Outdated IDs, lost or stolen passwords, and user wrongdoing all demand that both issuers and holders be able to revoke credentials. A centralized system relies on a main database, typically one per application, and users revoke their credentials through each issuing authority. In a decentralized identity management framework, by contrast, users have complete control over how their identities are used and shared, but there is no help-line or 1-800 number to call. As they say, with great power comes great responsibility.
Since issuing authorities still need a way to invalidate credentials, decentralized models like Instnt use a revocation registry. This allows for swift, accurate invalidation of credentials, which is essential to maintaining a digital identity system's integrity. Learn what credential revocation is and how it benefits companies and their customers.
Credential Revocation: Definition and Methods
Credential revocation invalidates or voids digital credentials, such as access badges or passwords. An individual holder or issuer may revoke credentials for several reasons. Common triggers include a lost or stolen device, an employee changing roles, or an employee leaving the organization.
In addition, a company that uses a decentralized identity solution may revoke credentials if a policy violation or security breach occurs, or it may set an expiration date for revocation when issuing credentials. For example, after Instnt Access™ confirms an end user's identity, it provides a secure credential pass with an expiry date for revocation.
Decentralized identity systems use blockchain-based revocation. Distributed ledger technology lets users check a credential's status or revoke it, and it records those actions in a tamper-proof, transparent way.
With self-revocation (revocation by the holder), an individual cancels their credentials. It gives users control over their digital identity, letting them remove or update credentials. Conversely, revocation by the issuer means an organization that issues certificates also has the authority to manage and revoke them.
How Credential Revocation Works In Decentralized Identity
Credential revocation generally relies on cryptographic tools and public key infrastructure (PKI). Once an issuer or holder revokes a credential, it is marked as invalid by adding its unique identifier to a revocation registry on the distributed ledger. This registry takes the form of a cryptographic accumulator, a data structure that can be queried for a particular identifier without exposing the other identifiers it contains. Listing the identifier renders the credential unusable for access or authentication.
The credential revocation process involves the following:
- Credential revocation lists (CRLs): Issuers publish information on the blockchain or maintain digital lists containing the revoked credentials' metadata or identifiers.
- Smart contracts: The blockchain stores self-executing contracts, which define the conditions and rules for revocation. For instance, smart contracts with an expiry date can automatically revoke credentials upon expiration and update the CRL.
- Privacy: Decentralized identity systems give users control over their personal data, and credential revocation can preserve that control. A credential's status can be set to revoked without disclosing personal details or the reason for revocation.
- Interoperability standards: The World Wide Web Consortium (W3C) offers a framework for issuing, verifying, and revoking credentials on various decentralized identity platforms.
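The following is an added example written for this article; it is not Instnt's code and does not implement the W3C specification. It models the process just described in a single Python module: a registry that lists revoked credentials by a salted SHA-256 digest of their identifier (a simplified stand-in for the cryptographic accumulator, chosen so that reading the registry does not expose other identifiers), revocation by either the holder or the issuer, expiry-triggered revocation of the kind the text attributes to a smart contract, a verifier-side status check, and a hash-chained append-only log whose integrity can be checked. The `Credential` fields, the registry salt, the `expiry-policy` actor name, and all identifiers and timestamps in `demo()` are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # chain head before any entry has been recorded


@dataclass(frozen=True)
class Credential:
    credential_id: str   # unique identifier the issuer embedded in the credential
    issuer: str
    holder: str
    expires_at: int      # Unix time; 0 means the credential never expires


def commitment(credential_id: str, registry_salt: str) -> str:
    """Digest under which a credential is listed. The registry stores and is
    queried by digests, so reading it does not reveal the raw identifiers of
    other revoked credentials. Simplified stand-in for a real accumulator."""
    return hashlib.sha256(f"{registry_salt}:{credential_id}".encode()).hexdigest()


def _entry_hash(record: dict) -> str:
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class RevocationRegistry:
    """Append-only, hash-chained registry of revoked credential digests."""

    def __init__(self, registry_salt: str):
        self.salt = registry_salt
        self.revoked = {}        # digest -> hash of the log entry that revoked it
        self.log = []            # (record, entry_hash) pairs, oldest first
        self.head = GENESIS      # hash of the latest entry

    def _record(self, cred: Credential, actor: str, at: int) -> str:
        """Append a revocation entry. Only the digest, the acting party and the
        time are published: no personal details and no reason."""
        digest = commitment(cred.credential_id, self.salt)
        if digest in self.revoked:
            return self.revoked[digest]          # already listed; idempotent
        record = {"digest": digest, "actor": actor, "at": at, "prev": self.head}
        entry_hash = _entry_hash(record)         # commits to the previous entry
        self.log.append((record, entry_hash))
        self.head = entry_hash
        self.revoked[digest] = entry_hash
        return entry_hash

    def revoke(self, cred: Credential, actor: str, at: int) -> str:
        """Revocation by the holder (self-revocation) or by the issuer. The
        actor check stands in for verifying a signed revocation request."""
        if actor not in (cred.issuer, cred.holder):
            raise PermissionError(f"{actor} may not revoke {cred.credential_id}")
        return self._record(cred, actor, at)

    def sweep_expired(self, creds, now: int) -> int:
        """Expiry-triggered revocation (the role the text gives a smart
        contract): list every credential whose expiry time has passed."""
        swept = 0
        for cred in creds:
            if cred.expires_at and cred.expires_at <= now:
                if commitment(cred.credential_id, self.salt) not in self.revoked:
                    self._record(cred, "expiry-policy", now)
                    swept += 1
        return swept

    def is_valid(self, cred: Credential, now: int) -> bool:
        """Verifier-side check: not past expiry and not listed in the registry."""
        if cred.expires_at and cred.expires_at <= now:
            return False
        return commitment(cred.credential_id, self.salt) not in self.revoked

    def verify_log(self) -> bool:
        """Recompute the hash chain; False if any entry was altered or removed."""
        prev = GENESIS
        for record, entry_hash in self.log:
            if record.get("prev") != prev or _entry_hash(record) != entry_hash:
                return False
            prev = entry_hash
        return prev == self.head


def demo() -> dict:
    """Self-revocation, expiry revocation and log verification on constructed data."""
    reg = RevocationRegistry("example-registry-salt")
    now = 1_700_000_000
    badge = Credential("cred-0001", issuer="issuer.example", holder="alice", expires_at=now + 3600)
    visitor = Credential("cred-0002", issuer="issuer.example", holder="bob", expires_at=now - 60)
    out = {"badge_valid_before": reg.is_valid(badge, now)}
    reg.revoke(badge, actor="alice", at=now)      # holder reports a lost phone
    out["badge_valid_after"] = reg.is_valid(badge, now)
    out["swept"] = reg.sweep_expired([badge, visitor], now)
    out["visitor_listed"] = commitment("cred-0002", reg.salt) in reg.revoked
    out["log_ok"] = reg.verify_log()
    return out


if __name__ == "__main__":
    print(demo())
```

A verifier that is handed a credential can compute its digest and query the registry for that one entry; it learns nothing about other listed credentials. The chained log gives the tamper-evidence the text attributes to the ledger, in that altering or deleting any earlier entry invalidates every hash after it.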
Credential Revocation Benefits
Credential revocation is vital for maintaining the security, integrity and trustworthiness of digital identity systems. It prevents unauthorized access and ensures that only current, valid credentials are accepted. Being able to check and remove credentials swiftly matters, considering that 82% of data breaches involve the human element, according to Verizon's Data Breach Investigations Report.
The advantages of credential revocation include:
- Enhances security: Revoking credentials quickly helps mitigate the risks of unauthorized access, identity theft and data breaches. It prevents unauthorized parties from misusing credentials to reach services or resources.
- Provides real-time updates: Identity systems that use distributed ledger technology allow for fast and up-to-date revocation checks. Companies can verify a credential's validity in real-time, reducing the risk associated with outdated information.
- Increases trust: Consumer confidence in your company is integral to your brand. By promptly revoking compromised or expired credentials, you assure those who rely on your identity system that the certificates are valid and trustworthy.
- Ensures compliance: Automating credential revocation helps organizations meet regulatory requirements in the healthcare, government and finance sectors.
Successfully Manage the Credential Lifecycle
With Instnt, your company can use a revocation registry to verify credentials and easily manage them for lost devices and more. Instnt's digital onboarding solution lets customers sign up or sign on with one click, making onboarding and re-authentication seamless. Learn how credential revocation works with Instnt by booking a demo.
Jessica Elliott is a business technology writer specializing in cloud-hosted and cybersecurity services. Her work appears in U.S. News, Business.com and Investopedia.
Sources
World Wide Web Consortium – Decentralized Identifiers (DIDs) v1.0
Verizon – Data Breach Investigations Report