIBUTION
Finally, we carried out a systematic mapping process which resulted in several maps and visualizations addressing different research perspectives. The final classification map shown in Fig. 3 gives an overview of the number of studies regarding contribution research type, domain, and IT field. It shows which contributions have been introduced in the field of . Classification map focusing on the demarcation between decentralized and Self-Sovereign Identity, regarding contribution, domain, and IT field, as well as a representation between papers addressing decentralized versus Self-Sovereign Identity.
decentralized identity (RQ1.1), what type of research has been conducted in relevant research papers (RQ1.3), in which domains were decentralized identity studied/applied (RQ1.4) and which IT fields are the most often addressed regarding decentralized identity (RQ1.5). Therefore, the result of the classification map answers the first research question, except for the second sub-question (RQ 1.2.), which addresses the ratio between Self-Sovereign Identity and decentralized identity solutions proposed or validated. The latter is displayed in the classification map in Fig. 4.

B. DEMOGRAPHY
To answer RQ2.1, the number of papers published each year has been counted and is displayed in Fig. 6. To address RQ2.3., we have also recorded active countries, according to the organizational affiliation of the authors. The results of the analysis are displayed in Fig. 7.
In order to answer RQ2.2, regarding relevant papers dissemination, we recorded the publication title for each analyzed study and categorized them as journal, magazine, conference, symposium, summit, forum, workshop, or congress. Fig. 8 shows the share of published papers in each category and mapping between papers contribution and its place of publication is presented in 5.

VI. DISCUSSION
By analyzing and visualizing the results obtained from the SMS, we can draw some conclusions and answer the research questions defined earlier.
The number of included papers (RQ2.1.) regarding decentralized identity has increased over the years. Exponential growth can be observed in Fig. 6. However, note that the search was conducted in January 2021. Therefore, there were less papers published in 2021. Consequently, we assume that new papers have been added to the databases as we continued the SMS process.
From 2017 to 2018, the number increased by 83.3%, from 2018 to 2019 by 58.6% and from 2019 to 2020 by 50.0%. If we consider overall growth, from 2017 to 2021, the number of papers grew by 96.7%.
The distribution between databases is as follows. Overall, 120 papers were identified and included in this study, 108 papers (90%) from IEEE Xplore, and 12 papers (10%) from the Science Direct database. 68 papers (56.7%) have been published in conference proceedings, 29 (24.2%) in journals, and 10 in Symposiums (8.3%). The rest were published in summits, magazines, forums, workshops, and congresses, respectively, as displayed in Fig. 8 (RQ2.2).
Based on the analysis, 82 publications were identified, while the following are only publications in which three or more relevant studies were published ( From the perspective of the organizational affiliation of the researchers (RQ2.3), the country that has contributed the most in the field of decentralized identity is the United States VOLUME 9, 2021 of America (23 studies -19.2%). It is followed by China (16 studies -13.3%), the United Kingdom and Germany (14 studies each -11.7%), Canada (12 studies -10.0%), France (8 studies -6.7%), India (7 studies -5.8%), Greece and Saudi Arabia (5 studies each -4.2%), the United Arab Emirates, Portugal, Japan and Australia (4 studies each -3.3%), Switzerland, and Malaysia (3 studies -2.5%). The states listed above contributed more than two studies, while in the Appendix, a list of all countries is provided.
As previously mentioned, Fig. 3 indicates the study's contribution intersecting the IT field, domain, and research type.
By analyzing the papers' contributions to the field of decentralized identity (RQ1.1.), it can be concluded that the largest amount of primary studies proposed system/solution (32 studies -26.7%), architecture (22 studies -18.3%) and framework (22 studies -18.3%). On the other hand, there are just a few papers addressing methods and defining the concept (7 studies -5.8%), protocols (5 studies -4.2%), specifications i.e. evaluation criteria (4 -3.3%) and just one paper that proposed patterns (1 study -0.8%). Secondary papers mostly compare or evaluate existing solutions (22 studies -18.3%), provide an overview of the field (among the results in the other category) ether in a systematic on the nonsystematic way, and present challenges, opportunities, and future research directions.
From the pool of papers that have conducted validation research, evaluation research, or proposed solutions, 66.7% of papers addressing SSI while 33.3% of papers are decentralized but not self-sovereign (RQ1.2). On the other hand, among all papers, secondary and primary ones, 82 papers (68.3%) used the term ''Self-Sovereign Identity'', while 68 papers (56.7%) discussed the use of decentralized identifiers (DIDs) and/or verifiable credentials (VCs), indicating the recognition of the concept and the potential of DIDs and VCs for the implementation of SSI.
Besides the differentiation between decentralized and Self-Sovereign Identity, across the examined research, different levels of decentralization were also observed. For example,   the solution proposed by [44] uses a central server for storing key-pairs, while [45] mentioning an approach to key backup and recovery using trusted third-party repositories. Some solutions rely on gateways that can introduce centralization to a certain extent [46], [47] and some utilize centralized servers that are responsible for mediating between involved entities and serve as intermediaries for storing encrypted identity attributes [18]. Moreover, solutions use different types of blockchains and vary in the number of nodes, therefore possessing different levels of decentralization.   of decentralized and Self-Sovereign Identity is well known. However, implementation independence is reflected in the absence of precisely defined architecture. Therefore, many studies propose and present proofs-of-concept for different IT architectures. However, the best implementation is still a matter of research, circumstances, and the application domain. The absence of studies addressing user experience (UX) and usability in decentralized identity systems is not surprising. Before tackling the latter, a strong foundation with an emphasis on security and privacy is needed. Without strong fundamentals and good architecture, there cannot be patterns and good practices.
Most of the included papers have studied decentralized identity in general (69 studies -57.5%), not focusing on a specific domain (RQ1.4.). We believe the generalization is a consequence of the novelty. Within any new research field, it is necessary to first objectively and generally define basic principles, concepts, and architecture. Only then can the findings be applied to other areas and be explored further. However, application in some domains is already happening.
With the COVID-19 outbreak, the potential and the need for decentralized and Self-Sovereign Identities was further recognized [48]- [52]. Especially as it can be used for the identification of individuals who have already been vaccinated or tested negatively within a stipulated time and can mitigate the spread of the virus. Furthermore, it can ensure privacy and security of personal information, and therefore quickly gain trust within a society. Shuaib et al. [48] reviewed the aspects of SSI application. Meanwhile, Gans et al. [49] focused on SSI possibilities for undocumented individuals during the pandemic. Hasan et al. [50] designed, implemented, and evaluated digital medical passports with immunity certificates for COVID-19 test-takers, employing Self-Sovereign Identity. Similarly, Xin [51] introduces GreenPass, a solution utilizing DLT, decentralized identity, verifiable credentials, and distributed storage. Bandara et al. [52] developed Connect, an identity wallet  for storing digital identities and activity trace data on the blockchain utilizing Self-Sovereign Identity proofs.
Concerning research type (RQ1.3), the emphasis is mainly on validation research (57 studies -47.5%) and solution proposals (36 studies -30.0%) providing new solutions. On the other hand, there is very little evaluation research (1 study -0.8%), which could be linked to the fact that decentralized and Self-Sovereign Identity is still in its early stages of research. Conceptual papers (22 studies -18.0%) provide overviews of the research area and/or describe and analyze existing decentralized solutions while providing a list of opportunities and challenges that need to be addressed in the future.

VII. CONCLUSION
Decentralized identity, narrowly Self-Sovereign Identity (SSI) is a new, user-centric approach to digital identity on the internet that has emerged with the rise of decentralized technologies. It is gathering momentum in academia and industry, as it can solve some of the problems of traditional identity management approaches, primarily related to the aspects of security and privacy. It provides a means for digital identification while enabling users to remain in control of their identifiers and associated identity data by minimizing their reliance on third parties.
With the rise of blockchain technology and its application in different domains, the identity community recognized its potential as blockchain features coincide with some desired properties of digital identity. Thus, since the first discussions in 2015, the number of research papers addressing decentralized and Self-Sovereign Identity has increased rapidly, accumulating knowledge and paving the way for a new era of digital identity. However, the field is still new, unstructured, in the early stages of research, with many research opportunities and challenges. Therefore, this study presented a systematic mapping study with the aim of structuring the research area, identifying existing research topics, gaps, challenges, and opportunities for future research. It provides a broader insight into the field of decentralized and Self-Sovereign Identity by gathering, analyzing, and classifying the research papers according to their contribution, application domain, IT field, research type, and method, as well as a place of publication.
An analysis of the results suggests that the number of papers has been growing exponentially over the years, while distribution in conference proceedings predominates (56.7%) and is followed by distribution in journals (24.2%) and symposiums (8.3%). Most papers were published in the journal IEEE Access (5.8%) and the most active state, according to the authors' organizational affiliation, is the United States of America (19.2%).
Validation research (47.5%) and solution proposals (30.0%) prevail, with the prototyping method, generating proofs-of-concept, predominating (40.0%). The identified papers mainly propose systems/solutions (26.7%), architectures (18.3%), and frameworks (18.3%), some compare existing studies (18.3%), while just a few papers address the methods, protocols, patterns and specifications, i.e. the evaluation criteria to determine if a decentralized identity solution is SSI or not.
In most cases, research is conducted generally (57.5%), not focusing on a specific domain. Despite this, the potential in various areas, such as transport, healthcare, banking and finance, government, is also recognized.
With (i) the increased number of research, (ii) solid definition/understanding of the concept, architecture, and its individual components, and (iii) all efforts towards standardization, in the future, we can expect more narrowly focused research, i.e. specializations for each area with specifics accessed. Moreover, it would be useful to (i) differentiate research according to the type of entities involved in the interactions, such as individuals, organizations, things, etc. and (ii) precisely define which properties the system should utilize to be recognized as self-sovereign, while (iii) investigating the extent to which decentralization is possible at all and (iv) analyze the usability and user experience of SSI. Thus, our future research might focus on conducting an SLR or analyzing the impact of usability and user experience on SSI adoption. Table 3.

APPENDIX. PUBLICATIONS
See Table 4.

APPENDIX. INCLUDED PAPERS
ŠPELA ČUČKO received the master's degree in informatics and technology of communication from the Faculty of Electrical Engineering and Computer Science, University of Maribor, where she is currently pursuing the Ph.D. degree in computer science. She is currently a Young Researcher with the Institute of informatics and a member of the Research and Development Group named Blockchain Lab:UM. Her current research interests include digital, decentralized, and self-sovereign identities.
MUHAMED TURKANOVIĆ is currently the Head of research and development at Blockchain Lab:UM, Maribor, Slovenia; an Assistant Professor at the Faculty of Electrical Engineering and Computer Science, Institute of Informatics, University of Maribor (UM), Slovenia; the Head of operations at Digital Innovation Hub UM; and the UM's coordinator of the H2020 Project DE4A-Digital Europe for All. He was a Managing Director and a CTO of an IT Company, from 2013 to 2016. His current research interests include advanced database technologies, cryptography, digital identities, and blockchain. VOLUME 9, 2021