Breaking Down Verifiable Credentials: Theoretical Base and Practical Uses

While verifiable credentials are only starting to grow in adoption, it’s already clear that this new IDV method has immense potential. Holders will be able to instantly prove their age, confirm their diploma, or verify their employee status in a controllable, secure way—and all with just one tool. At the same time, the concerns about the adoption rate and overdependence on one device are not unjustified either.

In this article, we break down what makes verifiable credentials tick—how they work, why they matter, and where they’re already being used.

A verifiable credential (VC) is a tamper-evident digital proof of certain information about an individual, similar to data fields found in a passport. Each VC is cryptographically signed by an issuer’s private key, which allows anyone in possession of the credential to verify its authenticity and integrity using the issuer’s public key. In practice, this means that verifiable digital credentials can be automatically checked for validity by software, without manual inspection, and without exposing more personal information than necessary.

A typical VC ecosystem involves three roles:

1. The issuer, a trusted entity that creates and issues the credential. The issuer is often an authoritative source for the information and will verify the subject’s ID or qualifications (e.g., as part of a background check) before issuing the credential. The issuer then cryptographically signs the credential, binding their authority to the claims it contains. 

2. The holder, the individual or entity who receives the credential and stores it in a digital wallet under their control. In many cases, the holder is also the subject of the credential, though it could be a guardian or representative holding verified credentials on someone else’s behalf. The holder decides when and with whom to share the credential.

3. The verifier, an entity that requests and validates a credential presented by the holder (e.g., a customs officer checking a digital travel credential). The verifier’s job is to ensure that the credential is authentic and assess the claims it contains for relevance and trustworthiness.

On a technical level, we can break down a verifiable credential into four key components:

Verifiable credentials are defined by a standard data model that makes sure they are structured and machine-readable. The most common representation is a JSON-LD document (JSON for Linked Data), which allows each field in the credential to be linked to a very specific context. In other words, terms like “name” or “degree” in a credential can be associated with uniform resource identifiers (URIs) in a context that defines what those terms mean, removing any ambiguity.

A typical verifiable credential contains the following components, as defined by the W3C data model:

• Context: An array of context URIs that describe the vocabulary and schemas used in the credential. 

• Type: An array specifying what kind of credential it is (diploma, driver’s license, etc.) and which schema to expect.

• Issuer: A URI or decentralized identifier for the issuing entity.

• Credential Subject: An identifier for the subject about whom the claims are made.

• Claims: The actual pieces of information the credential conveys (e.g., name, age, degree title, vaccination status, employee ID number).

• Proof: The issuer’s digital signature that makes the credential verifiable.

To be able to confirm the issuer’s authority and identity, a verifier must somehow obtain the issuer’s public key. This is what decentralized identifiers (DIDs) are for: they are URIs that uniquely represent an issuer. More specifically, DIDs can be resolved to a DID Document, a small JSON document that contains all the issuer’s public verification keys and other potential metadata like a key identifier or an endpoint for status checks. 

It’s important to note, however, that not every VC deployment uses DIDs. Some implementations use standard web identifiers: an issuer can simply use an HTTPS URL as their identifier and publish a JSON Web Key (JWK) on their website that can be fetched to verify signatures.

At the heart of every VC is a digital signature, which provides cryptographic assurance that the credential was issued by a legitimate issuer and that its contents have not been altered. The signature (typically encoded in the “proof” section of the verifiable credential) can later be checked by anyone who has the issuer’s public key.

Holders can manage their verifiable credentials using a digital wallet, which most often comes in the form of a smartphone app. The wallet’s primary functions are to safely store the credentials, let the holder organize and select their credentials, and facilitate the presentation of credentials to verifiers when required. 

When a holder needs to prove something to a verifier (e.g., a traveler approaching an airport gate), they will use the wallet to create a verifiable presentation. If supported, the wallet could even omit certain irrelevant details during the presentation (e.g., occupation), so that some part of the holder's data is kept private.

Because of its very sensitive nature, a digital wallet may itself be protected by the device's security through biometric checks to prevent unauthorized access. For instance, a solution like Regula Face SDK can be a facilitator of this process, as it can perform advanced facial recognition with liveness detection to verify users and prevent fraud.

It must be noted that digital wallets are a developing technology and, as of May 2025, the vast majority of them are at either the concept stage or the pilot stage. One notable example is the European Digital Identity Wallet (EUDI Wallet), formally adopted by the EU in 2024 as part of the revised eIDAS regulation. The new framework requires every member state to offer a digital identity wallet by 2026 and to recognize wallets from other EU countries. The EUDI Wallet will allow citizens to link their national digital IDs with other personal credentials (e.g., a driver’s license) and use them without having to rely on private identity providers or share unnecessary data.

To get the full picture of what verifiable digital credentials offer, we must examine them from multiple standpoints: from an individual’s POV (likely the holder), and an organization’s POV (likely the verifier).

Selective disclosure

Verifiable credentials allow individuals to share only the specific information required and keep everything else private. This lets a person prove a claim (such as being over 18) without revealing unrelated personal data like their exact birthdate. This way, individuals gain greater control over who sees their data.

Full ID ownership

With verifiable credentials, individuals retain full ownership and control of their credentials in a personal wallet, rather than relying on a central authority every time they need to verify something. Once a credential is issued to the user, it resides under the user’s custody and consent. As a result, users aren’t locked into a single provider and don’t have to worry about a third-party service deleting their account or losing access to their qualifications.

Portability and (potential) interoperability

Verifiable credentials are highly portable—a person can store multiple credentials (IDs, licenses, diplomas, etc.) in one digital wallet and carry them anywhere on a smartphone. Additionally, because they adhere to open standards, VCs can be potentially reused across many different services and organizations without having to re-verify them from scratch each time. For example, a university degree issued as a verifiable credential could be instantly recognized by employers, licensing boards, or foreign institutions that use the same verification standards.

Caution: Device dependence and recovery risks

On the flip side, using verifiable digital credentials typically requires a smartphone or computer, which introduces an element of dependency on devices and internet access. If a user’s phone is lost, stolen, or simply runs out of battery at a critical moment, the person could be unable to present their credentials when needed. Unlike a physical ID card that you can carry as a backup, a digital credential might not be accessible without your device (unless you’ve set up alternative access).

Instant credential verification

First of all, organizations will enjoy the ability to verify credentials instantly and automatically, as a VC presented by a user can be cryptographically validated in seconds. This speeds up processes like onboarding, customer verification, and compliance checks, leading to significant efficiency gains. For example, an employer or service provider can use software to confirm a candidate’s digital certificate or ID without calling the issuer or handling paper records.

Fraud reduction

Verifiable credentials also provide strong security guarantees that help organizations reduce fraud, as each digitally signed credential is tamper-evident. For the verifier (be it an employer, bank, or website), this means far greater confidence that “what you see is authentic”—the credential is either validated perfectly or not at all. This way, organizations can automatically reject altered or untrusted credentials, protecting themselves and their customers from fraud schemes without wasting any time.

Improved user experience

When people no longer have to endure repeated form-filling and document uploads for every new service, they are known to be less likely to abandon the onboarding process. The convenience of “bring your own credentials” makes users feel empowered and respected, since they share only what’s necessary and keep control of their data. This, in turn, fosters trust: users know the organization isn’t stockpiling all their personal details, just verifying what’s required.

Caution: Adoption uncertainty

The full benefits of VCs truly materialize at scale, when many issuers provide credentials and many verifiers accept them. In the current real-world conditions, that scale is limited. As a result, an organization that goes first may not see much immediate payoff; they are essentially betting on future network effects. Some industry experts have argued that currently, VCs often provide little added value compared to simpler alternatives, unless you anticipate future adoption growth.

While adoption uncertainty is real, verifiable digital credentials are slowly moving from theory to practice. It is hard to predict how long it will take for them to become a universal standard, but we can clearly see some progress over the past couple of years.

We have already mentioned the EU’s digital wallet initiative—and it is far from the only government VC project. In 2024, the City of Zug in Switzerland became one of the first municipal governments to roll out verifiable credentials: it provided over 500 city employees (school teachers) with digital employee certificates delivered to their eZug mobile ID app. These verifiable credentials replaced physical ID cards and allowed teachers to prove their status to get discounts at stores by presenting the digital certificate. Albeit a local effort, there is clearly potential for expansion across the country.

Another active area is travel and immigration documents. The International Civil Aviation Organization (ICAO) has been prototyping the Digital Travel Credential (DTC), a standardized VC that can augment or eventually replace a passport for border control. In 2023–2024, ICAO released specifications for DTC types: 

• Type 1 allows travelers to generate a digital passport clone on their smartphone by extracting the chip data from their physical passport (with the caveat that the physical document must still be carried as a backup). 

• Type 2 and Type 3 DTCs involve the issuance of a digital passport by authorities, with Type 3 being a fully digital passport that could one day eliminate the need for a physical passport altogether.

IDV vendors have also started to work with DTCs. For example, Regula Document Reader SDK can actively generate the Virtual Component of a DTC (DTC-VC) by extracting the data from an RFID chip and creating a digital replica of the physical document.

As for education, the European Commission has built the European Digital Credentials for Learning (EDC) infrastructure, which allows various institutions to issue official learning credentials in a verifiable format. An EDC is essentially a W3C Verifiable Credential with an EU-specific profile, digitally sealed by the issuer’s electronic seal (a qualified digital signature). Several European universities have piloted issuing diplomas through the EDC portal, where they can be shared with employers across Europe—and employers can then validate them using the Europass verification website or any tool that trusts the EU member states’ signatures.

Verifiable credentials are redefining how identity verification is handled, but it isn’t about discarding traditional methods outright; rather, it builds on them. The process of issuing a VC still requires initial proofing of identities—and this is where Regula’s technology steps in.

Complete identity verification procedures can be carried out by solutions like Regula Document Reader SDK and Regula Face SDK, which can easily integrate with your existing mobile or web applications.

Regula Document Reader SDK processes images of documents and verifies their real presence (liveness). The software automatically identifies the document type, extracts all the necessary information, cross-validates it, and confirms whether the document is genuine with a comprehensive set of authenticity checks. Regula Document Reader SDK supports all major dynamic security features, including holograms, optically variable inks (OVIs), multiple laser images (MLIs), and, most recently, Dynaprint®.

At the same time, Regula Face SDK conducts instant facial recognition and prevents fraudulent presentation attacks such as the use of static face images, printed photos, video replays, video injections, or masks.

In practical terms, Regula’s software can be integrated as the front end in an issuer’s VC creation process. Eager to learn more? Book a call, and we will help you make your identity verification compliant, secure, and customer-centric.