Verifiable Credentials: The Ultimate Guide 2022

Photo from Unsplash

Originally Posted On: https://blog.dock.io/verifiable-credentials/

Organizations use physical credentials like employee badges, certifications, and passports to identify people and verify claims about them like being old enough to go to a nightclub or graduating with a degree. But of course, physical credentials have their drawbacks.

Did you know that:

1. Over half of all people claiming a new PhD in the United States have a fake degree?
2. More than 1,200 vendors operating in the UK and worldwide offer fake COVID vaccine and test certificates for as little as £25?
3. 75% of university admissions staff could not spot a fake certificate?

With the increasing digitization of information, people are required to interact with thousands of businesses online. How would organizations know if a digital document is real? If organizations can’t tell if digital assets are real or fake, they are exposed to liabilities such as hiring someone who is not really qualified to do a job. Many people simply use Photoshop or change a PDF themselves to make fake certificates or licenses.

Verifiable Credentials can help individuals and organizations create and share their identities and claims reliably.

What Is a Verifiable Credential?

Verifiable Credentials are a digital, cryptographically secured version of both paper and digital credentials that people can present to organizations that need them for verification. Imagine digital and instantly verifiable versions of identity documents, academic achievements, licenses, and more.

When digital credentials conform to the Verifiable Credentials Data Model 1.0, which is a standard established by World Wide Web Consortium (W3C), they can be referred to as Verifiable Credentials. The Verifiable Credentials Data Model 1.0 is a “specification [that] provides a standard way to express credentials on the Web in a way that is cryptographically secure, privacy-respecting, and machine-verifiable.”

W3C is an international community where member organizations, full-time staff, and the public work to set international standards for the World Wide Web. They created standards for URL, decentralized identifiers, and others. Verifiable Credentials are one of the three pillars of Self-Sovereign Identity (SSI), which is an approach to digital identity that gives individuals control of their digital identities. The other two pillars are blockchain and decentralized identifiers.

The main parties involved in the use of Verifiable Credentials are the:

1. Issuer: Organization that has the authority to issue Verifiable Credentials such as a government department issuing a national ID or a college issuing a diploma
2. Holder: Someone who owns the credential and stores it in their digital wallet
3. Verifier: The person or organization validating or authenticating the credential like a hiring company needing to check a candidate’s educational credentials

Benefits of Verifiable Credentials

• Instantly verifiable anywhere at any time within seconds compared to days, weeks, or months with traditional verification processes
• Tamper-proof with cryptography, which enables people to store, protect, and share data securely
• No need to contact the issuer (e.g. a university or certifying body) to confirm the authenticity
• Creates immediate trust between parties
• ID holder have full control and ownership of their data, enabled by decentralized identifiers (globally unique identifiers) and Public key cryptography.
• Provides user privacy because they can choose which parts of their identity they want to reveal such as showing their age without showing their full name. Or proving they are above a certain age without disclosing their date of birth.
• No personal data is stored on the blockchain
• Portable as holders can store Verifiable Credentials in their digital wallet and take them anywhere while still being verifiable.

Organizations can issue their degrees, IDs, licenses, and more as verifiable digital credentials that can be stored in a digital wallet, which is a digital version of a physical wallet that people can carry around as a mobile application on their phone, computer, or even a cloud-based server.

Gartner, a technological research and consulting firm, shared five trends for identity and access management and fraud detection. One of the trends is that the decentralized identity standard will shift to being increasingly mobile and global. The term “decentralized identity” is used interchangeably with self-sovereign identity because it refers to the idea of individuals owning and managing their own identities.

Verifiable Credentials Example

In the Verifiable Credentials ecosystem, the issuer and holder are required to use Decentralized Identifiers, or DIDs. Decentralized identifiers are similar to email addresses and phone numbers in that they are unique. The DID and public key of the organization that issued the credential are stored on the blockchain. So when someone wants to verify the authenticity of the credential, they can check the blockchain to see who issued it without having to contact the issuing party.

A DID:

• Is a globally unique identifier made up of a string of letters and numbers
• Allows the owner to prove cryptographic control over it
• Comes with a private key and a public key
• Enables private and secure connections between two parties and can be verified anywhere at any time

We will go into more detail later on about how DIDs work, but here is an example that ties all of these details together.

Let’s say a government department uses Verifiable Credentials to issue passports. Whenever they issue a new passport, they will sign it with a private key while their public key and DID are on the blockchain. In this case, the data outline (schema) on the verified credential would include the name, country, date of birth, and so on.

You will be able to store your passport within your digital wallet and control precisely what you want a verifier to see. Then when a verifier like a company, for example, wants to check the Verifiable Credential, they can check to see if the government department really did sign it without contacting the issuer because the government’s public key and DID are on the blockchain.

Another benefit of a Verifiable Credential is privacy. If an on-demand driving company asks for your license if you’re applying to become a driver, you can use your phone to simply show them a verifiable presentation of the credential that proves that you have the authority to drive. With a verifiable credential, you can selectively disclose only the information required by the verifier. If a platform uses Zero-Knowledge Proof technology, you could even prove you have a valid license without showing any information from the license itself.

With Verifiable Credentials, the DMV also has the authority and ability to define an automated expiration date. They can also revoke the license if a driver breaks the law and is penalized by having their credential removed for a certain period of time.

Why Do We Need Verifiable Credentials? What’s Wrong With Our Current Verification Systems?

The main reason why Verifiable Credentials are becoming increasingly popular among people and businesses around the world is that it checks a lot of boxes when it comes to user privacy requirements and addresses several major issues associated with the current identity management system.

Problems With Our Current Traditional Verification Systems

• Proving the authenticity of documents involves a slow and difficult verification process, which often takes organizations weeks or even months
• Increased risk of breaches of data resulting from centralized data management systems storing a large amount of user information
• Paper and digital credentials are easy to forge
• Organizations store vast amounts of personal data from users which leaves users without control over who has access to their personal information, where their documents are stored, and how they are being used
• With a physical credential or PDF, people may be disclosing a lot more information than is necessary when they present it for verification

Verifiable Credentials enable people to verify their identity, only provide information that is relevant to the context, and prove their documents weren’t modified.

With a digital credential that could be in a PDF or XML document, for example, verifying the origin and authenticity of documents is complex. You’d have to confirm that:

1. The Issuer Organization effectively issued that credential and has the authority to do so like an organization that provides driver’s licenses
2. The person submitting the credential (holder) is its rightful owner
3. The credential is valid and not expired, modified, or revoked

​​In many cases, this involves manually contacting the issuing organization, which is a long, tedious, and often expensive process.

Here are just a few of many examples of how fraudulent IDs and credentials pose a risk to organizations:

Construction

New construction employees need to present credentials to an employer, especially if they will operate heavy machinery. If an employee presents fake credentials to a company, this is dangerous because this could result in a serious accident and the company could be liable for hiring someone without the right qualifications to operate the machinery and do the work safely.

Healthcare

The verification processes for providers in the healthcare industry have many inefficiencies with manual verification and gatekeepers. Traditional verification can take weeks to months which causes major delays in filling in much-needed healthcare roles and delays for people to begin working.

Supply chain

There can be severe safety issues and monetary damages that could happen from an improperly managed supply chain such as a manufacturer failing to ensure the safety of working conditions at their facilities, potentially resulting in severe injuries suffered by workers. Forged documents are also used to show the origin of goods, which can be dangerous for consumers if the products don’t meet safety standards.

How Does a Verifiable Credential Work?

The issuer (e.g. nursing program) creates the verifiable credential and digitally signs it with a cryptographic key that only the issuer can use. When the verifier (e.g. hospital) receives a credential, they will verify its authenticity instantly through a blockchain, an immutable and decentralized database.

One important thing to note is that the blockchain doesn’t actually store people’s Verifiable Credentials. It only stores information that the verifier would need to validate the authenticity of the credential like the issuer’s public cryptographic key that matches the one that signed the credential.

Using this information, the verifier will determine:

• If the issuer has the authority to issue that credential
• If the verifiable credential is still valid (not revoked or expired)
• If the credential has been tampered with

This system is trustless. The verifier no longer has to contact the issuer to confirm the validity of the credential. And the best part is that everything happens in a matter of seconds!

The 3 Components of Verifiable Credentials

1. Credential metadata: This might be cryptographically signed by the issuer and contains the credential identifier as well as properties about the credential itself such as the expiry date and who the issuer is.
2. Claim(s): A tamper-proof set of claims made about the credential subject such as someone’s employee number and job title.
3. Proof(s): Cryptographic method that allows people to verify:

• The source of the data (e.g. who the issuer is)
• That the data has not been tampered with

What Is the Role of Decentralized Identifiers (DIDs) In Making Verifiable Credentials Work?

Decentralized Identifiers Explained

We often use physical cards to provide proof of our identity and claims about us to show to other people or organizations. But in the digital world, there were no universally accepted standards for expressing, exchanging, and verifying digital credentials.

We currently use emails and phone numbers as identifiers to access websites, services, and apps. But our access to these identifiers can be removed anytime by service providers, the data is controlled by providers, and user data is vulnerable to hacks. Decentralized identifiers change all of this.

A DID:

• Is a globally unique identifier made up of a string of letters and numbers
• Is created and owned by the user
• Allows the owner to prove cryptographic control over it
• Comes with a private key and a public key that are also made up of a long string of letters and numbers
• Enables private and secure connections between two parties and can be verified anywhere at any time

Here is an example of a Dock DID:

A party can be an individual or organization and they can make as many DIDs as they want for different relationships. For example, you can have a DID for:

• Professional reasons like showing your credentials to an employer or university
• Authenticate data for your personal interests like showing you are legal age to go to a bar or a member of an organization
• Online gaming profiles

What Are Public and Private Keys?

Each DID comes with a private and public key. Keys come in private/public pairs and a DID can have multiple pairs.

Private key

• A private key (a string of letters and numbers) is like a password that allows a holder to access and manage their data.
• The owner should be the only one who knows the private key and it should never be shared with anyone else.
• Regarding DIDs, the private key allows people to prove ownership, grant permissions to share specific data, and sign documents.

Public key

• A public key (a string of letters and numbers) that can be safely shared with anyone to send and receive data
• Used for user authentication and verification purposes

To explain how public and private keys work, let’s use the example of comparing a private key to a master key of a car. The car’s owner (holder) has the master key that gives her full access to all parts of the car, including the trunk and glove compartment. She can provide restricted access to other people she chooses. The owner should never give her master key to anyone else.

Now the owner wants to make another key that gives restricted access to a valet or auto body shop to start the car. This key is like the public key. The valet and car shop worker wouldn’t be able to access the glove compartment and the trunk.

To use another example, an employer would use their private key to sign and issue a verifiable credential to confirm an employee’s job title. The employer’s public key would be shared on the blockchain so that the verifier, such as a government department that needs to authenticate someone’s work status, can confirm the authenticity of the data with that public key. Basically, the government body can check the DID on the blockchain to see who issued the credential without having to contact the issuing party.

Key Differences Between Centralized Identifiers and Decentralized Identifiers

Here is a scenario that goes through all of the steps of how DIDs and Verifiable Credentials can work:

• Issuer: Successo Institute
• Holder: Anita Ramos
• Verifier: Bubble Pearl restaurant

1. Anita creates a DID using the Certs platform for educational purposes only to interact with the university and its partners. The DID will be on the Dock blockchain.

2. Anita shares her DID with the university which allows the school to connect to her wallet and issue Anita a proof of enrolment status as a verifiable credential.

3. The university signs and issues the Verifiable Credential with their private key on Certs and emails Anita a PDF and JSON version of her credential.

4. Anita imports this credential on her Dock wallet phone app, allowing her to bring her Verifiable Credentials anywhere.

5. Partnering businesses on and off-campus give 20% discounts on products and services to university students and they trust Successo Institute as an issuer.

6. Anita goes to Bubble Pearl restaurant and they request data to confirm that she is a student of Successo Institute. They scan a QR code and she is prompted to give permission to show her credentials.

7. The cashier scans her QR code that is tied to her credentials and applies the 20% discount to her purchase.

In another example, if someone wants to buy alcohol, a cashier can scan the QR code on a customer’s verified credential to confirm that they are of legal age. In this process, the customer can use a Zero-Knowledge Proof to prove they are above a certain age, without sharing any other information like their entire birth date or name.

The Role of Blockchain in Verifiable Credentials

The DID and corresponding public key of the organization that issued a credential to a holder is stored on the blockchain, which is an immutable database. The person who wants to verify the validity or authenticity of the credential can check the blockchain to see who issued it without having to contact the issuing party.

Blockchain is a system of recording information chronologically in a way that makes it extremely difficult to change, hack, or cheat the system. It is a distributed database that is shared among nodes, which are computers in the blockchain network, that can execute certain functions like sending and receiving information. Each block on the chain has unique data that references the previous block and the blocks combine to complete a chain. Blockchain technology is also referred to as Distributed Ledger Technology (DLT).

Key Features of a Blockchain

1. Decentralized: Blockchains operate using a peer-to-peer network of computers to verify and record transactions. Whenever there is a new transaction on a blockchain, the block can’t be added to the chain until it is verified by the network. For someone to tamper with the blockchain, they would have to tamper with all of the blocks of the chain and hack every node, which is extremely difficult to do.

2. A blockchain acts as a decentralized distributed ledger: A distributed ledger is a digital database that runs on a distributed network in diverse locations rather than having one record of data in a centralized location that a person or body can control or manipulate. Each node gets a full copy of the blockchain and the information can be used to verify that everything is in order and make sure it hasn’t been tampered with.

If everything looks good, each node adds this to its own blockchain. Everyone in the network creates consensus where they agree which blocks are valid and which aren’t. Tampered blocks will be rejected by nodes in the network.

3. Immutable: Each block on a chain contains transaction data and the blocks can’t be tampered with or backdated. Unlike traditional forms of record-keeping that are easy to change and manipulate information without anyone knowing.

Verifiable Credentials Using Blockchain

In identity management, a blockchain allows everyone in the network to have the same source of truth about which credentials are valid and who authenticated the validity of the data inside the credentials. Blockchain can enable zero-knowledge proofs, meaning that someone can verify credentials without a holder revealing the actual data like their full name and address.

For example, let’s say Shelly wants to sign up to play a mobile game from her phone. The gaming company requires players to be at least 18 years old and uses Verifiable Credentials to confirm their age.

1. Shelly creates a DID with the Dock blockchain and stores it in her Dock wallet on her phone
2. The department of motor vehicles (DMV) in the US issues Shelly a driver’s license as a verifiable credential that contains her date of birth
3. The gaming company trusts the DMV as an issuer
4. Shelly signs into the gaming site with her DID and the company uses the Verifiable Credential associated with her DID to verify that she is at least 18 years old without her revealing her date of birth
5. Shelly can securely sign in to play with her DID without ever using a user name and password

In the above example, Shelly has full ownership and control of how her data is shared and used. And her information can’t be tracked or stored.

How to Show the Proof of Existence of Verifiable Credential Data and Files With Dock’s Blockchain

With Dock, issuers have the option of proving the existence of Verifiable Credentials or files to a verifier by connecting the data to a blockchain with the use of anchoring.

What is anchoring in blockchain?

An anchor is a digital fingerprint of external data that is included in a blockchain transaction to prove that the external data is authentic. The anchor makes up the credential’s proof of existence in their original form.

Anchoring works by converting data to cryptographic hashes (a long string of numbers and letters that is not readable by any human) that are written to the blockchain.

Hashes:

• Prove the existence of data on files and credentials while the content is kept private
• Maintain the privacy and security of data because only the hash is stored on the blockchain rather than the credentials themselves
• Creates immutable timestamps associated with the information and recorded on the blockchain

Let’s say there is an online course that wants to issue credentials to students who have completed the program. The issuer can use Dock’s anchoring feature to hash the credentials that they have issued. Anchors are created when the hashes are posted to Dock’s blockchain and the record can’t be changed.

Anchoring can be applied to any documents and verifiable credential data for a variety of situations.

What Is and Isn’t Stored on the Blockchain

By default, nothing gets stored on the blockchain except for an issuer’s DID and public keys. The Verifiable Credentials that contain personal details are securely stored on a decentralized digital wallet app rather than the blockchain. They don’t need to be stored on the blockchain in order to be verified as long as the keys are available.

Verifiable Credentials Use Cases

Verifiable Credentials can be applied to an infinite amount of use cases across many industries. Here are just a few of many examples of ways that Verifiable Credentials solve a variety of problems.

Dock’s Clients Using Verifiable Credentials

Dock is working with organizations to provide technological solutions to issue Verifiable Credentials and create decentralized identifiers.

Gravity Training connected with us so they could issue Verifiable Credentials in a convenient and cost-effective way to people who complete their training program in field positions. Authentic credentials are essential to keep workers and employers safe. Their courses include rigging, fall arrest, and radio frequency awareness training.

Fake credentials are a growing problem in South Africa. Many people are photoshopping credentials and showing them to employers. Gravity issues thousands of certificates a year for trainees and is manually uploading certifications on their database, which takes a lot of time and resources. They want to use Verifiable Credentials to be compliant, to manage verifications across various locations, and to enhance their record-keeping for auditability.

With Dock’s technology, Gravity is able to:

• Save a tremendous amount of time and money issuing and managing  credentials with expiry dates in bulk with Dock’s user-friendly platform that doesn’t require any code
• Allow inspectors and managers to instantly verify documents and monitor expiration dates digitally
• Provide workers with credentials they can store on a wallet with their phones

Dock has also been collaborating with Credenxia since 2021 to help them move towards a decentralized solution for creating and managing employee credentials. Credenxia is a leading global verification company that partners with businesses in a wide range of industries including construction, health care, and transport. Their technology helps with compliance for employers and workers as well as enables businesses to effectively manage the credentials of their workforce.

The company chose to work with Dock because of our expertise in blockchain, we are compliant with W3C standards, and the APIs were well-documented. Credenxia was previously running on a trust model to do manual verification. They were getting feedback from their stakeholders asking how people would know if Credenxia was compliant themselves during their verification process. There is no overarching body that checks the work and processes of document verification companies.

The collaboration with Dock allows Credenxia to:

• Provide Verifiable Credentials with blockchain technology.
• Enhance transparency with clients by adding verifiable notes that are hashed on the blockchain, making them immutable. If the notes have been tampered with, clients would be able to see it.
• Enhance the audit position of the user base and give back control to someone’s credentials and identity.
• Move towards a zero-trust model that clients are demanding.
• Retrospectively decentralize already verified credentials.

Decentralized Digital ID Wallet App

A decentralized digital identity wallet is an identity management application that allows people to securely store, manage, and share digital credentials. A digital credential can be an ID, license, background check, certification, and more. It’s the equivalent of a physical wallet that holds various IDs and cards to demonstrate claims about yourself like licenses, bank cards, and service cards.

To illustrate how a decentralized digital ID wallet can work, let’s say Carlos wants to create a new profile on an online sports shop that uses Verifiable Credentials. He can sign in and make purchases from his digital wallet without creating a user name, password, and entering credit card information. The website needs to confirm that shoppers live in Spain as they only deliver within the country and their payment method. The website verifies his credentials that were issued by a credit card company and driver’s licensing organization, which are issuers that the website trusts to authenticate the credentials.

Dock’s Decentralized ID Wallet

The Dock Wallet enables you to have full control over your digital credentials and every piece of data stored in the wallet has the ability to be shared with third parties only when you choose to do so and how much information you want to provide. You can grant and remove access to whomever at any time.

With the Dock Wallet you can import existing certificates, batches, and credentials to store all of your records and achievements in one place as long as they were issued as W3C-compliant Verifiable Credentials.

Summary of Key Terms

Anchoring

• An anchor is a digital fingerprint of external data that is recorded on the blockchain transaction to prove that the external data is authentic
• Proves the existence of verifiable credential data or files while the content is kept private
• Anchoring works by converting data to cryptographic hashes (a long string of numbers and letters that is not readable by any human) that are written to the blockchain

Blockchain

• A blockchain is a decentralized database that is shared among nodes which are computers in the blockchain network
• A system of recording information chronologically in a way that makes it extremely difficult to change, hack, or cheat the system

Decentralized Digital ID Wallet

• An identity management application that allows people to securely store, manage, and share digital credentials

Decentralized Identifier (DID)

• Is a globally unique identifier made up of a string of letters and numbers
• Is created and owned by the user
• Allows the owner to prove cryptographic control over it
• Comes with a private key and a public key that are also made up of a long string of letters and numbers
• Enables private and secure connections between two parties and can be verified anywhere at any time

Cryptographic hash

• A long string of numbers and letters that is not readable by any human
• Used in anchoring to prove the existence of data on files and credentials while the content is kept private
• Maintain the privacy and security of data because only the hash is stored on the blockchain rather than the credentials themselves
• Creates immutable timestamps associated with the information and recorded on the blockchain

Private key

• A private key (a string of letters and numbers) is like a password that allows a holder to access and manage their data
• The owner should be the only one who knows the private key and it must never be shared with anyone else
• Regarding DIDs, the private key allows people to prove ownership, grant permissions to share specific data, and sign documents

Public key

• A public key (a string of letters and numbers) that can be safely shared with anyone to send and receive data
• Used for user authentication and verification purposes

Verifiable Credential

• A digital, cryptographically secured version of both paper and digital credentials that people can present to organizations that need them for verification
• When digital credentials conform to the Verifiable Credentials Data Model 1.0, which is a standard established by World Wide Web Consortium (W3C), they can be referred to as Verifiable Credentials

Conclusion

In an increasingly digital world, the problem with physical IDs and credentials is that they can be easily forged and take a lot of time to verify for authenticity.

Verifiable Credentials are:

• Are a digital version of paper-based credentials that people can present to organizations
• Tamper-proof
• Supports data protection
• Instantly verifiable
• Secure and allow the ID holder to have full control and ownership of their data

In the Verifiable Credentials ecosystem, there is an issuer, holder, and verifier. The issuer and holder are required to use decentralized identifiers, or DIDs, which are globally unique identifiers that allow the owner to prove cryptographic control over them. DIDs allow for private and secure connections between two parties.

There are a growing number of use cases for Verifiable Credentials in diverse industries around the world. This has many benefits including speeding up the hiring process, reducing fraud, providing privacy, and improving safety in the supply chain.