When we look at our online world today, whether by quick scan or in-depth survey, there is little doubt that we have entered the Age of Verification – and Verifiable Credentials will be key players in this new age.
Propelled in large part by the eroding levels of trust in major societal institutions – including government, media, and even NGOs – and made necessary by the increasing amount of time we spend online, the expanding scope of digital transactions in both personal and business realms, and the worrying implications of an AI-generated future, we are moving deeper into an age where in order that we trust anything online – a social media post, an image, a video, a business claim, an email from a ‘contact’ … we have no choice but to somehow, some way, try to verify it.
The age of verification is indeed upon us, evidenced by the increasing presence of messages, tags and ‘trust’ marks announcing that a person, account, or some other thing has been verified; or new digital interaction patterns that force us to verify our very human existence (see: reCAPTCHA, I’m not a robot) in order to access a website.
Today, we have built the notion of verification into almost every digital transaction, and the term verified has become code for ‘trust me’.
There are verified buyers on eBay. Verified artists on Spotify. Verified translations on Google. Verified product reviews. Verified hosts and verified guests on AirB&B.
We repeatedly verify our phone numbers and or our email addresses in order to prove that we are still who we were when we last logged into a website just a few days ago.
And of course you can now get a verified blue checkmark on the app formerly known as Twitter, or a verified badge on LinkedIn.
Verified signatures are beginning to show up on email clients, and even back in the brick and mortar world we see credit card receipts where it is written “PIN verified, signature not required”.
And the list goes on…
This, of course, is a good thing. We have taken an important first step, which is to recognise that we have a problem – a trust problem. Websites, apps and digitally-enabled platforms seem to be lining up to take digital trust seriously, and in one way or another they are addressing these challenges.
But one important nuance merits mentioning, and that is the distinction between past-tense verified and present-tense verifiable.
Past-tense verified solutions address customer concerns and convey a sense of assurance based on the idea that at some point in the past, under some vetting procedure, something has been verified, and therefore, you can now trust it.
However, as end customers and consumers, we generally don’t have a clue as to what’s behind the verification process. How rigorous is it? Is it pay-to-play? And the reassuring words on the website – how true, or trustworthy can they be? How hard can it be to simply write ‘VERIFIED’ on a website?
Many of the VERIFIED claims online today are closer to trustwashing than trustworthy.
Which is why, in this Age of Verification, we are moving towards specific digital interaction patterns that satisfy the desire, the need, or even the mandate, to proactively verify.
We want evidence.
Without the ability to proactively engage in the present-tense verification process, we will have difficulty establishing digital trust.
In other words, rather than relying on solutions that are past-tense verified, we need solutions that are present-tense verifiable. This will become even more important as our digital world moves towards trustless, or zero-trust architecture.
And that’s where VERIFIABLE CREDENTIALS (VCs)come in.
Verifiable Credentials are one of a handful of emerging technologies that promise to lead the internet and our digital infrastructure into its next, more trustworthy iteration.
According to Gartner, verifiable credential technology is “transformational” and currently on the path towards a “plateau of productivity”.
Verifiable credentials achieved W3C recommendation status in 2022, and got a boost at the start of the pandemic due to their utility in digital vaccination certificates. Since then, verifiable credentials are being battle-tested in a wide range of pilot projects, from digital ID cards, to drivers licenses, business registration, trade documents, and school diplomas, and more.
We’ll go into further depth about specific verifiable credential use cases in later posts, and in the meantime, read on for some high level questions and answers about Verifiable Credentials.
What are Verifiable Credentials?
Verifiable Credentials are, in essence, digital versions of the physical credentials we use regularly in the physical world in order to gain access, prove qualifications, qualities, ownership, or control, and otherwise help establish trust. When we refer to “credentials”, we also include certificates, attestations, claims, and assertions.
Because we are so familiar with these physical certificates, it’s an easy jump to imagine their digital versions.
Typical examples are a driver’s license, school diploma, employee ID, or proof of vaccination. Digital versions of these credentials contain all of the same information and attributes that a physical version of the credential contains.
What makes them verifiable?
The digital versions of these credentials, if they adhere to the W3C standards, are verifiable in that they are digitally, cryptographically signed by an issuer whose public key is stored on a trusted ledger or registry.
We can verify that the display signature we are seeing corresponds to the public key of the issuer, and we can check that the information contained in the credential that we are verifying is the same as when it was digitally signed, i.e. it has not been tampered with or otherwise corrupted.
So when we verify a credential, we can be assured of the identity of the issuing entity, and that the information we are seeing is exactly as it was when the credential was issued.
Other than being verifiable, what else makes Verifiable Credentials so special?
There are several qualities which add transformational value to verifiable credentials, notably:
Transitive trust: This is perhaps one of the most underappreciated aspects of verifiable credentials. As long as information is packaged in a verifiable credential format and cryptographically signed, we can be assured of the integrity of that data as it flows throughout a digital ecosystem, even when the credential is no longer under direct control of the issuer or holder. Verifiable Credentials allow for the trust which is established in the act of issuing a credential to circulate within an ecosystem, to be passed on from issuer to holder and verifiers.
Machine readability: Verifiable Credentials are machine-readable in that they are written in simple W3C standard code, and structured in a way that allows automated systems (or their agents / wallets / verifiers) to easily process and interpret the information they contain.
Enforced data harmonization: A key part of a verifiable credential is its schema, which prescribes a data structure specific to the credential type, so that there is absolutely no ambiguity as to the contents and meaning of the credential. The schemas promote consistency within credential types and support interoperability and seamless data exchange.
Automated auditability: Because Verifiable Credentials are signed, with structured data, and are machine-readable, they allow for a high degree of automation of auditing processes which collect, analyze, and verify information. Automated audits can generate an audit trail of documentation to provide, for example, a record of activities, changes, or compliance status.
Portability: An important element in the value of data is its ability to flow through an ecosystem with integrity, i.e., with a high degree of assurance that it is “good” data. Verifiable credentials have been described as “shipping containers for data,” and when we exchange data in the format of a verifiable credential, we bring integrity to the information supply chain.
What role do Verifiable Credentials play in Digital Identity infrastructure?
Verifiable Credentials are being used in Digital Identity infrastructure to digitally represent the different physical identity certificates that we use today, such as a national ID card, organizational ID, employee ID, school ID, driving license…
These digital representations can enhance the security of digital identity infrastructure by improving privacy, security, and user control in digital interactions.
Verifiable Credentials, when bound to Verifiable Identifiers, form a robust foundation for trusted digital identity.
BY ERIC DRURY, Digital Identity & Trust Advisor