The Role of Verifiable Credentials In Preventing Account Compromise

As digital identity verification challenges grow, organizations need to adopt a more advanced and forward-focused approach to preventing hacks.

Granville Schmidt, CISSP, CCSP, HCISPP, & CIPT, Principal Architect & Member of the Office of the CTO, Strata Identity

March 6, 2023

Online authentication is a challenge for organizations of all shapes and sizes. Despite increasingly sophisticated cybersecurity tools, hackers and criminals continually find new and more nefarious ways to enter enterprise systems.

One method gaining attention for fighting account compromise attacks is verifiable credentials. The concept refers to using digital credentials that adhere to an open standard. These credentials typically include data and elements from vetted physical artifacts, like a driver's license, passport, or digital equivalent, such as a bank account.

Verifiable credentials are appealing because they use digital signatures, making them far more resistant to tampering and theft than physical identifiers. It's possible to carry these digital credentials in a digital wallet within a smartphone or on a PC, enabling trust to be established within and across organizations.

At a time when identity theft, fraud, and malware are rampant, verifiable credentials are rapidly gaining traction. Moreover, security protections multiply when these digital artifacts are combined with a verifiable data registry. Additionally, verifiable credentials allow for selective disclosure, which means individuals can choose to share only necessary information with a specific party rather than sharing all of their personal data. This helps to protect sensitive information and reduce the risk of identity theft.

Truth or Consequences

Verifying a person's identity is a simple task in the physical world. Birth certificates, utility bills, and government IDs demonstrate that a person is who they say they are. A trusted authority has authenticated the person and presented them with an artifact they can use to verify pieces of information. This makes it possible for a person to board a flight, apply for government benefits, or open a bank account.

Online, there's no central authority for identity. Every company, website, or account requires a specific username and password. While a few large companies like Google, Apple, and Facebook have attempted to consolidate identity using their login credentials for single sign-on (SSO), there's still no central authority to verify actual identity.

Enter verifiable credentials and verifiable data registries — an approach that transforms the security of the physical world into the digital realm.

Resilience in Any Situation

Verifiable credentials can improve system resilience during an identity provider outage or network interruption. For example, if a natural disaster like a hurricane takes an identity provider offline, it's still possible to verify a user's identity. Because the user's device holds their signed credentials, those credentials can be presented to an application, which verifies them using a cached copy of the user's public key. For another example, consider cruise ships, which are notorious for satellite Internet connections that drop or slow to a crawl. Using the same verifiable credentials flow, onboard applications could still verify a user's identity and let users make dinner or entertainment reservations or book excursions.

Making the Move

Migrating to verifiable credentials with verifiable data registries involves a few challenges. Typically, it's necessary to rewrite applications to support them. One way to overcome this roadblock is by decoupling identity from applications through orchestration. This makes it possible to migrate from legacy and brittle services to distributed and resilient systems without touching the codebases of those legacy applications.

Orchestration delivers a highly flexible and secure framework. For example, a company may want to establish only essential criteria like the user's citizenship and employer, or impose any other requirements, each of which may need to be validated by different identity services or systems. All these criteria and conditions can be managed seamlessly and invisibly using orchestration.

Companies looking to adopt verifiable credentials should focus on two key areas. First, ensure that the initial verification process is secure and that the entity issuing the credential is entirely trustworthy. Second, establish a process for handling edge cases and issues, such as a network outage.

As digital identity verification challenges grow, many organizations are recognizing the need to adopt a more advanced and forward-focused approach. Verifiable credentials and verifiable data registries offer a path to more robust and resilient security.

About the Author(s)

Granville Schmidt

CISSP, CCSP, HCISPP, & CIPT, Principal Architect & Member of the Office of the CTO, Strata Identity

Granville Schmidt, CISSP, CCSP, HCISPP and CIPT, is Principal Architect and member of the Office of the CTO at Strata Identity. He previously served as an Architect within the Office of the CTO at F5, Inc. Granville was also Information Security Officer and Founding Engineer at medical technology provider PriorAuthNow (now Rhyme), where he played an instrumental role in taking the software platform from zero-to-one and leading all aspects of security and compliance.
