Verifiable credentials are key to the future of online privacy

To realize the full potential of online services, identity verification solutions are required to avoid fraud and boost trust in the systems, for both end users and organizations.

In-person data verification can be performed by a service agent easily, usually by asking for a physical ID card, like a driver’s license, and referencing it against the application documents and person present, but how can this be done online?

Enter verifiable credentials. Verifiable credentials provide a tamper-secure way for users to prove their identity online, without sacrificing their safety, privacy, or security during the process. Let’s look at how these data objects function, and the benefits they offer.

What are verifiable credentials (VCs)?

Based on a new web standard approved by the W3C in 2019, verifiable credentials are the digital equivalents of the paper documents we carry in our wallets and use to prove who we are in the physical world.

In many ways, they’re just like our physical ID cards. Individuals can hold these digital credentials securely in a digital wallet (meaning your data’s not floating in some cloud or giant database) and share them with a tap of a button. Typically, they’re even issued by the same trusted authorities that issue our paper records – a government office can issue a driver’s license as both a physical card and a digitally verifiable credential, for example.

However, they offer a few advantages that we don’t get with paper records. Whereas a physical document (let’s say, a vaccine card) can be forged and passed off as authentic, the security mechanisms behind a verifiable credential means that it can never be tampered with and that anyone shown the credential will be able to immediately verify who issued it and to whom it was issued.

Put simply, these digital records provide a secure, tamper-free, and verified way for individuals to navigate their way around the digital world.

To illustrate, let’s imagine a recent college graduate named Alice who is applying for her first job. At the time of graduation, Alice’s school issues her diploma as both a paper certificate and as a verifiable credential. She can then keep this credential on her phone and share it with a potential employer or any other party looking for a record of her achievements.

Once shared, the employer will be able to immediately verify her degree and have greater confidence in their hiring decision.

Furthermore, privacy is preserved to an extent that simply wasn’t possible before verifiable credentials:

• All the data is decentralized, meaning there’s no need for a database of student records that could be jeopardized. Alice’s data lives with her.
• The employer doesn’t need to keep a copy of Alice’s transcript to verify her education.
• The college doesn’t play intermediary and doesn’t have access to the list of organizations Alice shares her data with. Other parties have no way of correlating this data as each exchange is private and unique.
• If desired, Alice could pick and choose what she wants to share. She could prove her degree without sharing her date of graduation or GPA, for example.

Personal privacy with selective disclosure

Verifiable credentials go beyond just reducing the attack surface. In the past, digital data sharing followed a crude re-representation of traditional, person-to-person verification methods such as sharing an ID card. In the physical world this process holds less risk, as a bouncer at a bar isn’t going to make a copy or memorize all those extraneous details; but in the digital world, “data overcollection” remains a massive problem. If it can be collected, it will be collected.

Verifiable credentials offer a much more sophisticated approach. Individuals can control exactly what and how much they share, putting an end to data overcollection. Unlike that physical driver’s license where we must show the entire card, a digital version of that same document is divisible. We can show only the data points, or attributes, that we wish to share. We can share our age without our height, weight, or donor status. This is called selective disclosure.

Taking it a step further, verifiable credentials support zero-knowledge proofs, which allow organizations to ask questions about the data rather than asking for the data itself. In simpler terms, they can ask if a data point is above or below a certain required threshold without knowing the precise value. This means that the bartender would be able to verify that a customer is over 21 without needing to ask their exact age or date of birth.

Decentralizing the control of personal data

We’ve discussed how verifiable credentials allow for selective disclosure. Such functionality doesn’t just improve user control, but also changes the very dynamics of online data privacy. At present, individuals are all too often left with the choice of trusting that the service provider will handle their data with care or not engaging with the service at all.

With verifiable credentials, only the user can determine how and with whom that data is shared. Unlike in today’s centralized models of identity, an organization has no way to pull this information without the individual’s explicit consent. The individuals themselves create the data flows, meaning no intermediaries, surveillants, or cookie trails.

Contrast this with a federated model of identity, such as single-sign-on systems that allow us to log in to a website using our Facebook or Google profiles. In this example, all user interactions go through these social giants who keep a virtual cookie crumb trail of our activities and reserve the right to delete or block our accounts at any time.

With verifiable credentials, personal usage can’t be correlated. An “issuer” of a credential has no record of where we use the credential or to whom we show it. Going back to our earlier example, a university can issue a proof-of-degree credential that we can then share with prospective employers. Because the data is shared peer-to-peer the university doesn’t know that the credential was ever shared. The employer in turn can assess its authenticity without having to contact the university, because each credential is cryptographically signed by the issuing authority.

A better, more private future

While it may be hard to imagine a world where we can prove who we are as easily as we can in the physical world, there are several notable implementations of this technology already in use.

For example, many of the world’s largest airlines rely on the digitalization of health and travel records to enable the safe reopening of global travel through the IATA Travel Pass initiative. Using verifiable credentials, airlines can immediately verify that passengers meet the local COVID-19 testing or vaccination requirements of their destination, while ensuring the security and privacy of personal information and rooting out fake certificates.

Increasingly, organizations are looking to verifiable credentials to better manage their data requirements and provide their customers with safer, more private digital experiences.