What Are Verifiable Credentials? Secure Digital Identity Verification (2023)

Most internet users presently have a singular relationship with each service they use or subscribe to on the internet, considering the modus operandi of the web 2.0 internet. Most websites presently operate on web 2.0 at the time of this writing. Many websites require users to register with their platforms afresh, e.g., Amazon, Netflix, Facebook, Upwork, Airbnb, etc. Due to this singular relationship between email and passwords, users can present varying identities and credentials at different times.

Many service providers have the internet fully integrated into their services, including financially related services where KYC is needed. Many service providers use e-KYC, the electronic version of KYC to reduce unnecessary bureaucracy. As a result, users will upload digital copies of their credentials, such as social security cards, driver’s licenses, international passports, etc. In this context, verifiable credentials emerge as a solution to enhance trust and security in digital identity management. This guide will explore the concept of verifiable credentials, how they work, and their potential benefits.

The Need for Verifiable Credentials

While some companies have advanced systems to confirm the legitimacy of digital credentials, many organizations lack the resources to do so. This raises concerns about fake credentials going unnoticed. In fact, a 2019 survey by Greenhouse Treatment Center revealed that thousands of Americans have used or own fake IDs.

The example above is just one of many industries that must verify users’ identities and credentials, including healthcare, social media, job platforms, and freelancing websites. Digitizing credentials has become a popular solution that saves both time and resources for users and companies.

For example, digitalizing credentials saves companies time and resources. It removes the need for many employees to attend to hundreds of customers physically or via email just to confirm their identities and credentials. However, this technological solution also has its downsides, such as the increase in fake identities. This raises the question of whether there is a way to curb this problem and confirm a user’s credentials without any doubt that they are who they claim to be.

When verifying users’ credentials, questions arise such as whether a user truly graduated from Harvard Business School or whether they have received the COVID-19 vaccine as claimed. It can be time-consuming to confirm credentials through phone calls or emails. Therefore, is it possible to confirm credentials directly from the issuer within seconds? Can Verifiable Credentials be the solution to the issues faced during the digitalization of credentials? While it’s unclear if Verifiable Credentials are the ultimate solution, this article provides insights on how they differ from traditional credential verification methods.

What are Credentials?

Credentials are often used as proof of a person’s achievements, qualifications, experience, awards, or other aspects of their life that indicate their suitability for a particular position, role, or employment. A typical physical credential can contain the following:

1. A description of the owner or subject of the credential, such as a name, photograph, identification number, etc.
2. Details, trademarks, or symbols of the issuing authority, such as the U.S. great seal, state government symbols, government agencies’ logos, health centers’ logos’ and educational institutions’ trademarks.
3. Specific information the credential carries, such as ahealth insurance card, an international passport, areceipt or proof of house ownership, or adriver’s license.
4. The way in which a credential, such as a university graduation certificate, was obtained provides information on whether the student has completed the required number of years for the course.
5. Evidence of grade or rating, such as students that graduated with first class, second class upper or lower according to the U.K. grading system, a student awarded with the tag of “best graduating student,” best performing actor, doctor, governor, mayor, etc.
6. Credentials’ limitations or constraints, such as expiration dates, conditions for validity, or terms of use.

Understanding “Verifiable Credentials” requires a foundation of what credentials are. The above list shows examples of the different types of information contained in a credential. As you will discover in this article, verified credentials aren’t just credentials but a technological advancement that makes transferring and confirming credentials easier, faster, and more secure.

What are Verifiable Credentials (VCs)?

Verifiable Credentials (VCs) are cryptographically enabled digital credentials that are secure and tamper-evident through digital signatures. VCs are not just digital versions of physical credentials. They are a technological advancement that makes transferring and confirming credentials easier, faster, and more secure. With VCs, new credentials can be issued quickly and presented to organizations or individuals for verification purposes.

One of the key advantages of VCs is that they provide users with a greater level of privacy. With verifiable credentials, users can choose to only disclose the facts about the requested information, credentials, or identity without revealing any other personal information. For instance, the traditional procedure for submitting proof of graduating from Harvard University would be to submit a physical or scanned copy of the certificate. This reveals the user’s graduation grade and year of graduation. However, with VCs, users can submit a “Yes or No” response backed by verifiable proof, e.g., Yes, I attended Harvard University, or No, I didn’t. In seconds, the organization or employer can verify this credential from Harvard University using their digital signature (public key cryptography).

What is a Verifiable Presentation?

A Verifiable Presentation is an essential component of verifiable credentials. It is mostly how users interact with the organization or entity. This type of presentation allows users to combine data from one or various credentials while still making the source or authorship of the credentials verifiable. Using different credentials, a user can assemble different pieces of data to meet the needs of an asking company or party. These data are combined and presented in an organized manner without losing their authorship or authenticity as issued by the issuers.

Advantages of Using Verifiable Presentations

For example, a company may request the following data when a potential customer requests a service: name, nationality, proof of education, proof of employment, and proof of insurance. To meet this request, a minimum of three separate credentials would be needed. However, if submitted in the traditional approach, i.e., submitting physical copies of these credentials, the downside is that each of these credentials will contain additional information that is not relevant to the requirement of the asking party. For instance, the proof of employment may show the company name, and the address may be visible if an international passport is used as proof of nationality. The insurance card may contain the policy number and date of registration.

All this extra information would be exposed for no reason. This is where verified presentation comes into place. It allows users to submit only the data they need from their existing credentials. The required pieces of data would be selected and submitted as one verified presentation after it is signed with the sender’s digital signature. In addition, verified presentations use a digital signature to prove authenticity and protect privacy. This allows the user to choose what information to share, while ensuring the presentation’s authenticity.

What is a Digital Signature?

A digital signature is an electronic signature equivalent to a handwritten signature or stamped seal. It enhances transparency, integrity, and makes credentials tamper-evident, making it a crucial component of verifiable credentials (VCs). The digital signature is essential to the trust model of the verifiable credential ecosystem. It assures the receiver (verifier) that the shared credential or verifiable presentation belongs to the claimed sender.

For instance, suppose a user submits a verifiable presentation to an employer by combining pieces of data from the credentials in their digital wallet. The user uses two keys, the private key and the public key, to digitally sign the verifiable presentations. The private key, which only the issuer has access to, is then used to encrypt the credential. Using the public key, the verifier or public can decrypt and verify if the user has indeed issued the credentials.

What is a Digital Wallet?

A digital wallet is a secure repository for users or holders of verifiable credentials (VCs) to store their credentials and share them with authorized parties. It is the electronic equivalent of a physical wallet that holds credit cards, driver’s licenses, insurance cards, and other important documents. However, a digital wallet is more secure due to the use of blockchain technology. Users can present their identification from their physical wallets when physical identification is necessary, such as when interacting with law enforcement. Similarly, the issuer can utilize a digital wallet to present verifiable credentials, increasing security through the use of cryptography and the issuer’s public key.

The Verifiable Credentials Ecosystem

1. Issuer

This is the organization or authorized individual that issues a credential to a user. This entity can be a school, healthcare center, bank, company, government agency, or individual. For example, the University that issues a graduating certificate to students is the issuer. In giving a credential to a user, the issuer uses different methods to prove their competence and authority to issue such a credential.

2. Holder

The receiver of the credential issued by the issuer is the second entity in the VC ecosystem. In line with the illustration above, each student that receives the certificate issued by the University is a holder. The holder has complete control over the people or organizations with whom they share the credential(s). They can also revoke access from any group with whom the credential(s) was previously shared. In addition, the holder can hold the issued credential on a digital wallet locally, such as on their mobile phone. They can also choose to have them backed up online or store everything on the cloud.

3. Verifier

This entity completes the communication circle in the VCs ecosystem. In this case, the holder presents issued credentials to the verifier, who requests credentials be submitted. The verifier confirms the credentials’ authenticity through cryptographic communication with the issuer. Public-key cryptography enables the verifier to detect alterations, validity, or expiration within seconds.

How Does a Verifiable Credential Work?

The process of verifying credentials starts with the issuer, then moves to the holder, and finally to the verifier, who confirms the credential’s authenticity. For example, a university (issuer) awards a cryptographically signed certificate to a graduating student (holder). The student presents it to an employer (verifier). The employer verifies the certificate’s authenticity by checking the decentralized blockchain database. However, it’s worth noting that the blockchain doesn’t store holders’ verifiable credentials. It only stores information and keys necessary to prove authenticity.

The certificate’s authenticity would be proven if the public key attached to the certificate matched that of the issuer (the university). This process will make the employer know if:

1. The issuer has the authorization to award the certificate.
2. Someone has tampered with the verifiable credential.
3. The credential has expired or the right to access it has been revoked.
4. The issuer authority matches the employer’s expectations. For example, the employer might want to hire a Harvard graduate rather than a Columbia graduate.

The Verifiable Credentials Trust Model (The Trustless System)

Without the holder, there would be no credential to issue or verify. The holder serves as the connecting link between the Issuer and the verifier. Verifiable credentials enable a trust model that does not require hours of communication or permission to establish. Instead, it creates a trust model where the Issuer trusts the holder as a worthy candidate for the issued credential. More importantly, the verifier trusts the Issuer as a competent organization, agency, or individual to have awarded the required or submitted credential. Similar to a trustless system, this mechanism makes different parties agree on a single truth and credential authenticity.

Notably, any entity, whether an organization or an IoT device, can assume any of the three roles in the ecosystem and Trust Model of VCs. Furthermore, IoT devices integrate into the development of web 3.0, which also supports the VCs Data Model. If anyone can play these three roles, the verifier can specify in its verification requirements whether it trusts a particular issuer’s competence.

The law firm that only employs Harvard graduates can set up a verification specification that disqualifies credentials from other law programs or universities. This is just one example of a specification a verifier can provide.

Verifier’s Criteria

Below is a list of other specifications that a verifier can request to assess the issuer’s competence and authority or define the required dataset from the holder. This can determine the data that makes up the holder’s verifiable presentation:

1. The kind of credential.
2. The format type of the credential.
3. The use of a specific type of cryptography.
4. The holder’s names (excluding the date of birth, address, etc.)
5. The holder’s proof of education, excluding the graduating grade.
6. The holder’s age is only without any other information.
7. Credentials issued by a specific U.S. state.
8. Credentials issued by a specific country, etc.

Key Components of Verifiable Credentials

A verifiable credential ecosystem consists of the issuer, the holder, and the verifier. However, what are the different parts that make up VCs?

1. Credential Metadata — This includes the credential identifier and any conditional information, such as terms of use and expiration date. The issuer encrypts and cryptographically signs this.
2. Claim(s) — The tamper-proof component of VCs includes details about the individual who received the credential. These details may include claims, awards, achievements, job title, employee number, course of study, graduate grade, date of birth, nationality, and other relevant information related to the purpose of the credential.
3. Proof(s) — This section encodes information about the issuer of the VC, including proof of VC authenticity. It shows if the conveyed claims have been tampered with.

The Benefits of Verifiable Credentials

The traditional procedure for issuing and presenting credentials has its flaws, one of which is the purchase and use of fake credentials, as covered by BBC News. Thousands of UK professionals were found in 2018 to have patronized globally unrecognized fake institutions for certificates. For these reasons and many more, Verifiable Credentials have developed and continue to grow. Verifiable Credentials (VCs) make it difficult for individuals to use fake credentials, bringing sanity to the world of credentials. This is due to the easy verification process that verifiers can carry out without stress. The following are the benefits of Verifiable Credentials:

1. Instant Verification

Credential authenticity can now be verified within seconds as opposed to the traditional process that takes hours, days, or weeks. Due to these long delays or silence from the issuing organizations, some fake credentials go unnoticed. There is no communication between the issuer and verifier during this instant verification of VCs. Verification is done through the existing digital signature protocols (public key).

2. Secure and Tamper-proof

The security of credentials is another benefit of VCs. Public key cryptography (digital signature) protects both data and the sharing process. This assures individuals that their credentials are safe. However, due to encryption before transmission, an unwanted party cannot access the files or credentials.

3. Limited Access

With a digital signature, external parties have limited access to your credentials. This means that unauthorized entities would not have access.

4. Full Ownership and Control

The issuer(s) send verifiable credentials to the holder, who stores them in a digital wallet. The holder decides which information to share via a verifiable presentation, based on discretion and verifier requirements.

5. Privacy Protection

When privacy or data leaks come up, people often think of hackers. However, hackers mainly exploit existing vulnerabilities or loopholes. Government agencies, internet service providers, and others can legally or illegally monitor your online activities. VCs prevent unauthorized access to personal data by exchanging digitally signed information between issuer and holder. Encryption applies during data transmission from holder to verifier, creating layers that ensure privacy and data protection.

6. Easy to Use

Because verifiable credentials are open standards, they are easy to implement by developers and easy to use by end users. Creating a user-focused UX can make the usage of verifiable credentials more appealing to end-users. They can combine different pieces of data from different credentials as a verifiable presentation and share it with other verifiers.

7. Interoperability and Compatibility With Other Systems and Credentials

As previously mentioned, one can easily merge data from VCs for presentation and use in different contexts. When confirming age for a service, an individual can utilize a VC to provide proof of age. Furthermore, combining information from multiple VCs can verify age, nationality, and employment status concurrently. Combining a single VC with another credential can establish an individual’s eligibility for medical services and other purposes. The digital wallet allows you to share only the necessary data. This helps protect sensitive information and restricts access to authorized parties.

The Role of Decentralized Identifiers (DIDs) in Verifiable Credentials

DIDs utilize digital signatures and other web 3.0 components to publicly identify and verify users or entities on the decentralized blockchain. This process ensures the authenticity of the verified identities. DIDs are unique global identifiers built on the decentralized blockchain, in contrast to the popular centralized registries utilized today.

DIDs are crucial in proving the identity of entities connected to Verifiable Credentials. Entities use the private key to cryptographically and permanently attach their identity to every credential issued or held. DIDs are unique technology that verify the identity claims of any entity, whether it is the issuer, holder, or verifier. The issuer uses the public key during verification to attest to all VCs submitted by the holder to the verifier.

Please click here to learn more about the importance of decentralized identifiers (DIDs) within the World Wide Web Consortium (W3C).

Conclusion

Verifiable Credentials have brought about a range of benefits to the transmission and verification of credentials. These benefits include ease, privacy, security, portability, and decentralization. Nowadays, banks and financial institutions possess better tools to verify the identity of their customers (KYC). At the same time, consumers can quickly submit their credentials when required, all while maintaining autonomous control.

This technology, built on web 3.0, is gradually making inroads in the market through different large enterprises, as evidenced by the 2021 Grand View Research survey. Decentralized identity plays a significant role in the swift adoption of VCs and DIDs by large enterprises. This approach removes the burden of storing and protecting user data. Enterprises have carried this responsibility for a long time. Blockchain, the framework on which this development is built, is responsible for this.

Identity.com

In the 21st century, verifying a user’s identity and the authenticity of their credentials has become increasingly urgent and crucial. Building on the decentralized ecosystem framework, VCs and DIDs are revolutionizing existing structures and offering new solutions. It’s exciting to see Identity.com playing a role in shaping this desired future as a member of the World Wide Web Consortium (W3C), the standards body for the World Wide Web.

The work of Identity.com as a future-oriented company is helping many businesses by giving their customers a hassle-free identity verification process. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please refer to our FAQs page for more info about Identity.com and how we can help you with identity verification and general KYC processes.