Can a metaphor be too good?

Digital wallets are necessary but not nearly sufficient for effective verifiable credentials. Here I look at the essential details for verifying credentials that have nothing to do with wallets.

We use metaphors to make sense of novel phenomena in everyday terms. In technology, successful metaphors reduce non-intuitive concepts to concise, clear mental images. Metaphors shape how we think about things (noting that shape is itself a metaphor!).

Really catchy metaphors can capture our imagination to the extent that we stop thinking about how things really work. A powerful metaphor can distract instead of illuminate.

For example, the passport metaphor has dominated digital identity. In the early 2000s, Microsoft even named its e-commerce single-sign-on service “Passport”. It has taken the industry many years to wean itself off the single global identifier implied by that metaphor and graduate to a more nuanced model of contextualised credentials (see also “No such thing as a passport”).

So now I wonder if the popular metaphor of digital wallets is similarly diverting attention from the important work that needs to be done to make verifiable credentials truly verifiable at scale.

Renowned payments and digital identity commentator David Birch sees digital wallets as “the central organising principle for consumers [in the metaverse]”. But I think the real organisation of payments and credentials is done well outside the digital wallet.

Digital wallets are certainly necessary, as personally controlled stores of credentials and secure carriers of our all-important private keys. The wallet is the graphical user interface to what is essentially a container of credentials and private keys. But wallets are not nearly sufficient to enable digital credentials to be meaningful and verifiable. If we focus too much on the container then we may overlook where the hard work remains to be done.

What are wallets for?

The wallet metaphor of course is all about cards. Our traditional wallets hold lots of them: payment cards, driver licences, government and professional IDs, employee IDs, transit cards, health cards, student cards, loyalty cards, club membership cards and so on. Most of these are candidates for analog-to-digital conversion. Indeed, payment cards and driver licences are the leading examples of cryptographically verifiable credentials. The Apple and Google wallets started with payments and are now adding driver licences (slowly and carefully).

Digital wallets will become quasi-standard doorways into much of cyberspace, perhaps as crucial as web browsers have been. With big tech poised to monopolise the way consumers exercise their digital credentials, the “wallet wars” are looming.

The real action is outside the wallet and beyond the cards!

Credit cards are a modern-day miracle when you think about it: I can present an Australian credit card to almost any merchant in almost any country to buy most anything. The merchant doesn’t know me, but what really matters is that it doesn’t need to know my bank either, or anything at all about the Australian financial system.

How is it possible? The answer illuminates the real role of the card and wallet, and the unsung power of the business networks.

A credit card is just a container of data which is issued by a customer’s bank and which needs to be conveyed to the merchant’s bank. It is clearly one instance of a general pattern: the card carries data about its holder, provided by a recognised issuer, to be presented to and ingested by a relying party.

But there is more to the story than carrying data. The essential complexity goes unnoticed by cardholders and extends way beyond the card:

  • card manufacture and customisation, in specially managed secure production plants
  • secure distribution and activation of cards (not to mention the rest of the card lifecycle including renewal, replacement and retirement)
  • anti-counterfeiting technology to assure the merchant that the card presented is valid
  • a choice of standardised interface technologies for presenting cards to diverse retail systems (e.g. merchant terminals, kiosks, and remote card-not-present arrangements)
  • and above all, the legal and business arrangements whereby branded cards are accepted by merchants and payments then cleared between customer and merchant banks.

So a wallet is just a container of containers.

The network effects

Card schemes are more about business networks than the cards.

A card scheme operates a two-sided network which caters to both cardholders and merchants, via their respective banks. The scheme sets a raft of participation rules for the issuance of cards to customers and the acceptance of cards by merchants.

Cardholders and merchants are joined to the scheme via their respective banks. An issuing bank creates credit accounts for its customers and issues branded cards under a given scheme, such as Mastercard or Visa.

An acquiring bank provides merchants with credit card acceptance equipment and/or software services under a standardised merchant services agreement and takes care of the payment processing.

(A credit card acquirer does a whole lot more, such as providing payment guarantees, deposit timing, additional layers of security and fraud controls, to name a few, but these extras do not concern us right now; the current discussion is just about card acceptance.)

What made digital credit cards so much better?

The credit card has just one job to do: securely convey a copy of the cardholder’s details to the merchant together with signals to give the merchant confidence that the customer presenting the card is legitimate.

Over several decades, credit card technology has evolved to make the presentation of cardholder details more reliable, especially with regard to theft and illicit replay or tampering.

Old fashioned magnetic stripe cards store cardholder data in a short ferrite tape, much like a cassette tape stores music. There is no encryption; the data is held in a standard plaintext format, making it easily scanned and copied using commonplace equipment. This is what enabled large scale criminal skimming and carding to take over customer accounts.

Chip cards are very different, in two respects. Firstly, they carry cardholder details in a data structure that is digitally signed by the issuing bank when the card is manufactured, thus proving that each credit card is original and genuine.

And secondly, when cardholder details are transferred to a merchant terminal in a transaction, they are dynamically signed by the chip, thus proving that the card has been unlocked (it won’t operate to produce the signed transaction otherwise) and is therefore likely to be in the right hands.

The static and dynamic cryptographic functions make counterfeiting or copying chip cards infeasible.

Upgrading credit cards from magnetic stripe to chip was the single most important enhancement in the history of card payment security. 

Mobile virtual credit cards share the same cryptographic security techniques as chip cards, but the crucial details are hidden from the cardholder; all they see is the skeuomorphic wallet user interface and its familiar images.

The lessons of credit cards for verifiable credentials

As mentioned, digital wallets are getting all the attention in the move to cryptographically verifiable credentials. But why do we spend so much time designing digital experience and trust frameworks around a component that has played no part in system security?

Why do we bother with the wallet metaphor at all? Real world wallets are actually an uninteresting part of the payments system.

It is the credit card network that critically enables digital credentials from vetted issuers to be securely loaded to a customer’s card.

Being prepared to accept credentials requires extensive arrangements to be made in advance, including knowing what types of credentials to expect, and having the right public keys with which to verify the various digital signatures on the credentials and the presentations.

It’s this last aspect that needs the most attention for verifiable credentials to scale. Verifiable credentials need to be legible when the RP is at arm’s length from the issuer and can’t afford to make its own arrangements regarding all the different credentials and issuers, and which of them are fit for purpose.
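The two chip-card signatures described earlier (card data signed by the issuer, each transaction signed by the chip) and the relying party's advance arrangements can be put together in a short sketch, added here and not taken from the article or from any card scheme's specification. Ed25519, the JSON layout, the `registry` map and every name in it are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');
// JSON.stringify stands in for a canonical serialisation (assumption of this sketch).
const bytes = (obj) => Buffer.from(JSON.stringify(obj));
const sign = (key, obj) => crypto.sign(null, bytes(obj), key).toString('base64');
const check = (key, obj, sig) => crypto.verify(null, bytes(obj), key, Buffer.from(sig, 'base64'));

// Issuer binds the claims to the holder's public key: the "static" signature.
function issue(issuer, holderPublicKey, type, claims) {
  const holderKey = holderPublicKey.export({ type: 'spki', format: 'pem' });
  const body = { issuer: issuer.name, type, claims, holderKey };
  return { body, issuerSig: sign(issuer.keys.privateKey, body) };
}

// Holder's device signs the relying party's fresh nonce: the "dynamic" signature.
function present(credential, holderPrivateKey, nonce) {
  const holderSig = sign(holderPrivateKey, { nonce, issuerSig: credential.issuerSig });
  return { credential, nonce, holderSig };
}

// Relying party: `registry` (Map of "type|issuer" -> public key) is all it arranged in advance.
function verify({ credential, nonce, holderSig }, registry, expectedNonce) {
  const { body, issuerSig } = credential;
  const issuerKey = registry.get(`${body.type}|${body.issuer}`);
  if (!issuerKey) return 'unknown issuer or credential type';
  if (!check(issuerKey, body, issuerSig)) return 'credential not signed by listed issuer';
  if (nonce !== expectedNonce) return 'stale or replayed presentation';
  const holderKey = crypto.createPublicKey(body.holderKey);
  if (!check(holderKey, { nonce, issuerSig }, holderSig)) return 'presenter does not hold the key';
  return 'ok';
}

// Constructed sample data: every name, type and value below is made up.
function demo() {
  const gen = () => crypto.generateKeyPairSync('ed25519');
  const bank = { name: 'Example Bank', keys: gen() };
  const rogue = { name: 'Example Bank', keys: gen() }; // claims the name, lacks the key
  const holder = gen(), thief = gen();
  const registry = new Map([['PaymentCard|Example Bank', bank.keys.publicKey]]);
  const card = issue(bank, holder.publicKey, 'PaymentCard', { account: 'constructed-0001' });
  const shown = present(card, holder.privateKey, 'nonce-1');
  const by = (iss, type, key, n) => verify(present(issue(iss, holder.publicKey, type, {}), key, n), registry, n);
  return {
    genuine: verify(shown, registry, 'nonce-1'),
    replayed: verify(shown, registry, 'nonce-2'),
    copied: verify(present(card, thief.privateKey, 'nonce-3'), registry, 'nonce-3'),
    forged: by(rogue, 'PaymentCard', holder.privateKey, 'nonce-4'),
    unlisted: by(bank, 'LoyaltyCard', holder.privateKey, 'nonce-5'),
  };
}
```

Nothing in `verify` touches a wallet: every decision rests on the signatures and on the registry, which is the part that has to be distributed to relying parties for credentials to scale.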

I agree wallets are important, yet carrying cards is the easy part of payments and credentialing systems. The wallet metaphor does not illuminate much of the real problem to be solved in verifiable credentials, omitting the essential underlying infostructure needed to (a) load the right verifiable credentials from the many issuers coming onto the market, and (b) make credentials legible at scale.

To probe further …

“Authentication for Everything: How to Make Good on the Promise of Digital Wallets”, Steve Wilson & George Peabody, Authenticate Conference 2023.

Making Data Better podcast.

Lockstep’s proposed Data Verification Platform for distributing the meaning and fitness of digital credentials and data.