Verifiable Credentials (VCs): The Future of Secure Digital Identity Verification
Under the web 2.0 model, which most websites still follow at the time of this writing, internet users have a separate relationship with each service they use or subscribe to. Many websites, e.g., Amazon, Netflix, Facebook, Upwork, and Airbnb, require users to register with their platforms afresh. Because each of these relationships is tied to its own email and password, users can present varying identities and credentials at different times.
Many service providers have the internet fully integrated into their services, including financially related services where KYC is needed. Many service providers use e-KYC, the electronic version of KYC, to reduce unnecessary bureaucracy. As a result, users will upload digital copies of their credentials, such as social security cards, driver’s licenses, international passports, etc.
Thankfully, companies have sophisticated programs to verify the authenticity of digital copies of these credentials, but what about organizations without the resources and workforce to do the same? Does this mean many fake credentials will go unnoticed? According to a 2019 survey by Greenhouse Treatment Center, thousands of Americans either possess fake IDs or have used one before without detection.
The example above is just one of the dozens of industries that must confirm the authenticity of users’ identities and credentials, such as health services, social platforms, job platforms, freelancing websites, etc. Digitalizing credentials has been widely regarded as a great advantage, saving both users’ and companies’ time that could be used for other purposes.
For example, it has saved companies time and resources that would have been expended on having many employees attend to hundreds of customers physically or via email just to confirm their identities and credentials. Still, this technological solution has downsides, such as the rise in fake identities. Can this be curbed? Is there a way to confirm a user’s credentials without any doubt that a user is who he claims to be?
Did this user graduate from Harvard Business School, as claimed in the submitted certificate? This user claimed to be COVID-19 vaccinated via his certificate; how true is this? Can this credential be confirmed directly from the issuer within seconds without a phone call or email, which sometimes takes ‘forever’? Can this new development called “Verifiable Credentials” be the solution that the digitalization of credentials needs? Maybe, maybe not, but this article sheds more light on Verifiable Credentials and how they differ from old credential verification methods.
What are Credentials?
Credentials are often used as proof of a person’s achievements, qualifications, experience, awards, or other aspects of their life that indicate their suitability for a particular position, role, or employment. A typical physical credential can contain the following:
- A description of the owner or subject of the credential, such as a name, photograph, identification number, etc.
- Details, trademarks, or symbols of the issuing authority, such as the U.S. great seal, state government symbols, government agencies’ logos, health centers’ logos, and educational institutions’ trademarks.
- Specific information the credential carries, such as a health insurance card, an international passport, a receipt or proof of house ownership, or a driver’s license.
- Information about how the credential was obtained, such as a university graduation certificate indicating that the student has completed the stipulated number of years for the course.
- Evidence of grade or rating, such as students that graduated with first class, second class upper or lower according to the U.K. grading system, a student awarded with the tag of “best graduating student,” best performing actor, doctor, governor, mayor, etc.
- Credentials’ limitations or constraints, such as expiration dates, conditions for validity, or terms of use.
To understand “Verifiable Credentials,” a foundation of what credentials are is crucial, and the above list spells out examples of different types of information contained in a credential. As you will discover in this article, verifiable credentials aren’t just credentials but a technological advancement that makes transferring and confirming credentials easier, faster, and more secure.
Verifiable Credentials (VCs) Explained
Verifiable Credentials (VCs) are cryptographically enabled digital credentials that are secure and tamper-evident through digital signatures. VCs are not just digital versions of physical credentials but a technological advancement that makes transferring and confirming credentials easier, faster, and more secure. With VCs, new credentials can be issued quickly and presented to organizations or individuals for verification purposes.
One of the key advantages of VCs is that they provide users with a greater level of privacy. With VCs, users can choose to only disclose the facts about the requested information, credentials, or identity without revealing any other personal information. For instance, if a user is expected to submit proof of graduating from Harvard University, the traditional procedure would be to submit a physical or scanned copy of the certificate, revealing the user’s graduation grade and year of graduation. However, with VCs, users can submit a “Yes or No” response backed by verifiable proof, e.g., Yes, I attended Harvard University, or No, I didn’t. In seconds, the organization or employer can verify this credential from Harvard University using their digital signature (public key cryptography).
What is a Verifiable Presentation?
A Verifiable Presentation is an essential component of verifiable credentials, as it is mostly how users interact with the organization or entity. This type of presentation allows users to combine data from one or various credentials while still making the source or authorship of the credentials verifiable. Using different credentials, a user can assemble different pieces of data to meet the needs of an asking company or party. These data are combined and presented in an organized manner without losing their authorship or authenticity as issued by the issuers.
For example, a company may request the following data when a potential customer requests a service: name, nationality, proof of education, proof of employment, and proof of insurance. To meet this request, a minimum of three separate credentials would be needed. However, if submitted in the traditional approach, i.e., submitting physical copies of these credentials, the downside is that each of these credentials will contain additional information that is not relevant to the requirement of the asking party. For instance, the company name where the user is employed may be on the proof of employment. If the user uses an international passport as proof of nationality, their address can be seen. On the insurance card, the policy number and date of registration can be found.
All this extra information would be exposed for no reason. This is where a verifiable presentation comes in. It allows users to submit only the data they need from their existing credentials. The required pieces of data are selected and submitted as one verifiable presentation after it is signed with the sender’s digital signature. In addition to offering privacy, verifiable presentations use a digital signature to prove that the presentation came from the user and not a hacker or bad actor. This allows the user to decide what information to release to the public or the asking organization while simultaneously ensuring that the presentation’s authenticity is maintained.
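One way a presentation can reveal only some claims while the issuer's authorship of them stays checkable, as an added example that is not from the original article: the issuer signs a salted hash of every claim, and the holder later hands over only the claims (with their salts) that the verifier asked for. The salted-hash technique, the Ed25519 keys, the `did:example:university` identifier and every name in the code are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Claim is one attribute plus the random salt the issuer assigned to it.
type Claim struct{ Name, Value, Salt string }

// Credential is what the issuer signs: its id and a salted digest of every claim.
type Credential struct {
	Issuer  string
	Digests map[string]bool
	Sig     []byte `json:"-"` // issuer signature, left out of the signed bytes
}

// digest stands in for a claim inside the credential. The salt stops guessing of
// withheld values; %q quotes each field so their boundaries are unambiguous.
func digest(c Claim) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(fmt.Sprintf("%q", c)))) }

// Issue salts and hashes each claim, signs the digests, and returns the wallet contents.
func Issue(issuer string, key ed25519.PrivateKey, attrs map[string]string) (Credential, map[string]Claim) {
	cred, wallet := Credential{Issuer: issuer, Digests: map[string]bool{}}, map[string]Claim{}
	for name, value := range attrs {
		salt := make([]byte, 16)
		rand.Read(salt)
		wallet[name] = Claim{name, value, fmt.Sprintf("%x", salt)}
		cred.Digests[digest(wallet[name])] = true
	}
	msg, _ := json.Marshal(cred) // map keys are sorted, so the bytes are reproducible
	cred.Sig = ed25519.Sign(key, msg)
	return cred, wallet
}

// Verify returns the revealed claims if the issuer's signature covers each of them.
func Verify(cred Credential, revealed []Claim, issuerKey ed25519.PublicKey) (map[string]string, error) {
	msg, _ := json.Marshal(cred)
	if !ed25519.Verify(issuerKey, msg, cred.Sig) {
		return nil, fmt.Errorf("issuer signature invalid")
	}
	out := map[string]string{}
	for _, c := range revealed {
		if !cred.Digests[digest(c)] {
			return nil, fmt.Errorf("claim %q is not covered by the issuer's signature", c.Name)
		}
		out[c.Name] = c.Value
	}
	return out, nil
}

// demo uses constructed data: reveal name and degree, withhold grade, then try an edited value.
func demo() (map[string]string, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cred, wallet := Issue("did:example:university", priv, map[string]string{"name": "Alex Doe", "degree": "MBA", "grade": "3.4"})
	shown, _ := Verify(cred, []Claim{wallet["name"], wallet["degree"]}, pub)
	_, err := Verify(cred, []Claim{{"degree", "PhD", wallet["degree"].Salt}}, pub)
	return shown, err
}

func main() { fmt.Println(demo()) }
```

The verifier receives three digests but only two readable claims; the grade never leaves the wallet, and an edited value fails because no signed digest matches it.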
What is a Digital Signature?
A digital signature is an electronic signature equivalent to a handwritten signature or stamped seal. It enhances transparency, integrity, and makes credentials tamper-evident, making it a crucial component of verifiable credentials (VCs). The digital signature is essential to the trust model of the verifiable credential ecosystem, as it assures the receiver (verifier) that the shared credential or verifiable presentation belongs to the claimed sender.
For instance, suppose a user submits a verifiable presentation to an employer by combining pieces of data from the credentials in their digital wallet. In that case, the user has two keys, the private key and the public key, which are used to digitally sign the verifiable presentations. Then, using the private key that only the issuer has access to, the credential is encrypted. Using the public key, the verifier or public can decrypt and verify if the user has indeed issued the credentials.
What is a Digital Wallet?
A digital wallet is a secure repository for users or holders of verifiable credentials (VCs) to store their credentials and share them with authorized parties. It is the electronic equivalent of a physical wallet that holds credit cards, driver’s licenses, insurance cards, and other important documents. However, a digital wallet is more secure due to the use of blockchain technology. When physical identification is required, such as when interacting with law enforcement, users can easily present their identification from their physical wallets. In the same way, a digital wallet can be used to present verifiable credentials, but with the added security of cryptography and the issuer’s public key, which makes it more trustworthy and tamper-proof.
The Verifiable Credentials Ecosystem
Three parties are involved in the traditional credential issuing and presentation procedure, and the same applies to the VC ecosystem. These entities must communicate with each other before a user’s credentials can be accepted as genuine at the time of presentation. Below are the three parties or entities and their roles:
- Issuer — This is the organization or authorized individual that issues a credential to a user. This entity can be a school, healthcare center, bank, company, government agency, or individual. For example, the University that issues a graduating certificate to students is the issuer. In giving a credential to a user, the issuer uses different methods to prove their competence and authority to issue such a credential.
- Holder — The receiver of the credential issued by the issuer is the second entity in the VC ecosystem. In line with the illustration above, each student that receives the certificate issued by the University is a holder. The holder is in complete control of the people or organizations with whom the credential(s) is shared, and this user can also revoke the access of any group with which the credential(s) was previously shared. In addition, the holder can hold the issued credential on a digital wallet locally (i.e., mobile phone) and simultaneously have them backed up online or even decide to store everything on the cloud.
- Verifier — This entity completes the communication circle in the VCs ecosystem. In this case, the holder presents issued credentials to the verifier, who requests credentials be submitted. To confirm the credentials’ authenticity, the verifier communicates cryptographically with the issuer to ensure the credentials come from a qualified and authorized source. Through public-key cryptography, the verifier can determine whether a credential has been altered, is still valid, or has expired within seconds.
How Does a Verifiable Credential Work?
The process of verifying credentials starts with the issuer, then moves to the holder, and finally to the verifier, who confirms the credential’s authenticity. For instance, a university (the issuer) may award a cryptographically signed certificate to a graduating student (the holder), who then presents the certificate to an employer (the verifier). The employer verifies the certificate’s authenticity by checking the decentralized blockchain database. However, it’s worth noting that the blockchain doesn’t store holders’ verifiable credentials; it only stores the necessary information and keys to prove the certificate’s authenticity.
The certificate’s authenticity is proven if the public key attached to the certificate matches that of the issuer (the university). This process lets the employer know whether:
- The issuer is authorized to award the certificate.
- The verifiable credential has been tampered with.
- The credential has expired, or the right has been revoked.
- The issuer authority matches the employer’s expectations; for example, the employer might want to hire a Harvard graduate rather than a Columbia graduate.
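The employer's checks from the list above, as an added example that is not from the original article: the issuer signs the credential with its private key, and the verifier checks that signature with the public key it holds for an issuer it accepts, then checks expiry and revocation. Ed25519, the `did:example:` identifiers, the field names and the in-memory maps standing in for a key registry and a revocation list are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// VC holds a credential's metadata, claims and proof (field names are this example's own).
type VC struct {
	ID, Issuer string
	Expires    time.Time
	Claims     map[string]string
	Proof      []byte `json:"-"` // issuer signature, left out of the signed bytes
}

type Policy struct {
	Issuers map[string]ed25519.PublicKey // issuers this verifier accepts, with their public keys
	Revoked map[string]bool              // ids of revoked credentials
}

// IssueVC signs everything except the proof with the issuer's private key.
func IssueVC(vc VC, key ed25519.PrivateKey) VC {
	msg, _ := json.Marshal(vc)
	vc.Proof = ed25519.Sign(key, msg)
	return vc
}

// VerifyVC applies the verifier's checks in order and names the first one that fails.
func VerifyVC(vc VC, p Policy, now time.Time) error {
	msg, _ := json.Marshal(vc)
	switch key, accepted := p.Issuers[vc.Issuer]; {
	case !accepted:
		return fmt.Errorf("issuer not accepted")
	case !ed25519.Verify(key, msg, vc.Proof):
		return fmt.Errorf("signature invalid")
	case now.After(vc.Expires) || p.Revoked[vc.ID]:
		return fmt.Errorf("expired or revoked")
	}
	return nil
}

// demo verifies constructed credentials, one per outcome, and returns each result.
func demo() map[string]error {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	p := Policy{map[string]ed25519.PublicKey{"did:example:harvard": pub}, map[string]bool{"vc-3": true}}
	mk := func(id, issuer string, years int) VC {
		return IssueVC(VC{id, issuer, now.AddDate(years, 0, 0), map[string]string{"degree": "MBA"}, nil}, key)
	}
	altered := mk("vc-2", "did:example:harvard", 1)
	altered.Claims["degree"] = "PhD" // changed after signing
	return map[string]error{
		"valid":      VerifyVC(mk("vc-1", "did:example:harvard", 1), p, now),
		"altered":    VerifyVC(altered, p, now),
		"expired":    VerifyVC(mk("vc-4", "did:example:harvard", -1), p, now),
		"revoked":    VerifyVC(mk("vc-3", "did:example:harvard", 1), p, now),
		"unaccepted": VerifyVC(mk("vc-5", "did:example:columbia", 1), p, now),
	}
}

func main() { fmt.Println(demo()) }
```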
The Verifiable Credentials Trust Model (The Trustless System)
Without the Holder, there would be no credential to issue or verify. The Holder is what connects the Issuer and the Verifier. Verifiable credentials enable a trust model that does not require hours of communication or permission to establish. Instead, it creates a trust model where the Issuer trusts the Holder as a worthy candidate for the issued credential. More importantly, the Verifier trusts the Issuer as a competent organization, agency, or individual to have awarded the required/submitted credential. Similar to a trustless system, this mechanism makes different parties agree on a single truth and credential authenticity.
Note that these three entities that make up the VCs ecosystem and the Trust Model can be played by anyone, an organization, or even an IoT device (IoT is a component of the web 3.0 development, same web 3.0 on which the VCs Data Model is built). As anyone can play these three roles, a verifier can decide in its verification specifications whether it trusts a particular issuer to be competent enough.
For example, a law firm that only employs Harvard graduates will set a verification specification that will term credentials from other law programs or universities ineligible. This is one example of a specification that a Verifier can provide. The following are other specifications that a Verifier can request to determine the issuer’s competence and authority or to specify the type of dataset necessary from the holder. This can determine the set of data that will make up the holder’s verifiable presentation:
- The kind of credential.
- The format type of the credential.
- The use of a specific type of cryptography.
- The holder’s names (excluding the date of birth, address, etc.)
- The holder’s proof of education, excluding the graduating grade.
- The holder’s age only, without any other information.
- Credentials issued by a specific U.S. state.
- Credentials issued by a specific country, etc.
Components of Verifiable Credentials
A verifiable credential ecosystem consists of the issuer, the holder, and the verifier, but what are the different parts that make up VCs?
- Credential Metadata — This consists of the credential identifier and any conditional information about it, such as its terms of use and expiration date. This is encrypted and cryptographically signed by the issuer.
- Claim(s) — This tamper-proof component of VCs contains the details of the subject to whom the credential was issued, including the claims, awards, achievements, or the purpose of the credential, e.g., job title, employee number, course of study, graduate grade, date of birth, nationality, etc.
- Proof(s) — The information about the issuer of the VC is encoded here, including information proving the authenticity of the VC. It shows whether the claims conveyed by the VC have been tampered with.
The Benefits of Verifiable Credentials
The traditional procedure for issuing and presenting credentials has its flaws, one of which is the purchase and use of fake credentials, as covered by BBC News. Thousands of UK professionals were found in 2018 to have patronized globally unrecognized fake institutions for certificates. For these reasons and many more, Verifiable Credentials have developed and continue to grow. VCs bring sanity to the world of credentials, making the use of fake credentials a strenuous adventure due to the easy verification process the verifier can carry out without stress. The following are the benefits of Verifiable Credentials:
- Instant Verification — Credential authenticity can now be verified within seconds as opposed to the traditional process that takes hours, days, or weeks. Due to these long delays or silence from the issuing organizations, some fake credentials go unnoticed. There is no communication between the issuer and verifier during this instant verification of VCs. Verification is done through the existing digital signature protocols (public key).
- Secure and Tamper-proof — The security of credentials is another benefit of VCs. There is an assurance of safety for one’s credentials, knowing that the data and the process of sharing are protected by public key cryptography (digital signature). Because of encryption before transmission, an unwanted party cannot access the files or credentials.
- Limited Access — With a digital signature, external parties have limited access to your credentials. This means that unauthorized entities would not have access.
- Full Ownership and Control — The holder receives verifiable credentials from the issuer(s), which are then stored in a digital wallet. Based on the holder’s discretion and the requirement of the verifier, the holder can choose which information to share via a verifiable presentation.
- Privacy Protection — When privacy or data leak is mentioned, many immediately think about hackers, but primarily, hackers only exploit existing loopholes. Government agencies, internet service providers, and others can legally or illegally monitor your online activities. VCs eliminate this possibility, especially when it comes to your credentials and other personal data, since digitally signed information must be exchanged between the issuer and the holder. The same level of encryption happens when the data transmits from the holder to the verifier, thereby building layers of encryptions that bring about privacy and data protection.
- Easy to Use — Because verifiable credentials are open standards, they are easy to implement by developers and easy to use by end users. A user-focused UX will make the usage more appealing to end users as they can combine different pieces of data from different credentials as a verifiable presentation and share it with other verifiers.
- Interoperability and Compatibility With Other Systems and Credentials — As said above, you can easily combine different data from VCs as a form of presentation and use them in different situations. For example, when a service requires age confirmation, a VC can be used to prove age. A VC can be combined with information from another VC to prove age, nationality, and employment simultaneously. The same credential can be combined with another VC to establish one’s right to medical services, etc. Through your digital wallet, you can do all of these things while sharing only the type of data you wish to share.
The Role of Decentralized Identifiers (DIDs) in VCs
Decentralized Identifiers (DIDs) are unique global identifiers built on the decentralized blockchain, contrasting the popular centralized registries used today. DIDs allow users or entities to be identified and verified publicly on the blockchain using digital signatures and other web 3.0 components to ensure authenticity and integrity.
DIDs are crucial in proving the identity of entities connected to Verifiable Credentials. The private key is used to attach the identity of an entity cryptographically and permanently to every credential issued by the entity or held by the holder. Whether it is the issuer, holder, or verifier, DIDs remain the unique technology that verifies the identity claim of any entity – are they who they claim to be? The public key is used to attest to all VCs submitted from the holder to the verifier and during the verification process between the verifier and the issuer.
Conclusion
The development of Verifiable Credentials has brought about a range of benefits, including ease, privacy, security, portability, and decentralization, to the transmission and verification of credentials. Banks and financial institutions are now better equipped to verify the identity of their customers (KYC). At the same time, consumers can quickly submit their credentials when required, all while maintaining autonomous control.
This technology, built on web 3.0, is gradually making inroads in the market through different large enterprises, as evidenced by the 2021 Grand View Research survey. Decentralized identity is one of the contributing factors to the rapid adoption of VCs and DIDs by large enterprises, as it eliminates the need to store and protect users’ data, a responsibility that enterprises have long borne. This is thanks to blockchain, the framework on which this development is built.
Identity.com
The ability to verify a user’s identity and the authenticity of their credentials has become highly urgent and crucial in the 21st century. VCs and DIDs, founded on the framework of the decentralized ecosystem, are breaking through the existing structures and providing new solutions. It is great news to see Identity.com contributing to this desired future as a member of the World Wide Web Consortium (W3C), the standards body for the World Wide Web.
The work of Identity.com as a future-oriented company is helping many businesses by giving their customers a hassle-free identity verification process. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please refer to our docs for more info about how we can help you with identity verification and general KYC processes.