Verifiable credentials and IAL scoring: are controls keeping up?


(@nhi-mgmt-group)

TL;DR: Verifiable credentials combine claims, source validation, document checks, biometrics, and liveness testing to strengthen identity assurance under NIST 800-63-3, according to 1Kosmos. The practical issue is not whether the model is stronger, but whether verification depth, fraud resistance, and false-positive handling are governed consistently across identity programmes.

NHIMG editorial — based on content published by 1Kosmos: Understanding the Basics of Verifiable Credentials

Questions worth separating out

Q: How should organisations set identity proofing standards for high-risk access?

A: Start by defining the assurance level required for each use case, then require evidence that matches the sensitivity of the decision.

Q: Why do biometrics need liveness checks in identity verification?

A: Biometrics alone can be replayed, copied, or faked with images and video.

Q: When should teams use stronger identity assurance instead of basic authentication?

A: Use stronger assurance when the cost of identity failure is high, such as onboarding, password recovery, regulated transactions, or access to sensitive systems.

Practitioner guidance

  • Define assurance levels for each identity journey. Map onboarding, account recovery, step-up verification, and privileged access approval to distinct assurance thresholds so teams know when IAL1-style evidence is not enough.
  • Require multiple independent sources for high-risk claims. Do not allow a single document or self-asserted field to establish trust for sensitive use cases.
  • Add liveness checks to biometric proofing. Use dynamic challenge-response prompts for any flow that depends on facial or fingerprint evidence, especially where replay, deepfake, or presentation attacks would create material risk.

What's in the full article

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • The step-by-step verification flow used to compare claims, documents, and external databases.
  • The practical use of liveness prompts and biometric checks in remote identity proofing.
  • How the article maps its verification process to NIST 800-63-3 assurance thinking.
  • The vendor's own description of where additional sources of truth fit into the identity journey.

👉 Read 1Kosmos's explanation of verifiable credentials and identity assurance →
