identity & security

What are Verifiable Credentials and Why You Should Care About Them

Verifiable Credentials can be stored on digital devices, and you can use cryptography to verify their data and authorship. Let's learn more about them and why you should care about them.

We often use physical credentials such as our passports or driver's licenses as proof of identity. Until recent years, these types of credentials have usually been used in-person or offline, but nowadays, it's possible to prove your identity through digital credentials on the web in a cryptographically secure, privacy-respecting, and machine-verifiable way. In this blog post, you'll learn about these verifiable credentials, why you should use them, and when.

What are Verifiable Credentials?

When you think about a credential, you can often think of a physical credential like a passport, a driver's license, or an employee badge. A credential refers to a set of one or more claims made by an issuer; in the passport example, the photo, name, or identification number are the claims made by a government to identify a subject.

When we talk about Verifiable Credentials (VCs), we are referring to a W3C standard for digital, cryptographically verifiable credentials. These credentials can represent the same information as a physical credential, but they add the use of digital signatures, making them more trustworthy than their physical version. You can store them on your device, which makes them more convenient and available almost everywhere.

In the verifiable credentials context, there are a few important roles:

  • Holder: it's the entity that possesses the verifiable credential. Holders could be, for example, students, employees, and customers.
  • Issuer: the entity that asserts claims about the subject, creates and transmits the verifiable credential to the holder. For example, governments, corporations, and non-profit organizations can be issuers.
  • Subject: the entity about which claims are made. For example, human beings, animals, and things.
    • Often, the holder of a verifiable credential and subject can be the same, but only sometimes. For example, a parent can be the holder of the verifiable credential of their child (subject)
  • Verifier: the entity that receives and processes verifiable credentials, such as employers, security personnel, and websites.
  • Verifiable Data Registry: the system that creates and verifies verifiable credentials schemas. For example, government ID databases and trusted databases.

VCs Roles

The image above shows how each entity interacts with each other. The issuer issues credentials to the holder as well as identifies and verifies the verifiable credentials. The holder acquires, stores, and presents VCs to the verifier. The verifier verifies VCs against the Verifiable Data Registry, which maintains identifiers and schemas.

If we think of an example, let's say you are a citizen of the Asgard country. Asgard's government can issue a verifiable credential so you can prove your identity.

Asgard country issue VC

In this example, the holder of the verifiable credential would be you because you are the owner of it and Asgard's government would be the issuer. This would be one of those scenarios where the subject would be the same as the holder because Asgard's government created claims for you, such as full name, identification number, and so on.

Later on, let's say the Asgard police stop you and ask you for your ID. You decide to use your VC, and you have it in your wallet, so you present it to them. In this case they'd act as the verifier and check against Asgard's government database (the Verifiable Data Registry) that the VC is legit.

Present VC Asgard

Verifiable Credentials Are Necessary

Verifiable Credentials have many use cases in our day-to-day life, and as we move more into an online world, we need to be able to disclose our identity without issuers knowing. Because VCs are available in your wallet, you can use them "offline", meaning the issuer doesn't know when and how often you use them. This is what makes VCs so powerful: they are convenient, and having them available in your wallet removes a lot of friction from a user's life. So, let's go ahead and explore some use cases.

Legal Identity

It's essential that you're able to prove your identity in a way that can be quickly verified, and governments are in the position to provide such identification in a verifiable digital form. Some examples are:

  • Digital Driver's License
    • You get stopped over a traffic violation; with a digital driver's license, you always have access to it, and you can use it to prove to the officers both your identity and that you can drive.
  • Digital passports
    • The electronic passport can contain a list of all the places you've visited and visas, so immigration officers can quickly and easily evaluate your suitability when visiting a new country.
  • Proof of Birth
    • Imagine asking for refuge in a country in such desperate conditions that you don't have your physical credentials. Still, you were issued a self-sovereign proof of birth, and attached to this is the proof of birth and marriage of your parents; since it's verifiable, you can show this at the border controls of the country you're seeking refuge.

Finance

In finance, we can think of banking, brokerage, insurance, etc. Some example use cases are:

  • Money transfers
    • Let's say you want to send money to your family abroad; you can share your identity profile as well as your family member's with the money transfer service. This allows them to verify the source and destination of funds automatically.
  • Opening or closing bank accounts
    • If you want to open an account, you can use your government-issued certificate to prove your identity. Later on, when you want to close the account, the bank needs to revoke the "account owner" claim as part of the closing account process.

Healthcare

In the healthcare industry, privacy is extremely important, and with VCs, we can guarantee that the holder of the credential can disclose only the information they need. Let's understand some use cases in this area:

  • Prescribed medicine
    • A pharmacy can receive a prescription for medication for a patient. The pharmacy can automatically verify the doctor's ability to write prescriptions and the patient's insurance coverage.
  • Proving Legal Disability Status
    • You can have government-issued disability credentials without having to disclose your specific disability to the service or entity you're providing. Issuers can issue verifiable credentials that support selective disclosure so holders can present proof of claims without revealing the entire verifiable credential.

Professional Credentials

You may need a prove that an entity is who they say they are, and they can do what they say. This allows you to trust universities, doctors, companies, etc.

  • Doctors
    • Health providers could provide information about the doctors they have on staff, including verifiable credentials about their education, board certification, etc.
  • University Degrees
    • You could verify someone's obtained degree from a university that has a digital certificate to issue verifiable credentials.
  • Companies
    • You can have an electronic badge that proves your identity to your company.

How Does a VC Look Like?

Let's take a look at what a verifiable credential looks like. Let's think of someone's ID card:

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1"
  ],
  "type": ["VerifiableCredential", "IDCard"],
  "id": "urn:credential:34502108-4540",
  "issuer": "did:web:asgard-state.auth0lab.com",
  "issuanceDate": "2020-07-20T13:58:53Z",
  "credentialSubject": {
    "id": "urn:id-card:personal:1",
    "personalIdentifier": "34502108",
    "name": "Hanna Herwitz",
    "dateOfBirth": "1984-09-17",
    "placeOfBirth": "Asgard City",
    "currentAddress": "24th Street 210, Asgard City, 1023",
    "gender": "Female"
  },
  "credentialStatus": {
    "id": "https://asgard-state.auth0lab.com/vcs/credential/status/14",
    "type": "CredentialStatusList2017"
  }
  "proof": {
    "type": "Ed25519Signature2020",
    "created": "2020-07-20T13:58:53Z",
    "proofPurpose": "assertionMethod",
    "verificationMethod": "https://asgard-state.auth0lab.com/keys/1",
    "proofValue": "z2ty8BNvrKCvAXGqJVXF8aZ1jK5o5uXFvhXJksUXhn61uSwJJmWdcntfqvZTLbWmQHpieyhdcrG43em37Jo8bswvR"
  }
}

This JSON represents the digital version of Hanna Herwitz's ID card. Let's take a look at some of the most relevant parts of the VC:

Type

The credential type can be used to determine if a specific credential is appropriate for a particular use case. In the example above, the type value is

["VerifiableCredential", "IDCard"]
.

Issuer

Represents the issuer of the credential and has to be a URI or an object containing an ID property. The example above is the Asgard government with the value

did:web:asgard-state.auth0lab.com
. Note that the value starts with
did
; this is a Decentralized Identifier, a new identifier enabling verifiable, decentralized digital identity. However, it's not mandatory to use DIDs.

Credential Subject

Refers to the subject of the verifiable credential; it can be a DID or an object containing an id property. In the example above, the subject data is:

"credentialSubject": {
  "id": "urn:id-card:personal:1",
  "personalIdentifier": "34502108",
  "name": "Hanna Herwitz",
  "dateOfBirth": "1984-09-17",
  "placeOfBirth": "Asgard City",
  "currentAddress": "24th Street 210, Asgard City, 1023",
  "gender": "Female"
}

Cryptographic Proof

It is one of the most essential parts and what makes this credential verifiable. Refers to cryptographic proofs (can be an object or an array) that can be used to detect tampering and verify the authorship of a credential or the data derived from the VC. In the example above:

"proof": {
  "type": "Ed25519Signature2020",
  "created": "2020-07-20T13:58:53Z",
  "proofPurpose": "assertionMethod",
  "verificationMethod": "https://asgard-state.auth0lab.com/keys/1",
  "proofValue": "z2ty8BNvrKCvAXGqJVXF8aZ1jK5o5uXFvhXJksUXhn61uSwJJmWdcntfqvZTLbWmQHpieyhdcrG43em37Jo8bswvR"
}

Verifiable Credentials in Action

Now that you know what a VC looks like, let's look at them in action.

We've developed a site, verifiablecredentials.dev, where you can play around and debug verifiable credentials.

Issue a VC

To obtain a new verifiable credential, navigate to wallet.verifiablecredentials.dev, where you'll see a demo wallet where you can start by adding your first VC.

ID Wallet Add VC

Follow the steps, and you'll create your verifiable credential! 🎉

ID Wallet VC created

Present a VC

You can use the Presentation Debugger tool to create a request that defines the characteristics you want a Verifiable Presentation to meet.

You can use ID Wallet to see your verifiable credential data in the Presentation Debugger tool.

Presentation tool

Conclusion

Verifiable Credentials are digital, cryptographically signed credentials that you can use in many aspects of your life. There are many use cases in healthcare, education, and legal contexts where VCs are extremely useful.

Users need the means to exercise their identity and disclose their claims without issuers knowing, the same way they do offline.

If you want to learn more about VCs, go to verifiablecredentials.dev, where you can play around and create and present verifiable credentials.