David Chadwick, Crossword’s Product Director for Identiproof, outlines how the W3C Verifiable Credentials standard works and why he believes it will become the de facto credentials mechanism for public sector services in the near future.
One of the biggest identity-related challenges online, and in the physical world, remains proving that a document, whether it be a certificate, legal document, ID, concert ticket or business document, is genuine, current and is being presented by the genuine owner of that asset.
In the public sector, citizens are regularly required to prove their identity, as well as provide ‘genuine’ documents as evidence of their rights to access a service or benefit, for example. The need to demonstrate COVID-19 vaccination status is just one very recent example of this challenge, and documents are required as evidence of identity and entitlement across a range of public services.
This problem has persisted since the earliest days of the Internet, opening up the possibility of forgery and misuse, and is the basis of much fraud and criminality in the public sector. Our increased use of smartphones as the centre of our online life has only exacerbated the problem, as they become our digital wallet.
Biometric methods such as facial recognition and thumbprints which are now more commonly used to login to, or unlock devices, increase usability, but still do not address the challenge of proving the authenticity of a document, which remains wide open to abuse.
The Verifiable Credentials standard
The World Wide Web Consortium’s (W3C) Verifiable Credentials Data Model standard seeks to address these challenges and maintain privacy by ensuring that checks and verifications do not allow a credential holder to be tracked or force them to reveal more private information than is necessary.
The W3C standard is based on a trust model between three parties: The Issuer is the party that certifies the document; the Holder is the party to whom it is assigned to present at a later time; and finally, the Verifier is the party that wants to verify that the issued document is genuine. The Verifier and Holder trust the Issuer, and the Holder trusts the Verifier (at least to the level of the identity attributes that it is requesting). One of the most important aspects of this relationship is that the Holder sits between the Issuer and Verifier and controls whether verification can take place. The Issuer can only confirm that the information in the certificate is correct, by digitally signing it. The Verifier only needs to request the data that it needs for the transaction, thereby obeying GDPR’s data minimisation principle. This model protects the privacy of the Holder whilst also giving a Verifier absolute confidence that (the relevant portion of) a certified document is genuine.
Huge potential to save time and cut fraud
The Verifiable Credentials standard has the potential to become the de facto standard for addressing the identity verification and authentication challenges in the public sector and far beyond. At its core is a trust model designed to give confidence to, and protect the interests of all parties, without compromising on security and privacy. As an open and extensible standard developed by the W3C, it is gaining momentum. All that remains to be seen are the innovative ways in which public bodies and enterprises implement it.
The Verifiable Credentials standard is at the core of Crossword’s Indentiproof solution. Find out more about Identiproof here.