Here David Chadwick, from Crossword Cybersecurity, outlines how the W3C Verifiable Credentials standard works, how it protects all parties in an identity-based transaction, and why he believes it can become the de facto credentials mechanism for banking and far beyond in the near future. David is a co-author of the standard, which was published by the World Wide Web Consortium in November 2019.
The rate of digital adoption was accelerated immensely by the pandemic amongst both businesses and consumers. Banking has been undergoing a steady evolution and adoption of digital services for some time, but even though mobile and online banking were already popular, they too saw growth. McKinsey reported in a consumer survey that the preference for handling everyday transactions digitally across Western European markets is as high as 60 to 85 percent, even for customers aged 65 or over.
Despite this digital evolution, the banking sector continues to face one of the biggest challenges that have existed online, and in the physical world, since the earliest incarnations of the Internet. Banks rely on official documents to open accounts, authorize lending and provide a range of other services. They also need to verify that those documents are genuine, current and are being presented by the genuine owner of the asset. Outside banking, the same is true for any online document, whether it be a certificate, legal document, ID, concert ticket or business document. The need to demonstrate COVID-19 vaccination status is just one very recent example of this challenge.
It is a problem that has persisted since the earliest days of the Internet, opening up the possibility of forgery and misuse, and is the basis of much fraud and criminality. Our increased use of smartphones as the centre of our online life has only exacerbated the problem, as they become our digital wallet.
Workarounds that control access to devices, or that use pseudo identities such as Facebook or Google logins, actually do little other than prove that the person who logged in knows the credentials of an account. They certainly provide no verification of identity, or other documents that may have been issued by a third party to the person using that account.
Biometrics are not a silver bullet
Banks have sought to overcome some of these challenges with the use of biometrics such as facial recognition and fingerprints. These are now more commonly used to log in to, or unlock, devices and they increase usability, but they still leave the challenge of proving the authenticity of a document wide open to abuse.
Pseudo-identities, as mentioned above, are convenient but create problems of their own, particularly around privacy. If I choose to share information with a third party to prove I am over 18 or that a professional certificate is genuine, the issuer of that information (the ‘identity provider’) should have no right to know who is requesting the validation or any other information related to the transaction. Equally, when the requestor confirms the authenticity of the requested information, I should not have to share any additional information with the requestor that might be in my certificate but is not relevant to the transaction, such as my residential address.
The Verifiable Credentials standard
The World Wide Web Consortium’s (W3C) Verifiable Credentials standard seeks to address all of these challenges, maintaining privacy by ensuring that checks and verifications do not allow a credential holder to be tracked or force them to reveal more private information than is necessary. COVID passports are one very recent example, where institutions and citizens have equally valid (if different) concerns about how such credentials are managed and verified, and how the data is shared.
The standard is based on a trust model between three parties: the Issuer is the party that creates the document; the Holder is the party to whom it is assigned, to present at a later time; and finally, the Verifier is the party that wants to verify that the issued document is genuine. The Verifier and Holder trust the Issuer, and the Holder trusts the Verifier. One of the most important aspects of this relationship is that the Holder sits between the Issuer and Verifier and controls whether verification can take place. The Issuer can only confirm that the information in the certificate is correct, by digitally signing it, when requested by the Holder. The Verifier only needs to request the data that it needs for the transaction, thereby obeying GDPR’s data minimisation principle. This model protects the privacy of the Holder whilst also giving a Verifier absolute confidence that (the relevant portion of) a document is genuine.
The Verifiable Credentials Data Model standard has been designed to ensure that credentials are digitally signed and extensible, so that new properties can be applied to the schema to suit any industry specific use. But it stops there. Implementors have to decide which other standards to employ with it in order to build a functioning system, such as FIDO2 which enforces cryptographic security and strong web authentication.
In fact, a particularly useful aspect of the Verifiable Credentials standard is that the parties undertake the specific roles of Issuer, Holder or Verifier, but they are not constrained in how many roles they can take on, or when. Each party can be a device, a person or an institution, so verifications can take place directly between automated systems, which can even verify that each other is genuine before establishing a connection to share data. A party can also change role: for example, after verifying a user’s credentials a bank can become an Issuer and provide the user with a new bank-issued verifiable credential. This could be extremely useful for financial institutions wishing to validate documents provided by a customer, whether that be an employee providing their pay slips, or identity documents from a body such as a tax or driving licence authority.
Banking and beyond
The Verifiable Credentials standard offers an exciting opportunity to address some of the biggest challenges that the online world has failed to fix to date, and do so in a way that puts users and holders of issued credentials back in control of their data, far beyond the banking sector. Such use cases could include:
- In education – we expect all educational establishments and training companies to issue verifiable credential-based certificates of achievement. This will mean every student can present certificates to employers knowing that they cannot be forged or misrepresented. Privacy will be maintained by not allowing the issuing educational establishment to track verifications by employers, for example.
- In business certifications – we expect businesses to hold key certifications and documents such as insurance cover notes as verifiable credentials, making proving their capabilities and compliance to customers easy and forgery-free. This should dramatically speed up supplier due diligence and many other B2B transactions that are currently painfully paper-based.
- In digital staff passports – we see large organisations implementing credentials wallets for their staff that store their building passes, IT rights, certifications and training records – enabling the flexible workforce that many envisage as being necessary in the post-pandemic world of work.
The Verifiable Credentials standard has the potential to become the de facto standard in the identity verification and authentication arena. At its core is a trust model designed to give confidence to, and protect the interests of, all parties, without compromising on security and privacy. As an open and extensible standard developed by the W3C, it is gaining momentum in the industry, and all that remains to be seen is the innovative ways in which banking institutions, public bodies and enterprises implement it in standards-based solutions that create a seamless and secure verification experience and restore confidence in digital identity.