Building a secure credential management platform

Over the last ten years, we have seen a massive trend to digitalise everything that fits in your wallet. Credit cards, identity cards, keys, and even your scribbled-down passwords – digital wallets offer the ability to store an encrypted digital version of your credentials on your phone.

But why stop at what fits in your wallet? What if you could keep all of your data secure and only share what’s strictly necessary with third parties?

The potential for digital credentials has never been stronger than right now in the coronavirus crisis. Issuing third-party credentials to a citizen’s phone could hold the answer to the health passports that have been much discussed as key to getting society back on its feet again.

But before we get ahead of ourselves, let’s look at what issuing third-party credentials looks like from a technical standpoint.

 

Structures, standards and protocols

In order for data to be understood and interoperable across systems and products, some standards need to be implemented to ensure the data is structured and exchanged in a compatible way. You also want this data to come with a high level of assurance that the information belongs to the holder.

Let’s look at some of the more technical components of what this might look like.

 

Data structure standards

X509 certificates

Standardised by the ITU-T (International Telecommunication Union), X509 certificates have been around for quite some time and power many widely adopted internet protocols, such as HTTPS. They are also used in national identity cards and government digital signatures.

 

W3C Verifiable Credentials

W3C verifiable credentials are much newer and were only standardised in November last year. Verifiable credentials represent statements made by an issuer in a tamper-evident and privacy-respecting manner. They are more web-friendly than certificates and more specific to credential use cases.

 

Yoti’s data structure

At Yoti, we use X509 certificates and our own open data structures, which can be mapped onto other data models such as W3C verifiable credentials through an extension to our SDKs.

We are working towards enabling this to be done natively too.

A helpful way of understanding how we deal with different data structures and standards in the Yoti app is to compare it to a Swiss Army knife: it supports multiple data models, which can coexist. All data items are secured with Yoti technology, ready to be exchanged following the integrating party’s supported set of standards.

Identity data exchange protocols

The section above addressed some of the data structure standards available, but this data is not very useful unless it’s exchanged in a secure way.

Some widely adopted identity protocols and standards that Yoti supports through our partner ForgeRock are:

However, many of these standards don’t yet cover some of the more sophisticated privacy and security capabilities that we have built into our platform, such as:

  • the use of Hardware Security Modules (HSMs);
  • mobile secure elements and Trusted Execution Environments (TEE);
  • biometric authentication;
  • QR code based multi-factor login/authentication; and
  • anonymous selective disclosure for data exchange minimisation.
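
Selective disclosure, the last capability in the list above, can be built on salted hash commitments: the issuer authenticates a list of per-claim digests and the holder reveals only the claims a verifier needs. The following is an added example, not Yoti's implementation; the function names, key and sample claims are constructed, and an HMAC stands in for the issuer's asymmetric signature so the code runs with the standard library alone.

```python
import hashlib, hmac, json, secrets

ISSUER_KEY = secrets.token_bytes(32)  # constructed key; HMAC stands in for an issuer signature
SAMPLE_CLAIMS = {"full_name": "Alex Example", "date_of_birth": "1990-01-01",
                 "over_18": True}  # constructed sample data

def claim_digest(salt, name, value):
    # The per-claim random salt stops a verifier guessing undisclosed values from digests.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issuer_tag(digests):
    # Assumption: a real issuer would sign with a private key; verifiers would hold the public key.
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue(claims):
    """Issuer: commit to every claim, then authenticate the sorted digest list."""
    salts = {name: secrets.token_hex(16) for name in claims}
    digests = sorted(claim_digest(salts[n], n, v) for n, v in claims.items())
    return {"digests": digests, "proof": issuer_tag(digests)}, salts  # salts stay with the holder

def present(credential, claims, salts, disclose):
    """Holder: reveal only the chosen claims, each with its salt."""
    revealed = [[salts[n], n, claims[n]] for n in disclose]
    return {"credential": credential, "revealed": revealed}

def verify(presentation):
    """Verifier: return the disclosed claims, or None if anything was altered."""
    cred = presentation["credential"]
    if not hmac.compare_digest(cred["proof"], issuer_tag(cred["digests"])):
        return None  # digest list was not authenticated by the issuer
    disclosed = {}
    for salt, name, value in presentation["revealed"]:
        if claim_digest(salt, name, value) not in cred["digests"]:
            return None  # revealed claim was never committed to by the issuer
        disclosed[name] = value
    return disclosed

if __name__ == "__main__":
    credential, salts = issue(SAMPLE_CLAIMS)
    shown = present(credential, SAMPLE_CLAIMS, salts, ["over_18"])
    print(verify(shown))
```

The verifier learns that the holder is over 18 and that the issuer vouched for it, but sees only opaque digests for the name and date of birth.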

 

Anti-spoofing technology

Anti-spoofing technology is fundamental in order to give the necessary assurance that a digital certificate belongs to the holder. There are many different anti-spoofing mechanisms that can be used, which offer differing levels of assurance.

 

A digital hologram

A dynamic pattern that changes continuously with the movement of the device can be useful for a first glance. However, being able to challenge the validity of the digital credential by scanning it with a trusted device is what ultimately provides the evidence that the data hasn’t been tampered with.

 

A challenge QR code

A live QR code can be scanned by a trusted device to authenticate the validity of the credential.

Our digital ID cards harness both a ‘digital hologram’ and a QR code.

Biometric binding

Some credentials need to be linked to a biometric to ensure they are not transferred to the wrong subject.

When this subject is a person, this check can be carried out by simply looking at someone’s face and comparing it to a photo.

In an unmanned scenario, such as at the self-checkout, an automated, anti-spoofing method is necessary to ensure that the credential belongs to the individual. Here, facial recognition technology is used with a liveness test, which takes a scan of a person’s face in order to verify they’re a real person. This anti-spoofing technology is very effective at detecting presentation attacks, such as pictures, videos and masks.

ISO provides a framework for this type of technology assessment in ISO/IEC 30107-1:2016, and some NIST-approved testing laboratories certify compliance with it.

 

Covid credentials and health passports

As illustrated through our NHS staff digital ID cards, Yoti is uniquely positioned to issue secure, verifiable credentials to the public at scale through our digital identity app.

We have applied to join the Covid Credentials Initiative (CCI), a collaboration of more than 60 organisations working to deploy verifiable credential solutions to tackle the coronavirus crisis.

We invite anyone working in this area to get in touch at covid19@yoti.com and join us to help enable society to return to normal in a safe, controlled and privacy-preserving way.