Federated Identity, Fraud, Government, Identity, Language, PKI, Verifiable Credentials

What do verifiable credentials verify?

Posted on by Stephen Wilson
21
Aug

Verifiable credentials are one of the most important elements of digital identity today.

What exactly does a verifiable credential verify?

And while we’re on the subject, what is a credential anyway?

Let’s start with existing analogue credentials. Thanks to English, “credential” can be a verb or a noun. And the noun can take two or three very different meanings.

Photo credit: Akbar Nemati via Pexels.

Credentialing

The noun credential usually refers to “a qualification, achievement, quality or aspect of a person’s background, especially when used to indicate their suitability for something” (Ref: Oxford Languages).

There’s a subtle implication in the everyday sense of the word: a credential is generally associated with the criteria for its particular quality and suitability.

Consider professional credentials.  A budding accountant for instance must obtain a particular degree by passing certain tests set by a university; in addition, that degree needs to be deemed suitable by a professional accounting body.

So in this sense, every credential is an abstraction which represents that the holder has satisfied certain rules. A credential has meaning and context.

As a verb, “credential” means to provide someone with credentials.  This might seem obvious, but I think it’s the more important sense of the word. A credentialing process is a formal (rules-based) sequence of events, which has usually been designed to establish the holder’s suitability to undertake specific activities. There is a tight relationship between the credentialing process and the intended use of the credential.

Examples include the onboarding of new employees, enrolment in university courses, admission to professional associations (including recognition of international qualifications), approval of journalists to attend special events such political conventions, security clearances, and nations’ citizenship requirements.

Credentialing processes are famously conservative. They are the sovereign stuff of nations, academic institutions, and professional societies. Right or wrong, professional credentials are notoriously provincial and difficult to have recognised between different jurisdictions. Credentialling bodies zealously represent communities of interest and reserve the right to set rules as they see fit.

Going from physical to digital credentials

Traditionally, many credentials have been physically manifested as cards, membership tokens and other badges, used by the holder to prove their status to other parties who need to know. These items provide a number of familiar cues to assure us that a credential is genuine, the issuer is legitimate, and the credential hasn’t been modified. Some include photographs which help to show that the credential is in the right hands when presented.

By the way, the plastic card itself is sometimes called a “credential”, but it is more useful to think of it as a carrier or container of credentials, especially as we shift from analogue to digital.

Yet in the move to digital, most credentials in the abstract sense have retained their essential meaning. For example, a government authorised Medicare provider or licenced plumber should be able to assert precisely the same authority in any of their digital workflows—nothing less and nothing more—as they do in the real world.

Credit cards as credentials

A credit card is a token which signifies that the holder is a paid-up member of a payment scheme. The principal data carried by a credit card is a specially formatted number (known as the Primary Account Number or PAN) which encodes membership of the scheme, identifying the cardholder, the scheme and the issuing bank. Note that a credit card is a container that usually carries just one credential.

Credit card numbering has remained unchanged for decades. With the introduction of electronic commerce, shoppers were able to use their card numbers online, thanks to Mail Order / Telephone Order (MOTO) rules. These has been established years before e-commerce, to allow merchants to accept plaintext card numbers in card-not-present (CNP) settings.

To combat CNP fraud, the Card Verification Code (CVC) was introduced — an additional number on the back of the credit card that would not be registered by merchants’ card imprinting machines and then vulnerable to dumpster diving identity thieves.

The CVC is a classic example of security metadata — an additional signal used to confirm the data that really matters, namely the credit card number. Credit card call centre operators had access to back-office lists of PANs and matching CVCs; if a caller could quote the CVC correctly, it was assumed they had the physical card in their hands.

Enter cryptography

Verifiable credentials (sometimes “VCs” for short) are the strongest mechanism today for asserting important personal attributes, such as driver licences, professional qualifications, vaccinations, proof of age, payment card numbers and so on. VCs are central to the next generation European Union Digital Identity (EUDI), the ISO 18013-5 standard mobile driver licences (mDLs) and the latest digital wallets.

Several new VC data structure standards are under development, including the World Wide Web Consortium (W3C) VC data model and ISO 18013-5 mdocs.

All forms of VC include the following:

  • information about a particular “Subject” (usually a person, also referred to as the credential holder) such as a licence number or other credential ID
  • a name for the Subject (typically a legal name but pseudonyms are sometimes possible)
  • the digital signature of the issuer
  • usually a public key of the Subject (used to verify signed presentations of the VC made from a cryptographic container or wallet)
  • metadata about the credential (such as its validity period and the type of container it is carried in) and
  • metadata about the issuer (such as a company legal name, corporate registration number, Ts&Cs for credential usage etc.).

The digital signature of the issuer preserves the provenance of a verifiable credential: anyone relying on the VC can be assured of its origin and be confident that the credential details have not been altered.

When a VC is presented from a cryptographically capable wallet, a message or transaction incorporating the credential can also be digitally signed using a private key unique to the credential. This assures the receiver that the credential as presented was in the right hands.

Verifiable presentation proves the proper custody and control of the credential and is just as important as verifiability of a credential’s origin.

Telling the story behind the credential

Provenance and secure custody are unique assurances provided by verifiable credentials, but I think the greater power of this technology lies in the depth of the metadata.

VCs deliver rich ‘fine print’ about the credential, the issuer, the wallet and the way in which it was presented, all reliably bound together through digital signatures. So whenever you use a VC to access a resource or sign a piece of work, you leave behind an indelible mark that codifies the history of your credential.

As mentioned, a credential is issued through a formal process, and is recognised by a community of interest as signifying the suitability of its holder for something.

For a person to hold a verifiable credential in a personal cryptographic wallet, a series of specific steps must have taken place.

First and foremost, the Issuer will satisfy itself that the Subject meets all the credentialling requirements. A VC usually carries a public key unique to the Subject and their wallet; this physicality means the Issuer can be sure that it hands out its credentials only to the correct individuals. It also allows the Issuer to specify the precise type of device(s) used to carry its credentials — all the way down to smart phone model and biometric performance if those things matter under the Issuer’s security policy.

Virtual credit cards in digital wallets

Continuing our look at credit cards as credentials, the provisioning of virtual credit cards to mobile wallets illustrates the degree of control that a VC issuer has over the end-to-end process.

Typically, a virtual credit card is provisioned to a digital wallet via a mobile banking app running on the same device. Banks control over how their apps are activated. Almost anyone can download a banking app from an app store but only a genuine customer can get the app to do anything, following their bank’s prescribed activation steps (which might include e.g. entering account specific details, calling a contact centre, or even visiting a branch for additional checks). Only then will the bank send secure instructions to the device to load a virtual card. The customer will need to unlock their phone (by biometric or PIN) to complete the load.

Behind the scenes, any bank offering mobile phone credit cards must have also made prior arrangements with the phone manufacturer to gain access to the hardware. Apple and Google (the major digital wallet platforms) undertake rigorous due diligence so that only legitimate banks are granted this all-important power.

All this history is coded as metadata into the verifiable credential. When a merchant point-of-sale system receives a signed payment instruction from a digital wallet, we can all be sure that:

  • the digital wallet has been unlocked by someone who controls the phone
  • the credit card is genuine and was issued by the bank indicated in the credential
  • the card was loaded to the wallet by a customer who was approved to use the mobile banking app and was authenticated to do so (making it highly likely that the mobile phone customer and the cardholder are the same person)
  • the cardholder is a registered customer of the bank and has passed that bank’s KYC processes.

The VC can include the type of phone it is carried in; it is even possible for the VC to record if the virtual card was issued remotely or in-person.

Minimalist VCs

The acute problem with online authentication today—often given the catch-all label “identity theft”— arises from the use of plaintext credentials and identifiers.

There are countless scenarios where a counterparty needs to know you have a particular credential, but if the only evidence you can provide is a plaintext number, then businesses and individuals alike are sitting ducks because so many identifiers have been stolen in data breaches and traded on black markets.

The simplest, lowest risk solution is to conserve the important IDs we are all familiar with, but harden them in digital form, so they cannot fall into criminal hands.

That might sound complicated, but we have done it before!

The transition from magnetic stripe to chip payment cards was made for exactly the same reason: to eliminate plaintext data.  Chip cards present cardholder data through digitally signed verifiable messages — making them one of the earliest examples of verifiable credentials.

Digital wallets use the same technology as chip cards and are rapidly taking over from plastic. The Reserve Bank reports that well over one third of card payments by Australian consumers are now made through mobile wallets. Yet as we have seen, the meaning and business context of credit cards were unchanged through the course of these technology upgrades. That conservation of credentialing processes was key to the chip revolution.

Minding your business

In any digital transformation, it is not the new technology that creates the most cost, delay and risk; rather it’s the business process changes. The greatest benefit of verifiable credentials is they can conserve the meaning of the IDs we are all familiar with, and all the underlying business rules.

The real power of VCs lies not in what they change but what they leave the same!

A minimalist verifiable credential carrying a government ID means nothing more and nothing less than the fact that the holder has been issued that ID. By keeping things simple, a VC avoids disturbing familiar trusted ways of dealing with people and businesses.

Powerful digital wallets are being rapidly embraced by consumers; modern web services are able to receive credentials from standards-based devices. We are ready to transform all important IDs from plaintext to verifiable credentials. Most people now could present any important verified data with a click in an app, with the same convenience, speed and safety as showing a payment card. With no change to backend processes and credentialing, we would cut deep into identity crime and defuse the black market in stolen data.