What are Verifiable Credentials (VCs)?
Most internet users presently have a singular relationship with each service they use or subscribe to on the internet, considering the modus operandi of the web 2.0 internet. Most websites presently operate on web 2.0 at the time of this writing. Many of these websites require users to register with their platforms afresh, e.g., Amazon, Netflix, Facebook, Upwork, Airbnb, etc. Due to this singular relationship between email and passwords, users can present varying identities and credentials at different times.
Many service providers have the internet fully integrated into their services, including financially related services where KYC is needed. To reduce unnecessary bureaucracy, many service providers use e-KYC, the electronic version of KYC. As a result, users will upload digital copies of their credentials, such as social security cards, driver’s licenses, international passports, etc. Thankfully, companies have sophisticated programs in place to verify the authenticity of digital copies of these credentials, but what about organizations without the resources and manpower to do the same? Does this mean many fake credentials will go unnoticed? According to a 2019 survey by Greenhouse Treatment Center, thousands of Americans either possess fake IDs or have used one before without detection.
The example above is just one of the dozens of industries that need to confirm the authenticity of users’ identities and credentials, such as health services, social platforms, job platforms, freelancing websites, etc. The digitalization of credentials has been widely regarded as a great advantage, saving both users’ and companies’ time that could be used for other purposes. For example, it has saved companies time and resources that would have been expended on having many employees attend to hundreds of customers physically or via email just to confirm their identities and credentials. Still, this technological solution has its downsides, such as the rise in fake identities.
Can this be curbed? Is there a way to confirm a user’s credentials without any doubt that a user is who he claims to be? Did this user graduate from Harvard Business School, as claimed in the submitted certificate? This user claimed to be covid-19 vaccinated via his certificate; how true is this? Is it possible for this credential to be confirmed within seconds directly from the issuer without a phone call or email, which sometimes takes ‘forever’? Can this new development called “Verifiable Credentials” be the solution that the digitalization of credentials needs? Maybe, maybe not, but this article sheds more light on Verifiable Credentials and how they differ from old credential verification methods.
What are Credentials?
Credentials can be proof of achievements, qualifications, experience, awards, or aspects of a person’s life, especially if they indicate the holder’s quality or suitability for an office, role, employment, etc. A typical physical credential can contain the following:
- A description of the owner or subject of the credential, such as a name, photograph, identification number, etc.
- Details, trademarks, or symbols of the issuing authority, such as the U.S. great seal, state government symbols, government agencies’ logos, health centers’ logos, and educational institutions’ trademarks.
- Specific information the credential carries, such as a health insurance card, an international passport, a receipt or proof of house ownership, or a driver’s license.
- Information about how the credential was obtained, such as a university graduation certificate indicating that the student has completed the stipulated number of years for the course.
- Evidence of grade or rating, such as students that graduated with first class, second class upper or lower according to the U.K. grading system, a student awarded with the tag of “best graduating student,” best performing actor, doctor, governor, mayor, etc.
To understand “Verifiable Credentials,” a foundation of what credentials are is crucial, and the above list spells out examples of different types of information contained in a credential. As you will discover in this article, Verifiable Credentials aren’t just credentials but a technological advancement that makes transferring and confirming credentials easier, faster, and more secure.
Verifiable Credentials (VCs) Explained
These are cryptographically enabled digital credentials. VCs aren’t just digital versions of physical credentials; they are secure and tamper-evident through digital signatures. This means they can’t be forged or faked without proof that they have been tampered with. Verifiable Credentials can be presented to organizations or individuals for verification purposes, and their validity or authenticity can be verified within seconds directly from the issuer. With this technological development, VCs are not limited to digitized copies of existing credentials; new credentials can quickly be issued.
This new technology also gives the user a greater level of privacy as the user can choose to only disclose the facts about the requested information, credential, or identity without revealing any other personal information. For example, if a user is expected to submit proof of graduating from Harvard University, the traditional procedure would be to submit a physical copy or a scanned (digital) copy of the certificate. Submitting this automatically means that the user’s graduating grade and year of graduation would be exposed. Since these are not part of the requirements, what if the user doesn’t want them known? With Verifiable Credentials, users can submit a “Yes or No” response backed by verifiable proof, e.g., Yes, I attended Harvard University, or No, I didn’t. The organization or employer can verify this credential from Harvard University using their digital signature (public key cryptography) in seconds.
What is a Verifiable Presentation?
A Verifiable Presentation is an essential component of verifiable credentials as it is mostly how users interact with the organization or entity. A Verifiable Presentation is how users combine data from one or various credentials while still making the source or authorship of the credentials verifiable. Using different credentials, a user can assemble different pieces of data to meet the needs of an asking company or party. These data are combined and presented in an organized manner without losing their authorship or authenticity as issued by the issuers.
For example, a company requested the following data when a potential customer requested a service: name, nationality, proof of education, proof of employment, and proof of insurance. A minimum of three separate credentials will be needed for this purpose. If submitted in the traditional approach, i.e., submitting physical copies of these credentials, the downside is that each of these credentials will contain additional information that is not relevant to the requirement of the asking party, such as the name of the company where the user is employed on the proof of employment. The user’s address can be seen if the user uses an international passport as proof of nationality. On the insurance card, you can also find the policy number and date of registration.
All this extra information would be exposed for no reason; this is where the Verifiable Presentation comes in. It allows users to submit only the data they need from their existing credentials. The required pieces of data are selected and submitted as one Verifiable Presentation after it is signed with the sender’s digital signature. In addition to offering privacy, Verifiable Presentations use a digital signature to prove that the presentation came from the user and not a hacker or bad actor, while allowing the user to decide what information to release to the public or the asking organization.
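The selective disclosure described above can be built in more than one way, and the article does not name a mechanism. The Go sketch below is an added example, not code from Identity.com or the W3C specification; it assumes one common approach (a salted hash per claim, as SD-JWT does), with Ed25519 and constructed claim values. The issuer signs only digests, the holder reveals the claims it chooses, and the verifier rejects any value the issuer did not sign.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Disclosure is one claim plus the random salt the issuer bound to it.
type Disclosure struct{ Salt, Name, Value string }

func digest(d Disclosure) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(d.Salt+"\x00"+d.Name+"\x00"+d.Value)))
}

// Signed is what the issuer signs: claim digests only, never claim values.
type Signed struct {
	Digests []string
	Sig     []byte
}

// Issue salts and hashes each claim, then signs the sorted digest list.
func Issue(claims map[string]string, key ed25519.PrivateKey) (Signed, map[string]Disclosure) {
	s, wallet := Signed{}, map[string]Disclosure{}
	for name, value := range claims {
		salt := make([]byte, 16)
		rand.Read(salt) // a fresh salt stops the verifier guessing hidden values
		wallet[name] = Disclosure{fmt.Sprintf("%x", salt), name, value}
		s.Digests = append(s.Digests, digest(wallet[name]))
	}
	sort.Strings(s.Digests) // sorted so digest order leaks nothing
	s.Sig = ed25519.Sign(key, []byte(strings.Join(s.Digests, ",")))
	return s, wallet
}

// Verify returns the disclosed claims, or nil if the signature or any claim fails.
func Verify(s Signed, shown []Disclosure, issuer ed25519.PublicKey) map[string]string {
	if !ed25519.Verify(issuer, []byte(strings.Join(s.Digests, ",")), s.Sig) {
		return nil
	}
	signed, out := map[string]bool{}, map[string]string{}
	for _, d := range s.Digests {
		signed[d] = true
	}
	for _, d := range shown {
		if !signed[digest(d)] {
			return nil // value or salt does not match anything the issuer signed
		}
		out[d.Name] = d.Value
	}
	return out
}

// DiscloseDemo: constructed degree credential; the holder reveals only the university.
func DiscloseDemo() (map[string]string, map[string]string) {
	pub, key, _ := ed25519.GenerateKey(nil)
	s, wallet := Issue(map[string]string{"university": "Harvard", "grade": "3.9", "year": "2015"}, key)
	lie := Disclosure{wallet["grade"].Salt, "grade", "4.0"} // holder edits a claim
	return Verify(s, []Disclosure{wallet["university"]}, pub), Verify(s, []Disclosure{lie}, pub)
}

func main() { fmt.Println(DiscloseDemo()) }
```

The first result holds only the university claim; the second is nil because the edited grade hashes to a digest the issuer never signed.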
What is a Digital Signature?
This is an electronic signature equivalent to a handwritten signature or stamped seal. It relies on public-key cryptography to authenticate a user’s identity or credentials. As a critical component of verifiable credentials (VCs), it enhances transparency and integrity and makes credentials tamper-evident. The digital signature is crucial to the trust model of the verifiable credential ecosystem. It assures the receiver (verifier) that the shared credential or verifiable presentation belongs to the claimed sender.
For example, a user submitted a verifiable presentation to an employer by putting together pieces of data from the credentials in his digital wallet. The user who just shared a verifiable presentation with an employer has two keys, the private key and the public key, which are used to sign the verifiable presentations digitally. Then, using the private key, which only the issuer has access to, the credential is encrypted. Using the public key, the verifier or public can decrypt and verify if the user indeed issued the credentials.
What is a Digital Wallet?
This is the electronic wallet where users or holders of VCs store their credentials and make them shareable with requesting parties. In the same way a physical wallet houses credit cards, driver’s licenses, insurance cards, etc., a digital wallet contains these same credentials but in a more secure manner through the power of blockchain. During physical interactions as a citizen, the police can ask for a form of identification, which can be presented easily from the physical wallet for authentication purposes. The same can be done with a digital wallet, but the assessment is done through cryptography via the issuer’s public key, which is more secure, trustworthy, and tamper-proof.
The Verifiable Credentials Ecosystem
Three parties are involved in the traditional procedure of credential issuing and presentation, and the same applies in the VC ecosystem. These entities must communicate with each other before a user’s credentials can be accepted as genuine at the time of presentation. Below are the three parties or entities and their roles:
- Issuer — This is the organization or authorized individual that issues a credential to a user. This entity can be a school, healthcare center, bank, company, government agency, or individual. For example, the University that issues a graduating certificate to students is the issuer. In issuing a credential to a user, the issuer uses different methods to prove their competence and authority to issue such a credential.
- Holder — The receiver of the credential issued by the issuer is the second entity in the VC ecosystem. In line with the illustration given above, each student that receives the certificate issued by the University is a holder. The holder is in complete control of the people or organizations with whom the credential(s) is shared, and this user can also revoke the access of any group with which the credential(s) was previously shared. In addition, the holder can hold the issued credential on a digital wallet locally (i.e., mobile phone) and simultaneously have them backed up online or even decide to have everything stored on the cloud.
- Verifier — This entity completes the communication circle in the VCs ecosystem. In this case, the holder presents issued credentials to the verifier, who requests credentials be submitted. To confirm the credentials’ authenticity, the verifier communicates cryptographically with the issuer to ensure the credentials come from a qualified and authorized source. Through public-key cryptography, the verifier can determine whether a credential has been altered, is still valid, or has expired, all within seconds.
How Does a Verifiable Credential Work?
As stated above, it begins with the issuer, then moves to the holder, and finally to the verifier, who confirms the credential’s authenticity. For example, a university (the issuer) awards a cryptographically signed certificate to a graduating student (holder), and the holder presents the certificate to an employer (the verifier). The employer verifies if the certificate is authentic through the blockchain decentralized database. However, blockchain does not store holders’ verifiable credentials; only the keys and information necessary to prove the certificate’s authenticity are stored.
The certificate’s authenticity would be proven if the public key attached to the certificate matched that of the issuer (the university). This process will make the employer know if:
- The issuer is authorized to award the certificate.
- The verifiable credential has been tampered with.
- The credential has expired, or the right has been revoked.
- The issuer authority matches the employer’s expectations; for example, the employer might want to hire a Harvard graduate rather than a Columbia graduate.
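The four checks listed above, as an added Go example (not code from Identity.com or any VC library). It assumes Ed25519 signatures, a simplified credential record rather than the W3C data model, and an in-memory map of issuer public keys standing in for the blockchain registry lookup; issuer names, IDs and dates are constructed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Credential is a constructed, simplified record (not the W3C data model).
type Credential struct {
	ID, Issuer string
	Expires    time.Time
	Claims     map[string]string
	Proof      []byte `json:"-"` // issuer signature over all other fields
}

// payload is what gets signed: json.Marshal skips Proof and sorts map keys.
func payload(c Credential) []byte { b, _ := json.Marshal(c); return b }

// issue builds a constructed certificate and signs it with the issuer's key.
func issue(id, issuer string, exp time.Time, key ed25519.PrivateKey) Credential {
	c := Credential{ID: id, Issuer: issuer, Expires: exp, Claims: map[string]string{"degree": "MBA"}}
	c.Proof = ed25519.Sign(key, payload(c))
	return c
}

// Verifier is the verifier's policy; Trusted stands in for a key registry.
type Verifier struct {
	Trusted map[string]ed25519.PublicKey // issuers authorized to award
	Revoked map[string]bool              // revoked credential IDs
	Accept  string                       // the issuer this verifier expects
}

// Check names the first failing check, or "ok".
func (v Verifier) Check(c Credential, now time.Time) string {
	pub, known := v.Trusted[c.Issuer]
	switch {
	case !known: return "issuer not authorized"
	case !ed25519.Verify(pub, payload(c), c.Proof): return "tampered"
	case now.After(c.Expires) || v.Revoked[c.ID]: return "expired or revoked"
	case c.Issuer != v.Accept: return "issuer not accepted"
	}
	return "ok"
}

// CheckDemo issues constructed certificates and returns the verdicts.
func CheckDemo() map[string]string {
	hPub, hKey, _ := ed25519.GenerateKey(nil)
	cPub, cKey, _ := ed25519.GenerateKey(nil)
	now, exp := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	v := Verifier{map[string]ed25519.PublicKey{"harvard": hPub, "columbia": cPub},
		map[string]bool{"cert-2": true}, "harvard"}
	good, forged := issue("cert-1", "harvard", exp, hKey), issue("cert-1", "harvard", exp, hKey)
	forged.Claims["degree"] = "PhD" // edited after signing
	return map[string]string{
		"valid": v.Check(good, now), "forged": v.Check(forged, now),
		"expired":  v.Check(good, now.AddDate(2, 0, 0)),
		"revoked":  v.Check(issue("cert-2", "harvard", exp, hKey), now),
		"columbia": v.Check(issue("cert-3", "columbia", exp, cKey), now),
	}
}

func main() { fmt.Println(CheckDemo()) }
```

The Columbia certificate carries a valid signature from an authorized issuer and is still rejected, because the last check is the verifier's own policy rather than a cryptographic one.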
The Verifiable Credentials Trust Model (The Trustless System)
Without the Holder, there would be no credential to issue or verify. The Holder is what connects the Issuer and the Verifier. Verifiable credentials enable a trust model that does not require hours of communication or permission to establish. Instead, it creates a trust model where the Issuer trusts the Holder as a worthy candidate for the issued credential. More importantly, the Verifier trusts the Issuer as a competent organization, agency, or individual to have awarded the required/submitted credential. Similar to a trustless system, this mechanism makes different parties agree on a single truth and credential authenticity.
Note that these three entities that make up the VCs ecosystem and the Trust Model can be played by anyone, an organization, or even an IoT device (IoT is a component of the web 3.0 development, same web 3.0 on which the VCs Data Model is built). As anyone can play these three roles, a verifier can decide in its verification specifications whether it trusts a particular issuer to be competent enough.
For example, a law firm that only employs Harvard graduates will set a verification specification that will term credentials from other law programs or universities ineligible. This is one example of a specification that a Verifier can provide. The following are other specifications that a Verifier can request to determine the issuer’s competence and authority or to specify the type of dataset necessary from the holder. This can determine the set of data that will make up the holder’s verifiable presentation:
- The kind of credential.
- The format type of the credential.
- The use of a specific type of cryptography.
- The holder’s names (excluding the date of birth, address, etc.)
- The holder’s proof of education, excluding the graduating grade.
- The holder’s age only, without any other information.
- Credentials issued by a specific U.S. state.
- Credentials issued by a specific country, etc.
Components of Verifiable Credentials
A verifiable credential ecosystem consists of the issuer, the holder, and the verifier, but what are the different parts that make up VCs?
- Claim(s) — This tamper-proof component of VCs contains the details of the subject to whom the credential was issued, including the claims, awards, achievements, or the purpose of the credential, e.g., job title, employee number, course of study, graduate grade, date of birth, nationality, etc.
- Proof(s) — The information about the issuer of the VC is encoded here, including information proving the authenticity of the VC. It shows whether the claims conveyed by the VC have been tampered with.
The Benefit of Verifiable Credentials
The traditional procedure for issuing and presenting credentials has its flaws, one of which is the purchase and use of fake credentials, as covered by BBC News. Thousands of UK professionals were found in 2018 to have patronized globally unrecognized fake institutions for certificates. For these reasons and many more, Verifiable Credentials have developed and continue to grow. VCs bring sanity to the world of credentials, making the use of fake credentials a strenuous adventure due to the easy verification process the verifier can carry out without stress. The following are the benefits of Verifiable Credentials:
- Instant Verification — Credential authenticity can now be verified within seconds as opposed to the traditional process that takes hours, days, or weeks. Due to these long delays or silence from the issuing organizations, some fake credentials go unnoticed. There is no communication between the issuer and verifier during this instant verification of VCs. Verification is done through the existing digital signature protocols (public key).
- Secure and Tamper-proof — The security of credentials is another benefit of VCs. There is an assurance of safety for one’s credentials, knowing that the data and the process of sharing are protected by public key cryptography (digital signature). Because of encryption before transmission, an unwanted party cannot access the files or credentials.
- Limited Access — With a digital signature, external parties have limited access to your credentials. This means that unauthorized entities would not have access.
- Full Ownership and Control — The holder receives verifiable credentials from the issuer(s), which are then stored in a digital wallet. Based on the holder’s discretion and the requirement of the verifier, the holder can choose which information to share via a verifiable presentation.
- Privacy Protection — When privacy or data leak is mentioned, many immediately think about hackers, but primarily, hackers only exploit existing loopholes. Government agencies, internet service providers, and others can legally or illegally monitor your online activities. VCs eliminate this possibility, especially when it comes to your credentials and other personal data, since digitally signed information must be exchanged between the issuer and the holder. The same level of encryption happens when the data transmits from the holder to the verifier, thereby building layers of encryptions that bring about privacy and data protection.
- Easy to Use — Because verifiable credentials are open standards, they are easy to implement by developers and easy to use by end users. A user-focused UX will make the usage more appealing to end users as they can combine different pieces of data from different credentials as a verifiable presentation and share it with other verifiers.
- Interoperability and Compatibility With Other Systems and Credentials — As said above, you can easily combine different data from VCs as a form of presentation and use them in different situations. For example, when a service requires age confirmation, a VC can be used to prove age. A VC can be combined with information from another VC to prove age, nationality, and employment simultaneously. The same credential can be combined with another VC to establish one’s right to medical services, etc. Through your digital wallet, you can do all of these things while sharing only the type of data you wish to share.
The Role of Decentralized Identifiers (DIDs) in VCs
Contrary to the popular centralized registries used today, decentralized identifiers are unique global identifiers built on blockchain, which is a decentralized database. DIDs allow a user or an entity to be identified and verified publicly on the blockchain. Digital signatures are used alongside other web 3.0 components to verify the authenticity and integrity of entities.
DIDs are instrumental in proving the identity of entities connected to Verifiable Credentials. With the private key, the identity of an entity can be digitally and cryptographically attached permanently to every credential issued by the entity or held by the holder. Whether it is the issuer, holder, or verifier, DIDs remain the unique technology that corroborates the identity claim of any entity — are they who they claim to be? The public key attests to all VCs submitted from the holder to the verifier and the verification process between the verifier and the issuer.
The development of Verifiable Credentials has brought ease, privacy, security, portability, and decentralization to transmitting and verifying credentials. Banks and financial institutions can better know their customers (KYC), while consumers can submit their credentials more quickly when needed while maintaining autonomous control. This technology built on web 3.0 is gradually penetrating the market through different large enterprises, as recorded by the 2021 Grand View Research survey. One of the contributing factors to this fast adoption of VCs and DIDs by large enterprises is how decentralized identity eliminates the need of storing and protecting users’ data, a responsibility that enterprises have been carrying for a long time. All thanks to blockchain, the framework on which this development is hinged.
The ability to verify a user’s identity and the authenticity of their credentials has become highly urgent and crucial in the 21st century. VCs and DIDs, founded on the framework of the decentralized ecosystem, are breaking through the existing structures and providing new solutions. It is great news to see Identity.com contributing to this desired future as a member of the World Wide Web Consortium (W3C), the standards body for the World Wide Web.
The work of Identity.com as a future-oriented company is helping many businesses by giving their customers a hassle-free identity verification process. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please refer to our docs for more info about how we can help you with identity verification and general KYC processes.