Verifiable Credentials
The Ultimate Beginners Guide!

As conceptualised and standardised by the W3C, the Verifiable Credentials protocol is one of the three pillars of Self-Sovereign Identity, together with the Decentralized Identifiers protocol and Distributed Ledger Technology (or Blockchain).

For the past 4 years Tykn has been developing Self-Sovereign Identity solutions for organisations such as the Turkish Ministry of Foreign Affairs and the United Nations Development Programme. In this blog, our team of Verifiable Credentials experts compiled everything you need to get started on this technology.

After this post you’ll know exactly what Verifiable Credentials are, their characteristics, benefits and use-cases.

Let’s dive in.

Verifiable Credentials Meaning

According to W3C, “Verifiable credentials represent statements made by an issuer in a tamper-evident and privacy-respecting manner.”

What are Verifiable Credentials?

The physical credentials we use in our daily lives – like an ID card, driver’s license, health insurance card or even a university diploma – rarely have a counterpart in the digital world. How could a digital credential, a digital asset, be as trustworthy as the physical ID card that your government issued to you?

Verifiable Credentials, in essence, allow for the digital watermarking of claims data through a combination of public key cryptography and privacy-preserving techniques to prevent correlation (more on these two later!). The effect is that physical credentials can safely be turned digital, and holders of such credentials can selectively disclose specific information from a credential without exposing the actual data (imagine proving you are above the age of 21 without having to show your ID card!), while third parties can instantly verify this data without having to call upon the issuer.

In the following graphic, we can see clearly the relationship between ID Issuer, ID Owner and ID Verifier and how a Verifiable Data Registry (the blockchain) is used to verify the credentials’ data without the need to contact the issuing party.

The 3 Components of Verifiable Credentials

Verifiable Credentials have 3 basic components:

Metadata

Cryptographically signed by the issuer. It “describe[s] properties of the credential, such as the issuer, the expiry date and time, a representative image, a public key to use for verification purposes, the revocation mechanism, and so on.” (W3C)

Claims

A statement made about a subject. Example: “Janice’s date of birth is 01/01/1990.”

Proofs

A proof is data about yourself (the identity holder) that allows others to verify the source of the data (i.e. the issuer), check that the data belongs to you (and only you), that the data has not been tampered with, and finally, that the data has not been revoked by the issuer.

Benefits of Verifiable Credentials

  • Verifiable Credentials are private.
    1. The ID Holder can choose what attributes of their identity they want to disclose. For example, they could show their birth year without disclosing the day and month they were born in.
    2. The ID Holder is always in control of the relationship with ID Verifiers. They know what data was shared and when (there’s an audit trail) and can revoke that relationship at any time.
  • They are tamper-proof through the use of cryptography.
  • Verifiable Credentials can be verified anywhere, at any time, even if the issuer no longer exists (with the exception of situations where the issuance of credentials happened using Private DIDs and the DID of the issuer was not written to the ledger).
  • Portable. Verifiable Credentials are yours to store in your wallet and share with whomever you want. The ID Holder is not “locked-in” to the organisation who issued the credential.

Decentralized Identifiers and Verifiable Credentials

Decentralized Identifiers (DIDs), alongside Verifiable Credentials, are an integral part of Self-Sovereign Identity.

How do DIDs work together with Verifiable Credentials?

Tl;dr: DIDs are a type of globally unique and persistent identifier. They create a secure connection for data exchange between parties and their decentralized nature makes credentials always available for verification.

If you’d like to read more, check out our Beginner’s Guide to Decentralized Identifiers!

Verifiable Credentials and Blockchain

How do Verifiable Credentials leverage Blockchain technology?

Tl;dr: Blockchain, an immutable record of data, is used to store the Public DID of the organisation who issued the Credential. When someone wants to verify the authenticity/validity of the Credential, they can check the blockchain to see who issued it without having to contact the issuing party.

The Blockchain acts as a verifiable data registry. A “phonebook” that anyone can consult to verify what organisation a specific Public DID belongs to.

Long version:

Distributed Ledger Technology (DLT), commonly simply called “Blockchain Technology”, refers to the technology behind decentralized databases providing control over the evolution of data between entities through a peer-to-peer network, using consensus algorithms that ensure replication across the nodes of the network.

More simply put: Imagine a book (or ledger) that anyone could obtain, free of charge, where anything written on its pages would be there forever, and at the same time, would be cross-referenced with the other books to check whether what was written is valid and true; this is the essence of DLT.

In identity management, a distributed ledger (a “blockchain”) enables everyone in the network to have the same source of truth about which credentials are valid and who attested to the validity of the data inside the credential, without revealing the actual data.

Through the infrastructure of a blockchain, the verifying parties do not need to check the validity of the actual data in the provided proof but can rather use the blockchain to check the validity of the attestation and attesting party (such as the government) from which they can determine whether to validate the proof.

For example, when an identity owner presents a proof of their date of birth, rather than checking the truth of the date of birth itself, the verifying party will validate the signature of the government that issued and attested to this credential, and then decide whether they trust the government’s assessment of the accuracy of the data.

Hence, the validation of a proof is based on the verifier’s judgement of the reliability of the attestor.

By leveraging blockchain technology, Verifiable Credentials establish trust between the parties and guarantee the authenticity of the data and attestations, without actually storing any personal data on the blockchain.

This is crucial as a distributed ledger is immutable, meaning anything that is put on the ledger can never be altered nor deleted, and thus no personal data should ever be put on the ledger.

So… what is stored on the blockchain?

  • Public DIDs

DIDs are a new type of unique identifiers for verifying digital identities, and are entirely controlled by the identity owner. DIDs are independent of centralised registries, authorities or identity providers.

  • Credential Definitions

The different (often tangible) proofs of identity or qualification issued by authorities; such as drivers licenses, passports, identification cards, credit cards, etc. Hence, credential definitions are — as the name suggests — merely the definitions of these different credentials to be stored on the ledger.

  • Schemas

The formal description for the structure of a credential. More simply: a template outlining the verified data you can issue or verify from your users.

  • Revocation Registries

An option for issuers to be able to revoke the claim. The revocation registry is what tells the rest of the world how the issuer will publish the revocation information.

  • Proofs of consent for data sharing

Consent receipts (i.e. proofs of consent) let people prove consent to, or reception of, data (basically saying the data has been received and checks have been executed on it).

Trust on the Internet

“Cryptographically verifiable credentials will become the ‘lingua franca’ of trust on the Internet—the standard way any two parties can establish the specific trust relationship they need in their specific context. VCs will be as fundamental to the future of the Web as HTML pages were to building the Web itself.”

Drummond Reed

CTO at Evernym

Privacy and Verifiable Credentials

There are two different levels of privacy preservation:

  • Selective Disclosure
    1. In selective disclosure you can generate proofs from a few attributes from a credential.
    2. E.g., if you have to prove your age from a Driver’s License and you are not comfortable with sharing the address that comes in the driver’s license credential, you can prove your age while leaving the address out of the proof.
  • Zero Knowledge Proof
    1. In ZKP you can prove the attribute from a credential without actually revealing the value.
    2. From the above example of the Driver’s license, you can prove that you are above 18 without revealing your date of birth.
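A sketch of the issue, present and verify flow with selective disclosure, as an added example that is not Tykn's or the W3C's code: the issuer signs salted digests of each claim, the holder reveals only chosen claims, and the verifier checks the signature against the key registered for the issuer's DID plus a revocation list. It assumes salted-hash disclosure and a Lamport one-time signature (one key pair per signed credential) as standard-library stand-ins for production schemes; the DID, credential id, registry dict and claim values are constructed.

```python
import hashlib, json, secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def canon(obj) -> bytes:  # deterministic JSON so both sides hash identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def msg_bits(msg: bytes):
    return [int(c) for c in format(int.from_bytes(h(msg), "big"), "0256b")]

# Lamport one-time signature: a stand-in for the issuer's real signature scheme.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(h(a), h(b)) for a, b in sk]

def sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]

def sig_ok(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(h(s) == p[b] for s, p, b in zip(sig, pk, msg_bits(msg)))

def claim_digest(salt: str, name: str, value) -> str:
    return h(canon([salt, name, value])).hex()

def issue(sk, issuer_did, cred_id, claims):
    # Metadata and salted claim digests are signed; raw values stay with the holder.
    salts = {k: secrets.token_hex(16) for k in claims}
    signed = {"issuer": issuer_did, "id": cred_id,
              "digests": sorted(claim_digest(salts[k], k, v) for k, v in claims.items())}
    return {"signed": signed, "proof": sign(sk, canon(signed))}, salts

def present(credential, salts, claims, reveal):  # holder reveals chosen claims only
    return {**credential, "disclosed": [[salts[k], k, claims[k]] for k in reveal]}

def verify(presentation, registry, revoked):
    signed = presentation["signed"]
    pk = registry.get(signed["issuer"])  # registry: issuer DID -> public key
    if pk is None:
        return False, "unknown issuer"
    if not sig_ok(pk, canon(signed), presentation["proof"]):
        return False, "bad signature"
    if signed["id"] in revoked:
        return False, "revoked"
    for salt, name, value in presentation["disclosed"]:
        if claim_digest(salt, name, value) not in signed["digests"]:
            return False, "claim not in credential"
    return True, {name: value for _, name, value in presentation["disclosed"]}

# Constructed sample data: the DID, credential id and claims are made up.
ISSUER_DID = "did:example:government"
CLAIMS = {"name": "Janice", "birth_year": 1990, "address": "1 Example Street"}

def demo():
    sk, pk = keygen()
    registry = {ISSUER_DID: pk}
    cred, salts = issue(sk, ISSUER_DID, "cred-001", CLAIMS)
    pres = present(cred, salts, CLAIMS, ["birth_year"])
    forged = {**pres, "disclosed": [[salts["birth_year"], "birth_year", 1980]]}
    return (verify(pres, registry, set()), verify(forged, registry, set()),
            verify(pres, registry, {"cred-001"}))

if __name__ == "__main__":
    print(demo())
```

The verifier never contacts the issuer and never sees the undisclosed name or address; this sketch does not implement a zero-knowledge predicate such as "over 18".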

A Zero-Knowledge Proof is a method of authentication that, through the use of cryptography, allows one entity to prove to another entity that they know certain information or meet a certain requirement without having to disclose any of the actual information that supports that proof. The entity that verifies the proof has thus “zero knowledge” about the information supporting the proof but is “convinced” of its validity. This is especially useful when and where the prover entity does not trust the verifying entity but still has to prove to them that they know specific information.

Verifiable Credentials, and Self-Sovereign Identity, use this to allow a person to prove that their personal details fulfil certain requirements without revealing the actual details.

For example, one could prove that she is over 18, without showing her exact date of birth.

The following W3C graphic demonstrates how two credentials could be presented to prove that the ID holder is over 18 years of age and has a University degree:

Verifiable Credentials Wallet

There are two types of Wallets: Mobile Wallets and Web Wallets.

Mobile Wallet

Mobile Wallets, also known as Edge Wallets, store Verifiable Credentials on your mobile device. From a Verifiable Credentials issuer’s perspective, the Mobile Wallet is the ideal option if they don’t want any Personal Identifiable Information stored on their servers or the cloud. All personal data is stored on the users’ mobile phones.

Let us give you a real-world example of Verifiable Credentials and Mobile Wallets in action. Recently we piloted this technology in Turkey with the Ministry of Foreign Affairs, the United Nations Development Programme and the Istanbul Chamber of Commerce.

The objective? With more than 3 million refugees in the country, Turkey wants to implement Self-Sovereign Identity to help increase refugee employability and financial independence.

Syrian entrepreneurs using Tykn's Mobile Wallet to receive a Verifiable Credential

This is how the pilot played out:

  1. (Syrian) Entrepreneurs need to complete a Work Permit application in order to hire refugees. Currently, this process is lengthy and paper-based.
  2. Several Syrian Entrepreneurs physically verified their ID with the Chamber of Commerce. The Chamber of Commerce used our SSI Portal to issue them a digital cryptographic proof, a Verifiable Credential, attesting that they have a registered business.
  3. The Syrian Entrepreneurs stored those credentials in their digital identity wallets: our SSI Mobile Wallet.
  4. Without leaving the Mobile Wallet, the Entrepreneurs were able to start a Work Permit Application and use their Verifiable Credentials to prove their identity and that they own a registered business.

A demo of Tykn’s SSI Mobile Wallet.

In the future, job-seeking refugees may also be able to request digital credentials such as the Work Permit itself or their Residence Permit. They’ll be able to hold those credentials in their Mobile Wallet as Verifiable Credentials and use them to prove their identity and access services directly from their mobile phone, turning time-consuming, bureaucratic and costly processes into easier and faster ones.

Using Self-Sovereign Identity, applying for a Work Permit becomes simpler and faster. With just a few taps.

In this case Tykn uses Self-Sovereign Identity to:

  • make the credentials issued by the Chamber of Commerce become digital, tamper-proof and verifiable anywhere, at any time.
  • establish a secure and digital peer-to-peer connection between the Chamber of Commerce and the Entrepreneur. Not even we can see what is exchanged between them.

Web Wallet

Depending on your use-case, you might not want your users to have the increased friction of downloading an app. In those scenarios, a Web Wallet might suit you better. 

A Web Wallet seamlessly integrates into your current user journeys letting you and your users take advantage of the benefits of Verifiable Credentials. 

Data is encrypted and saved in a secure personal cloud vault controlled by the user. Verifiers can easily connect to the user’s Web Wallet and request the data directly from the user.

A great real world example of how a Verifiable Credentials Web Wallet could be implemented is the Financial Services Marketplace one.

Let’s say a user, Janice, signs up at the Perks website. As usual, she will have to verify her email address.

Because Perks implemented a Verifiable Credentials Web Wallet, once Janice verifies her email address, she will be asked if she wants to save her verified credential (email address) for later re-use. Janice accepts.

Later on, Janice decides to open a bank account with the digital bank BBing. BBing also implemented a Web Wallet. So when Janice starts onboarding, BBing pings Tykn’s APIs and notices that Janice has her verified email address saved in a Wallet. They ask her if she wants to re-use it. She accepts and does not have to verify her email address again. BBing trusts the verification done by Perks and accepts it.

Once Janice finishes her onboarding process, BBing asks her if she would like to save all her newly verified onboarding details – Address, Name, Passport, Selfie – into her Web Wallet. Janice accepts.

Like many digital banks, BBing has a Financial Services Marketplace. BBing focuses on savings accounts and offers services like loans and insurance through marketplace partners. Janice decides she wants a loan. Within BBing’s marketplace she picks ULoan as the loan provider she wants. ULoan asks her if she would like to use her saved verified details to apply for the loan.

Janice accepts and all her details – from her Verifiable Credentials – are shared with ULoan without Janice having to fill any new forms. 

A Verifiable Credentials Web Wallet is a great way to optimize onboarding processes within partner ecosystems.

Verifiable Credentials Use-Cases

Notable Verifiable Credentials use-cases are identity related, mainly within the Banking, Government, Education, Human Resources and Humanitarian spaces.

Banking

KYC – Know Your Customer

Since 2016, Rabobank, one of The Netherlands’ biggest banks has been researching Self-Sovereign Identity and Verifiable Credentials.

Rabobank believes that with their extensive “Know Your Customer” – KYC – and due diligence processes, they could provide “directly verifiable data” that the customer could provide to third parties or use verifiable credentials in order to onboard new customers.

Mortgage Application

Another use case that Rabobank believes can bring added value to customers is in regards to Mortgages.

Mortgage flows require a lot of time and documents from several different sources. Most of those documents are not verifiable. Verifiable Credentials would allow for the direct verification of that data and the source.

Human Resources

Rabobank also wants their employees to be in control of their own data.

This means reusing “certificates or assessments they achieved or did at Rabobank everywhere else. Therefore we do projects in order to save certificates, diplomas, trainings and employment credentials”. They believe Verifiable Credentials would “drastically improve employee onboarding times”.

Government

Canada

The government of British Columbia, Canada, is using an open-source blockchain framework, Hyperledger Indy, to streamline their services and cut red tape.

Canadian companies claim they waste more than 6 billion dollars (CAD) every year on unnecessary bureaucracy. This governmental project – The Verifiable Organizations Network – believes decentralized identities and trusted credentials are the solution.

Each Canadian business owner has to use three different tax numbers and navigate three different levels of governmental bureaucracy: local, provincial and federal.

Using Self-Sovereign Identity, one trusted organisation within the value chain – such as the provincial government – can issue a digital Verifiable Credential to the business owner and the other organisations – such as the federal government or a financial institution – can verify that credential and trust the attestation made by the first organisation.

According to Product Lead John Jordan, their team wanted to show that this innovative technology can even be applied to more than just identity.

Use cases such as “professional associations that register members like doctors, nurses, or engineers; standards groups that certify food as organic or kosher; or businesses that need to prove their facilities have been inspected”. It can be used “to support private and secure P2P connections where verifiable credentials can be used to build trusted relationships. This can help streamline any process that involves trust.”

Turkey

The Turkish Ministry of Foreign Affairs, in collaboration with the United Nations Development Programme, is piloting Tykn’s Self-Sovereign Identity solution to optimize the process of issuing Work Permits to refugees.

Using Tykn’s platform, the Istanbul Chamber of Commerce was able to issue a Proof of Business Ownership as a Verifiable Credential. Refugee entrepreneurs could store those credentials in their Mobile Wallets on their phones and use them during the Work Permit application process.

We go deeper into this here.

Education

The Digital Credentials Consortium was created by 12 Universities, including MIT, Harvard and Berkeley, to develop “infrastructure for issuing, sharing, and verifying digital credentials of academic achievement”.

They are using Verifiable Credentials to create a “verifiable record of your lifelong learning achievements to share with employers”.

As reported by CNBC in 2020, “The survey findings from Checkster, a reference checking company, show that 78% of candidates who applied for or received a job offer in the last six months admit they did or would consider misrepresenting themselves on their application.”

Verifiable Credentials, always verifiable and tamper-proof by nature, would help to greatly reduce resume fraud.

Skill Credentials

“Portable, interoperable skill credentials, enable individuals to find fulfilling jobs and careers, while removing traditional barriers that may have excluded them. Verifiable Credentials offer a powerful and flexible mechanism to deliver this functionality.”

Kim Hamilton Duffy

Architect of the Digital Credentials Consortium at the MIT

W3C and Verifiable Credentials

The World Wide Web Consortium, W3C, is the main international standards organization for the World Wide Web. They are the ones that created the URL standard, amongst others.

As conceptualised and standardised by the W3C, the Verifiable Credentials protocol is one of the three pillars of Self-Sovereign Identity, together with the Decentralized Identifiers protocol and Distributed Ledger Technology (or Blockchain).

The Verifiable Credentials Data Model 1.0 is a “specification [that] provides a standard way to express credentials on the Web in a way that is cryptographically secure, privacy respecting, and machine-verifiable.”

Here is an example of the attributes contained in an Employment Certificate issued as a Verifiable Credential by Tykn to Mohammad Sami, our Sr. Sovrin Engineer.

Verifiable Credentials Schema

Per the W3C, “The Credential Schema is a document that is used to guarantee the structure, and by extension the semantics, of the set of claims comprising a Verifiable Credential. A shared Credential Schema allows all parties to reference data in a known way. (…) A large part of the integrity of a verifiable credential is how to structure the credential so that all three parties (issuer, holder, verifier) may have a singular mechanism of trust into what they are using. We call that document a Credential Schema.”

To put it more simply, a Schema is a template, outlining the verified data you can issue or verify from your users. 

A Credential Schema for a University Diploma may include Name of Student, Degree Name, Date of Completion, Grade, etc. The University would use this schema to issue the Diploma Credential. A verifier, like an employer, would use the schema if they want to verify if the job candidate has a valid University diploma and what degree they did.

The following is the Schema corresponding to the Employment Certificate Verifiable Credential we showed above.

The id is a reference to identify the Schema on the ledger.
