Solving the identity problem

Crossword Cybersecurity product director David Chadwick discusses the W3C Verifiable Credentials standard, how it protects all parties in an identity-based transaction, and why he believes it can become the de facto credentials mechanism for banking and far beyond in the near future. David is a co-author of the standard, which was published by the World Wide Web Consortium in November 2019.


The rate of digital adoption was accelerated immensely by the pandemic amongst both businesses and consumers. Banking has been undergoing a steady evolution and adoption of digital services for some time, but even though mobile and online banking were already popular, they too saw growth. McKinsey reported in a consumer survey that the preference for handling everyday transactions digitally across Western European markets is as high as 60 to 85 percent, even for customers aged 65 or over.


Despite this digital evolution, the banking sector continues to face one of the biggest challenges that has existed online, and in the physical world, since the earliest incarnations of the Internet. Banks rely on official documents to open accounts, authorize lending and provide a range of other services. They also need to verify that those documents are genuine, current and are being presented by the genuine owner of the asset. Outside banking, the same is true for any online document, whether it be a certificate, legal document, ID, concert ticket or business document. The need to demonstrate COVID-19 vaccination status is just one very recent example of this challenge.



It is a problem that has persisted since the earliest days of the Internet, opening up the possibility of forgery and misuse, and is the basis of much fraud and criminality. Our increased use of smartphones as the centre of our online life has only exacerbated the problem, as they become our digital wallet.



Biometrics are not a silver bullet


Banks have sought to overcome some of these challenges with the use of biometrics such as facial recognition and fingerprints. These are now more commonly used to log in to, or unlock, devices and to increase usability, but they still leave the challenge of proving the authenticity of a document wide open to abuse.


The Verifiable Credentials standard


The World Wide Web Consortium’s (W3C) Verifiable Credentials standard seeks to address all of these challenges, maintaining privacy by ensuring that checks and verifications do not allow a credential holder to be tracked or force them to reveal more private information than is necessary. COVID passports are one very recent example, where institutions and citizens have equally valid (if different) concerns about how such credentials are managed and verified, and how the data is shared.


The standard is based on a trust model between three parties: the Issuer is the party that creates the document; the Holder is the party to whom it is assigned to present at a later time; and finally, the Verifier is the party that wants to verify that the issued document is genuine. The Verifier and Holder trust the Issuer, and the Holder trusts the Verifier. One of the most important aspects of this relationship is that the Holder sits between the Issuer and Verifier and controls whether verification can take place. The Issuer can only confirm that the information in the certificate is correct, by digitally signing it, when requested by the Holder. The Verifier only needs to request the data that it needs for the transaction, thereby obeying GDPR’s data minimisation principle. This model protects the privacy of the Holder whilst also giving a Verifier absolute confidence that (the relevant portion of) a document is genuine.
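
The three-party flow described above, as an added example that is not part of the original article and is neither the W3C data model nor Crossword's code. It assumes a salted-hash selective-disclosure scheme with Ed25519 signatures from Node's built-in crypto module; the function names, claim names and sample values are constructed for illustration, and holder binding (proof that the presenter is the credential's subject) is left out.

```javascript
const crypto = require('node:crypto');

// Salted commitment to one claim; the random salt stops a Verifier
// from guessing the values of claims the Holder chose not to disclose.
const digest = (d) =>
  crypto.createHash('sha256').update(JSON.stringify([d.salt, d.name, d.value])).digest('hex');

// Issuer: commit to every claim separately, then sign the sorted digest list.
function issue(issuerPrivateKey, claims) {
  const disclosures = Object.entries(claims).map(([name, value]) => ({
    salt: crypto.randomBytes(16).toString('hex'), name, value }));
  const digests = disclosures.map(digest).sort();
  const signature = crypto.sign(null, Buffer.from(JSON.stringify(digests)), issuerPrivateKey);
  return { digests, signature: signature.toString('base64'), disclosures };
}

// Holder: release only the requested claims; the rest stay as opaque digests.
function present(credential, requested) {
  return { digests: credential.digests, signature: credential.signature,
    disclosures: credential.disclosures.filter((d) => requested.includes(d.name)) };
}

// Verifier: returns the verified claims, or null if any check fails.
// Only the Issuer's public key is needed, so the Issuer is never contacted.
function verify(issuerPublicKey, presentation) {
  const signed = Buffer.from(JSON.stringify(presentation.digests));
  const sig = Buffer.from(presentation.signature, 'base64');
  if (!crypto.verify(null, signed, issuerPublicKey, sig)) return null;
  const claims = {};
  for (const d of presentation.disclosures) {
    if (!presentation.digests.includes(digest(d))) return null; // altered claim
    claims[d.name] = d.value;
  }
  return claims;
}

// Constructed sample data: a bank-issued credential with three claims.
const issuerKeys = crypto.generateKeyPairSync('ed25519');
const credential = issue(issuerKeys.privateKey,
  { name: 'Alice Example', dateOfBirth: '1990-01-01', over18: true });

// The Verifier asks only for the age check (data minimisation).
const presentation = present(credential, ['over18']);
console.log(verify(issuerKeys.publicKey, presentation));
```
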


Banking and beyond


The Verifiable Credentials standard offers an exciting opportunity to address some of the biggest challenges that the online world has failed to fix to date, and do so in a way that puts users and holders of issued credentials back in control of their data, far beyond the banking sector. Such use cases could include:


In education – we expect all educational establishments and training companies to issue verifiable credential-based certificates of achievement. This will mean every student can present certificates to employers knowing that they cannot be forged or misrepresented. Privacy will be maintained by not allowing the issuing educational establishment to track verifications by employers, for example.


In business certifications – we expect businesses to hold key certifications and documents such as insurance cover notes as verifiable credentials, making proving their capabilities and compliance to customers easy and forgery-free. This should dramatically speed up supplier due diligence and many other B2B transactions that are currently painfully paper-based.


In digital staff passports – we see large organisations implementing credentials wallets for their staff that store their building passes, IT rights, certifications and training records – enabling the flexible workforce that many envisage as being necessary in the post-pandemic world of work.

