
What are Verifiable Credentials and Decentralized Identifiers? Digital identity


How can we fix identity on the Internet?

You and I have learned to live with identity on the Internet. We have accounts, logins, and passwords, and we have learned to manage them. There are ways to simplify the process, mostly in enterprises, through protocols and the SSO approach.

Is a login your identity? How does it express facts about you? How can you really prove who you are, which skills you obtained at university, or which credentials you hold?

Of course, you can upload pictures and PDFs to a website to process and prove facts about you. It is what KYC (Know Your Customer) is about. What’s the problem with this approach? You can’t control the data after you give it to another party and it is troublesome. Every company needs to figure out how to do it on its own.

What if we could create a mechanism to translate facts about identity, credentials, and other information into an easily transferable and verifiable digital form? What if we let people use them the way they want and still stay in control of this information?

The time has come to address these concerns, and this is where Decentralized Identifiers (DIDs) enter.

What is a Decentralized Identifier (DID)?

In the simplest terms, it’s digital information about you, in a specific form, which you can issue (via some organization or on your own), manage and store yourself, and use to prove facts about yourself to other parties.

DID is a format of data and a way to use it, but to make it practical, you can then use it to obtain so-called Verifiable Credentials (VC, more on those in a bit). They add credibility to your DID and deliver proof of various aspects of your identity. You’re not limited to just one DID, either. You can set up multiple identities if you want to – e.g. one official for employment, one for casual use (gaming accounts, gym memberships, etc.), one for tests or trials, or anything else.

If you’re new to this topic, you may wonder: if I can set up any number of DIDs, how would anyone know who I am? How can I prove it? And how will anyone know I’m not someone else? That’s where Verifiable Credentials come in.

What are Verifiable Credentials (VC)?

Verifiable Credentials are an authentication method that verifies the selected identity aspects of the holder. The selective nature of VCs is important because, unlike traditional credentials or accounts, Verifiable Credentials don’t need to store all personal or account information. This is all kept in your digital wallet. VCs only prove your specific rights with regard to the issuing service.

Verifiable Credentials in the real world

Let’s say that you apply for work in a regulated industry, for example, healthcare. When you apply or join a company, you need to prove your credentials to do this work – proof of your MD studies, previous employment, or certificates for a given specialization.

You can of course bring a stack of papers and make someone go through it. A stack of papers has validity, but it can be produced by anyone. In other words, if someone presents a diploma from university X, you put more trust in the form of the credentials (the diploma) than in the fact (university attendance).

What if a university could issue you a diploma in the form of a Verifiable Credential (VC)? In the process of obtaining this VC, you would need to prove your identity, using for example your national ID scheme (or a VC obtained from your government).

You can then use it digitally – by transmitting it from your wallet to the hospital website or HR department. It can be verified – the transaction is stored on a public ledger and signed by the private key of the university. To verify it, the hospital doesn’t have to integrate the data with any university system, all information needed for it is public.

This is how Verifiable Credentials work in practice at the NHS in the UK.

What are other practical use cases? Let’s see:

  • Enterprises: verifying employment status for access to apps or benefits
  • Education: proving university credentials and diplomas (check out this case study from Keio University)
  • Healthcare: proving work credentials for things like access to sensitive information for patients online, placing orders/retrieving orders from pharmacies, access to medical documentation.
  • Insurance: getting access to sensitive information / claims, identification of customers and policy holders, access and proving the role of claims agents
  • Government: connection to national ID schemes, proving and transferring identity online
  • Enterprises/retail: frontline workers, external workers’ access to the work environment, identification.

It starts with a connection of the physical world and verification in it, and moves it to the digital realm, in a way which is easy to use, verify, and confirm in a trustless environment.

When it comes to DIDs used for everyday or professional use, they also begin with verification in the physical world.

Do we need Verifiable Credentials?

Life writes the best scenarios. The need for VCs has proven very practical in recent weeks, when refugees from Ukraine arrived in Poland, in many cases with no or incomplete documents. Verifiable Credentials could help solve this problem. Once issued, people can prove at any point in time that such a document was issued to them by the authority.

Such attempts were already made, but we still have a long way to go until the standard is accepted worldwide. If you want to read more about these use cases, here is the link.

How exactly can those credentials be verified? This is where the term “Blockchain” comes into the picture.

What is blockchain?

It’s everywhere in the IT sphere right now. From Bitcoins to NFTs, everyone’s gone crazy for blockchain. And it seems the more you look into it, the more complex it gets.

But the underlying principle is actually not that complicated. It allows us to store data in a sequential and compound way. Blockchain has specific characteristics, which support some use cases:

  • It can be verified by untrusted parties
  • It allows permissionless (in the case of public ledgers) operations by untrusted parties
  • It is hard to modify without being noticed, and modifications can be easily detected.

In the simplest terms: whenever you add a new component or information about something, the “block” containing that new data also features information about all the preexisting blocks that came before it, in a hashed (i.e. cryptographically protected) way.

The basic structure of blockchain

As a result, you can’t change any part of the chain without changing all the blocks that come afterward (which is not impossible but the amount of effort required makes it unfeasible).

Now that we’re more or less clear on the general idea of blockchain, let’s see how it fits into the concept of Decentralized Identifiers.

How do Decentralized Identifiers work?

A Decentralized Identifier is – in the simplest terms – a collection of Verifiable Credentials that prove certain information about you. It can be anything – from your name or date of birth to college diplomas, qualifications, or employment status.

The basis of a Verifiable Credential is formed by 3 elements:

  1. Metadata – basic information about the credentials, i.e. date of issue, date of expiry, public verification key, etc.
  2. Claim(s) – i.e. what is the VC supposed to prove about you
  3. Proof(s) – i.e. cryptographic evidence, such as a signature, to verify authenticity and authorship of the credential

As I wrote earlier, the first Verifiable Credential needs to be obtained in the physical world, by proving your identity in person, e.g. at an office or government entity. You can of course obtain it in digital form, as long as the correct identity verification infrastructure is in place.

Then, you can use claims contained in that credential to obtain further VCs. As a result, each one will be connected to your core DID, stored in your personal wallet.

Sample DID chain

As all of your data is securely linked, you can derive individual pieces of data from each credential to present to other parties.

For example, when applying for a job, you could submit a presentation containing the piece of data from a VC that confirms your college degree, with another VC proving your work permit, with yet another VC that stores your qualifications.

The person who reviews the presentation can verify that the claims you’ve presented were indeed issued by a specific organization (e.g. a university) for a specific person (you). It can be done without the need to contact the organizations, based on the ledger with transaction information and trust in the digital signatures.

Where does blockchain come in?

Blockchain forms the basis of your trusted ledger where the proof of transactions of issuing these credentials can be stored. Once the Verifiable Credentials are issued, the fact of this transaction can be connected to and stored on the ledger.

What is important: the ledger doesn’t contain the credentials. Those are kept private and you control them.

Transaction data can contain the information from your existing credentials (for example those issued in the physical world or with correct identity verification), information about the issuer, and something that connects the transaction with the issued credential.

When you present the credentials, the receiving party can verify that they were issued, when and by whom (the issuer), based on the data stored on the ledger.

The role of blockchain here is to be the trusted ledger, storing this information for everyone to be able to independently verify the credentials, in a trustless environment.

DIDs on blockchain (Source: Microsoft)

As an end user, you won’t need to deal with blockchain directly. Access to this information is provided by an identity layer like ION Network. It is the underlying technology that will keep your identity wallet secure and consistent over time.

What’s also important is that this technology is vendor-agnostic. It means that it doesn’t matter whether you’ll use Bitcoin, Azure, Amazon, or any other provider for your ledger. The information about transactions in theory might be stored on any ledger you trust. The data might be stored in secure storage of your choice.

Blockchain gives us a storage layer in which entries are hard to modify. It provides us with a permissionless ledger to operate with some level of trust in an untrusted environment. There is no direct trust between the issuer and a validating party, but because we trust the ledger, the verification can take place.

Blockchain also validates your credentials on the issuer side. When you submit your VC, the recipient will be able to verify its authenticity by checking its public signature or key, submitted to blockchain by the VC issuer.
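The pieces described above (a hash-linked ledger, a credential made of metadata, claims and a proof, and verification against issuer data on the ledger) fit together as in the following Python sketch. It is an added example, not code from this article or from any DID product; the names `Ledger`, `issue`, `verify` and the `vc_digest` field are assumptions, and a Lamport one-time signature stands in for a production scheme such as Ed25519 so that it runs on the standard library alone.

```python
import hashlib, json, secrets

def h(b): return hashlib.sha256(b).hexdigest()
def canon(o): return json.dumps(o, sort_keys=True, separators=(",", ":")).encode()

# Lamport one-time signature: stdlib-only stand-in for a production scheme
# such as Ed25519. One key pair signs exactly one credential.
def keygen():
    sk = [[secrets.token_hex(32) for _ in (0, 1)] for _ in range(256)]
    return sk, [[h(x.encode()) for x in pair] for pair in sk]

def bits(msg):
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg): return [sk[i][b] for i, b in enumerate(bits(msg))]

def sig_ok(pk, msg, sig):
    return len(sig) == 256 and all(
        h(s.encode()) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

class Ledger:
    """Hash-chained public ledger; it never stores the credential itself."""
    def __init__(self): self.blocks = []
    def append(self, data):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "data": data, "hash": h(canon([prev, data]))})
    def intact(self):
        prev = "0" * 64
        for b in self.blocks:  # every block must commit to its predecessor
            if b["prev"] != prev or b["hash"] != h(canon([prev, b["data"]])):
                return False
            prev = b["hash"]
        return True

def issue(ledger, issuer, metadata, claims):
    # Assumption: the ledger authenticates who writes an entry; not modelled here.
    sk, pk = keygen()
    body = {"metadata": metadata, "claims": claims}
    ledger.append({"issuer": issuer, "public_key": pk, "vc_digest": h(canon(body))})
    return {**body, "proof": {"issuer": issuer, "signature": sign(sk, canon(body))}}

def verify(ledger, vc):
    body = canon({"metadata": vc["metadata"], "claims": vc["claims"]})
    if not ledger.intact():
        return False
    return any(  # anchored by this issuer AND signed with the anchored key
        b["data"]["issuer"] == vc["proof"]["issuer"] and b["data"]["vc_digest"] == h(body)
        and sig_ok(b["data"]["public_key"], body, vc["proof"]["signature"])
        for b in ledger.blocks)
```

Altering a claim after issuance makes `verify` return False, and rewriting an old ledger entry makes `intact()` fail even if that entry's own hash is recomputed, because the next block still commits to the old hash.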

The best way to learn is through experience

I’m a huge fan of learning through practice. As this is a new concept, the best way to understand it might be to experience it. Here’s a cool demo to see how Verifiable Credentials work from the end-user perspective – Woodgrove VC demo.

Woodgrove employee onboarding demo (Source: Microsoft)

What you need is the latest version of Microsoft Authenticator on your phone and you are good to go. Give it a try – it is much simpler than reading about it.

DID, VC, OMG

That’s a lot of three-letter acronyms to digest. I know it. But it wouldn’t be IT without acronyms!

As you can see, although blockchain can help us with DIDs, it’s not really related to the topic of cryptocurrencies. Sure, they can be one way of verifying data integrity, but they’re not the only option.

Even if it is not directly related to cryptocurrencies, the underlying concepts of DIDs and Verifiable Credentials are a linchpin of the future of those markets. For example, they are a core concept in tbDEX, a liquidity protocol proposed by Square (now Block).

Will this technology change the world? I’m not sure yet. But it’s certainly a promising idea and I will keep watching it with great interest. For today, I will leave you with some key information on the technicalities of DIDs. If you’d like to discuss any of them further, just email me.

If you’d like to discuss one of the use cases in more detail and see the demo of Verifiable Credentials, sign up for a free consultation through this website.

Further reading

Here are some resources to get you started with DIDs and VCs:
