One of the biggest challenges online, and in the physical world, remains proving that an electronic document, whether it be a certificate, legal document, ID, concert ticket or business document, is genuine, current and being presented by the genuine owner of that asset. The need to demonstrate COVID-19 vaccination status is just one very recent example of this challenge.
It is a problem that has persisted since the earliest days of the Internet, opening up the possibility of forgery and misuse, and is the basis of much fraud and criminality. Our increased used of smartphones as the centre of our online life has only exacerbated the problem, as they become our digital wallet.
Workarounds that control access to devices, or that use pseudo identities such as Facebook or Google logins, actually do little other than prove that the person who logged in knows the credentials of an account. They certainly provide no verification of identity, or other documents that may have been issued by a third party using that account. Biometric methods such as facial recognition and thumb prints which are now more commonly used to login to, or unlock devices, increase usability, but still leave the challenge of proving the authenticity of a document wide open to abuse.
Pseudo-identities as mentioned above are convenient but create problems of their own, particularly around privacy. If I choose to share information with a third party to prove I am over 18 or that a professional certificate is genuine, the issuer of that information (the ‘identity provider’) should have no right to know who is requesting the validation or any other information related to the transaction. Equally, when the requestor confirms the authenticity of the requested information, I should not have to share any additional information with the requestor that might be in my certificate but is not relevant to the transaction, such as my residential address.
Fixing the weaknesses of identity-first security
The World Wide Web Consortium (W3C)’s Verifiable Credentials standard seeks to address all of these challenges, maintaining privacy by ensuring that checks and verifications do not allow a credential holder to be tracked or force them to reveal more private information than is necessary. COVID passports are one very recent example, where institutions and citizens have equally valid (if different) concerns about how such credentials are managed, verified and the data is shared.
The standard is based on a trust model between three parties: The Issuer is the party that creates the document; the Holder is the party to whom it is assigned to present at a later time; and finally, the Verifier is the party that wants to verify that the issued document is genuine. The Verifier and Holder trust the Issuer, and the Holder trusts the Verifier. One of the most important aspects of this relationship is that the Holder sits between the Issuer and Verifier and controls whether verification can take place. The Issuer can only confirm that the information in the certificate is correct, by digitally signing it, when given permission by the Holder. The Verifier only needs to request the data that it needs for the transaction, thereby obeying GDPR’s data minimisation principle. This model protects the privacy of the Holder whilst also giving a Verifier absolute confidence that (the relevant portion of) a document is genuine.
The Verifiable Credentials Data Model standard has been designed to ensure that credentials are digitally signed and extensible, so that new properties can be applied to the schema to suit any industry specific use — but it stops there. Implementers have to decide which other standards to employ with it in order to build a functioning system, such as FIDO2, which enforces cryptographic security and strong web authentication. In fact, a particularly useful aspect of the Verifiable Credentials standard is that the parties are limited to specific roles. Each party can be a device, a person or an institution, meaning that verifications can take place directly between automated systems, even verifying that each other are genuine before establishing a connection to share data, perhaps to automate the bulk verification of individuals in a data set.
Data ethics: how to work out what’s right for your business
This new standard offers an exciting opportunity to address some of the biggest challenges that the online world has failed to fix to date, and do so in a way that puts users and holders of issued credentials back in control of their data. Such use cases could include:
- In education – we expect all educational establishments and training companies to issue verifiable credential-based certificates of achievement. This will mean every student can present certificates to employers knowing that they cannot be forged or misrepresented. Privacy will be maintained by not allowing the issuing educational establishment to track verifications by employers, for example.
- In business certifications – we expect businesses to hold key certifications and documents such as insurance cover notes as verifiable credentials, making proving their capabilities and compliance to customers easy and forgery-free. This should dramatically speed up supplier due diligence and many other B2B transactions that are currently painfully paper-based.
- In digital staff passports – we see large organisations implementing credentials wallets for their staff that store their building passes, IT rights, certifications and training records – enabling the flexible workforce that many envisage as being necessary in the post-pandemic world of work.
The Verifiable Credentials standard has the potential to become the de facto standard in the identity verification and authentication arena. At its core is a trust model designed to give confidence to, and protect the interests of all parties, without compromising on security and privacy. As an open and extensible standard developed by the W3C, it is gaining momentum in the industry and all that remains to be seen is the innovative ways in which institutions, public bodies and enterprises implement it in standards based solutions that create a seamless and secure verification experience that restores confidence in digital identity.