Verifiable credentials for enterprise identity guide

Verifiable Credentials (VCs) are W3C standard digital credentials — structured claims about an entity, cryptographically signed by a trusted issuer using their DID (Decentralized Identifier). The holder stores the credential in a digital wallet and presents it to verifiers on demand. The verifier checks the cryptographic signature against the issuer's publicly resolvable DID Document to confirm authenticity, checks a revocation registry to confirm the credential is still valid, and extracts the relevant claims. Verification requires no contact with the issuer — it is fully decentralised and offline-capable.

Selective disclosure allows credential holders to prove specific claims from a credential without revealing all its contents. For example, proving age ≥18 from a government identity credential without revealing the exact birth date, name, or address. This is implemented using cryptographic techniques: SD-JWT (Selective Disclosure for JSON Web Tokens) allows individual claims to be withheld while keeping the overall credential signature valid. BBS+ signatures enable zero-knowledge proofs — proving a claim is true without revealing the underlying value. Selective disclosure is a key privacy advantage of VCs over traditional document scanning or centralised identity databases.

Microsoft Entra Verified ID is Microsoft's managed Verifiable Credential service built on Azure AD. It provides APIs for issuing VCs (based on Azure AD user attributes or custom claims), a request service for verifiers to request and verify presentations, and integration with the Microsoft Authenticator mobile wallet for credential storage. It uses the did:web and did:ion DID methods and supports W3C VC Data Model v1.1. For Microsoft-centric enterprises, it is the lowest-friction path to VC issuance and verification — leveraging existing Azure AD investment and Microsoft Authenticator's installed base without operating additional infrastructure.

In a VC-based employee onboarding workflow: the new employee's previous employer issued a VC certifying their employment history; their university issued a VC certifying their degree; a government authority issued a VC confirming right to work. The new employee presents these credentials digitally from their wallet — the hiring company's HR system verifies each credential cryptographically in seconds, without calling references, requesting paper documents, or waiting for manual verification. This reduces credential verification from 3–10 days to minutes. The UK and EU are actively developing the ecosystem of credential-issuing institutions to enable this at scale.

OID4VC (OpenID for Verifiable Credentials) is a family of standards that extends OpenID Connect for VC issuance and presentation: OID4VCI (VC Issuance) defines how issuers deliver credentials to wallets; OID4VP (Verifiable Presentations) defines how verifiers request and receive credential presentations from wallets using standard OpenID protocols. OID4VC enables VC workflows to integrate with existing OAuth 2.0 / OIDC infrastructure, making adoption easier for organisations with existing identity platforms. It is the protocol layer used by eIDAS 2.0 EUDI wallets and is increasingly supported by commercial VC platforms.

VC revocation is handled through revocation registries referenced in the credential's credentialStatus field. The most widely implemented approach is Status List 2021 (W3C standard): the issuer maintains a compressed bitstring status list at a publicly accessible URL; each credential has an index into this list; verifiers check the bit at that index to confirm the credential is not revoked. The URL is embedded in the credential at issuance. Blockchain-based revocation registries offer decentralised revocation without dependency on the issuer's infrastructure remaining online. Revocation check must be performed on every credential presentation for security-sensitive applications.

The EU Digital Identity (EUDI) wallet is a requirement of the eIDAS 2.0 regulation — each EU member state must provide citizens with a free, government-issued digital identity wallet by 2026. The wallets store Verifiable Credentials issued by governments, professional bodies, and other trusted issuers and allow citizens to present them to public and private sector verifiers. The EUDI Architecture and Reference Framework (ARF) defines the technical standards based on W3C VCs, OID4VC protocols, and the did:ebsi DID method. Large-scale pilots (under the EU Digital Identity Wallet Consortium projects) ran in 2023–2024; national wallet rollouts are in various stages across member states in 2026.

VCs can enable KYC portability — a customer completes KYC once with a regulated KYC provider, receives a KYC VC, and presents that VC to subsequent financial institutions rather than re-running KYC each time. This reduces friction (from 3–5 days to minutes for KYC at new financial institutions) and cost (financial institutions pay per KYC instead of running it themselves). Regulatory acceptance varies by jurisdiction — UK Financial Conduct Authority and EU regulators have issued guidance supportive of reusable KYC, but specific implementation requirements for AML compliance (ongoing monitoring, reliance conditions) still require careful legal assessment. VCs simplify the initial KYC identity step but don't replace ongoing transaction monitoring obligations.