The Quiet Corner of Web3 That Means Business
While the metaverse still lacks legs and crypto stumbles, managers who are keeping an eye on Web3 can learn from promising implementations of decentralized credentials.
Executives are hearing a lot about Web3, a blockchain-based road map for the future internet whose building blocks include cryptocurrencies, non-fungible tokens, decentralized autonomous organizations, and, perhaps most famously, the persistent virtual worlds that the so-called metaverse comprises. It’s early days for most of these developments — but leaders who want to be out in front on emerging technologies should take note of decentralized credentials, one of the quieter but more promising applications under the Web3 umbrella.
While not every organization will need to build a brand in a metaverse or transact with cryptocurrencies, all organizations manage credentials as issuers, holders, and verifiers. Every organization issues credentials to employees, customers, suppliers, and partners; an account for identity management is the most ubiquitous credential issued. Every organization holds multiple credentials, such as a license to operate, taxpayer identification, and securities registration. Every organization verifies proof of credentials from employees, customers, suppliers, and partners. These three roles, along with a governing authority, form a credentials ecosystem. Today, organizations manage their credentialing needs with centralized databases or by paying trusted third parties. Solutions are often expensive, slow, frustrating to use, and fraught with cybersecurity risks. Let’s not forget that the 2020 SolarWinds breach that affected hundreds of U.S. government organizations and businesses was enabled by stolen log-in credentials.
Decentralization empowers holders to control their own credentials via a digital wallet. It’s up to the holder to accept a digital credential offered to them by an issuer or to provide proof of a credential to a verifier. Privacy is enhanced because holders often need to present only a part of a credential to a verifying organization. For example, customers ordering a beer at a pub can prove they are of legal drinking age without revealing other information that may be found on a driver’s license, such as their name, exact birth date, disability status, or home address.
For verifiers, decentralized credentials are efficient because digital verification happens in seconds, without the need to contact the issuer directly. One of the most promising use cases is onboarding new employees. Hiring companies spend significant resources to verify a job candidate’s background. On average, it costs $4,129 per hire, but the price tag can be as high as $40,000 per position for highly skilled workers.1 Issuers can generate credentials once, with no need to recertify unless the credential has expired or changed.
Decentralized credentials also offer enhanced privacy because they’re stored in digital wallets rather than in centralized databases, which are attractive targets for cyberthieves.
How Decentralized Credentials Work
Digital wallets are used to orchestrate interactions among issuers, holders, and verifiers of decentralized credentials. The wallets manage peer-to-peer relationships between two parties, such as an issuer and a holder, or a holder and a verifier. Both sides must agree that they want to be connected, and either side can terminate the connection at any time.
Once a peer-to-peer relationship has been established, transactions can take place. Issuers can send digitally signed credentials to holders, and holders can send proof of credentials to verifiers. The verifier’s wallet pings a distributed trust registry (normally a blockchain) to ensure that the issuer, and only the issuer, could have digitally signed the credential.
Under the hood, the digital wallets and distributed trust registries can make use of decentralized identifiers. A wallet can create as many decentralized identifiers as needed. Each identifier is controlled by a private-public key pair. The private key resides in the wallet. Issuers, holders, and verifiers use one of their public keys to establish a peer-to-peer connection; issuers create digital credentials for one of the holder’s public keys, and issuers sign credentials with one of the issuer’s private keys.2
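The following Go program is an added illustration of the three roles just described, not code from the article or from any of the NHS, British Columbia, or Bonifii deployments. It assumes a plain map standing in for the distributed trust registry, hypothetical did:example identifiers, Ed25519 signatures, and a salted-hash commitment per claim so the holder can prove "over 18" to a pub without revealing the birth date, as in the earlier example; the real wallets and networks in the cases may use different signature suites.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// TrustRegistry stands in for the distributed trust registry: issuer DID -> posted public key.
type TrustRegistry map[string]ed25519.PublicKey

// Credential is the issuer-signed artefact in the holder's wallet; each claim is
// committed as a salted hash, so nothing is revealed until the holder discloses it.
type Credential struct {
	Issuer, Subject string            // DIDs; did:example is a hypothetical method
	Digests         map[string]string // claim name -> hex(sha256(salt|name|value))
	Sig             []byte
}

// Disclosure is the holder's choice: one claim value plus the salt that opens its digest.
type Disclosure struct{ Name, Value, Salt string }

func digest(salt, name, value string) string {
	h := sha256.Sum256([]byte(salt + "|" + name + "|" + value))
	return hex.EncodeToString(h[:])
}

// signingInput is what the issuer signs and the verifier checks (sorted for determinism).
func signingInput(c Credential) []byte {
	names := make([]string, 0, len(c.Digests))
	for n := range c.Digests {
		names = append(names, n)
	}
	sort.Strings(names)
	s := c.Issuer + "|" + c.Subject
	for _, n := range names {
		s += "|" + n + "=" + c.Digests[n]
	}
	return []byte(s)
}

// Issue (issuer role) commits each claim under a fresh random salt, signs the
// commitments with the issuer's private key, and returns the salts for the holder's wallet.
func Issue(issuerDID string, priv ed25519.PrivateKey, subjectDID string, claims map[string]string) (Credential, map[string]string, error) {
	c := Credential{Issuer: issuerDID, Subject: subjectDID, Digests: map[string]string{}}
	salts := map[string]string{}
	for n, v := range claims {
		raw := make([]byte, 16)
		if _, err := rand.Read(raw); err != nil {
			return Credential{}, nil, err
		}
		salts[n] = hex.EncodeToString(raw)
		c.Digests[n] = digest(salts[n], n, v)
	}
	c.Sig = ed25519.Sign(priv, signingInput(c))
	return c, salts, nil
}

// Verify (verifier role) resolves the issuer in the registry, checks the signature
// over all commitments, then opens only the disclosed ones. Undisclosed claims stay hidden.
func Verify(reg TrustRegistry, c Credential, disclosed []Disclosure) (map[string]string, error) {
	pub, ok := reg[c.Issuer]
	if !ok {
		return nil, errors.New("issuer DID not found in trust registry")
	}
	if !ed25519.Verify(pub, signingInput(c), c.Sig) {
		return nil, errors.New("signature does not verify under the issuer's registered key")
	}
	out := map[string]string{}
	for _, d := range disclosed {
		if c.Digests[d.Name] != digest(d.Salt, d.Name, d.Value) {
			return nil, errors.New("disclosed claim " + d.Name + " does not match the credential")
		}
		out[d.Name] = d.Value
	}
	return out, nil
}

func main() {
	// Constructed walk-through: the pub (verifier) learns "over_18" but never sees the birth date.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg := TrustRegistry{"did:example:dmv": pub} // the issuer posted its public key
	claims := map[string]string{"name": "A. Holder", "birth_date": "1990-01-01", "over_18": "true"}
	cred, salts, _ := Issue("did:example:dmv", priv, "did:example:holder", claims)
	shown := []Disclosure{{"over_18", claims["over_18"], salts["over_18"]}} // holder's choice
	fmt.Println(Verify(reg, cred, shown))
}
```

Note that the verifier never contacts the issuer: the registry lookup plus the signature check is the whole trust decision, and a credential signed by any key other than the one the issuer posted is rejected.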
While decentralized credentials are still early in their maturity curve, with only a few implementations, leaders should learn about them now while keeping one eye on other Web3 technologies. (See “Envisioning the Next Web.”) The main challenge — beyond concerns about the technology’s immaturity — is convincing the ecosystem participants to adopt decentralized credentials; training issuers, holders, and verifiers in new processes and technologies; and scaling the solution. Two recent standards from the World Wide Web Consortium (W3C) provide a framework for credential privacy, security, and interoperability.3 While it’s still too soon to make definitive prescriptions, our research shows that live production pilots have had encouraging results.
Below, we share stories and insights from three live but small implementations of decentralized credentials by the National Health Service (NHS) England, the Canadian province of British Columbia, and a U.S.-based consortium of financial credit unions. Each implementation addresses specific pain points in its credentialing ecosystem as part of a larger strategic initiative.
NHS England’s Digital Staff Passport for Enabling Staff Movement
Credential issuers: NHS England’s employing organizations
The reason for adoption: NHS England needed to move staff members among work sites quickly and safely during the COVID-19 pandemic. The solution, called the COVID-19 Digital Staff Passport, is part of its strategic people plan. NHS England comprises over 200 organizations (such as hospitals) operating as independent units, each with its own human resources systems. Staff members (doctors, nurses, and others) move around frequently, making more than 1 million transfers per year. In the past, each time an employee moved within the system, HR spent days verifying a slew of credentials: diplomas, training certificates, professional registration licenses, specific medical certifications, results of criminal background checks, and prior employment credentials. The paperwork involved was nightmarish. For just the doctors in training — a small segment of all transfers — the working time lost while they waited for credentials to be verified added up to a significant sum that was estimated to be in the millions of pounds sterling per month.4
The adoption journey: In 2019, NHS England convened ecosystem partners to work on the pilot solution, including NHSX (a joint unit between the U.K.’s Department of Health and Social Care, NHS England, and NHS Improvement), the U.K.’s General Medical Council, several NHS hospitals, and technology providers. The team adopted the W3C’s verifiable credential standard and used a commercial product from Avast (formerly Evernym) as the digital wallet. For the pilot, NHS England chose the Sovrin Network for verifying that the issuer had signed the credential.5 The Digital Staff Passport was launched in the summer of 2020 to help with staff movements during the pandemic.
Only existing NHS staff members are eligible to participate in the pilot, and adoption is voluntary. HR serves as the primary recruitment and training channel, since every transfer begins and ends with a visit to HR. The department is also best positioned to ensure that the hospital generates digital credentials for the correct employee, a process called identity binding.
At the exiting hospital, HR explains the benefits of the Digital Staff Passport: faster onboarding, carrying all required credentials in one convenient place on their phones, providing backup and recovery of their credentials in case their phone is lost or damaged, and controlling who sees their credentials. The NHS employee downloads the wallet onto their phone, and HR sends the employee’s wallet a request for a peer-to-peer connection. After the employee accepts the request, HR invites them to load their credentials into their wallet. Each credential essentially certifies, “This is an employee of the originating hospital, and we have already vetted their credentials for X, Y, and Z.” At this point, the employee possesses a loaded wallet and controls with whom they will share their credentials. Now the employee can easily transfer from hospital to hospital as needed. At each new hospital, the employee sends HR proof of credentials that is machine-verified to ensure that an authorized issuer digitally signed the employee’s credentials. The staff member is now ready to care for patients.
Results so far and next steps: As of November 2022, 105 NHS organizations had registered to use the system.6 NHS England has reported promising results, though it has not published any statistics. We estimate that over 1,000 employees were onboarded with the Digital Staff Passport. NHS England has achieved cost savings from reduced administrative burden, increased staffing flexibility through easier transfers, and better health care services because employees are able to spend more time with patients. The employees have reported benefits from possessing all of their credentials in one place and having the ability to control the application at every step. Philip Graham, digital program director at Blackpool Teaching Hospitals, a leading NHS organization, said, “The solution enabled the rapid movement of staff during the pandemic and is still being used as part of COVID recovery activities. One of the next steps is to implement a strategic Digital Staff Passport with the interoperability of digital wallets, based on standards, to avoid vendor lock-in and put the staff member in control.”
British Columbia’s Verifiable Credentials for Businesses and Citizens
Credential issuers: The province of British Columbia (BC)
The reason for adoption: Digital credentials are part of the province’s strategy to improve its ability to deliver services in the digital economy. John Jordan, executive director of the BC Digital Trust Service, explained that “online services” for many agencies often means emailing copies of credentials like registrations, licenses, passports, and permits, resulting in higher risks for fraud and identity theft. In such a scenario, government is not fulfilling its role to provide the digital foundation for businesses and citizens to help them easily lease property, open a bank account, apply for loans, seek insurance, and conduct other transactions that require onerous proof of registrations, licenses, or permits, Jordan said.
BC aims to create more open, trusted, and easy-to-use credentials for its businesses and citizens. It sees the move to digital credentials as the next evolution of credentials from handwritten documents decades ago and from more recent hard-to-counterfeit documents with seals and watermarks. It chose decentralized digital credentials based on the model created by the Linux Foundation’s Trust Over IP Foundation.7
The adoption journey: BC started adopting digital credentials in 2018 with business registrations. As the issuer of these credentials, the province could easily create digital versions. Importantly, business registrations are in the public domain, so there was no unease about working with personally identifiable information in the pilot project.
The team comprised a manager and several developers. They first built the BC wallet with a web-based user interface for holders and verifiers, but they ran into a snag: With millions of business registrations in the province’s wallet, searching for a particular business was slow. BC needed an enterprise-grade digital wallet, so it launched a successful 50,000 Canadian dollar ($37,000) public competition to build it as open-source software. (The province is holding the credentials on behalf of businesses for this first step. Ideally, in the future, authorized representatives of businesses will have their own wallets.) Like the NHS, the team chose the Sovrin Network to verify digital signatures. The solution, called OrgBook, was launched in 2019.8 Now anyone can search the website to find verifiable business registrations.
In addition to the province’s business registration credentialing initiative, in which it is an issuer, BC piloted a solution where the government acts as a verifier. For this credentialing ecosystem, the Law Society is the issuer of membership credentials; 100 lawyers were selected as the holders for the pilot, and the Justice Services Branch of the Ministry of Attorney General is the verifier. This initiative facilitates the credentialing process that allows lawyers to access recorded court sessions and obtain other classified documents from the government. In September 2022, BC deployed its own digital wallet as a soft launch; anyone can download the wallet app on their phone and follow instructions to practice receiving and sharing fictitious credentials in preparation for a future rollout with real credentials.9
Results so far and next steps: Jordan described the province’s decentralized credentials adoption journey as a “responsible and respectful rollout” overall. Incremental value is delivered with each step, such as providing a free public service for anyone to search, find, and validate business credentials. BC — in cooperation with other jurisdictions — plans to develop its own distributed trust registry. “When verifiable credentials take off, it becomes critical infrastructure that the government should provide for its citizens so that they can confidentially conduct their digital lives,” Jordan said.
Bonifii’s MemberPass for Credit Union Members
Credential issuers: Credit unions
The reason for adoption: Bonifii is a service organization that supports 70 U.S.-based credit unions. The credit unions sought more secure and trusted digital services. Their centralized identity systems, based on accounts and passwords, kept getting more onerous as members needed to use two- or three-step authentication. Scammers increasingly sent members fraudulent texts or email messages, increasing the risks of identity theft and fraud. Decentralized credentials offered a better way for the credit unions to verify members and for members to verify that they were in fact interacting with their credit unions.
The adoption journey: Bonifii, three credit unions, and a technology provider first tackled proof of membership and started to develop MemberPass in 2019. As in the previous two cases, the Sovrin Network serves as the public registry to verify digital signatures. Sovrin is based on the Trust Over IP Foundation’s and FIDO (Fast ID Online) Alliance’s principles.10 MemberPass claims to be “the first [Know Your Customer]-compliant member-controlled digital identity issued by credit union cooperatives.”11
The digital credential was kept simple: It provided machine-verifiable proofs of member ID number, credit union name, and membership activation date. The credit unions first recruited current members to adopt the credential when they visited a branch. Soon after launch, they enabled phone enrollment. MemberPass can now be used in person, at a branch, at ATMs, on phone calls to call centers, and online.12
Results so far and next steps: By the second quarter of 2021, seven credit unions were participating and over 22,000 members had downloaded the MemberPass wallet. By the first quarter of 2022, 10 credit unions had joined the effort and the number of adopters had increased fivefold. For members, the key benefits are convenience and confidence that they are dealing with their credit unions and not with fraudsters. The benefits for the credit unions are more efficient transactions, reduced risk of fraud, and more trusted relationships with members.
A new version of MemberPass with additional features was released in August 2022. Credit unions and Bonifii continue to work on scaling MemberPass to a target population of 6.5 million members. Overall, scaling the technology has been slow. John Ainsworth, CEO of Bonifii, said to us in 2022 that “decentralized credentials are still early days but will be a crucial part of Web3.”
Insights From the Pioneer Cases and Beyond
As the three cases demonstrate, implementations show promising results for all roles in the credentials ecosystem: Holders possess and control who sees their credentials; issuers can generate credentials once, with no need to recertify unless the credential changes or is revoked; and verifiers can validate credentials in seconds. (See “Key Roles in Credentials.”) In these cases, transaction costs are low for issuers and free for holders and verifiers.13 At the ecosystem level, cybersecurity benefits arise from managing relationships with peer-to-peer connections instead of with centralized accounts and passwords, and from storing credentials on edge devices in digital wallets rather than in centralized databases.
While these results are promising, we wondered whether a centralized solution could have delivered similar outcomes, so we asked the pioneers. For the NHS, integrating and centralizing HR records from 1,200 hospitals would be technically and politically prohibitive. Furthermore, decentralization means that hospitals do not relinquish control. Bonifii is in a similar situation, since credit unions are independent. In Canada, a centralized solution would not be appropriate, as the provinces are the authoritative issuers of credentials such as birth certificates, driver’s licenses, and business registrations.
Despite the promised value, there are significant adoption challenges to overcome, such as recruiting ecosystem partners, managing change, and scaling the solution to support increased participation and additional types of credentials. Interoperability and technical immaturity also raise concerns. Here’s our take on adoption at this point:
1. Get started with issuers, which are best positioned to lead adoption. Unlike most software applications that are adopted within organizational boundaries, decentralized credentials work only if an entire ecosystem adopts it. To jump-start a solution, there must be authorized credentials available, so it makes sense that issuers led the pilots in all three of the cases above, with support from the governing authorities. In both the NHS and Bonifii cases, the hospitals and credit unions (respectively) are simultaneously issuers and verifiers, thus reducing the recruitment effort.
2. Don’t boil the ocean: Start with a subset of issuers, holders, and verifiers. Starting with a subset of adopters allows the development team to deliver a solution fast. If successful, the team proves the value to the larger ecosystem. NHS England started with just a fraction of its 1,200 hospitals and staff members. Bonifii started with three credit unions and a small percentage of members. As the issuer, the province of British Columbia started with business registrations for its first service. For another service, it included one issuer (the Law Society), one verifier (the Justice Services Branch of the Ministry of Attorney General), and 100 lawyers.
3. Make holder adoption voluntary and onboarding easy. Holders need to understand how they would benefit from adopting a digital wallet. Once they agree to try the solution, they must download the correct digital wallet and learn how to accept connection requests, load credentials from issuers, and share proof of credentials with verifiers. Issuers in two cases recruited, trained, and performed the important first step of identity binding at the point of service. For NHS England, identity binding took place when a staff member was about to be transferred; for MemberPass, it occurred when a member visited a credit union branch. Initially, each organization recruited and trained holders one at a time. Eventually, additional communication and onboarding channels were added, such as websites, promotional videos, and email invitations.
4. Consider interoperability: Will standards save us? While all three cases used the Sovrin Network to verify digital signatures because, as multiple research participants told us, “it was the only decentralized credentials network that existed at the time,” over 100 competing networks are underway.14 Interoperability will be a problem if networks operate as islands. Also, only a few digital wallets are commercially available, with many more anticipated. Research participants fear that organizations may replace a plethora of accounts and passwords with a plethora of digital wallets. This may evolve to look like the many apps we all have on our smartphones today.
Many standards organizations are working directly or tangentially on decentralized credentials, such as for the use of biometrics for identity binding. The standards landscape includes the W3C for decentralized identifiers and verifiable credentials; the Trust Over IP Foundation for white papers, specifications, and recommendations for wallets to be interoperable with any distributed trust registry; the Decentralized Identity Foundation for an interoperable and open ecosystem; FIDO for authentication on edge devices such as smartphones; and the International Standards Organization for several related standards, including one around mobile driver’s licenses. Standards may complement or compete with one another, depending on how they develop.
5. Consider scalability: Should governments take the lead? So far, there are no scaled solutions. Because so many of society’s bedrock credentials come from governments, many experts we spoke with argued that governments must step up and invest in decentralized credentials as part of an international digital infrastructure. After all, the U.S. government assumed a similar role in the past by funding and supporting the development of the internet in its nascent stages.
Perhaps the most interesting government-led initiative is the European Digital Identity Wallet project. Cross-border identity authentication has long been a challenge in Europe, where each country issues unique credentials and privacy concerns are paramount. The European Union has taken a top-down approach in leading the charge for interoperable digital identity wallets. Early national proof-of-concept and pilot projects include the NESSI project for digital tax IDs in the German state of Bavaria, and Validated ID with CaixaBank and Aigües de Barcelona for customer identification in Spain. A currently piloted cross-border use case is European Blockchain Services Infrastructure’s digital diploma multi-university project. Revision of the EU’s Electronic Identification and Trust Services Regulation, rolling out this year, will provide identity verification and credential authentication for ID cards and driver’s licenses.
Other experts believe that even if governments catalyze some key credentials, some issuers may still resist switching to a business model where credentials are verified with public trust registries instead of with their internal databases. Some issuers, like credit reporting companies, make their money by charging for verifications, and the decentralized credentials model we described in the three cases would disrupt that model. David Huseby, who formerly worked on security at Hyperledger, believes the scaling of decentralized credentials models that rely on digital wallets and external validation has been slow because they require a “rip and replace” business model. Huseby and Rick Cranston, a cofounder of Bonifii, have cofounded Cryptid, where their new decentralized solution does not use digital wallets but instead relies on APIs to existing infrastructure. In their solution, holders still digitally control requests from verifiers, but the holders can also route requests to issuers. Issuers respond at the time of the requests to retrieve the most up-to-date proof of credentials from their internal databases. Issuers can continue to charge fees for verification, but there is a downside that should be acknowledged: Issuers can track user activity.
The modest starts we studied signal a promising future for decentralized credentials in business and society. Decentralized credentials offer a very different model for online trust. If we can solidify the technological foundations, value-added use cases abound. Entrepreneurs will be able to open a bank account and get competing offers for a business loan with the click of a button. Companies won’t need to issue W-2 forms in order for workers to file tax returns in the U.S. Running background checks and onboarding employees and suppliers will be virtually instantaneous. Employees won’t fall for phishing attacks, because it will be easy to verify the origin of a message. Increased transparency around suppliers’ credentials will inhibit money laundering and promote ethical supply chains. Streaming services will be able to quickly verify that the user renting a PG-13 movie is age 13 or older. Stores will be able to sell alcohol online, or as part of a grocery pickup order, without the risk of the buyer being under the legal drinking age. Patients will be able to share medical records with doctors in different hospital systems and order prescription medicines online.
In addition to providing credentials for humans, decentralized credentials can be used for anything that needs one, including animals, plants, pharmaceuticals, raw materials, machines, and finished products. Company or product attributes such as “woman-owned” or “certified fair trade” will be more meaningful for being verifiable.
Such possibilities are not inevitable; they will happen only if governments, businesses, and individuals learn about decentralized credentials and actively participate in the development and standardization of supportive ecosystems that can interoperate across a multitude of domains. Broad-scale cooperation and regulation will be pivotal to timely adoption and the ability to realize value from this critical Web3 component.
References
1. B. Turczynski, “2020 HR Statistics: Job Search, Hiring, Recruiting & Interviews,” Zety, updated Jan. 9, 2020, https://zety.com; and “Your Organization’s Reputation on the Line: The Real Cost of Academic Fraud,” PDF file (Herndon, Virginia: National Student Clearinghouse, 2016), https://nscverifications.org.
2. A. Preukschat and D. Reed, “Self-Sovereign Identity: Decentralized Digital Identity and Verifiable Credentials” (Shelter Island, New York: Manning Publications, 2021).
3. The W3C is an international community that develops open standards to ensure the long-term growth of the web. The W3C’s Verifiable Credential standard was published in 2019; its Decentralized Identifiers standard was published in July 2022.
4. M. Lacity and E. Carmel, “Self-Sovereign Identity and Verifiable Credentials in Your Digital Wallet,” MIS Quarterly Executive 21, no. 3 (2022): article 6.
5. The Sovrin Network is managed by the nonprofit Sovrin Foundation. The foundation has authorized over 80 independent volunteers on six continents to operate the network’s nodes.
6. The NHS lists the organizations that have registered to use the Digital Staff Passport on its website.
7. The Trust Over IP Foundation was launched in 2020 with the mission to develop a complete architecture for internet digital trust.
8. The OrgBook for the province of British Columbia is available and can be searched online.
9. “BC Wallet,” Government ID, Government of British Columbia, accessed Jan. 11, 2023, https://www2.gov.bc.ca.
10. The FIDO Alliance is an open industry association with a mission to reduce the world’s overreliance on passwords.
11. “Bonifii and Entersekt Announce New Context-Aware Authentication Solution for Credit Unions,” Bonifii, April 21, 2022, https://bonifii.com.
12. P. Windley, “Building an SSI Ecosystem: MemberPass and Credit Unions,” Phil Windley’s Technometria, June 7, 2021, www.windley.com.
13. The three cases all use the Sovrin Network. In this network, transaction costs are low; only issuers are charged a modest fee (about $10) to post their public keys to the registry, and the issuer can use the key to sign an unlimited number of credentials. At this point, verifiers are not charged for reading the registry.
14. The W3C lists 136 methods for decentralized credentials. See “DID Specification Registries: The Interoperability Registry for Decentralized Identifiers,” W3C, updated Jan. 7, 2023, www.w3.org.
i. “About,” Web3 Foundation, accessed Jan. 11, 2023, https://web3.foundation.
ii. R. Browne, “Web Inventor Tim Berners-Lee Wants Us to ‘Ignore’ Web3: ‘Web3 Is Not the Web at All,’” CNBC, Nov. 4, 2022, www.cnbc.com.