Verifiable Credentials for Secure Digital Identity
Verified digital identity is a key foundation of digital transformation. Verifiable Credentials are an up-and-coming method of establishing verified digital identity in a highly secure way. Applications to enterprise use cases such as new employee onboarding, providing access to sensitive applications, and account recovery demonstrate that Verifiable Credentials bring value not only to the individual but to the organization as well.
Commissioned by Microsoft
1 Introduction / Executive Summary
Most organizations are ready to go digital, or to shift even farther towards digital processes and services. With that transformation comes a fundamental need: to be identified for digital interactions, be it as employees, partners, customers, citizens, or things. Thus far there have been several attempts to deliver digital identities to these different roles: centralized account creation and provisioning, federated solutions, Single Sign-On, and the range of CIAM solutions. But the solutions most frequently used today lack a fundamental anchor to reality: verification. Verification is what establishes trust that the person claiming to use an identity or credential is actually the person associated with that identity or credential.
Zero Trust is the stage on which this story is playing out. Its mantra, "never trust, always verify", is the logic behind anchoring digital identities to a proven entity, even a real-world identity, but trust should not be abandoned completely. Rather, the confidence with which a relationship and transaction is trusted should be increased. Every transaction needs a certain level of trust, or confidence that the parties involved can be relied upon - at least in that moment. Identities are used to establish relationships of all types; for example, between an employer and an employee, where the employee ID is a functional necessity in defining the roles, access, and entitlements that the employee has in the organization. Relationships are built on an understanding of who the other party is and what their credentials are, but that understanding does not always have to be mutual. Often party A only needs certain information - for example the age of party B rather than the date of birth - while party B only needs to know that party A reliably provides the requested service. This transactional relationship can rely on the confidence that the other party is who they claim to be, in other words, is verified. By verifying user identities, the enterprise can maintain confidence in who the other party is - be it employee, partner, customer, and beyond - across the lifetime of that relationship. Know, rather than just trust.
There are strong cultural drivers at play. While the current demand from the public - supported by the wave of global privacy regulation - is overwhelmingly for data privacy, twenty years ago the pendulum had swung to the other extreme. The tragedy of the September 11th attacks led the public to prefer being positively identified when travelling and making purchases, as their part in preserving security and fighting terrorism. Although the current demand for privacy is fueled by the data economy, the rising value of personal data, and the ever-present risk of data breaches, the regulatory structure of identification for security still remains, for example in Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements. But these requirements now exist in a world which demands the highest protection of personal data, the right to be forgotten, and restricted usage of facial recognition, among many other trending topics.
As businesses move more and more processes online as part of their digital transformation journey, they still carry the burden of verifying identities and credentials in the paper world of business, leading to overhead costs, compliance risks and, most importantly, lengthy and time-consuming processes. What if there was a better way to change all that?