Imagine you are joining a new company called Woodgrove and they need you to provide them with proof of your university degree, passport, driving license and other personal information. In the past, and still today, we have had to send our personal documents to an employer or third party by email, by uploading them through a website, or by post. These companies carry out background checks to ensure the documentation is genuine, and the process can take weeks or months.
What if Woodgrove allows you to gain discounts on new hardware such as laptops and monitors from a third-party hardware provider, but you need to prove that you are an employee of Woodgrove before the discounts are applied? Wouldn’t it be easier if you could verify that you work for Woodgrove in minutes and gain access to employee discounts, instead of having to send them your employee ID and photo ID?
Or what if an employer requires that you hold certain security certifications before allowing you access to a sensitive internal application? It would be great if you could verify that you hold the required certification without having to send the certificate to the employer and then wait for approval, which could delay your access to the internal application.
What about your personal data? As the owner of those personal documents, consider the following:
- We have no idea how the documents are stored.
- Is the documentation stored in a secure location?
- What if the documents are stolen, for example if the company is hacked or an internal employee takes them?
- Is your data deleted after verification, or is the company holding onto the documents for years?
- How do we get the documents back and ensure they are deleted?
- We have no control over our personal information. Our identity and all our digital interactions are owned and controlled by other parties, in some cases even without our knowledge.
- How do we keep track of who we shared our identity information with?
Organisations are facing constant pressure to keep our personal identity information safe, and carrying out checks to ensure the documentation is genuine can take time, which costs organisations money.
What if there was a better way? A secure way to store and get our personal documents verified quickly.
Introducing Microsoft Entra Verified ID. Entra Verified ID is a decentralised identity service that lets you create a digital identity that you can use to prove your qualifications and identity online. For example, you can use this service to share only the information that your new employer needs, and nothing more. It’s basically a secure digital copy of your paper-based identity that you can store on your mobile phone.
These certificates are like digital versions of your diplomas, ID cards, or certificates. They are issued by trusted organisations that can verify your education and identity. You can choose which certificates or identity information you want to show to your new employer, and they can trust that they are authentic and valid because they have been verified by an authorised company. They do not need to hold a copy of your certifications, passports and so on.
Microsoft Entra Verified ID is based on open standards that anyone can use and verify. It gives you more security and privacy over your identity data.
Using Microsoft Entra Verified ID can benefit both the employee and the employer in many ways, such as:
- The employee can save time and hassle by not having to send or show their documents via email, mail, or in person. They can also avoid sharing more information than necessary, or risking losing or damaging their documents.
- The employer can save time and money by not having to check or verify the documents manually or through costly third-party services. They can also reduce the risk of fraud, identity theft, or human error.
- Both the employee and the employer can enjoy a smoother and more secure hiring process, and build trust and confidence with each other. They can also comply with the legal and regulatory requirements for identity and background verification.
- It’s great for staff working remotely as staff don’t have to travel to the office carrying personal documents.
- Both the organisation and the employee can revoke the credentials, for example when an employee leaves a company.
Furthermore, as an individual your identity remains secure: it is not easy to forge or hack, and it is difficult for someone to impersonate you. You always have access to your secure digital identity and are able to recover it. Most importantly, you are able to see logs of all the times you have used your digital identity, who you used it with and what it was used for. You are in control, and have the option to disclose only the specific information necessary to support the consented use.
You can also designate trusted friends and family members who can access your digital identity if needed, for example if you are critically ill.
You as an individual control your identity, and the company can instantly confirm that the identity you provide from your digital wallet is verified, without having to wait for weeks.
How do Verifiable Credentials work?
The below diagram provides an overview of how Verifiable Credentials work.
Let’s use an example to explain the process further. An individual named Andrew accepts a job offer at a company called Woodgrove. Prior to joining the company, Andrew must go through a pre-onboarding process where he needs to verify his identity. The company he is working for uses Microsoft Entra Verified ID.
Andrew uses the Microsoft Authenticator app on his phone to verify his ID via Woodgrove’s company portal. He takes a selfie with his phone using the Microsoft Authenticator app and is asked to provide a copy of an ID with a photo. The company uses a trusted organisation connected to their portal/Microsoft Entra Verified ID portal to verify that the selfie matches the passport. This process is computerised and verifies the photo and passport within seconds. Andrew now receives a validated Verified ID which is stored in his digital wallet, in this case the Microsoft Authenticator app on his mobile phone. Andrew can now use this newly created digital identity (e.g. a digital passport) from his phone to prove his identity to his new employer and to remotely access and set up a new logon account on his first day at work. In the process, Andrew has not had to pass on a copy of his identity to prove that he is a new employee of Woodgrove, as his identity was validated by a trusted identity provider whom the employer also trusts.
To explain how Verifiable Credentials work in a second example, we use a scenario that involves these actors:
- Woodgrove Inc, a company that employs an individual named Alice.
- Proseware, a company that gives discounts on hardware such as laptops to Woodgrove employees.
- Alice, a Woodgrove employee who wants to benefit from Proseware’s discounts.
Currently, Alice signs in to Woodgrove’s network with a username and password. Woodgrove have implemented Microsoft Entra Verified ID to make it easier for Alice to prove her employment status. Proseware accepts verifiable credentials issued by Woodgrove as valid evidence of employment that can grant access to their corporate discount program.
Alice asks Woodgrove for a verifiable credential that confirms her employment. Woodgrove Inc verifies Alice’s identity via a secure third party and issues a signed verifiable credential (in seconds), which proves that she is an employee of Woodgrove and which Alice can receive and store in her digital wallet app. Alice can now use this verifiable credential as proof of employment on Proseware’s website. After a successful verification of the credential, Proseware’s website displays discounted rates for all hardware to Alice, and the transaction is recorded in Alice’s wallet app so that she can keep track of where and to whom she shared her proof of employment verifiable credential.
Demo – Microsoft Entra Verified ID
Let’s go further and demo the process via Microsoft Entra Verified ID.
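The Woodgrove, Alice and Proseware exchange above, reduced to its signing and checking steps, as an added Go example that is not from the original post or from Microsoft's implementation. The Credential type, the Ed25519 signature, and the in-memory trust and revocation maps are assumptions for illustration; Entra Verified ID's own formats and APIs are not shown.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is a simplified, constructed stand-in for a verifiable credential.
type Credential struct {
	ID, Issuer string
	Claims     map[string]string
	Sig        []byte `json:"sig,omitempty"`
}

// payload returns the bytes the signature covers: every field except Sig.
func (c Credential) payload() []byte {
	c.Sig = nil
	b, _ := json.Marshal(c) // map keys are emitted sorted, so this is stable
	return b
}

// Issue is the issuer's step: sign the claims with the issuer's private key.
func Issue(priv ed25519.PrivateKey, c Credential) Credential {
	c.Sig = ed25519.Sign(priv, c.payload())
	return c
}

// Verify is the relying party's step. It needs only the public keys of the
// issuers it trusts and a revocation list, never the holder's documents.
func Verify(c Credential, trusted map[string]ed25519.PublicKey, revoked map[string]bool) error {
	pub, ok := trusted[c.Issuer]
	switch {
	case !ok:
		return errors.New("issuer not trusted")
	case !ed25519.Verify(pub, c.payload(), c.Sig):
		return errors.New("signature invalid")
	case revoked[c.ID]:
		return errors.New("credential revoked")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	vc := Issue(priv, Credential{ID: "vc-1", Issuer: "woodgrove", Claims: map[string]string{"employee": "alice"}})
	fmt.Println(Verify(vc, map[string]ed25519.PublicKey{"woodgrove": pub}, nil))
}
```

A credential whose claims were altered after issuance, one signed by a key the verifier does not trust, and one the issuer has revoked are each rejected with a distinct error.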
This demo illustrates a new remote employee at Woodgrove being onboarded before they’re ready to start their first day on the job. Previously, a new employee would be required to go into the office, fill out forms and receive a laptop. However, the company has adopted cutting-edge technology to streamline onboarding and discounted equipment purchases.
Let’s check out what the process looks like with Microsoft Entra Verified ID.
1. Woodgrove have a portal configured to use Microsoft Entra Verified ID. Setup and configuration links are listed towards the end of this post.
2. Andrew Doe visits the portal as a new employee of Woodgrove.
3. Andrew types his first name and last name. He then clicks the Next button.
4. A trusted identity provider named True Identity will verify Andrew’s identity. Andrew clicks the button Verify with True Identity.
5. Andrew types his name again: first name and last name.
6. Andrew clicks the button Take a selfie and takes a photo of himself.
7. Selfie taken. Andrew now clicks Upload a government-issued ID, such as his passport.
8. Andrew clicks Next.
9. The True Identity solution, a trusted third party, will verify Andrew’s selfie (photo) and passport. This process is computerised and happens in seconds. Verification complete. Andrew clicks OK and then clicks Next.
10. Now that the identity has been verified by True Identity, Andrew can scan the QR code displayed on the Woodgrove portal and store a digital identity of his passport in the Microsoft Authenticator app installed on his mobile phone. To scan the QR code, Andrew opens the Authenticator app on his phone and clicks the option Verified IDs, located towards the bottom right corner of the app.
11. He clicks the option Scan QR code.
12. He scans the provided QR code and enters a PIN in his Authenticator app. He clicks Add in his Authenticator app and clicks Next.
13. A digital Verified ID (a digital version of Andrew’s passport) has been successfully issued to Andrew and is stored on his phone. Andrew clicks Return to Woodgrove.
A reminder that at this point Andrew has a verified digital identity of his passport stored on his mobile phone. This identity was validated by a trusted party selected by Woodgrove to perform the automated computerised checks.
14. Now Andrew Doe will onboard as a new employee of Woodgrove and provide his digital Verified ID (digital passport) to Woodgrove to prove his identity. Andrew clicks the option Access Personalized portal. A QR code appears, and Andrew must prove his identity to Woodgrove. Continue to the next step.
15. Now that Andrew has a verified digital ID (passport) on his phone, he can use the Verified ID to scan the QR code and prove his identity to Woodgrove, his new employer. Andrew clicks Verified IDs in his Authenticator app and scans the QR code on the screen. He clicks Share.
16. Andrew clicks the button Continue onboarding.
17. Success. Andrew has completed the verification process and gained access to the Woodgrove employee portal. He has proved his identity and can now continue to retrieve a second digital Verified ID to prove that he is an employee of Woodgrove. He can later use this employee Verified ID to order a laptop at a discounted rate, a benefit of being an employee of Woodgrove.
Andrew clicks, Retrieve my Verified ID
18. He scans the QR code visible on the screen using the Authenticator app and types in the PIN when requested. He clicks Add.
19. Andrew now has two digital identities in his Authenticator app. One is his digital passport Verified ID and the other proves that he is an employee at Woodgrove.
20. Time to order a laptop as an employee of Woodgrove. Andrew clicks Visit Proseware, which directs him to a third-party website.
21. There is a problem for now. Andrew sees hardware at full price and not at the discounted rates. Andrew clicks Access discounts.
22. He clicks the option Verify my Employee Credential. Andrew must use his stored digital Woodgrove employee Verified ID to prove that he is an employee of Woodgrove. He clicks Verify my employee Credential.
23. He scans the QR code presented to him using his Authenticator app. He clicks the option Select a Verified ID and picks the Verified Employee ID stored in his Authenticator app. He clicks Confirm and then clicks Share.
24. That’s it. The verified ID which proves Andrew is an employee at Woodgrove has been applied and he can now see discounted prices on all hardware. There was no requirement to prove that Andrew is a Woodgrove employee by providing Proseware his employee ID or a picture of his company badge. The process was easy and quick.
If you want to set up Microsoft Entra Verified ID for a website or portal, the setup documentation is available on the Microsoft Learn website at the links below:
1. Microsoft Entra Verified ID Introduction
2. Tutorial – Manual Microsoft Entra Verified ID setup
3. Tutorial – Issue Microsoft Entra Verified ID credentials from an application
That’s it for now. I hope you found this post useful. See you at the next one.