David Chadwick, Crossword Cybersecurity, outlines how the W3C Verifiable Credentials standard works and why he believes it will become the de facto credentials mechanism for public sector services in the near future
One of the biggest challenges online, and in the physical world, remains proving that a document, whether it be a certificate, legal document, ID, concert ticket or business document, is genuine, current and is being presented by the genuine owner of that asset. In the public sector, citizens are regularly required to prove their identity, as well as provide ‘genuine’ documents as evidence of their rights to access a service or benefit, for example. The need to demonstrate COVID-19 vaccination status is just one very recent example of this challenge, and documents are required as evidence of identity and entitlement across a range of public services.
This problem has persisted since the earliest days of the Internet, opening up the possibility of forgery and misuse, and is the basis of much fraud and criminality in the public sector. Our increased use of smartphones as the centre of our online life has only exacerbated the problem, as they become our digital wallet.
Workarounds that control access to devices, or that use pseudo identities such as Facebook or Google logins, actually prove nothing in terms of the authenticity of identity, or documents, and actually leave users handing over data that they need not. They only prove a person has access to a device, not that they are who they say they are. They certainly provide no verification of identity, or of other documents that may have been issued by a third party, for example driving license or documents from a health authority.
Biometric methods such as facial recognition and thumbprints which are now more commonly used to login to, or unlock devices, increase usability, but still do not address the challenge of proving the authenticity of a document, which remains wide open to abuse.
The Verifiable Credentials standard
The World Wide Web Consortium’s (W3C) Verifiable Credentials Data Model standard seeks to address all of these challenges, maintaining privacy by ensuring that checks and verifications do not allow a credential holder to be tracked or force them to reveal more private information than is necessary. COVID passports are one very recent example, where institutions and citizens have equally valid (if different) concerns about how such credentials are managed, verified and the data is shared.
The W3C standard is based on a trust model between three parties: The Issuer is the party that certifies the document; the Holder is the party to whom it is assigned to present at a later time; and finally, the Verifier is the party that wants to verify that the issued document is genuine. The Verifier and Holder trust the Issuer, and the Holder trusts the Verifier (at least to the level of the identity attributes that it is requesting). One of the most important aspects of this relationship is that the Holder sits between the Issuer and Verifier and controls whether verification can take place. The Issuer can only confirm that the information in the certificate is correct, by digitally signing it. The Verifier only needs to request the data that it needs for the transaction, thereby obeying GDPR’s data minimisation principle. This model protects the privacy of the Holder whilst also giving a Verifier absolute confidence that (the relevant portion of) a certified document is genuine.
A particularly useful aspect of the Verifiable Credentials standard is that the parties undertake the specific roles of Issuer, Holder or Verifier, but they are not constrained in how many roles, or when, they can employ them. Each party can be a device, a person or an institution, meaning that verifications can take place directly between automated systems, even verifying that each other is genuine before establishing a connection to share data, for example, after verifying a user’s credentials a government department can become an issuer, giving a citizen a new government-issued verifiable credential such as a mobile driving license (mDL). There is now an ISO standard for mDL, and Apple has committed to implementing it on iPhones. Whilst the current version of the ISO standard is restricted to mDL, the next version is expected to be fully compatible with verifiable credentials. This will be extremely useful for local authorities and other government departments when all citizen documents conform to the same W3C standard.
Huge potential to save time and cut fraud
The Verifiable Credentials standard has the potential to become the de facto standard for addressing the identity verification and authentication challenges in the public sector and far beyond. At its core is a trust model designed to give confidence to, and protect the interests of all parties, without compromising on security and privacy. As an open and extensible standard developed by the W3C, it is gaining momentum in the industry and all that remains to be seen is the innovative ways in which public bodies and enterprises implement it in standards-based solutions that create a seamless and secure verification experience that restores confidence in digital identity.