In this article:
- Verifiable digital credentials (VDCs) are emerging as smartphone-held, cryptographically signed IDs that let people prove who they are with passport-level assurance while sharing only the minimum data needed, reducing how much sensitive information companies must store.
- Adoption has been real but uneven: mobile driver’s licenses exist in 20-odd U.S. states, although with compatibility issues, and are being adopted more rapidly in Australia and Europe.
- AI-driven fraud and deepfakes may be the "killer use case" that accelerates VDC uptake, as they provide strong, copy-resistant proof of identity with built-in biometrics.
For some time, the technology industry has been trying to make a new form of digital identity happen.
Whether it's called decentralized identity, reusable identity, portable digital identity, self-sovereign identity or the term we'll use here, verifiable digital credentials (VDCs), the concept is the same: A cryptographically protected form of identity that you can hold on a smartphone or other portable device and which carries the same level of assurance as a passport or an enhanced driver's license.
The key difference here is that when (or if) this system gets widely accepted, online stores and other services won't need to hold as much of your information, like your address, date of birth or Social Security number.
"Your VDC lives on your device as an end user, and you just present proof to the company you're presenting it to," explained Vivek Raman, VP of Engineering and General Manager of Okta Personal at Okta, during an interview at the Oktane conference in Las Vegas this past September. "They don't need to store anything."
Instead, that data will be kept on your phone, and you'll be disclosing only as much as you need to, depending on the circumstances. Data breaches will lose far less personal information.
"Selective disclosure with verifiable credentials lets you, the user, be in control of what data you share," added Raman. "I no longer have to show all my personal data to someone who just needs to know that I'm over 21 or that I'm a resident of a certain state."
If you've got a mobile driver's license on your phone — and about 20 states and Puerto Rico already allow them — then you're already using a form of this technology. The idea is that you can present the mobile DL to a cop, at a bar and, in certain cases, even at an airport TSA checkpoint to verify your identity and/or age.
That's convenient, but the potential use cases go way beyond physical encounters. Up until now, passwords and multi-factor authentication (MFA) have been adequate for online shopping, and banks have been happy to let existing account holders use their dedicated apps.
Unfortunately, the whole existing online system of trust is coming under serious strain from AI-enabled deepfakes and North Korean spies posing as remote IT workers from other countries. Holding up a copy of your driver's license to the webcam doesn't cut it anymore.
"When it comes to proving who you are, we need more than MFA or security questions. We need proof," wrote Okta Staff Content Designer Emilie O'Genski in a recent company blog post. "Verifiable digital credentials allow users, employees, and systems to present cryptographically signed, privacy-preserving proof of identity, authorization, affiliation, or knowledge."
To combat deepfakes, you can buy and install deepfake detection software to try to spot inconsistencies when your company's CEO seems to be dialing in from Dubai asking for a $10 million money transfer. Or you can simply have the CEO present his verifiable digital credentials at the start of the call.
"The cool thing about this technology is that it's a cryptographically secure way to issue a credential to a person, have them hold it on their device," said Raman. "Because it's got cryptographic properties, it doesn't allow you to copy it or change it."
Combatting deepfakes and other forms of AI-enhanced online fraud may be the killer use case that finally forces widespread adoption of VDCs — barring a few compatibility issues among different formats, of course.
Not a new concept
It's been more than four years since Apple announced that the Wallet app on iPhones could hold digital driver's licenses.
Yet uptake has been slow: Only two states had fully signed up for the program then, and today, only 11 more, plus Puerto Rico, have mobile driver's licenses compatible with Apple Wallet. Google's competing Android Wallet app supports only 10 states, not all of which are on Apple's list. Samsung Wallet supports six states, although the TSA says it's eight.
"About 25 or so states in the US now either are piloting or have already launched a mobile driver's license program," said Raman.
To make things more confusing, some states that aren't on any phone maker's wallet lists, like New York, have their own digital-ID apps for iPhone and Android. (One reviewer on the App Store called New York's app "hot garbage.")
No Canadian province has yet issued digital driver's licenses, although the Canadian federal government is considering an optional national digital ID.
Outside of North America, the concept seems to be catching on more quickly. The Australian states of New South Wales, Queensland and Victoria all offer digital driver's licenses.
"In Europe," said Raman, "there's legislation coming soon to mandate a standard citizen ID that's going to be interoperable across all EU countries, and it's already adopted in a lot of Asian countries as well."
As usual, the Nordics are ahead of the game with Estonia's e-ID and Sweden's BankID.
In the U.S., digital driver's licenses are not a total replacement for the little cards you can carry in your wallet. Acceptance of digital IDs is far from total, so you'll still have a physical license card issued to you.
The same goes for passports. Apple ID lets you upload your passport information, but you should keep the physical booklet handy when you cross borders. What you've got on your phone is a digital facsimile to supplement the physical ID.
Smartphones to the rescue
Raman pointed out that for Americans, registering an online account with the Internal Revenue Service is the only well-known use case for what NIST deems as Identity Assurance Level 3 (IAL3) online digital personal verification, or "identity proofing."
"Historically, digital identity verification has been something that you do only in rare instances online," he said. "When I go to pay my taxes, for example, with the IRS, I have to go do a face scan and scan a physical document, a passport or a driver's license."
It's a process that's not easily portable to a business context, Raman added.
"That's a one-time thing if you're building an application that requires that," he said. "It's pretty costly. You have to involve third parties and it introduces a lot of user friction."
I've gone through the IRS account-registration process myself, and it feels like you're in the 1990s. Not only do you have to upload scanned physical documents, but you also do an in-person on-camera interview. If all verifiable digital credentials depended on such a cumbersome process, they'd never catch on.
The IRS doesn't seem to know that there's a handy, widely available, quite secure device that uses biometric authentication to verify your physical presence and identity. It's called your smartphone.
"I have to use the Face ID or Touch ID on my device to unlock that [verifiable digital] credential," Raman explained. "Because of that, it's got all these great properties that make it more secure than a physical document."
As with passkeys, the fingerprint- or face-reading feature on iPhones and Android phones is a boon to VDCs. Before you can use your digital driver's license, passport or credit cards, you must be logged into your device. The option of a biometric challenge bumps up the assurance level of the VDC.
"You're onboarding to an application and you want to do an ID verification check," Raman said. "We can make that more seamless by using verifiable credentials or a mobile driver's license, for example. That'll help you do it in a way that doesn't require pictures and scanning your driver's license in the camera."
Again, you can control what data is shared with the party that wants your information, he explained.
"If I want to go to the liquor store and buy a bottle of wine, which I'll probably do after this interview, I would today hand over my driver's license, which has my full name, my home address, my photo, all that stuff, where all they really need to know is, am I over 21 or not?" he explained. "In an online transaction, they can say, all we need to know is, are you over 21? Yes or no, and that's it."
There are some potential downsides to storing your IDs on your phone. When you get a new phone, most of what's in your digital wallet will be transferred to the new device via iCloud or Google or Samsung backups, but each digital ID may need to be reauthorized by the issuer, such as the DMV. (You'll also have to ask your banks to reauthorize any stored credit-card numbers.)
Likewise, if you lose your phone or it's stolen, you'll want to remotely wipe it as soon as possible lest the digital IDs get into the wrong hands.
One more thing: Like most secure online transfers of information, VDCs use public-key encryption, which will be obsolete in 10 or 15 years after quantum computers come online and can easily crack it. But fear not: Academic researchers are already figuring out how to upgrade VDCs to use post-quantum encryption.
AI changes everything
Despite the benefits to convenience and privacy, there hasn't been much demand for VDCs or digital IDs, either from consumers or businesses. Raman thinks that will soon change: With deepfakes getting better all the time, companies already need to verify remote hires more strongly, and banks need to verify new customers more strongly for regulatory compliance.
"When you onboard a user, either in a workforce context or in a customer identity context, if you're an application developer, you should be able to verify these government IDs in a seamless way to verify your users," he said.
He also hopes that a unification of VDC standards smooths the way for greater acceptance, even though American states seem to have a hard time getting on the same page.
"The underlying technology is built on a few different standards, and those standards are starting to converge today," Raman said. "It's going to make things more interoperable in the future."
It will also return full control of personal data to the individual user, he added, instead of having it float around in the questionably secure databases of hundreds of different online services.
"You're going to have a bunch of different VDCs that you hold, and that will make your personal identity," Raman said. "It'll be my government-issued ID, my driver's license, my passport, my proof of employment, maybe some professional certifications and things like that. And I will choose what context and who I want to share it with."