TL;DR: Verifiable credentials combine claims, source validation, document checks, biometrics, and liveness testing to strengthen identity assurance under NIST 800-63-3, according to 1Kosmos. The practical issue is not whether the model is stronger, but whether verification depth, fraud resistance, and false-positive handling are governed consistently across identity programmes.
At a glance
What this is: This is an explainer on verifiable credentials and how multi-source identity proofing raises assurance beyond single-claim checks.
Why it matters: It matters because IAM teams must decide where stronger proofing improves trust, where it adds friction, and how those controls fit into broader human identity governance.
Context
Verifiable credentials are a higher-assurance way to establish identity online because they do not rely on a single asserted claim. They combine documents, authoritative data sources, biometrics, and liveness checks to reduce the chance that one compromised signal can pass as trustworthy identity proofing.
For IAM and identity governance teams, the practical question is where this level of assurance belongs in the lifecycle. The answer affects onboarding, step-up verification, fraud prevention, and the confidence threshold for access to sensitive systems and regulated workflows.
Key questions
Q: How should organisations set identity proofing standards for high-risk access?
A: Start by defining the assurance level required for each use case, then require evidence that matches the sensitivity of the decision. High-risk enrolment, recovery, and privileged access should rely on multiple trusted sources, not a single document or self-asserted claim. The standard should be consistent across the identity lifecycle.
Q: Why do biometrics need liveness checks in identity verification?
A: Biometrics alone can be replayed, copied, or faked with images and video. Liveness checks add a real-time challenge so the system can confirm that a live person is present during verification. Without that layer, biometric proofing is much easier to spoof in high-risk flows.
Q: When should teams use stronger identity assurance instead of basic authentication?
A: Use stronger assurance when the cost of identity failure is high, such as onboarding, password recovery, regulated transactions, or access to sensitive systems. Basic authentication answers who is logging in, but assurance answers whether the identity was sufficiently verified before trust was granted.
Q: What do security teams get wrong about verifiable credentials?
A: The most common mistake is treating a digital credential as proof by itself. A verifiable credential is only as strong as the claims, sources, and checks behind it. Governance should focus on provenance, assurance level, and the business decision being made, not just the token or document format.
Technical breakdown
Claim validation and source of truth in identity proofing
A claim is any fact an identity asserts about itself, such as a name, date of birth, or address. Verifiable credential models do not treat claims as proof. They require those claims to be checked against trusted sources so the verifier can establish that the asserted identity aligns with independent evidence. That is why the model moves beyond one document or one database lookup. In practice, the strength comes from correlation across multiple signals, not from the presence of a digital document alone.
Practical implication: design identity proofing so that no single claim can establish trust on its own.
Document verification, authoritative checks, and assurance levels
Document verification typically starts with government-issued or bank-issued evidence, then compares data points across documents and external databases. In the article's framing, a passport and driving licence can be cross-checked against each other first, then validated against authoritative systems such as government records before the process is allowed to advance. That layered approach aligns with the assurance thinking in NIST SP 800-63-3 (the identity proofing requirements sit in the SP 800-63A volume), where the verifier raises confidence step by step instead of assuming all evidence is equally reliable. The control challenge is consistency: the assurance level a process can claim is bounded by the weakest evidence path it accepts, so one lax channel lowers the level for the whole journey.
Practical implication: map each proofing step to an explicit assurance threshold and stop progression when evidence quality is insufficient.
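The correlation rule and the assurance gate described in the two sections above, as an added example (not code from the 1Kosmos article or from NHIMG): evidence from several issuers is normalised, checked for agreement on each required claim, counted by distinct issuer rather than by document, and measured against a per-journey threshold before the journey is allowed to proceed. The journey names, the evidence strength labels (borrowed from the SP 800-63A vocabulary of fair/strong/superior), the policy numbers, the issuer names and the sample records are all hypothetical and constructed for the example.

```python
"""Multi-source claim correlation gated by an explicit assurance threshold.

Added illustration, not code from 1Kosmos or NHIMG. Evidence strength labels
borrow the NIST SP 800-63A vocabulary (fair/strong/superior); journey names,
policy numbers, issuers and sample records are hypothetical.
"""
import unicodedata
from dataclasses import dataclass
from typing import Dict, List

STRENGTH_RANK = {"weak": 0, "fair": 1, "strong": 2, "superior": 3}
REQUIRED_CLAIMS = ("name", "dob")

# Hypothetical per-journey thresholds: how many independent issuers must
# corroborate each required claim, and the weakest evidence that counts at all.
POLICY = {
    "profile_update":    {"min_sources": 1, "min_strength": "fair"},
    "onboarding":        {"min_sources": 2, "min_strength": "strong"},
    "account_recovery":  {"min_sources": 2, "min_strength": "strong"},
    "privileged_access": {"min_sources": 3, "min_strength": "superior"},
}


@dataclass(frozen=True)
class Evidence:
    source: str             # what was presented, e.g. "passport"
    issuer: str             # authority behind it; independence is counted per issuer
    strength: str           # one of STRENGTH_RANK
    claims: Dict[str, str]  # claim values exactly as this source asserts them


def normalise(value: str) -> str:
    """Canonicalise a claim value so accents, case and spacing are not read as conflicts."""
    text = unicodedata.normalize("NFKD", value)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return " ".join(text.casefold().split())


def proof(journey: str, evidence: List[Evidence]) -> dict:
    """Decide a proofing journey and return the audit record of who supported it.

    Fails closed on an unknown journey, on too few independent issuers for any
    required claim, and on any disagreement between qualifying sources.
    """
    supporting: Dict[str, List[str]] = {}

    def fail(reason: str) -> dict:
        return {"passed": False, "reason": reason, "supporting": supporting}

    policy = POLICY.get(journey)
    if policy is None:
        return fail(f"no policy defined for journey {journey!r}")

    floor = STRENGTH_RANK[policy["min_strength"]]
    qualifying = [e for e in evidence if STRENGTH_RANK[e.strength] >= floor]

    for claim in REQUIRED_CLAIMS:
        agreed = None   # (normalised value, issuer that first asserted it)
        issuers = set()
        for e in qualifying:
            if claim not in e.claims:
                continue
            value = normalise(e.claims[claim])
            if agreed is None:
                agreed = (value, e.issuer)
            elif value != agreed[0]:
                return fail(f"{claim} conflict between {agreed[1]} and {e.issuer}")
            issuers.add(e.issuer)   # two documents from one issuer count once
        if len(issuers) < policy["min_sources"]:
            return fail(f"{claim} corroborated by {len(issuers)} independent issuer(s), "
                        f"{policy['min_sources']} required")
        supporting[claim] = sorted(issuers)

    return {"passed": True, "reason": "threshold met", "supporting": supporting}


# Constructed sample evidence for the example; not real records.
PASSPORT = Evidence("passport", "passport_authority", "superior",
                    {"name": "María  López", "dob": "1990-01-05"})
LICENCE = Evidence("driving_licence", "driver_licensing_agency", "strong",
                   {"name": "maria lopez", "dob": "1990-01-05"})
BANK_KYC = Evidence("bank_kyc_record", "bank", "strong",
                    {"name": "Maria Lopez", "dob": "1990-01-05"})
SELF_ASSERTED = Evidence("web_form", "applicant", "weak",
                         {"name": "Maria Lopez", "dob": "1990-01-05"})
FORGED_LICENCE = Evidence("driving_licence", "driver_licensing_agency", "strong",
                          {"name": "maria lopez", "dob": "1991-01-05"})

if __name__ == "__main__":
    for journey, bundle in [("onboarding", [PASSPORT, LICENCE]),
                            ("onboarding", [PASSPORT, SELF_ASSERTED]),
                            ("account_recovery", [PASSPORT, FORGED_LICENCE]),
                            ("privileged_access", [PASSPORT, LICENCE, BANK_KYC])]:
        print(journey, proof(journey, bundle))
```

The decision record returned by `proof` is what the later "keep a record of which sources supported the decision" advice needs: it names the issuers behind each claim, and a failure names the conflicting issuers, so an auditor can see why a journey stopped. Note that a self-asserted web form never raises the count, and that a passport alone cannot satisfy the privileged-access journey however strong it is, because the threshold is on independent issuers rather than on document quality.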
Biometrics and liveness checks against deepfake-style fraud
Biometrics strengthen identity assurance only when they are paired with liveness testing. A facial image or stored video can be copied, but dynamic prompts such as blinking or smiling in real time create a stronger test of physical presence. That matters because modern impersonation can reuse stolen images, forged documents, or synthetic media to defeat static checks. The technical value of liveness is that it turns identity proofing from a passive comparison into an active challenge-response process: the verifier chooses the prompt, so a pre-recorded clip cannot answer it. Two caveats apply. First, real-time synthetic video can follow a blink-or-smile prompt, so an active challenge should sit alongside presentation attack detection on the captured frames and checks on the capture path itself (for example, rejecting feeds from virtual cameras). Second, the challenge must be unpredictable, short-lived, and usable once; otherwise a captured response can simply be replayed. Without that layer, biometric verification is vulnerable to replay and presentation attacks.
Practical implication: use liveness as a required control wherever biometric proofing is used for high-risk identity decisions.
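The challenge-response half of a liveness check, as an added example rather than anything from the 1Kosmos product or article: the server issues a random prompt sequence bound to the session with an HMAC and a timestamp, and accepts a capture report only if it is unaltered, unexpired, answered in the prompted order inside the challenge window, and has not been answered before. The capture SDK that actually recognises a blink or head turn is assumed to exist and to report (action, timestamp) pairs; the key, the action names, the TTL and the simulated clock in the demo are hypothetical.

```python
"""Server side of an active liveness challenge with replay and tamper protection.

Added illustration, not 1Kosmos code. The capture SDK that recognises a blink
or head turn is assumed to exist and to report (action, timestamp) pairs; this
code decides whether that report is a fresh, unaltered answer to a challenge
it issued. Key, action names and TTL are hypothetical.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Tuple

ACTIONS = ("blink", "turn_left", "turn_right", "smile", "nod")
CHALLENGE_TTL = 30.0   # seconds a challenge stays answerable (hypothetical value)


class LivenessVerifier:
    """Issues session-bound challenges and accepts each of them at most once."""

    def __init__(self, key: bytes, now: Callable[[], float] = time.time):
        self._key = key
        self._now = now          # injectable clock so expiry is testable
        self._consumed = set()   # ids of challenges already answered

    def _tag(self, session: str, cid: str, prompts: List[str], issued: float) -> str:
        # The challenge travels via the client; the MAC stops the client rewriting
        # the prompts (or the issue time) to fit a pre-recorded clip.
        msg = f"{session}|{cid}|{','.join(prompts)}|{issued:.3f}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, session: str, length: int = 3) -> Dict:
        prompts = [secrets.choice(ACTIONS) for _ in range(length)]
        cid = secrets.token_hex(16)
        issued = self._now()
        return {"session": session, "id": cid, "prompts": prompts,
                "issued_at": issued, "tag": self._tag(session, cid, prompts, issued)}

    def verify(self, challenge: Dict, response: Dict) -> Tuple[bool, str]:
        """response = {"session", "id", "observed": [(action, unix_ts), ...]}."""
        expected = self._tag(challenge["session"], challenge["id"],
                             challenge["prompts"], challenge["issued_at"])
        if not hmac.compare_digest(expected, challenge["tag"]):
            return False, "challenge tag invalid"
        if (response.get("session"), response.get("id")) != (challenge["session"], challenge["id"]):
            return False, "response not bound to this challenge"
        if challenge["id"] in self._consumed:
            return False, "replay: challenge already answered"
        self._consumed.add(challenge["id"])   # one attempt per challenge, pass or fail
        now = self._now()
        if now - challenge["issued_at"] > CHALLENGE_TTL:
            return False, "challenge expired"
        observed = response.get("observed", [])
        if [action for action, _ in observed] != challenge["prompts"]:
            return False, "observed actions do not match the prompted sequence"
        last = challenge["issued_at"]
        for action, ts in observed:
            # each action must be captured after the prompt existed, in order, and not in the future
            if not (last < ts <= now):
                return False, f"{action} captured outside the challenge window"
            last = ts
        return True, "live"


if __name__ == "__main__":
    clock = [1000.0]   # simulated clock for the demo
    v = LivenessVerifier(secrets.token_bytes(32), now=lambda: clock[0])
    ch = v.issue("demo-session")
    honest = {"session": "demo-session", "id": ch["id"],
              "observed": [(p, 1000.0 + i + 1) for i, p in enumerate(ch["prompts"])]}
    clock[0] = 1005.0
    print(v.verify(ch, honest))   # accepted on first use
    print(v.verify(ch, honest))   # rejected as a replay
```

The ordering of the checks matters: the tag and session binding are verified before the challenge id is consumed, so a forged or mis-addressed challenge cannot be used to burn a legitimate one, while any real attempt, successful or not, uses the challenge up. Timestamps earlier than the issue time are rejected outright because they can only come from footage captured before the prompt existed.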
NHI Mgmt Group analysis
Verifiable credentials are an assurance model, not a document format. The article correctly frames identity proofing as the combination of claims, documents, authoritative checks, biometrics, and liveness. That matters because many programmes still overvalue a single digital artefact and underweight the provenance behind it. The practitioner conclusion is simple: the credential matters less than the chain of verification behind it.
Identity assurance fails when organisations confuse stronger evidence with complete trust. A passport scan, a database match, and a facial check each reduce risk, but none of them removes the need for governance over when that assurance is sufficient. This is where IAM programmes often drift into inconsistency across onboarding, recovery, and step-up flows. The practitioner conclusion is that assurance thresholds must be explicit, not implied.
NIST 800-63-3 remains the right reference point for proofing discipline. The article's use of IAL1 and IAL2 shows why assurance levels are useful: they create a common language for comparing proofing strength across processes. That helps identity teams separate basic enrolment from higher-risk verification and avoid applying the same control depth everywhere. The practitioner conclusion is to anchor proofing policy to assurance levels, not to ad hoc business preference.
Deepfake-resistant identity checks belong in human IAM governance, not just fraud operations. Liveness testing is not a niche anti-fraud feature when identity is the gate to access, onboarding, or account recovery. It belongs in the same governance conversation as MFA, recovery assurance, and privileged access approval because weak proofing can contaminate the rest of the identity lifecycle. The practitioner conclusion is to treat proofing quality as an access control issue.
Verified identity should be tied to use case risk, not deployed as a blanket requirement. The article points toward a layered model, but not every workflow needs the same friction or the same evidence depth. High-risk enrolment, regulated transactions, and recovery paths deserve stronger checks than low-risk updates. The practitioner conclusion is to align proofing strength to the sensitivity of the decision being made.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- Another finding from the same research shows that 97% of NHIs carry excessive privileges, a pattern that emerges when proofing and governance are treated as one-off events rather than as lifecycle controls.
- For the broader governance pattern, see the Ultimate Guide to NHIs, Key Challenges and Risks, which connects visibility gaps to over-privilege and unmanaged credentials.
What this signals
Identity proofing will keep getting pushed closer to access control. The more organisations rely on remote enrolment and recovery, the harder it becomes to separate identity verification from authorisation decisions. For teams building mature programmes, the signal is clear: proofing quality needs to be governed alongside access policy, not left to a separate onboarding workflow.
Verifiable credentials are most useful when they reduce ambiguity in the identity lifecycle. That means onboarding, account recovery, and step-up verification should be designed as distinct assurance moments, not generic security checks. Organisations that blur those moments end up with inconsistent trust decisions and poor auditability.
Our research shows that only 5.7% of organisations have full visibility into their service accounts. That visibility gap is a reminder that identity governance still struggles with basic inventory and assurance discipline, which makes strong human proofing even more important where trust decisions carry real risk. See the Ultimate Guide to NHIs for the broader lifecycle context.
For practitioners
- Define assurance levels for each identity journey: map onboarding, account recovery, step-up verification, and privileged access approval to distinct assurance thresholds so teams know when IAL1-style evidence is not enough.
- Require multiple independent sources for high-risk claims: do not allow a single document or self-asserted field to establish trust for sensitive use cases. Cross-check claims against authoritative data and keep a record of which sources supported the decision.
- Add liveness checks to biometric proofing: use dynamic challenge-response prompts for any flow that depends on facial or fingerprint evidence, especially where replay, deepfake, or presentation attacks would create material risk.
- Separate proofing policy from access policy: treat identity verification strength as a governed input to access decisions, recovery steps, and recertification rather than as a standalone security win.
Key takeaways
- Verifiable credentials improve identity assurance by combining claims, documents, authoritative checks, and liveness into one governed proofing model.
- The real control question is not whether the evidence is digital, but whether the organisation can defend the assurance level it assigns to each identity journey.
- IAM teams should treat identity proofing as part of access governance, with explicit thresholds for onboarding, recovery, and high-risk transactions.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63A Identity Assurance Levels (IAL1 to IAL3) | The article maps verification depth to IAL-style assurance concepts. |
| NIST CSF 2.0 | PR.AA-01, PR.AA-02 | Identity proofing and credential binding support access assurance and trust decisions. |
| NIST Zero Trust (SP 800-207) | Section 2.1 tenets; Policy Engine and Policy Administrator (Section 3) | Zero trust depends on reliable identity signals before access is granted. |
Use NIST 800-63 assurance levels to set proofing thresholds for onboarding and recovery.
Key terms
- Verifiable Credential: A verifiable credential is a digitally presented set of claims that can be checked against trusted sources. It is only meaningful when the issuer, evidence chain, and verification method are governed, because the credential itself does not create trust without proof of provenance and integrity.
- Identity Assurance Level: An identity assurance level is a way to describe how much confidence a verifier has in a person’s identity after proofing. It helps teams distinguish simple enrolment from higher-risk verification and ensures that sensitive access decisions are tied to a defined standard rather than informal judgment.
- Liveness Test: A liveness test checks that a real person is present during biometric verification, rather than a photo, recording, or synthetic replay. In practice, it turns biometric proofing into a dynamic challenge-response control that is much harder to spoof with copied media or deepfakes.
- Source of Truth: A source of truth is the authoritative system or record used to validate a claim about identity. Good identity governance relies on multiple sources of truth for high-risk decisions, because any one record can be stale, incomplete, or compromised.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by 1Kosmos: Understanding the Basics of Verifiable Credentials. Read the original.
Published by the NHIMG editorial team on 2025-03-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org