Refining credential presentation flows: Bridging the gap between technical and business perspectives

June 12, 2024

Introduction

Verifiable credentials are transforming how we establish trust in digital interactions. Central to maximizing their utility is the method of presentation. While these methods are commonly segmented into "online" and "in-person" channels, such terminology is insufficiently precise for the technical standards community, which seeks to foster a nuanced understanding of these flows.

Recent developments, including significant contributions from industry leaders, highlight the need for refined terminology to keep pace with evolving technologies. This article delves into these presentation frameworks, proposing a clearer vocabulary and understanding of different use cases and their underlying technologies.

Understanding Presentation Flows: Same-device vs. Cross-Device

Credential presentation flows involve two parties—the holder of a verifiable credential (typically stored in a digital wallet application), and the verifier (or relying party), who verifies the credential presentation shared by the holder’s digital wallet. One practical approach to understanding credential presentation flows is to categorise them into two main types: same-device and cross-device flows.

Same-device flows are when the verifier and wallet applications are housed on the same device. Conversely, cross-device flows involve two distinct devices: one with a verifier application sending a presentation request, and the other with a wallet application providing the requested information in response.

Same-device flows

Same-device flows have few variations. They predominantly rely on platform features such as URL redirects, custom URL schemes or app links to hand control from the verifying application to the wallet application and back. The protocols underlying this flow generally allow both the verifier and the wallet to be either platform-native or web-based applications.

For example, consider a scenario where a user attempts to execute a financial transaction through their mobile banking app. Upon initiating the transaction, the banking app requests proof of the user's identity. The digital wallet receives this request and seeks the holder's consent to send a presentation response containing a matching credential, such as a driver's license, national ID card or passport.

Upon receiving consent, the wallet signs the presentation response with the holder's private key, the key to which the issuer bound the credential at issuance. This private key is typically stored in the mobile platform's secure key store and must be unlocked through a platform authentication method such as Face ID or Touch ID before it can be used.

The wallet then sends the presentation response to the verifier, who verifies both the credential (the issuer's signature over it) and the presentation's signature. If the presentation signature verifies under the public key the issuer bound into the credential, the verifier can confirm that the presentation came from the device the credential was issued to; this check is commonly called holder binding. The signed presentation should also cover a nonce chosen by the verifier for this request, so that a captured presentation cannot simply be replayed later.

With authentication confirmed, the transaction proceeds, all within the confines of the user's single mobile device.
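As an added example (not MATTR's code, and not any particular specification's credential format), the following Go program models the holder-binding check just described using ed25519 signatures from the standard library. The credential and presentation structures, the hypothetical issuer identifier `did:example:dmv`, the nonce values and the audience string `bank-app` are simplified stand-ins for illustration; a real wallet and verifier would exchange a standardised envelope such as JWS rather than raw JSON, but the three checks the verifier performs (issuer signature, freshness, holder binding) are the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is a simplified, hypothetical format used for this example only.
// The issuer signs the claims together with the holder's public key; that is
// what binds the credential to the holder's device.
type Credential struct {
	Issuer    string            `json:"issuer"`
	Claims    map[string]string `json:"claims"`
	HolderKey []byte            `json:"holder_key"` // ed25519 public key of the holder's device
}

type SignedCredential struct {
	Credential Credential `json:"credential"`
	IssuerSig  []byte     `json:"issuer_sig"`
}

// Presentation echoes the verifier's nonce and audience so that a captured
// presentation cannot be replayed to a different verifier or request.
type Presentation struct {
	Credential SignedCredential `json:"credential"`
	Nonce      string           `json:"nonce"`
	Audience   string           `json:"audience"`
}

type SignedPresentation struct {
	Presentation Presentation `json:"presentation"`
	HolderSig    []byte       `json:"holder_sig"`
}

// mustJSON gives a deterministic byte string to sign (encoding/json sorts map keys).
func mustJSON(v any) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return b
}

// Issue binds the credential to holderPub by signing it alongside the claims.
func Issue(issuerPriv ed25519.PrivateKey, issuer string, claims map[string]string, holderPub ed25519.PublicKey) SignedCredential {
	c := Credential{Issuer: issuer, Claims: claims, HolderKey: holderPub}
	return SignedCredential{Credential: c, IssuerSig: ed25519.Sign(issuerPriv, mustJSON(c))}
}

// Present is the wallet side: the device key (unlocked via Face ID/Touch ID in a
// real wallet) signs the credential together with the request nonce and audience.
func Present(holderPriv ed25519.PrivateKey, sc SignedCredential, nonce, audience string) SignedPresentation {
	p := Presentation{Credential: sc, Nonce: nonce, Audience: audience}
	return SignedPresentation{Presentation: p, HolderSig: ed25519.Sign(holderPriv, mustJSON(p))}
}

// Verify is the verifier side: issuer signature, then freshness (nonce and
// audience), then holder binding against the key the issuer put in the credential.
func Verify(sp SignedPresentation, trustedIssuers map[string]ed25519.PublicKey, expectedNonce, expectedAudience string) error {
	sc := sp.Presentation.Credential
	issuerPub, ok := trustedIssuers[sc.Credential.Issuer]
	if !ok {
		return errors.New("unknown issuer")
	}
	if !ed25519.Verify(issuerPub, mustJSON(sc.Credential), sc.IssuerSig) {
		return errors.New("issuer signature invalid")
	}
	if sp.Presentation.Nonce != expectedNonce || sp.Presentation.Audience != expectedAudience {
		return errors.New("nonce or audience mismatch (possible replay)")
	}
	if len(sc.Credential.HolderKey) != ed25519.PublicKeySize {
		return errors.New("malformed holder key")
	}
	if !ed25519.Verify(ed25519.PublicKey(sc.Credential.HolderKey), mustJSON(sp.Presentation), sp.HolderSig) {
		return errors.New("holder binding failed: not signed by the device the credential was issued to")
	}
	return nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"did:example:dmv": issuerPub} // hypothetical issuer id
	cred := Issue(issuerPriv, "did:example:dmv", map[string]string{"given_name": "Ada", "over_18": "true"}, holderPub)

	good := Present(holderPriv, cred, "n-1", "bank-app")
	fmt.Println("legitimate holder:", Verify(good, trusted, "n-1", "bank-app"))
	// Same credential presented from a different device: the binding check fails.
	fmt.Println("stolen credential:", Verify(Present(attackerPriv, cred, "n-1", "bank-app"), trusted, "n-1", "bank-app"))
	// Valid presentation reused against a later request: the nonce check fails.
	fmt.Println("replayed:", Verify(good, trusted, "n-2", "bank-app"))
}
```

The order of checks matters: the verifier must not trust the holder key in the credential until the issuer signature over that credential has been verified, otherwise an attacker could simply substitute their own key.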

Cross-device flows

Cross-device flows cater to a wider array of use cases and, although they all fall under the umbrella of cross-device interactions, they possess distinctive characteristics. These differences are defined by the specific capabilities each flow enables, the foundational assumptions they rely on, the technological infrastructure they utilize, and their inherent limitations.

Device control

Cross-device flows can involve two devices controlled by the same person or by different people. As long as two different devices are involved, the flow is still considered cross-device.

One such typical cross-device presentation flow involves a verifier operating a mobile device with a verification app to verify a credential stored in a digital wallet on a holder's mobile device. For example, a police officer can use a verification application installed on their mobile device to inspect and verify a drivers’ licence presented as a digital credential from the driver’s own mobile device.

It is important to call out that variations in device control do not change the classification of a flow as cross-device. For example, a user might use a web browser on their laptop to initiate a financial transaction on their bank's online portal. When asked for proof of address as part of the interaction, they can use their mobile device to present a matching credential. Even though a single user owns and controls both devices, this interaction is still a cross-device flow.

Applications variability

Cross-device flows offer substantial versatility across varying technological platforms, supporting a broad spectrum of applications from native mobile apps to web applications and even bespoke hardware systems. While they are all used to implement cross-device flows, each employs distinct underlying technologies and capabilities.

For example, one current hurdle is that web applications cannot access platform-specific APIs (such as the Bluetooth radio), which poses notable security challenges for web-based cross-device flows: without such access it is hard to prove that the two devices are physically close to each other. Efforts by industry leaders are under way to let the web interact with underlying platform APIs, but until these advances are rolled out, implementations will need to work within these constraints.

Cross-device flows in web applications are currently limited from a security perspective because it is challenging to establish physical proximity between devices without platform access.

Connectivity requirements

Cross-device flows support both online and offline interactions

Variability in cross-device flows often extends to their internet connectivity needs, which are dictated by the particular demands of the use case or by anticipated usage patterns. For instance, certain applications, like real-time data verification, necessitate an uninterrupted online connection, while others, such as the verification of a mobile driver’s license in remote areas, may be designed to function offline. It’s crucial to recognize this aspect as distinct from the general concept of cross-device flows; an offline cross-device flow presents a set of challenges and capabilities that differ markedly from those of an online-dependent implementation.

Cross-device flows exhibit versatility through their ability to combine different technological approaches and connectivity modes, adapting to the functional requirements of the task at hand. While this adaptability allows for the creation of nuanced, application-specific patterns, it is important to identify the similarities and differences between each pattern, as these are likely to influence implementation architecture and development.

Where Standards fit in

The diversity of presentation flow patterns, particularly in cross-device scenarios, can complicate the development of robust verification systems. Here, the role of standards becomes pivotal. Well-crafted and well-implemented standards should ensure the seamless operation of cross-device flows regardless of device ownership, the applications in use, and the availability of internet connectivity. Two emerging standards are OpenID for Verifiable Presentations (OID4VP) and ISO 18013-5, which establishes interface specifications for mobile driver's licences (mDLs).

OID4VP

This specification is designed to accommodate both same-device and cross-device flows. All cross-device flows are inherently vulnerable to phishing: a request that is meant to be scanned or opened on a nearby device can be relayed to a victim elsewhere, and the resulting presentation is valid for the attacker's session. When both parties use native apps this risk is mitigated by verifying physical proximity between the two mobile devices during the verification flow. However, because OID4VP also supports cross-device flows in a web context, proximity assurance is hard to establish there due to the limited access web applications have to platform resources. This limitation is expected to be addressed with the forthcoming integration of CTAP, a component of the FIDO protocols. That integration would allow browser APIs to transmit credentials over the internet while using Bluetooth to confirm that the two devices are near each other, which implies a dependency on internet availability for such presentation flows.
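The following Go program is an added example, not MATTR's code and not an implementation of the OID4VP specification. It models the verifier-side bookkeeping that a cross-device OID4VP-style flow needs: minting a state and nonce for each request, producing the request URI that is rendered as a QR code, parsing it on the wallet side, and accepting the wallet's posted response only once and only within a time window. The query parameter names follow OID4VP's cross-device (direct_post) flow, but the `openid4vp://` URI form, the `https://bank.example` URLs, the two-minute window and the placeholder `presentation_definition` value are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"sync"
	"time"
)

// pendingRequest is one outstanding cross-device request shown as a QR code
// but not yet answered by a wallet.
type pendingRequest struct {
	nonce   string
	expires time.Time
}

// RequestStore is the verifier's record of outstanding requests keyed by state.
type RequestStore struct {
	mu      sync.Mutex
	pending map[string]pendingRequest
	ttl     time.Duration
}

func NewRequestStore(ttl time.Duration) *RequestStore {
	return &RequestStore{pending: map[string]pendingRequest{}, ttl: ttl}
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// NewRequest mints a fresh state and nonce, records them with an expiry, and
// returns the request URI the verifier renders as a QR code plus the state.
// Parameter names follow OID4VP; presentation_definition is a placeholder.
func (s *RequestStore) NewRequest(clientID, responseURI string, now time.Time) (string, string) {
	state, nonce := randomHex(16), randomHex(16)
	s.mu.Lock()
	s.pending[state] = pendingRequest{nonce: nonce, expires: now.Add(s.ttl)}
	s.mu.Unlock()
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("response_type", "vp_token")
	q.Set("response_mode", "direct_post")
	q.Set("response_uri", responseURI)
	q.Set("nonce", nonce)
	q.Set("state", state)
	q.Set("presentation_definition", `{"id":"proof-of-address"}`) // placeholder, not a real definition
	return "openid4vp://?" + q.Encode(), state
}

// ParseRequest is the wallet side: it extracts what the wallet needs to respond.
func ParseRequest(uri string) (responseURI, nonce, state string, err error) {
	u, err := url.Parse(uri)
	if err != nil || u.Scheme != "openid4vp" {
		return "", "", "", errors.New("not an openid4vp request URI")
	}
	q := u.Query()
	if q.Get("response_mode") != "direct_post" || q.Get("nonce") == "" || q.Get("state") == "" {
		return "", "", "", errors.New("missing required parameters")
	}
	return q.Get("response_uri"), q.Get("nonce"), q.Get("state"), nil
}

// AcceptResponse handles the wallet's POST to response_uri: it looks the request
// up by state, consumes it so it can only be answered once, rejects it if the
// window has expired, and checks that the nonce the wallet signed over is the one issued.
func (s *RequestStore) AcceptResponse(state, presentedNonce string, now time.Time) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	req, ok := s.pending[state]
	if !ok {
		return errors.New("unknown or already-used state")
	}
	delete(s.pending, state) // one-shot, consumed on success and failure alike
	if now.After(req.expires) {
		return errors.New("request expired")
	}
	if req.nonce != presentedNonce {
		return errors.New("nonce mismatch")
	}
	return nil
}

func main() {
	store := NewRequestStore(2 * time.Minute)
	now := time.Now()
	uri, _ := store.NewRequest("https://bank.example/verifier", "https://bank.example/vp/response", now)
	respURI, nonce, state, err := ParseRequest(uri) // the wallet scans the QR code
	fmt.Println("wallet posts to", respURI, "parse error:", err)
	fmt.Println("first response:", store.AcceptResponse(state, nonce, now.Add(10*time.Second)))
	fmt.Println("replayed response:", store.AcceptResponse(state, nonce, now.Add(20*time.Second)))
}
```

The nonce would be covered by the holder's signature on the actual presentation; this store only decides whether a response matches a live request. Note what it does not do: a relayed QR code still produces a response with the correct state and nonce, so this bookkeeping narrows the replay and timing window but cannot detect relay. That is the gap the proximity check described above is meant to close.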

ISO 18013-5

This specification is tailored to cross-device flows for presenting and verifying mobile driver's licences between two mobile devices, with an emphasis on offline functionality. Nonetheless, with the potential integration of CTAP, subsequent updates to this specification may introduce support for online presentation.

Bridging Technology and Business needs

As the landscape of verifiable credentials expands, understanding and correctly implementing the underlying technology becomes crucial. Stakeholders often focus more on use cases and implementation patterns, potentially overlooking how these choices map to technical capabilities. This section aims to map common business terminology with their corresponding technological considerations and presentation flows:

  • Online presentation: Commonly denotes a pattern where verification is conducted via a web application, independent of the user's physical location. It accommodates both same-device and cross-device flows and requires internet access.
  • In-person presentation: Typically refers to a pattern where a cross-device flow takes place between two devices that are controlled by two different people (i.e. a holder and a verifier). This workflow can take place with or without internet connectivity.
  • Supervised presentation: This phrase is often associated with scenarios where a verifier physically oversees the verification result as part of the process. This oversight can be carried out either in person or remotely.

Summary

As we advance, refining our approach to credential presentation frameworks is vital. By aligning technical standards with business applications, we can enhance interoperability and user experience. This alignment not only simplifies technology adoption but also clarifies the potential and limitations of different frameworks for all stakeholders involved.
