Imagine someone walks into your office, hands you a printed copy of their background check, and asks when they can start the job. Would you hire them on the spot? Of course not.

Nearly all paper documents can be easily faked, photoshopped, or forged. The same goes for PDFs and most digital documents. As a result, organizations cannot rely on digital documents as a trusted source of information.

But there is a caveat: data that is cryptographically secured and digitally signed can be trusted. Even if you’ve never verified a digital document yourself, your computer has done it for you. Every online banking portal, email login, and social media site relies on the same backbone for the secure transmission and verification of data, something known as Transport Layer Security, or TLS.

Standards for cryptographic verification


The https:// bar in your browser signals when TLS is being used. TLS encrypts your data to keep it secure, but it also authenticates the validity of the communicating parties to prevent impersonation. This authentication process involves digital certificates, which are digital IDs that get issued to the host of the website by trusted entities called Certificate Authorities (CA).

When you connect to a website using TLS, the website presents its digital certificate to your browser. This certificate contains the website's public identifier (public key) and the CA's digital signature. Your browser checks this signature against a list of trusted CAs. If the certificate is valid and signed by a recognized CA, your browser trusts the website's identity.

This mechanism ensures that you're actually communicating with the intended website and not an imposter trying to steal your information. For example, when you log into your bank's website, TLS verifies that the site is genuinely your bank's and not a fake site created by a hacker. This authentication is crucial for secure online transactions and communications.

TLS is not the only mechanism whereby this kind of cryptographic data verification can happen; there are hundreds of standards and tools, collectively known as Public Key Infrastructure (PKI), that rely on similar methods. Blockchains, digital government IDs, and vaccination credentials are some of the better-known examples. 

In recent years, regulatory and standards bodies have made significant progress towards making digital documents and identities cryptographically verifiable. Some of the widely adopted standards include eIDAS, mDLs, and Verifiable Credentials.

  • eIDAS (Electronic IDentification, Authentication and trust Services):
    • eIDAS is a European Union regulation that establishes an EU-wide framework for electronic identification (eID), digital signatures, electronic seals, time stamps, registered delivery services, and certificate services for website login authentication. This regulation ensures the secure and mutual recognition of electronic transactions and identities, facilitating cross-border business and services within the EU.
    • As one example, a business in France can securely sign a contract with a partner in Italy using legally-binding eIDAS digital signatures which are recognized by both countries. eIDAS also enables a range of other applications such as filing taxes online, enrolling in a university in another EU country using a national eID, securely accessing health records across borders, and conducting secure electronic banking transactions.
  • mDLs (Mobile Driver’s Licenses):
    • mDLs are digital forms of the traditional plastic driver's license, adapted for easy presentation on mobile devices. Several U.S. states including Louisiana, Arizona, and Oklahoma, and countries like Estonia, have already adopted the mDL standard.
    • During traffic stops, drivers present their mDL to law enforcement to minimize physical contact and share only necessary information, protecting privacy. For age verification when buying age-restricted items, mDLs allow users to prove their age without revealing extra personal details. This selective sharing enhances control over personal data and ensures convenience and security in identity verification.
  • Verifiable Credentials:
    • Verifiable Credentials are digital claims that are tamper-evident and cryptographically secured, enabling the secure and verifiable sharing of credentials by individuals or organizations.
    • In education, a university could issue digital diplomas as Verifiable Credentials. Graduates can then easily share these credentials with potential employers or other educational institutions, who can instantly verify the diploma's authenticity without direct contact with the issuing university.

The trust triangle

The “trust triangle” for Verifiable Credentials is a model for how credentials can be shared between relying parties. It hinges on three core entities: the Issuer, the Holder, and the Verifier.

The Issuer generates and signs the credential, embedding it with cryptographic proof of its origin and validity. This process guarantees that the credential comes from a reliable source, much like a driver’s license issued by a state licensing authority. Moreover, Issuers can set expiration dates on credentials or revoke them if required. This ensures that the credentials are always up-to-date and legitimate.

The Holder, typically an individual, receives and stores these credentials securely. They have the ability to present these credentials to Verifiers as needed, without compromising the underlying data's security or privacy. This role mirrors that of an individual carrying a driver's license, ready to prove their identity or permission to drive.

Verifiers are tasked with validating the credentials presented to them. They use cryptographic techniques to confirm that the credentials are not only genuine and unaltered but also issued by a trusted Issuer. This step is akin to a bartender checking a patron's ID to verify age, relying on the document's features and issuing authority's reputation.

While this model is not the only way in which Verifiable Credentials can be used, it provides a way to reason about some important kinds of credential-based interactions. For instance, in a future where Verifiable Credential interactions are the norm, a regulatory body would issue digital licenses to professionals, who would then present these licenses to employers. Employers could then directly verify the authenticity of these licenses, streamlining the hiring process and ensuring efficient compliance.

One pioneer of Verifiable Credential adoption is the Velocity Network Foundation, which is supported by entities like HireRight, Cisive, Randstad, InfoMart, SAP, IBM, and the National Student Clearinghouse. This initiative brings together various stakeholders, including employers, educational institutions, and certification agencies to create a unified, immutable record of career credentials that are backed by Verifiable Credentials. The cryptography that underlies the credentials makes it possible for career records, such as employment and education history, to be instantly verifiable and fraud-resistant. Verifiable Credential networks like the Velocity Network can streamline hiring and improve compliance posture by tying each credential back to a trusted issuer.

Identity verification and digital wallets

Verifiable credentials are a valuable technology, but without adoption, their value will remain latent. Before verifiable credentials can scale, the market needs consumer-friendly tools to store, share, and validate credentials. These tools — digital wallets — are the key to adoption. We believe that compliance credentials should only be issued to trusted individuals, which makes verified identity the foundational credential of a digital wallet. It follows that the product infrastructure built around wallet-driven identity verification will be the bridge towards mass adoption of verifiable credentials.

Reusable identity is perhaps the best term for the emerging wallet-driven identity verification space. Products in this category allow an individual to verify their identity once, and then share proof that they’ve verified their identity with other groups without having to complete another verification process. This credential reuse makes for a faster and more convenient user experience, and allows for advanced security features (such as selective disclosure, where a user maintains their privacy by only sharing relevant parts of their identity credential).

Trinsic, a provider of reusable identity solutions, recently put together a map of reusable identity products which is available here and copied below. According to Trinsic’s definition, “reusable ID products are a subset of IDtech products focused specifically on a ‘verified identity’ credential.” 


Note how many companies are active in this space. Because of the tangible and immediate advantages of reusable identity over transactional models, reusable identity is the first type of verifiable credential that is market ready and in demand.

Turning transactions into users

The most important component of the shift from transactional verification to wallet-driven verification is that the individual completing the verification becomes a user of the wallet. 

Wallet-driven identity verification transforms individuals into active participants. This stands in stark contrast to the transactional verification model, where individuals undergo verification without creating an account or forming a direct relationship with the verifying entity or organization, and are therefore represented as mere entries in a database. This system limits further interaction, making it impossible to update credentials or maintain ongoing communication for compliance or monitoring purposes.

By setting up an account and owning a wallet, users gain a tangible presence within the system. This shift not only enables direct communication and updates but also opens avenues for continuous engagement and interaction throughout the application, vastly expanding the possibilities for both the individual and the organizations involved.

This shift to a user-first model also marks a profound change in how personal data and the verification process are managed. It gives individuals unprecedented access to and control over their data, and allows for a more dynamic interaction between organizations and their individual members.

With digital wallets, individuals can now actively manage their credentials, enhancing their privacy and autonomy, and organizations gain a more reliable and engaged participant in the verification process, streamlining operations and fostering trust.

Portable and reusable credentials

Digital badges are QR-code form of credential that can be easily shared and verified in-person. Let's explore this idea further in two examples, in the context of of youth sports and healthcare.

In youth sports, safety and trust are paramount. Parents want to know that the coaches and volunteers interacting with their children are properly vetted and qualified. By issuing Verifiable Credential badges to coaches who have passed background checks, completed safety training, and met other qualifications, youth sports organizations can provide parents with an easy way to get greater peace of mind.

Picture the following workflow:

  1. The youth sports organization verifies a coach's background and qualifications.
  2. The organization issues a Verifiable Credential badge to the coach's digital wallet.
  3. At practices or games, the coach displays their badge as a QR code.
  4. Parents scan the QR code using their smartphone, instantly verifying the coach's credentials.

This system allows for quick, in-person verification without the coach needing to carry around physical documents. It also provides a secure, privacy-respecting way for parents to trust that their children are in good hands.

In healthcare settings, it's critical to ensure that only authorized personnel have access to restricted areas or sensitive patient information. Verifiable Credential badges can help manage these access controls more efficiently.

Consider this scenario:

  1. A hospital verifies an employee's role, training, and security clearances by verifying that they have a valid medical license and up-to-date specialty certifications by checking their digital wallet.
  2. The hospital issues a Verifiable Credential badge to the employee's digital wallet.
  3. The badge includes specific access privileges (e.g., access to the ICU, permission to view patient records).
  4. When the employee needs to enter a restricted area or access a secure system, they present their badge QR code.
  5. A scanner at the entry point or login screen verifies the badge and grants access accordingly.

For vendors or contractors visiting the hospital, a similar process could be used:

  1. The vendor completes the necessary security checks and training, and proof of completion is stored in their digital wallet.
  2. The hospital issues a temporary Verifiable Credential badge to the vendor's digital wallet.
  3. The badge includes restrictions on what areas the vendor can access and how long the badge is valid.
  4. Security personnel scan the vendor's badge QR code to verify their access rights.

By using Verifiable Credential badges for access control, hospitals can reduce the risk of unauthorized access and ensure that everyone on the premises has been properly vetted. The badges provide a quick, secure way to verify identities and privileges without the need for cumbersome physical badges or keys.

Across industries, in-person QR code scanning of Verifiable Credential badges offers a powerful tool for establishing trust, ensuring safety, and streamlining operations. As more organizations adopt this technology, we can expect to see a shift towards more secure, efficient, and user-friendly ways of verifying identities and qualifications in a wide range of settings.

Digital wallets for regulated industries

Even with cryptographically-verifiable credentials, there is still a need for a way to establish the trustworthiness of credential issuers. This is where trust registries come in. A trust registry is a decentralized or federated database that lists approved issuers for a particular type of credential.

For example, a trust registry for healthcare credentials might list all of the accredited medical schools, nursing programs, and certification bodies whose credentials are recognized within the industry. When a verifier receives a credential claiming to be from one of these issuers, they can check the trust registry to confirm that the issuer is legitimate.

Trust registries can be maintained by industry associations, professional societies, or consortia of stakeholders. They provide an additional layer of assurance beyond the cryptographic verification of individual credentials, helping to combat fraud and establish a common framework of trust within an ecosystem.

Energy:

  • In the energy sector, Verifiable Credentials could be used to manage certifications for workers in high-risk roles, such as oil rig operators or nuclear power plant technicians. Safety training completion records, equipment operator licenses, and environmental compliance certifications could all be issued and verified as tamper-proof digital credentials. This would help ensure that only properly qualified personnel are working in sensitive roles and that compliance records are always up-to-date.

Transportation:

  • For transportation companies, Verifiable Credentials could streamline the management of driver's licenses, vehicle registrations, and insurance records. A trucking company could verify that all of its drivers have valid commercial driver's licenses and clean driving records by checking their Verifiable Credentials. Airline pilots could use Verifiable Credentials to prove their flight training and certification status.

Gig Economy:

  • In the gig economy, Verifiable Credentials could help establish trust between workers and the platforms or customers they serve. A ride-sharing company could issue credentials to drivers who pass background checks and vehicle inspections. Freelance developers or designers could use credentials to showcase their portfolios and client reviews. Delivery drivers could have credentials attesting to their reliability and positive customer feedback.

Skilled trades:

  • For skilled trades like plumbing, electrical work, and home services, Verifiable Credentials could provide assurance of workers' qualifications and reputations. A plumbing company could issue credentials to its employees certifying their training and licensing status. Electricians could have credentials attesting to their union membership, safety record, and years of experience. Babysitters or nannies could share credentials from past employers vouching for their trustworthiness and skills with prospective clients.

In each of these cases, a digital wallet equipped with Verifiable Credentials provides a secure, privacy-respecting way to share and verify essential information about workers' qualifications, experience, and reputation. By reducing friction in the verification process and establishing a common framework for trust, digital wallets can help compliance-heavy industries operate more efficiently and with greater confidence.

Share this post