Introduction to PingOne Credentials
The PingOne Credentials service is part of the PingOne Neo decentralized identity solution. It allows an issuer to create verifiable credentials and issue them to a compatible wallet app, eliminating the cost and management overhead of issuing physical credentials. For more information, see PingOne Neo.
The three parties that enable decentralized identity are:
- Issuer: The proprietor and issuer of official sources of data, such as college transcripts, vaccination status, or employment history.
- Verifier: Any individual or institution (service provider) with which a user chooses to share data that requires verification, such as sharing a driver license as proof of age or credit card information when applying for a loan.
- User: An individual who matches the issuance rule of a group, population, or SCIM filter and has a PingOne Credentials profile. Users can receive credentials from issuers, store them securely in their compatible wallet app, and use the app to share their credentials with verifiers.
Issuers and verifiers can be any entity that the user engages with, such as a university, an insurance company, employer, health provider, or a financial institution.
Users that need to receive or provide proof of a credential to these institutions might already have a record of their activity with that institution, which won’t change. However, if the user needs to share that record with another entity, traditionally they must allow the other entity (a verifier) to contact the original institution (the issuer) to get the information and confirm that it’s valid. This can be cumbersome, expensive, and time-consuming and could violate the user’s privacy if not managed properly.
Using decentralized identity, it’s possible for an issuer, such as a university or employer, to provide a verifiable credential about the user’s qualifications or employment to the user in the form of a digital credential that the user can store in their compatible wallet app. Because the credential is always with the user, the user can share that information with the new business to seek employment. The potential employer can verify the data for its authenticity in real-time without contacting the issuer, so there’s no further friction or exposure of privacy.
The issuer creates a credential in PingOne Credentials and attaches an issuance rule that automatically issues a verifiable credential to every user who matches a provided filter. The filter is based on Groups, Populations, or a SCIM filter. The issuer also defines the individual fields on the credential as key-value pairs to provide the appropriate details for the credential they are offering to their users.
Credential details will vary according to the industry and the specific credentials the issuer wants to offer. For example, in addition to name and date of birth, an insurance company might want to provide the type of insurance, policy number, and expiry date. A bank might want to include the bank account number and date of issue, and a university might want to include the type of degree obtained.
The PingOne Credentials service maintains a unique private key for each issuer within the PingOne environment. It uses the PingOne Neo SDK to create verifiable credentials in the backend.
To simplify the creation and issuance of credentials, PingOne Credentials wraps the API calls in a more consumable and user-friendly interface within the PingOne administrator console. This service also provides APIs that allow customers to interact programmatically and with additional customizations.
Credentials issued by this service can be shared:
- With other users through a compatible wallet app
- With custom QR codes that can be generated with the API calls
The following diagram shows examples of three different issuers, providing credentials to an individual user and the various ways a user can provide information to verifiers using these credentials:
- A medical provider issues a primary provider credential that includes details of the provider, date of last vaccination, and personal medical details. The user stores the certificate as a credential in their compatible wallet app. When a blood drive event requests proof of a primary care provider, the user can send it to them without providing all of the personal details it contains.
- A car insurer provides an insurance policy as a credential to a user. Credentials might include the user’s ID, date of birth, and medical status, but when a car rental service asks for the user’s insurance policy, the user can share just the policy number and expiry date.
- A university provides a degree certificate as a credential to the user. The user stores the credential in their compatible wallet app. The user can provide a potential employer with the full degree certificate (as well as any other qualifications their wallet app holds) immediately.
PingOne Credentials, along with a compatible wallet app, makes this verifiable exchange of data possible. You can use PingOne Credentials through the PingOne unified administrator console or through its API.
How PingOne Credentials works
Users: Download a compatible wallet app and create a digital identity profile
Each user is invited to install and pair their digital wallet by installing a customer-developed app running the PingOne Neo SDK. An email or SMS notification can be sent to the user with a link that takes the user to a customer site that helps them install the customer app.
After the app is installed, clicking the link prompts the user to complete digital wallet pairing. The SDK shares the application instance ID with PingOne Credentials, which stores it for future issued or revoked credentials.
Issuers: Create and issue a new credential in PingOne Credentials
- Creating a credential: In PingOne Credentials, an issuer creates a new custom credential. A credential defines the field attributes required to issue a credential, the fields displayed on the credential, and an identifying logo and relevant branding. The field values can be supplied by the issuer or taken partly from both the issuer and the user, such as their selfie and verified first and last name.
  The credential can be used to issue a credential to any group or population listed in PingOne Credentials.
- Issuing a credential to a user:
  1. The issuer creates a credential and defines an issuance rule that selects a group, a population, or a System for Cross-domain Identity Management (SCIM) filter to issue the credential to.
  2. Credentials are automatically sent to the digital wallet of each user who matches the issuance rule.
  3. If a user doesn’t have a digital wallet, a message is sent to invite the user to download the app.
  4. After the user downloads the app, the digital wallet is paired.
  5. When the user accepts the credential, it’s stored in their wallet app and can be shared with verifiers that request proof of a credential from the user.
- Revoking a credential: An issuer can revoke a user’s credentials remotely from PingOne Credentials. This ensures that wallet app credentials held by a user are always up-to-date.
  Based on the issuance rule, revocation happens automatically if a user’s directory attributes change. For example, if a user is removed from the group, population, or SCIM filter, their credentials are revoked.
  After a user’s credential is revoked, if the user attempts to share credential data with a verifier, the verifier will see that the issuer has invalidated the data. The issuer can always reissue the credential to the user if necessary.
Verifiers: Verifying a credential
When asked for proof of a credential, such as age, valid license, or insurance, the user can share some or all of the information on a credential with a verifier. If the user approves a verifier’s request, the user’s compatible wallet app shares the specific data and the signed certifications with the verifier.
The verifier can then independently assert the validity of the data by checking that the credential’s digital signature verifies against the issuer’s public key. This is done without requiring the verifier to communicate with the issuer directly, which gives the user a greater level of privacy because the issuer never becomes aware of the user’s interaction with the verifier. Additionally, the transaction can be done in real time.
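To make the verification step concrete, the following is an added example, not code from PingOne or the PingOne Neo SDK (this page does not describe the real credential format). It models the three parties with Ed25519 and salted SHA-256 field commitments, an assumed construction chosen because it also gives the selective sharing described above: the wallet reveals only some fields (say, policy number and expiry date) and the verifier checks them against the issuer's public key alone. The function names `Issue`, `Verify`, `commit` and `digest` are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"sort"
	"strings"
)

// commit hashes one field with a random salt; undisclosed fields stay hidden behind their hashes.
func commit(salt, field, value string) string {
	h := sha256.Sum256([]byte(salt + "|" + field + "|" + value))
	return hex.EncodeToString(h[:])
}

// digest fixes the field order so issuer and verifier hash identical bytes.
func digest(commitments map[string]string) []byte {
	var parts []string
	for f, c := range commitments {
		parts = append(parts, f+"="+c)
	}
	sort.Strings(parts)
	h := sha256.Sum256([]byte(strings.Join(parts, "\n")))
	return h[:]
}

// Issue (issuer side): salt and commit every field, then sign the digest with the
// issuer's private key. The wallet stores commitments, signature and salts.
func Issue(priv ed25519.PrivateKey, fields map[string]string) (map[string]string, []byte, map[string]string) {
	commitments, salts := map[string]string{}, map[string]string{}
	for f, v := range fields {
		s := make([]byte, 16)
		rand.Read(s)
		salts[f] = hex.EncodeToString(s)
		commitments[f] = commit(salts[f], f, v)
	}
	return commitments, ed25519.Sign(priv, digest(commitments)), salts
}

// Verify (verifier side): revealed holds only the fields the wallet chose to share, as {salt, value}.
// Only the issuer's public key is needed; the issuer is never contacted and never learns of the check.
func Verify(pub ed25519.PublicKey, commitments map[string]string, sig []byte, revealed map[string][2]string) bool {
	ok := ed25519.Verify(pub, digest(commitments), sig)
	for f, sv := range revealed { // each disclosed value must reproduce its commitment
		ok = ok && commit(sv[0], f, sv[1]) == commitments[f]
	}
	return ok
}
```

A tampered value, a foreign issuer key, or an altered commitment list all make `Verify` return false, while a genuine partial disclosure passes.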
PingOne Credentials example
As an issuer, BX Insurance Company wants to issue a car insurance policy as a credential to their customers (users) digitally. They want to include the customer’s picture, driver license ID, car insurance policy number, and the expiration date for the insurance policy.
The insurance company creates a credential in PingOne Credentials that includes the company logo, company branding, and all of the fields that they require for the type of insurance that they’re issuing.
They use the credential to issue insurance policy digital credentials that the user stores in their compatible wallet app.
If the user wants to rent a car, they can share digital insurance credential details with the car rental company. Likewise, if the user is involved in a traffic accident, they can share details with the other driver (a verifier) to prove that they have insurance and to verify that their policy is valid.
If the user’s insurance coverage stops before the expiration date specified during issuance, such as because of a lack of payment that renders the insurance invalid, BX Insurance Company can revoke the credential given to the user in real-time.
Sharing information from a digital wallet gives the verifiers the additional assurance that the information is up-to-date and represents the real-time status of the person’s insurance, something that a paper copy can’t provide.
PingOne Credentials allows BX Insurance Company to create numerous custom credentials for all the insurance policies that they want to cover, including:
- House insurance
- Health insurance
- Travel insurance
- Mortgages
After they create these credentials, they can issue them to their users.