Verifiable credentials
What is a credential?
A credential is evidence that proves something about a person. Every day we use credentials to prove things about ourselves: our identity, our qualifications, or our right to access certain services. A driver’s licence, a passport and a student ID are all types of credentials.
In the real world, we’re familiar with physical credentials such as ID cards, membership/loyalty cards, property/ownership titles and others.
Typically we store these credentials in a safe place such as our wallet. This enables us to carry essential personal information and present it physically when needed to prove details about ourselves. For example, we show a driver’s licence to a police officer to confirm that we are authorised to drive that class of vehicle.
Digital credentials
As more of our everyday interactions shift online, it’s only natural that our credentials follow. People increasingly rely on mobile devices for everything, from banking and travel to accessing government services, and expect the same level of convenience when proving who they are or what they’re entitled to.
Digital credentials are the digital counterparts of the physical documents we use every day. They can be stored and presented through digital wallets, which function much like physical wallets but on your mobile device. A digital wallet enables you to carry, manage, and share your credentials electronically.
While this brings convenience, simply holding a digital copy of a document is not enough. A scanned ID or a digital “flash pass” might look official, but these copies are just as easy to forge or misuse as a paper document, and sometimes even easier.
In many cases, people use screenshots or low-security files to “prove” something about themselves, and these can be edited, duplicated, or faked with minimal effort. As a result, these basic forms of digital credentials cannot be relied upon for trust or security.
Verifiable credentials
That’s where verifiable credentials come in.
Verifiable credentials are digitally signed, tamper-evident digital statements that can be used to prove things like a person’s identity, age, affiliation, or qualification. They’re designed to be shared, checked, and trusted across both remote and in-person contexts.
Unlike static images or scans, verifiable credentials include cryptographic protections that allow others to independently verify their authenticity, ensuring that the credential hasn’t been altered and truly comes from a trusted issuer. They can be presented in a secure, privacy-preserving way and used to streamline interactions where trust is required.
Verifiable credentials can represent far more than identification cards. Some examples include:
- Mobile Driver's Licenses (mDLs): A Ministry of Transport can issue a digital Mobile Driver’s Licence (mDL) that citizens store in a mobile wallet and present during roadside checks or at rental car counters.
- Proof of income: A financial institution might issue a proof-of-income credential that customers can use to apply for loans across different banks.
- Educational qualifications: A university can issue digital degree certificates that graduates use to verify their qualifications with employers.
Today, when people refer to digital credentials, they often mean verifiable credentials, but it’s important to be clear about which type is being discussed. A simple digital copy and a cryptographically verifiable credential are very different in terms of security, trust, and reliability.
Unique features of verifiable credentials
The cryptographic foundations of trust
Digital credentials, and specifically verifiable digital credentials, are the foundation of the MATTR product stack, enabling organisations and individuals to issue, hold, and verify credentials in a variety of real-world settings, from online services to mobile wallets to physical checkpoints.
Verifiable credentials use a fundamentally different trust model from traditional document-based verification, and the difference is easiest to see in how trust is established.
With traditional methods, trust is created through a point-in-time check against a central system. For example, an employer may manually review a PDF degree certificate and contact the issuing university to confirm it is valid, or a business may verify a licence by logging into a government portal or using a third-party verification service. These checks rely on indirect signals—such as whether a document number exists or whether a name and date of birth match a database—and assume that the underlying system is accurate and up to date. In practice, these systems can suffer from data gaps, update delays, and human error, making trust inherently probabilistic rather than guaranteed.
Verifiable credentials work differently. The proof of authenticity is embedded directly in the credential using cryptography. For example, a digital driver’s licence or university credential can be verified instantly by a trusted verifier without contacting the issuer or querying a central database. A cryptographic signature either matches the issuer’s key or it does not. A credential is either listed as revoked or it is not. The verification result is clear, unambiguous, and does not depend on fuzzy matching, manual review, or backend system availability.
This shift reduces manual effort, removes integration silos, and enables trust to move with the data rather than staying locked inside individual systems. It results in greater confidence, clearer outcomes, and a level of assurance that traditional verification alone cannot reliably provide.
Inverting the trust model
Traditional verification systems depend on checking information with a central authority each time it needs to be verified. For example, a verifier submits a name and document number to a government service and waits for a “yes” or “no” response.
This model has two key limitations:
- The verifier must trust the authority’s response without being able to independently verify the authenticity of the underlying credential.
- Every verification request is visible to the authority, allowing correlation of data checks and concentrating privacy and operational risk in a single system.
Verifiable credentials invert this model. Instead of asking a central service to confirm validity, the credential itself carries cryptographic proof of:
- Who issued it (issuer authenticity)
- What was issued (credential integrity)
- To whom it was issued (binding to the holder)
- Whether it has been altered, tampered with, or revoked
This proof is created using digital signatures based on asymmetric key pairs. A verifier can check the signature directly, without contacting the issuer, using publicly available keys.
This results in a stronger and more privacy-preserving form of trust. Trust no longer depends on a live lookup or a third party’s response. Instead, it can be independently and mathematically confirmed by the verifier, making trust deterministic rather than probabilistic. Verifiers do not have to assume that data is genuine. They can cryptographically prove it.
Trusted issuers
Verifiable credentials still rely on a trusted issuer model, but trust is not based on brand recognition, assumed institutional authority, or static government lists. A verifier does not accept a credential simply because it carries the name of a well-known university, bank, or government agency, nor does it need to look that organisation up in a central registry at verification time.
Instead, trust is anchored in cryptographic keys and governed by explicit trust frameworks. Verifiers validate whether a credential was signed with a valid issuer key, whether that key is authorised under the relevant governance model, and whether it ultimately chains back to a recognised trust anchor. This allows trust to be evaluated consistently and independently, rather than inferred from reputation or jurisdiction.
Digital credential ecosystems can use hierarchical or mesh trust architectures. In a national system, trust may be anchored in a government root key. In an industry ecosystem—such as health or education—it may be anchored in a consortium or standards body. In cross-border or global use cases, multiple roots of trust can coexist, allowing credentials to be verified across jurisdictions without a single controlling authority.
In practice, this means a verifier can accept a digital licence or identity credential without prior knowledge of the issuing organisation. As long as the issuer’s key is trusted within the applicable framework and the signature is valid, the credential can be relied upon.
This creates a transparent, portable chain of trust that works consistently across organisations and jurisdictions, without relying on reputation or centralised control.
Revocation and credential status
Traditional verification typically provides a point-in-time yes/no result, with no artefact that can be independently checked later. For example, a verifier may confirm that an identity document or licence is valid at the moment of lookup, but once that check is complete, there is no portable proof of validity and no way to re-verify the result without repeating the process with the issuing authority.
Verifiable credentials work differently. They support built-in lifecycle and privacy controls such as revocation registries, status lists, short-lived credentials, and selective disclosure. In practice, this means a verifier can confirm that a credential is still valid, has not been revoked, and is within its intended lifetime—while the holder shares only the minimum information required, such as proving age eligibility without revealing a full date of birth.
Crucially, these checks can be performed without revealing the subject’s identity to the issuer or the wider network. For example, a verifier can confirm that a credential remains valid without notifying the issuing authority that a specific individual is being checked. This reduces correlation and surveillance risk while preserving strong security guarantees.
The result is a balanced model where security and privacy reinforce each other, rather than forcing organisations to trade one for the other.
Integrity and tamper resistance
Traditional identity documents—whether physical or digital—can be forged, altered, copied, counterfeited, or manipulated over time. For example, a PDF licence can be edited, a scanned passport can be reused, or a legitimate document can be presented by someone other than its rightful holder. While traditional checks reduce these risks, they do not eliminate them. Spoofing, synthetic identities, and presentation attacks remain persistent challenges, especially at scale.
Verifiable credentials address these weaknesses at the architectural level. Any modification to a verifiable credential, even changing a single bit, immediately invalidates its cryptographic signature. This makes tampering and forgery detectable by default, rather than something that must be inferred through visual inspection or backend checks.
As a result, organisations gain strong assurance at the moment of verification that the data is authentic, unaltered, and issued by a trusted authority. Verification requires no specialist equipment or proprietary systems—only cryptographic validation—making security inherent to the credential rather than dependent on perimeter controls.
| Fraud type | Real-world example | How verifiable credentials resist it |
|---|---|---|
| Document forgery | A fake university degree created using design tools | The credential cannot be forged without the issuer's private key; invalid signatures are immediately rejected |
| Document tampering | Editing a name or expiry date in a PDF licence | Any change invalidates the cryptographic signature, making tampering instantly detectable |
| Copy or reuse | Reusing a scanned ID or screenshot across multiple services | Credentials can be bound to the holder and verified using challenge-response, preventing reuse |
| Counterfeiting at scale | Mass-produced fake IDs that "look right" | Visual appearance is irrelevant; only valid cryptographic signatures are accepted |
| Presentation attacks | Using someone else's legitimate document | Holder binding and selective disclosure ensure the presenter controls the credential |
| Insider manipulation | An internal operator alters records in a backend system | Trust is based on signed credentials and governance rules, not mutable databases |
| Centralised data breach | Large identity databases compromised and reused | No central store of personal data is required for verification |
Verifiable credentials do not merely reduce fraud risk. They make entire classes of attacks cryptographically infeasible. This gives organisations assurance at the moment of verification that the data is authentic and unaltered.
Privacy by design
One of the most significant security advantages of digital credentials—often overlooked—is what does not need to be shared.
Traditional verification typically requires uploading full documents, exposing more personal data than necessary, and relying on third-party intermediaries to store, process, or validate that information. For example, proving age may involve sharing a complete identity document that reveals a full name, date of birth, address, and document number—far more than the transaction requires.
Digital credentials enable selective disclosure. A holder can prove a specific fact—such as being over 18—without revealing their exact birthdate or any unrelated attributes. The verifier receives only what is needed to make a decision, nothing more.
This approach significantly reduces data exposure, shrinks the attack surface, limits correlation across transactions, and avoids long-term retention of sensitive personal information.
Security is strengthened by minimising what organisations need to collect and hold, not by accumulating more data.
Empowering the holder
Unlike traditional methods, where verification is performed on the user, digital credentials place the user at the centre of the interaction.
The user holds their credentials, decides when and where to share them, and controls exactly what information is disclosed. Verification happens locally, allowing verifiers to confirm authenticity without broadcasting the user’s activity to central systems or third parties.
The result is a model of freedom through trust: strong assurance for organisations, and genuine agency for individuals—where security and empowerment reinforce each other rather than compete.