Automated Credentials
Automated credentials derive their data directly from the user's datastore entry, ensuring alignment between the credential and the user's current profile information. In this model, specific attributes from the user's profile are selected to populate the digital credential, and those attributes can be supplemented with other static data such as alphanumeric text. Throughout the credential's lifespan, any changes in the user data or profile trigger instant updates to the credential, ensuring accuracy and reliability.
Automated credentials offer the flexibility of a simplified credential lifecycle while limiting the source of the data that can be included in the credential. Because automated credentials pull their values from the user’s profile, they can be issued even when a user has no currently paired wallets. As soon as the user pairs their wallet, these automated credentials will be available for use.
Example Use Case
Consider an enterprise issuing credentials to its employees for cybersecurity purposes. These credentials contain essential details such as department and job title, which may undergo changes during the employee's tenure. By simply updating the central user profile, the issuer effortlessly ensures that the credentials remain up-to-date.
API Credentials
In contrast, API credentials require explicit data provisioning, issuance, and lifecycle management by an external application. In the API credentials model, attributes from the user’s profile can be pulled in just as with automated credentials, but any other data can also be fetched and submitted to the credential service. This model offers flexibility by allowing data from various sources, including data generated dynamically at the point of issuance, without the prerequisite of storing it in the user's profile.
API credentials remove the restrictions on where data for a credential originates, but place responsibility for managing its lifecycle on an external orchestration component. For example, if an application wishes to update an issued credential’s values, it should explicitly submit the data required to issue a new one. Additionally, wallet pairing must occur before API credentials are issued, because no data is retained on the servers from which the credential could be generated automatically once pairing occurs.
Example Use Case
Imagine a contracted worker requiring a credential for a day's work on-site, serving the dual purposes of identification and authorization. This credential may include the worker's photograph, which isn't stored in the company's user store. As the work will only take a few hours from when the contractor begins work, the credential has a dynamically computed expiration field.
Benefits of Verifiable Credentials By Type:
Automated Credentials
Data is sourced from the identity data store and seamlessly integrated into the credential during creation and issuance.
Real-time updates to credential data in response to profile changes.
Lifecycle management occurs as a downstream result of modification to the user’s profile.
Data duplication occurs between the credential and the issuer's identity store.
Issuance can occur at any time, even when a user has no currently paired wallet.
API Credentials
Data is pushed directly into the credential during issuance from any accessible source.
Eliminates the need for data duplication in a server.
Credential lifecycle management (including when to issue, update, and revoke) is facilitated through externally orchestrated API calls.
Data can be purged from the issuer's system post-issuance, enhancing data security and privacy.
Suitable for services with strict on-prem or data residency requirements.
Requires a digital wallet known to belong to the user to which the credential can be issued.
Understanding the nuances of automated and transactionally-issued credential models empowers enterprises to choose the most suitable approach for their credential management needs. Whether prioritizing real-time profile synchronization or flexibility in data sourcing, leveraging the right model ensures efficient and secure credential lifecycle management tailored to organizational requirements. Learn about Ping’s verifiable credentials solution, PingOne Credentials.