Explaining W3C Verifiable Credentials and biometrics a key mission for Dock Labs

All legitimate credentials can be verified – but not all credentials are Verifiable Credentials. It sounds a bit like a logical paradox, which is why experts are working to try and make the distinction more approachable, and use cases more widely understood.

On online guide from Truvera by Dock Labs puts it succinctly: A Verifiable Credential (VC) is “a tamper-proof digital file that contains verified information about a person, organization, or thing — such as an identity document, academic degree, professional license, or background check result.”

“When digital credentials conform to the Verifiable Credentials Data Model 1.0, which is a standard established by World Wide Web Consortium (W3C), they can be referred to as Verifiable Credentials.” (W3C just published Data Model 2.0.)

The VC Data Model is a specification providing “a standard way to express credentials on the Web in a way that is cryptographically secure, privacy-respecting, and machine-verifiable.”

Furthermore, “Verifiable Credentials are one of the three pillars of Self-Sovereign Identity (SSI), which is an approach to digital identity that gives individuals control of their digital identities. The other two pillars are blockchain and decentralized identifiers.”

These enable “advanced privacy-preserving technologies that give users greater control over what information they share and with whom,” including Selective Disclosure and Zero-Knowledge Proofs (ZKPs).

The guide gets downright chummy with an imagined walkthrough: “Let’s say a user goes through identity verification with a trusted provider — like an ID verification provider. Once the user’s identity is successfully verified, the provider acts as the issuer and creates a Verifiable Credential that contains the verified identity data.”

“The issuer digitally signs the credential using a cryptographic private key. This signature acts as a seal of authenticity that can be independently verified — without needing to contact the issuer again. Later, when the user presents this credential to another service within the same ecosystem (such as a bank, partner company, or internal system), that service acts as the verifier. The verifier checks the digital signature against the issuer’s public key, which is published on a blockchain.”

Balancing privacy and security tricky amid shifting biometrics regulations

So, you have your bona fide W3C Verifiable Credential. What now?

In a talk at the European Identity and Cloud (EIC) conference, Richard Esplin, head of product at Dock Labs – who oversees the Truvera decentralized identity platform – looks at the relationship between biometrics and Verifiable Credentials, and specifically at the challenge of balancing security and privacy in an environment of rapidly evolving regulations and tech.

“Many identity architects have gone crazy trying to get everything into a single platform,” Esplin says. “What makes it even more complicated is that we often have to share that information across organizational boundaries.” This can result in difficult integrations, which make attractive targets to fraudsters working with AI tools.

Regulations on biometrics add further complexity, along with the infinitely complex question of human trust.

“Fundamentally we can summarize this problem byu looking at two organizations,” Esplin says. “Both of them have a Janet Doe in their system of record. How do we know it’s the same Janet Doe? And how do we know that this Janet Doe is the person at the shop in front of us, or using our website?”

“Verifiable Credentials is an important tool to help with this.” They come from a trusted issuer, they’re tamper-proof, and because they are a W3C standard, they offer flexible integrations, which enable agility in identity architecture. “We can easily add or remove attributes we’re asking for, we can easily change issuers, we can change use cases without changing our  architecture.”

Biometrics, Esplin says, also play an important role for authentication. And, since Verifiable Credentials can help keep biometric data in a user’s control, Esplin says “Verifiable Credentials plus biometrics” is a potential solution to many identity related problems.

Article Topics

biometrics  |  digital ID  |  Dock  |  EIC 2025  |  KuppingerCole  |  self-sovereign identity  |  verifiable credentials  |  W3C  |  W3C standards  |  zero knowledge