Outdated IDs, lost or stolen passwords, and user wrongdoing all demand that both issuers and holders be able to revoke credentials. A centralized system relies on a main database, typically one per application, and users revoke their credentials through each issuing authority. In a decentralized identity management framework, by contrast, users have complete control over how their identities are used and shared, but there is no help line or 1-800 number to call. As they say, with great power comes great responsibility.
Because issuing authorities still need a way to invalidate credentials, decentralized models like Instnt use a revocation registry. It lets a credential be invalidated quickly and accurately, which is essential to maintaining a digital identity system's integrity. Learn what credential revocation is and how it benefits companies and their customers.
Credential revocation invalidates digital credentials, such as access badges, certificates or passwords. Either the holder or the issuer may revoke a credential, and for several reasons: a device is lost or stolen, a password is compromised, or an employee changes roles or leaves an organization.
In addition, a company that uses a decentralized identity solution may revoke credentials after a policy violation or security breach, or set an expiration date at issuance so that the credential lapses automatically. For example, after Instnt Access™ confirms an end user's identity, it issues a secure credential pass with an expiry date, after which the pass is no longer accepted.
Decentralized identity systems typically anchor revocation on a blockchain or other distributed ledger. The ledger lets verifiers check a credential's status and lets issuers or holders revoke it, with every action recorded in a tamper-evident, publicly auditable way. Note that a ledger makes tampering detectable rather than impossible, so a verifier must also confirm that a status entry was written by the credential's actual issuer.
With self-revocation (revocation by the holder), an individual cancels their own credential, for instance after losing the device that held it. This gives users control over their digital identity, letting them remove or update credentials. With revocation by the issuer, the organization that issued the credential keeps the authority to manage and revoke it, for example after a policy violation.
Credential revocation relies on cryptographic tools and public key infrastructure (PKI). When an issuer or holder revokes a credential, its unique identifier is added to a revocation registry on the distributed ledger, marking it invalid. The registry is commonly implemented as a cryptographic accumulator: a compact commitment to a set that lets a verifier check one identifier's status, or a holder prove that their credential is not revoked, without the registry exposing the other identifiers it contains. Once listed, the credential can no longer be used for access or authentication.
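The issuer/holder roles and the accumulator-backed registry described above, as an added example; this is not Instnt's code or any product's API. It assumes an RSA accumulator that commits to the set of currently valid credentials and removes an element on revocation (the registry-of-revoked-identifiers design described above is the complementary, non-membership variant; the verifier's check is the same in spirit). The issuer maps each credential identifier to a prime with a hash-to-prime function, keeps the RSA factorisation as the trapdoor that lets it remove a prime, and publishes the accumulator value plus an update log; each holder keeps a witness and refreshes it from that log after other credentials are issued or revoked. The names (`RevocationRegistry`, `Holder`, `hash_to_prime`, the `did:example:` identifiers) and the 1024-bit toy modulus are assumptions for illustration. A production scheme wraps the final check in a zero-knowledge proof so the verifier learns only "still valid" and not the identifier; here the holder reveals its prime so the arithmetic is visible.

```python
# RSA-accumulator revocation registry: added example, not Instnt's code. Assumes the
# accumulator commits to the CURRENTLY VALID credentials; the issuer holds the trapdoor.
import hashlib
import secrets

def is_probable_prime(n, rounds=24):                 # Miller-Rabin; callers pass odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:                                      # random odd candidate with top bit set
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def hash_to_prime(credential_id):
    """Deterministically map a credential id to an odd 128-bit prime: the accumulated element."""
    c = int.from_bytes(hashlib.sha256(credential_id.encode()).digest()[:16], "big") | 1
    while not is_probable_prime(c):
        c += 2
    return c

def bezout(x, y):
    """Extended Euclid: (a, b) with a*x + b*y == gcd(x, y)."""
    old_r, r, old_a, a, old_b, b = x, y, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r, old_a, a, old_b, b = r, old_r - q * r, a, old_a - q * a, b, old_b - q * b
    return old_a, old_b

class RevocationRegistry:                            # issuer side; public: n, acc, log
    def __init__(self, bits=1024):                   # toy size; use >= 2048 bits in practice
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        self.n, self._phi = p * q, (p - 1) * (q - 1)   # phi(n) is the secret revocation trapdoor
        self.g = self.acc = pow(secrets.randbelow(self.n - 2) + 2, 2, self.n)  # empty set
        self.log, self._valid = [], set()            # log entries: (kind, prime, acc after)

    def issue(self, credential_id):
        e = hash_to_prime(credential_id)
        if e in self._valid:
            raise ValueError("credential already issued")
        self._valid.add(e)
        self.acc = pow(self.acc, e, self.n)
        self.log.append(("issue", e, self.acc))
        # witness = acc^(1/e): only the trapdoor holder can take e-th roots mod n
        return e, pow(self.acc, pow(e, -1, self._phi), self.n)

    def revoke(self, credential_id):
        e = hash_to_prime(credential_id)
        self._valid.remove(e)                        # KeyError: never issued or already revoked
        self.acc = pow(self.acc, pow(e, -1, self._phi), self.n)  # strip e from the exponent
        self.log.append(("revoke", e, self.acc))

def verify(n, acc, e, witness):
    """Verifier: accept iff witness^e == acc (mod n), i.e. e is still in the valid set."""
    return pow(witness, e, n) == acc

class Holder:                                        # keeps (e, witness); replays the public log
    def __init__(self, registry, credential_id):
        self.n = registry.n
        self.e, self.w = registry.issue(credential_id)
        self.synced = len(registry.log)              # log entries already reflected in self.w

    def sync(self, registry):
        for kind, other, acc in registry.log[self.synced:]:
            if other == self.e:                      # our own revocation: no valid witness exists
                continue
            if kind == "issue":                      # new member: fold its prime into the witness
                self.w = pow(self.w, other, self.n)
            else:                                    # removal: a*other + b*e == 1 (distinct primes)
                a, b = bezout(other, self.e)
                self.w = pow(self.w, a, self.n) * pow(acc, b, self.n) % self.n
        self.synced = len(registry.log)

def demo():
    reg = RevocationRegistry()
    alice, bob = Holder(reg, "did:example:alice#cred-1"), Holder(reg, "did:example:bob#cred-7")
    ok = lambda h: verify(reg.n, reg.acc, h.e, h.w)  # the two ids above are constructed samples
    alice.sync(reg)                                  # Alice's witness picks up Bob's issuance
    out = {"both_valid": ok(alice) and ok(bob)}
    reg.revoke("did:example:bob#cred-7")             # e.g. Bob reports his device stolen
    out["stale_witness_rejected"] = not ok(bob)      # old witness no longer matches acc
    alice.sync(reg); bob.sync(reg)
    out.update(alice_still_valid=ok(alice), bob_revoked=not ok(bob))
    return out

if __name__ == "__main__":
    print(demo())
```

Running the file prints four booleans that should all be True. Two points the arithmetic makes concrete: a holder never needs the registry's member list, only the public log, to keep its witness current; and once its own prime has been stripped from the accumulator, no sequence of public updates yields a witness that passes, because producing one would require an e-th root modulo n, which is exactly the issuer's trapdoor. The stale-witness case also shows why a verifier must compare against the issuer's current accumulator value rather than a cached copy.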
The credential revocation process involves the following:
Credential revocation is vital to the security, integrity and trustworthiness of digital identity systems. It cuts off access through compromised or stale credentials and ensures that only current, valid credentials are accepted. Being able to check and remove credentials swiftly matters all the more given that 82% of data breaches involve the human element, according to Verizon's Data Breach Investigations Report.
The advantages of credential revocation include:
With Instnt, your company can use a revocation registry to verify credentials and to manage them easily when a device is lost or in other situations that call for revocation. Instnt's digital onboarding solution lets customers sign up or sign on with one click, making onboarding and re-authentication seamless. Learn how credential revocation works with Instnt by booking a demo.
Jessica Elliott is a business technology writer specializing in cloud-hosted and cybersecurity services. Her work appears in U.S. News, Business.com and Investopedia.
Sources
World Wide Web Consortium – Decentralized Identifiers (DIDs) v1.0
Verizon – Data Breach Investigations Report