KuppingerCole Report
By Anne Bailey

Verifiable Credentials for Secure Digital Identity

Verified, digital identity is a key foundation to digital transformation. Verifiable Credentials is an up-and-coming method to establish digital, verified identity in a highly secure way. Applications to enterprise use cases such as new employee onboarding, providing access to sensitive applications, and account recovery demonstrate that Verifiable Credentials bring value not only to the individual, but to the organization as well.
Commissioned by Microsoft

1 Introduction / Executive Summary

Most organizations are ready to go digital, or to shift even further towards digital processes and services. That transformation brings a fundamental need: to be identified for digital interactions, whether as employees, partners, customers, citizens, or things. So far, digital identities have been delivered to these different roles through centralized account creation and provisioning, federated solutions, Single Sign-On, and the range of CIAM solutions. But the solutions most frequently used today lack a fundamental anchor to reality: verification. Verification is what establishes trust that the person using an identity or credential is actually the person associated with that identity or credential.

Zero Trust is the stage on which this story is playing out. Its mantra, "never trust, always verify", is the logic behind anchoring digital identities to a proven entity, even a real-world identity; but trust should not be abandoned completely. Rather, the confidence with which a relationship and a transaction are trusted should be increased. Every transaction needs a certain level of trust, or confidence that the parties involved can be relied upon, at least in that moment. Identities are used to establish relationships of all types; for example, between an employer and an employee, where the employee ID is a functional necessity in defining the roles, access, and entitlements that the employee has in the organization. Relationships are built on an understanding of who the other party is and what their credentials are, but that understanding does not always have to be symmetrical. Often party A only needs certain information, for example the age of party B rather than the date of birth, while party B only needs to know that party A reliably provides the requested service. This transactional relationship can rely on the confidence that the other party is who they claim to be, in other words, is verified. By verifying user identities, the enterprise can maintain confidence in who the other party is, be it employee, partner, customer, or beyond, across the lifetime of that relationship. Know, rather than just trust.

There are strong cultural drivers at play. While the current demand from the public, supported by the wave of global privacy regulation, is overwhelmingly for data privacy, twenty years ago the pendulum had swung to the other extreme. The tragedy of the September 11th attacks created a public willingness to be positively identified when travelling and making purchases, as a way of doing one's part to preserve security and fight terrorism. Although the current demand for privacy is fueled by the data economy, the rising value of personal data, and the ever-present risk of data breaches, the regulatory structure of identification for security still remains, for example in Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements. But these requirements now exist in a world that demands the highest protection of personal data, the right to be forgotten, and restricted use of facial recognition, among many other trending topics.

As businesses move more and more processes online as part of their digital transformation journey, they still carry the burden of verifying identities and credentials much as they did in the paper world of business, which leads to overhead costs, compliance risks and, most importantly, lengthy and time-consuming processes. What if there were a better way?

2 Highlights

  • Digital transformation relies on a secure means of exchanging identity information

  • Verified identity adds credibility to digital identities

3 The Problem of Establishing Verified Digital Identity

Just because there is a need does not mean it is always satisfied. To verify that a digital identity is being actively used by the one who created it ...

4 How Identity Verification and Verifiable Credentials Address this Challenge

There are two parts to bringing this vision to life. One is to anchor the digital identity to the real-world identity, and the other is to make that v ...

4.1 Anchoring the digital identity to the real-world

First, the individual sets up their identity wallet. Up until this point, any information provided is self-attested. The provided name, address, or an ...

This verified digital identity must be in a form which enterprises and other parties can accept. While the biometric and identity data may remain in t ...

4.2 Enabling Reusable Verified Identity for Enterprise Use

A Verifiable Credential can be issued by an entity about any other entity: an employer issuing employment credentials to an employee, a university issuing enrollment information to a student, and much more. When the holder of the Verifiable Credential presents it to access a service -- for example, the employee presents their employment credential to access their workstation, or the student presents their student ID at a bookstore to receive a student discount -- the relying party verifies the credential before granting access to the service, checking that the credential is valid and verifying its signature against the issuer's public key published on the decentralized ledger.

Verifiable Credentials can be integrated into the services and infrastructure that enterprises already use, such as Active Directory and the OpenID Connect (OIDC) protocol. Verifiable Credentials can be auto-populated and issued based on claims that the enterprise's OIDC identity provider already makes about the subject, connecting Verifiable Credentials with identities that are already federated.

Presentation and verification of the Verifiable Credential is a digital process: the relying party requests information from the holder, typically via a QR code or a push notification to an authenticator app, and the holder consents to sharing the credential by scanning the QR code or following the prompts in the app. Presentation and verification of digital credentials opens many doors to secure and private interactions, authentication, and much more, not just within the enterprise but across industry ecosystems.
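The issue, present and verify steps described in this section, as an added worked example in Go. This is not code from the report or from Microsoft's product: it uses Ed25519 signatures, an in-memory map in place of DID resolution on a decentralized ledger, plain JSON rather than the W3C data model and proof formats, and hypothetical DIDs such as did:example:university and did:example:alice. The point is the relying party's checks: the presentation answers this verifier's own fresh challenge and audience, the presenter is the credential subject and proves possession of its key, the issuer's signature verifies against the key resolved from the ledger, and the credential is inside its validity window and not revoked.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Credential: minimal stand-in for a W3C Verifiable Credential (not the full data model).
type Credential struct {
	ID             string            `json:"id"`
	Issuer         string            `json:"issuer"`  // issuer DID, e.g. the university
	Subject        string            `json:"subject"` // holder DID, e.g. the student
	Claims         map[string]string `json:"claims"`
	IssuanceDate   time.Time         `json:"issuanceDate"`
	ExpirationDate time.Time         `json:"expirationDate"`
	Signature      []byte            `json:"signature,omitempty"` // issuer signature over the rest
}

// Presentation binds a credential to the verifier's one-time challenge and audience
// under the holder's signature: proof of key possession, and no replay elsewhere.
type Presentation struct {
	Credential Credential `json:"credential"`
	Holder     string     `json:"holder"`
	Audience   string     `json:"audience"`
	Challenge  string     `json:"challenge"`
	Signature  []byte     `json:"signature,omitempty"` // holder signature over the rest
}

// Ledger stands in for DID resolution (DID -> public key); here an in-memory map
// instead of a DID document read from a decentralized ledger.
type Ledger map[string]ed25519.PublicKey

// signable serialises a value whose Signature field the caller has cleared;
// encoding/json keeps struct field order and sorts map keys, so both sides agree.
func signable(v interface{}) []byte {
	b, _ := json.Marshal(v)
	return b
}

// NewChallenge: fresh nonce minted by the relying party for each request.
func NewChallenge() string { b := make([]byte, 16); rand.Read(b); return fmt.Sprintf("%x", b) }

// Issue (issuer side): sign claims about subjectDID with the issuer's key.
func Issue(id, issuerDID string, issuerKey ed25519.PrivateKey, subjectDID string,
	claims map[string]string, ttl time.Duration) Credential {
	now := time.Now().UTC().Truncate(time.Second)
	c := Credential{ID: id, Issuer: issuerDID, Subject: subjectDID, Claims: claims,
		IssuanceDate: now, ExpirationDate: now.Add(ttl)}
	c.Signature = ed25519.Sign(issuerKey, signable(c))
	return c
}

// Present (holder side): sign the credential together with the challenge and audience.
func Present(c Credential, holderDID string, holderKey ed25519.PrivateKey, audience, challenge string) Presentation {
	p := Presentation{Credential: c, Holder: holderDID, Audience: audience, Challenge: challenge}
	p.Signature = ed25519.Sign(holderKey, signable(p))
	return p
}

// Verify (relying-party side): returns the claims the verifier may rely on, or the first failed check.
func Verify(p Presentation, ledger Ledger, revoked map[string]bool, audience, challenge string, now time.Time) (map[string]string, error) {
	// 1. The presentation must answer this verifier's own fresh request.
	if p.Audience != audience || p.Challenge != challenge {
		return nil, fmt.Errorf("presentation by %s does not match the issued challenge/audience (replay?)", p.Holder)
	}
	// 2. Holder binding: the presenter is the subject and proves possession of its key.
	holderKey, ok := ledger[p.Holder]
	unsignedP := p; unsignedP.Signature = nil
	if p.Holder != p.Credential.Subject || !ok || !ed25519.Verify(holderKey, signable(unsignedP), p.Signature) {
		return nil, fmt.Errorf("holder %s is not the subject or its signature is invalid", p.Holder)
	}
	// 3. Issuer: resolve the issuer DID on the ledger and check its signature over the claims.
	c := p.Credential
	issuerKey, ok := ledger[c.Issuer]
	unsignedC := c; unsignedC.Signature = nil
	if !ok || !ed25519.Verify(issuerKey, signable(unsignedC), c.Signature) {
		return nil, fmt.Errorf("issuer %s unresolvable or its signature is invalid", c.Issuer)
	}
	// 4. Validity window and revocation status.
	if now.Before(c.IssuanceDate) || !now.Before(c.ExpirationDate) || revoked[c.ID] {
		return nil, fmt.Errorf("credential %s expired, not yet valid, or revoked", c.ID)
	}
	return c.Claims, nil
}

func main() {
	ledger := Ledger{} // hypothetical DIDs with freshly generated keys
	uniPub, uniPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	ledger["did:example:university"], ledger["did:example:alice"] = uniPub, alicePub
	cred := Issue("urn:example:cred-1", "did:example:university", uniPriv, "did:example:alice",
		map[string]string{"status": "enrolled"}, 24*time.Hour)
	pres := Present(cred, "did:example:alice", alicePriv, "did:example:bookstore", NewChallenge())
	claims, err := Verify(pres, ledger, nil, "did:example:bookstore", pres.Challenge, time.Now())
	fmt.Println("fresh presentation:", claims, err)
	_, err = Verify(pres, ledger, nil, "did:example:bookstore", NewChallenge(), time.Now())
	fmt.Println("replayed presentation:", err)
}
```

Run it with `go run`. A captured presentation replayed against a new challenge fails at step 1, a credential lifted from one wallet and presented with another holder's key fails at step 2, and any edit to the claims invalidates the issuer's signature at step 3, even though the credential itself was genuinely issued. Selective disclosure (revealing only "over 18" rather than the date of birth, as the introduction describes) needs a proof format beyond this plain signature and is not shown here.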

5 Compelling Use Cases for Verifiable Credentials

There are several compelling use cases in the enterprise for Verifiable Credentials. Issuing and accepting Verifiable Credentials streamlines and digi ...

5.1 Onboarding

New employee or partner onboarding is a business topic rather than an IT topic, typically managed by HR to request and verify paper documents and prov ...

5.2 Providing Access to Sensitive Applications

Access management for sensitive applications is a main function of identity management systems, but often takes a step down in security compared to th ...

5.3 Account Recovery

Account recovery is an issue that is typically routed to the IT department or uses a self-service mechanism to reset the account. In a way, account re ...

6 The challenges still to come

Verifiable Credentials for secure digital identity show clear promise, but still have some challenges to overcome. Compliance is one: even though the ...

6.1 Compliance

The use of Verifiable Credentials to enable end users - be it employees, consumers, or an individual in any other role - to hold and control the shari ...

6.2 Mitigating bias in biometric data

Collecting and accurately matching biometric data to verify identities during onboarding or for authentication use cases is critical to Verifiable Cre ...

6.3 Hypothetical compromise of Verifiable Credentials

Although Verifiable Credentials have not yet been leaked to the dark web, it is a scenario that must be considered and prevented. Compromise of a user ...

6.4 Preference for anonymity

There is a tradeoff between security and the choice to preserve some level of anonymity. This is of course dependent on the situation. An employee mus ...

7 The current state of Verifiable Credentials

Verifiable Credentials are in use today, integrated into decentralized identity solutions, identity verification and proofing solutions, and as enterp ...

7.1 A Dynamic and Collaborative Market

This is a highly collaborative market where the majority of vendors participate in developing standards, partner together to extend services, and acti ...

©2021 KuppingerCole Analysts AG, all rights reserved. Reproduction and distribution of this publication in any form is forbidden without prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand, vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.