Verifiable Credentials and the Story Behind a Credential
Verifiable Credentials and the Story Behind a Credential
Steve Wilson is former VP and Principal Analyst at Constellation Research, leading the business theme Digital Safety and Privacy. His coverage includes digital identity, data protection, data privacy, cryptography, and trust. His advisory services to CIOs, CISOs, CPOs and IT architects include identity product strategy, security practice benchmarking, Privacy by Design (PbD), privacy engineering and Privacy [or Data Protection] Impact Assessments (PIA, DPIA). Coverage Areas: - Identity management, frameworks & governance- Digital identity technologies- Privacy by Design - Big Data; “Big Privacy”- Identity & privacy innovation Previous experience: Wilson has worked in ICT innovation, research, development and analysis for over 25 years. With double…...
Read moreVerifiable credentials are one of the most important elements of digital identity today.
What exactly does a verifiable credential verify?
And while we’re on the subject, what is a credential anyway?
Let’s start with existing analogue credentials. Thanks to the vagaries of the English language, “credential” can be a verb or a noun.
Credentialing
The noun credential usually refers to “a qualification, achievement, quality or aspect of a person’s background, especially when used to indicate their suitability for something” (Ref: Oxford Languages).
There’s a subtle implication in the everyday use of the word. A credential is generally associated with criteria for its particular quality and suitability. These criteria are not always visible, especially to laypeople, but we sort of know they’re there!
Consider professional credentials. A would-be accountant for instance must obtain a particular degree by passing certain tests set by a university. In addition, that degree must be approved by a professional accounting body.
So, in this sense, every credential is an abstraction which represents that the holder has satisfied certain rules. Every important credential has meaning and context.
As a verb, “credential” means to provide someone with credentials. This might seem obvious, but I think it’s the more important sense of the word.
A credentialing process is a formal (rules-based) sequence of events, which has usually been designed to approve the holder for undertaking specific activities. There is a tight relationship between the credentialing process and the intended use of the credential.
Examples include the onboarding of new employees, enrolment in university courses, admission to professional associations (including recognition of international qualifications), approval of journalists to attend special events such political conventions, security clearances, and nations’ citizenship requirements.
Credentialing processes are famously conservative. They are the sovereign concern of nations, and mission critical to academic institutions and professional societies. Right or wrong, professional credentials are notoriously provincial and difficult to have recognized between jurisdictions. Credentialling bodies zealously represent their communities of interest and they reserve the right to set rules as they see fit.
Going from physical to digital credentials
Traditionally, many credentials are physically manifested as cards, membership tokens and other badges, used by the holder to prove their status to others. These items provide a number of cues that a credential is genuine, the issuer is legitimate, and the credential hasn’t been modified. Some credential cards include photographs which help to show that the credential is in the right hands when presented.
By the way, the plastic card itself is sometimes called a “credential”. It is more useful to think of it as a carrier or container of credentials, especially as we shift from analogue to digital.
Yet in the move to digital, most credentials in the abstract sense retain their essential meaning.
For example, a government-authorized Medicare provider can sign off on healthcare treatments to be reimbursed. That provider should be able to assert precisely the same authority in digital health workflows.
Credit cards as credentials
A credit card is a token which signifies that the holder is a paid-up member of a payment scheme. The principal data carried by a credit card is a specially formatted number (known as the Primary Account Number or PAN) which encodes membership of the scheme, identifying the cardholder, the scheme and the issuing bank. Note that a credit card is a container that usually carries just one credential.
Credit card numbering has remained unchanged for decades. With the introduction of e-commerce, shoppers were able to use their card numbers online, thanks to Mail Order / Telephone Order (MOTO) rules. These has been established years before e-commerce, to allow merchants to accept plaintext card numbers in card-not-present (CNP) settings.
To combat CNP fraud, the Card Verification Code (CVC) was introduced — an additional number on the back of the credit card that would not be registered by merchants’ card imprinting machines and then vulnerable to dumpster diving identity thieves.
The CVC is a classic example of security metadata — an extra signal used to confirm the data that really matters (in this case, the credit card number). Credit card call centre operators had access to back-office lists of PANs and matching CVCs; if a caller could quote the CVC correctly, it was assumed they had the physical card in their hands.
Enter cryptography
Verifiable credentials (VCs) are the strongest mechanism today for asserting important personal attributes, such as driver licences, professional qualifications, vaccinations, proof of age, payment card numbers and so on. VCs are central to the next generation European Union Digital Identity (EUDI), the ISO 18013-5 standard mobile driver licences (mDLs) and the latest digital wallets.
Several new VC data structure standards are under development, including the World Wide Web Consortium (W3C) VC data model and ISO 18013-5 mdocs. Older forms of VC include cellular network SIM cards and chip payment cards.
All forms of VC include the following:
- information about a particular “Subject” (usually a person, also referred to as the credential holder) such as a licence number, account number or other ID
- the digital signature of the issuer
- usually a public key of the Subject, used to verify signed presentations of the VC made from a cryptographic container or wallet
- metadata about the credential, such as its validity period and the type of container or digital wallet it is carried in, and
- metadata about the issuer, such as a company legal name, corporate registration number, Ts&Cs for credential usage etc.
The digital signature of the issuer preserves the provenance of a verifiable credential: anyone relying on the VC can be assured of its origin and be confident that the credential details have not been altered.
When a VC is presented from a cryptographically capable wallet, a message or transaction incorporating the credential can also be digitally signed using a private key unique to the credential and carried in the container or wallet. This assures the receiver that the credential as presented was in the right hands.
This verifiable presentation proves the proper custody and control of the credential and is just as important as verifiability of a credential’s origin.
Telling the story behind the credential
Provenance and secure custody are unique assurances provided by verifiable credentials, but I think the greater power of this technology lies in the depth of the metadata it provides.
VCs deliver rich ‘fine print’ about all sorts of things including the credential, the issuer, the wallet or container, and the way in which it was presented, all of which is reliably bound together through digital signatures.
So, whenever you use a VC to access a resource or sign a piece of work, you leave behind an indelible mark that codifies the history of your credential.
As mentioned, a credential is issued through a formal process, and is recognized by a community of interest as signifying the suitability of its holder for something.
For a person to hold a verifiable credential in a personal cryptographic wallet, a series of specific steps must have taken place.
First and foremost, the Issuer will satisfy itself that the Subject meets all the credentialling requirements. A VC usually includes a public key unique to the Subject and their wallet; this physicality means the Issuer can be sure that it hands out its credentials only to the correct individuals. It also allows the Issuer to specify the precise type of device(s) used to carry its credentials — all the way down to smart phone model and biometric performance if those things matter under the Issuer’s security policy.
Virtual credit cards in digital wallets
Continuing our look at credit cards as credentials, the provisioning of virtual credit cards to mobile wallets illustrates the degree of control that a VC issuer has over the end-to-end process.
Typically, a virtual credit card is provisioned to a digital wallet via a mobile banking app running on the same device. Banks control over how their apps are activated. Almost anyone can download a banking app from an app store but only a genuine customer can get the app to do anything, following their bank’s prescribed activation steps (which might include e.g. entering account specific details, calling a contact centre, or even visiting a branch for additional checks). Only then will the bank send secure instructions to the device to load a virtual card. The customer will need to unlock their phone (by biometric or PIN) to complete the load.
Behind the scenes, any bank offering mobile phone credit cards must have also made prior arrangements with the phone manufacturer to gain access to the hardware. Apple and Google (the major digital wallet platforms) undertake rigorous due diligence so that only legitimate banks are granted this all-important power.
All this history is coded as metadata into the verifiable credential. When a merchant point-of-sale system receives a signed payment instruction from a digital wallet, we can all be sure that:
- the digital wallet has been unlocked by someone who controls the phone
- the credit card is genuine and was issued by the bank indicated in the credential
- the card was loaded to the wallet by a customer who was approved to use the mobile banking app and was authenticated to do so (making it highly likely that the mobile phone customer and the cardholder are the same person)
- the cardholder is a registered customer of the bank and has passed that bank’s KYC processes.
The VC can include the type of phone it is carried in; it is even possible for the VC to record if the virtual card was issued remotely or in-person.
Minimalist VCs
The acute problem with online authentication today—often given the catch-all label “identity theft”— arises from the use of plaintext credentials and identifiers.
There are countless scenarios where a counterparty needs to know you have a particular credential, but if the only evidence you can provide is a plaintext number, then businesses and individuals alike are sitting ducks because so many identifiers have been stolen in data breaches and traded on black markets.
The simplest, lowest risk solution is to conserve the important IDs we are all familiar with, but harden them in digital form, so they cannot fall into criminal hands.
That might sound complicated, but we have done it before!
The payment card industry transitioned from magnetic stripe to chip for the same reason: to eliminate plaintext data. Chip cards present cardholder data through digitally signed verifiable messages — making them one of the earliest examples of verifiable credentials.
Digital wallets use the same technology as chip cards and are rapidly taking over from plastic. The Reserve Bank of Australia reports that well over one third of card payments by Australian consumers are now made through mobile wallets. Similar rates of digital wallet take-up is seen post-COVID around the world.
Through the course of this technology upgrade, the meaning and business context of credit cards were unchanged. The conservation of credentialing processes was key to the chip revolution.
Minding your business!
In any digital transformation, it is not the new technology that creates the most cost, delay and risk; rather it’s the business process changes. The greatest benefit of verifiable credentials is they can conserve the meaning of the IDs we are all familiar with, and all the underlying rules.
The real power of VCs lies not in what they change but what they leave the same!
A minimalist verifiable credential carrying a government ID means nothing more and nothing less than the fact that the holder has been issued that ID. By keeping things simple, a VC avoids disturbing familiar trusted ways of dealing with people and businesses.
Minimalist VCs could be issued by governments almost immediately, to carry for example social security numbers, national IDs, Medicare numbers, immigration status and/or health information, as applicable. Digital workflows created using these VCs are faster, more accurate, more durable, lower cost, and much much harder to impersonate, counterfeit or tamper with.
Powerful digital wallets are being rapidly embraced by consumers; modern web services are able to receive credentials from standards-based devices. We are ready to transform all important IDs from plaintext to verifiable credentials. Most people now could present any important verified data with a click in an app, with the same convenience, speed and safety as showing a payment card. With no change to backend processes and credentialing, we would cut deep into identity crime and defuse the black market in stolen data.
Digital Safety, Privacy & Cybersecurity Chief Data Officer Chief Digital Officer Chief Financial Officer Chief Information Officer Chief Information Security Officer Chief Supply Chain Officer Chief Technology Officer
Tan, speaking at VMware Explore in Las Vegas, said:
