How PingOne Credentials works
Users: Download a compatible wallet app and create a digital identity profile
Each user is invited to install and pair their digital wallet by installing a customer-developed app running the PingOne Neo SDK. An email or SMS notification can be sent to the user with a link that takes the user to a customer site that helps them install the customer app.
After the app is installed, clicking the link prompts the user to complete digital wallet pairing. The SDK shares the application instance ID with PingOne Credentials, which stores it for use when credentials are later issued or revoked.
Issuers: Create and issue a new credential in PingOne Credentials
- Creating a credential
In PingOne Credentials, an issuer creates a new custom credential. A credential defines the field attributes required to issue a credential, the fields displayed on the credential, and an identifying logo and relevant branding. The field values can be supplied by the issuer or taken partly from both the issuer and the user, such as the user's selfie and verified first and last name.
The credential can then be issued to any group or population listed in PingOne Credentials.
- Issuing a credential to a user
  - The issuer creates a credential and uses the issuance rule to select a group or population, or a System for Cross-domain Identity Management (SCIM) filter, to issue the credential to.
  - Credentials are automatically sent to the digital wallet of each user who is part of the issuance rule.
  - If a user doesn’t have a digital wallet, a message is sent to invite the user to download the app.
  - After the user downloads the app, the digital wallet is paired.
  - When the user accepts the credential, it’s stored in their wallet app and can be shared with verifiers that request proof of a credential from a user.
- Revoking a credential
An issuer can revoke a user’s credentials remotely from PingOne Credentials. This ensures that wallet app credentials held by a user are always up to date.
Based on the issuance rule, revocation happens automatically for users if a directory attribute changes. For example, if a user is removed from the group or population, or no longer matches the SCIM filter, their credentials are revoked.
After a user’s credential is revoked, if the user attempts to share credential data with a verifier, the verifier sees that the data is no longer considered valid by the issuer. The issuer can always reissue the credential to the user if necessary.
Verifiers: Verifying a credential
When asked for proof of a credential, such as age, valid license, or insurance, the user can share some or all of the information on a credential with a verifier. If the user approves a verifier’s request, the user’s compatible wallet app shares the specific data and the signed certifications with the verifier.
The verifier can then independently assert the validity of the data by checking whether the credential’s digital signatures match the issuer’s public key. This is done without requiring the verifier to communicate with the issuer directly. This creates a greater level of privacy for the user because the issuer never becomes aware of the user’s interaction with the verifier. Additionally, the transaction can be done in real time.
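The offline check described above, sketched as an added example; it is not PingOne code and does not reproduce the PingOne Credentials wire format. It assumes each claim carries its own Ed25519 signature from the issuer, so a wallet can share a subset; the function names, credential ID and sample claims are constructed for illustration.

```javascript
// Added example: constructed credential format, NOT the PingOne Credentials wire format.
const crypto = require('node:crypto');

// Canonical bytes for one claim, bound to the credential it belongs to.
function claimBytes(credentialId, name, value) {
  return Buffer.from(JSON.stringify([credentialId, name, value]), 'utf8');
}

// Issuer side (assumption): sign every claim separately so a subset can be shared.
function issueCredential(issuerPrivateKey, credentialId, claims) {
  const signed = {};
  for (const [name, value] of Object.entries(claims)) {
    const sig = crypto.sign(null, claimBytes(credentialId, name, value), issuerPrivateKey);
    signed[name] = { value, sig: sig.toString('base64') };
  }
  return { credentialId, claims: signed };
}

// Wallet side: share only the requested claims, each with its signature.
function present(credential, requested) {
  const disclosed = {};
  for (const name of requested) {
    const held = Object.prototype.hasOwnProperty.call(credential.claims, name);
    if (!held) throw new Error(`no such claim: ${name}`);
    disclosed[name] = credential.claims[name];
  }
  return { credentialId: credential.credentialId, claims: disclosed };
}

// Verifier side: needs only the issuer's public key, no call to the issuer.
// Reports which disclosed claims failed; an empty presentation is not valid.
function verifyPresentation(issuerPublicKey, presentation) {
  const failed = [];
  for (const [name, { value, sig }] of Object.entries(presentation.claims)) {
    const ok = crypto.verify(null, claimBytes(presentation.credentialId, name, value),
      issuerPublicKey, Buffer.from(sig, 'base64'));
    if (!ok) failed.push(name);
  }
  const shared = Object.keys(presentation.claims).length;
  return { valid: shared > 0 && failed.length === 0, failed };
}

// Constructed sample data.
const issuer = crypto.generateKeyPairSync('ed25519');
const credential = issueCredential(issuer.privateKey, 'cred-001',
  { firstName: 'Alex', lastName: 'Doe', over21: true });
const presentation = present(credential, ['over21']);
console.log(verifyPresentation(issuer.publicKey, presentation));
```

A passing signature only shows that the issuer signed the disclosed value; whether the credential has since been revoked is a separate check that this sketch does not cover.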