Verifiable Credentials — beyond the Hello World
I write this blog with a bit of concern that after years dabbling with emerging technologies, the global companies of the world have been slow to embrace the concept of empowering people to control their identity. Information leakages and hacks are on the rise citizens are at risk as large-scale data farming agencies harvest this information without consent from the users. Technically, though solutions exist, lack of evidence of real-life use cases is preventing our ability in convincing consumers that it is a good step to being in control of your personal information.
Let’s start with Verifiable Credentials (VC), a W3C recommendation on describing a set of attributes or claims regarding a subject. A VC is digitally signed by an issuing entity and can claims can be verified cryptographically. With all the goodness in the W3C standard, the only use case that has been floating around is anonymously verifying the age of a person. It is undoubtedly a good use case to prove the point, a “Hello World”, an experiment, but consumer-ready products have to go beyond the basic use cases. Awareness and real-life use cases demand participation from many entities, governments, financial institutions, healthcare systems, universities, etc.
In this post, and subsequent ones, I would like to present a multi-party scenario where several untrusted parties come together and verify information digitally, transparently and more importantly securely. The implementation details are immaterial and the only reason I mention the Verifiable Credentials is to present it as an enabling technology and not the only way to verify the information.
Credit Lending — Home Mortgage (ouch!)
The US housing market was anything but normal in 2021. Increased demand for homes, low mortgage rates and lets add remote work and inability to execute transactions in person made the anxiety of going through the home buying experience anything but normal.
Even before the pandemic, a typical mortgage application process had taken around 49 days on an average. It is a constant back and forth of repetitive request for documents such as latest information relating to identity, income and underwriting verification statements. There are many parties involved with a lot of paperwork.
What is worse is most information and document collection goes towards the underwriting process to establish the credit worthiness of the applicant. Lenders lose a lot of time in the process.
Why the delay?
Multi-party contracts and verification is not trivial. It is complex due to the simple fact that parties do not trust each other and each party spends enormous time in assessing risk and verifying information. A rough timeline could easily look like this below:
Reimagine with Verifiable Credentials
The complexity of real world is not unfounded. Years of business interactions have led to some deeply intricate policies, standards and rules that drive business decisions. A genuine problem is that of trust:
- The Lender needs to trust the Credit Score to pre-qualify
- The Lender needs to trust the employer and other bank information to qualify the user.
- The Underwriter needs to trust the county and appraiser to value the house
- The Lender needs to trust the Underwriter to release money to the Builder.
- The Title Company needs all parties to sign a multi-party agreement with Lender, Homeowner and the Builder.
Who does what?
The table below summarizes a set of Verifiable Credentials acquired by potential buyers from various entities, government agencies and enterprises. Each credential is a tamper-proof evidence, signed by the issuer and issued to the subject, the buyer in this case.
Verification rulesets may be easily embedded into current mortgage platforms to accelerate the lending process. Verification of credentials happens in real-time and the cost to perform the tasks can be cut down significantly.
At this point in time, I must step back and acknowledge that ecosystems take time to evolve. This transformation of integrating a wide range of entities, possibly across the world, is a major effort and most likely a goal that may be too ambitious for a single network. Interoperability is the key and standards for normalizing data formats and transport protocols are essential.
The questions naturally are:
- Who are these issuers and how are they qualified?
- What credentials can they issue and how does the user acquire them?
- How are these credentials verified?
- Can you verify these credentials from only a few trusted partners?
- How is consent captured and who owns the risk?
- Where does information reside and can we meet compliance goals?
In a separate post, I will explain the role of Accountable Digital Identity (ADI) Association, the technical and governance aspects to onboard business and human entities and the operational benefits in enabling a network-of-networks ecosystem to exchange identity and verifiable credentials.
Going back to my earlier comment, it is imperative that enterprises embrace emerging standards to improve business processes. The foundational technologies can accelerate digital transformation efforts while not sacrificing security aspects.