TL;DR: Verifiable credentials combine claims, source validation, document checks, biometrics, and liveness testing to strengthen identity assurance under NIST 800-63-3, according to 1Kosmos. The practical issue is not whether the model is stronger, but whether verification depth, fraud resistance, and false-positive handling are governed consistently across identity programmes.
NHIMG editorial — based on content published by 1Kosmos: Understanding the Basics of Verifiable Credentials
Questions worth separating out
Q: How should organisations set identity proofing standards for high-risk access?
A: Start by defining the assurance level required for each use case, then require evidence that matches the sensitivity of the decision.
Q: Why do biometrics need liveness checks in identity verification?
A: Biometrics alone can be replayed, copied, or faked with images and video.
Q: When should teams use stronger identity assurance instead of basic authentication?
A: Use stronger assurance when the cost of identity failure is high, such as onboarding, password recovery, regulated transactions, or access to sensitive systems.
Practitioner guidance
- Define assurance levels for each identity journey Map onboarding, account recovery, step-up verification, and privileged access approval to distinct assurance thresholds so teams know when IAL1-style evidence is not enough.
- Require multiple independent sources for high-risk claims Do not allow a single document or self-asserted field to establish trust for sensitive use cases.
- Add liveness checks to biometric proofing Use dynamic challenge-response prompts for any flow that depends on facial or fingerprint evidence, especially where replay, deepfake, or presentation attacks would create material risk.
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- The step-by-step verification flow used to compare claims, documents, and external databases.
- The practical use of liveness prompts and biometric checks in remote identity proofing.
- How the article maps its verification process to NIST 800-63-3 assurance thinking.
- The vendor's own description of where additional sources of truth fit into the identity journey.
👉 Read 1Kosmos's explanation of verifiable credentials and identity assurance →
Verifiable credentials and IAL scoring: are controls keeping up?
Explore further
Verifiable credentials are an assurance model, not a document format. The article correctly frames identity proofing as the combination of claims, documents, authoritative checks, biometrics, and liveness. That matters because many programmes still overvalue a single digital artefact and underweight the provenance behind it. The practitioner conclusion is simple: the credential matters less than the chain of verification behind it.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- Another finding from the same research shows that 97% of NHIs carry excessive privileges, which is why proofing and governance often fail when they are treated as one-off events.
A question worth separating out:
Q: What do security teams get wrong about verifiable credentials?
A: The most common mistake is treating a digital credential as proof by itself. A verifiable credential is only as strong as the claims, sources, and checks behind it. Governance should focus on provenance, assurance level, and the business decision being made, not just the token or document format.
👉 Read our full editorial: Verifiable credentials are raising the bar for identity assurance