What are verifiable credentials?
By Lucas Jolías
Identity and credentials
If I tell you the word "Identity," what comes to mind? In some countries, we quickly associate the idea of Identity with our ID or identification card, but in reality, a person's identity goes beyond a single official document or the certificates that a State grants us. It is true that identity can take many forms, but if we want to adopt a "practical" view of identity, we can define it as the accumulation of credentials throughout my life. What "says" that I am the father of my children? An emotional bond or a genetic resemblance? No. What affirms that I am the father of my children is a credential (or birth certificate). What "says" that I am an economist? That I know a lot about a country's macroeconomic cycles? No. What affirms that I am an economist is a university degree (a credential).
Now, in the material world, these credentials are physical elements, verified by recognized centralized organizations such as a government agency or an accredited university. But what happens in the digital world, where one can create a fictitious identity more easily or falsify a PDF with a few clicks? In the current digital world, it is increasingly important to be able to prove our identity and its qualities online safely and reliably.
Verifiable Credentials (VC) have come to solve this problem. VCs are electronically signed credentials that follow an open standard that allows for creating, owning, and managing credentials on various platforms. VCs are digital documents that contain information about an individual or entity that can be cryptographically verified as true. They are often used to represent things like educational degrees, professional licenses, government credentials, identification documents, and other types of credentials used to prove a person's identity or qualifications. One of the main benefits is that they allow people to prove their identity or qualifications safely and reliably, without having to share confidential information with others. This is because verifiable credentials are issued by a trusted issuer and cryptographically signed, allowing anyone to verify their authenticity without having to rely on the issuer.
Verifiable credentials also allow people to selectively reveal only the information that is necessary for a particular purpose, instead of sharing all their personal information with every organization or person they interact with. This helps protect privacy and reduces the risk of identity theft.
Why do we need verifiable credentials?
Throughout your digital history, you have likely registered in hundreds of applications and services with some of your personal data, such as your name, email address, or more sensitive information like your date of birth and identification number. Often, these services share your data with third parties, with or without your consent. It's hard to go back and deactivate your profiles, delete your accounts, or claim additional data that these services have collected about you. Even worse is if there is a data breach or hack in one of these services and now your data is available to anyone.
Verifiable credentials aim to solve these problems by returning the power to manage your own data to you. Imagine being able to control your personal data by only allowing access to services that require it and having the authority to deactivate services that no longer need it. Additionally, you can have multiple verifiable credentials for different use cases, such as a student ID, a driver's license, a passport, or a certificate you have obtained. You can also have a specific verifiable credential with multiple presentation layers, like a passport that presents certain metadata when used in a specific context.
How do verifiable credentials work?
Who issues a verifiable credential, how is it verified, and who verifies the verifier? Let's look at the following example from the physical world where a specific credential is issued. You have been accepted to university and now need a student credential to access various benefits the institution provides, such as online resources, discounts at the cafeteria, or a parking permit on campus. Typically, this process involves carrying physical copies of several documents, such as passport or ID, birth certificate, and driver's license. After several days of checks, the university will issue you a student credential. The university trusts the entity that issued your birth certificate, passport, and driver's license to create a student card for you. They may even search for you by the identification numbers on these documents. But what if someone in the admissions office looked up your driver's license and realized you have fines? Are they authorized to do so and could this influence their decision to grant you a parking permit? Thanks to VC, the university would perform verification checks on each provided document (passport, driver's license, birth certificate, etc.) and the credential would be limited to basic biographical data required, such as legal name, date of birth, etc. Thus, no one in the student department could see your fine history associated with your driver's license. That is, the entity requiring validation of certain aspects of your identity is limited to verifying only the information it needs and nothing more. Let's look at another example for the government case. If you have ever had to register as a vendor in a municipality or government, you know it is one of the most frustrating processes out there. To prove that you are the owner of your company, you must send a ton of information about its operation, board resolutions, certified signatures by notaries, and much more. Just to prove that a person is authorized to represent a company, governments store highly sensitive information such as board or company constitutive acts. Thanks to VC, this can change radically, as you would only need to present the credential that proves my position or ownership of the company without accessing any other type of sensitive information.
Cases of use for verifiable credentials
There are several use cases that can be performed with Verifiable Credentials, such as:
Job verification without invading privacy
Digital health records, as citizens can own their own information and decide who to share it with
Property titles, vehicle titles, land titles
Management of various forms of personal identification, such as passports, driver's licenses, etc
KYC (Know Your Customer) checks for financial institutions and companies
Permits and licenses issued by governments
University degrees or educational certificate management
Management of memberships, among many others
As we can see, the use cases can be very diverse. However, a prerequisite to advance in all these use cases is the need to create a framework for Decentralized Digital Identity (DID) to manage and associate these VCs to a specific identity.
Lucas jolías, Director of OS City for Latin America