Note: At Trinsic, we are driven by our passion to make it easy for developers to implement self-sovereign identity (SSI). We cherish feedback and implement new features regularly. We are excited to start providing our community with regular updates on our products and API. Below is the first of many future blog posts that will take a deeper look at the features we are most excited about.
The Trinsic team is excited to introduce connectionless credentials and verifications in our API and Trinsic Studio. The term connectionless credentials may raise the eyebrows of even the SSI experienced, so I hope this post will shed some light on what they are and why they matter.
Connectionless credentials, or ephemeral verifiable credentials, stand to change the self-sovereign identity (SSI) space for the better by providing a more natural user experience during verifiable credential exchange.
The Value of Connections
When I first learned about SSI, I remember completing the Alice Gets a Loan Indy-SDK walkthrough. Going through that step-by-step tutorial made me realize there is a common paradigm associated with SSI interactions—a connection must be made before any additional information is shared.
In the SSI context, “Connection” refers to private, pairwise DID exchange. It means you’ve created a new identifier and private keys for this relationship, and the counterparty has done the same for you. When you send information to one of your connections, you can be certain only the receiver can decrypt the payload.
In the Alice Gets a Loan example, Alice must first make a connection with Faber College before receiving a credential. She must then make a connection with ACME Corp in order to send proof of her credential.
Connections can replace the account creation process in seconds without needing to worry about a username or password. They also enable a peer-to-peer, mutually authenticated, fully encrypted channel with no intermediary facilitating the communication. In short, connections create cryptographic trust between two endpoints.
Connectionless Credential Exchange
While connections are fantastic and useful, the reality is that organizations already have ways to authenticate people, servers, and devices that they interact with. These approaches are myriad and have varying degrees of security and convenience—tradeoffs that each application makes for itself. It is wise to leverage these existing authentication and communication channels to facilitate credential exchange.
For example, a newsletter may have enabled you to sign up via Facebook, a subscription web service via username/password, and an employee portal via 2FA. In each of these cases, you’ve already been authenticated (or, ‘connected’) to the company through a means they’ve deemed acceptable.
In each of these situations, connectionless credentials and verifications can eliminate extra steps in the user experience and integration complexity for developers. Because the two parties already trust one another, the marginal benefit of creating an extra connection through which credentials are issued is possibly not worth the added complexity to the user. In both online and offline interactions, connectionless credentials can be used whenever the issuer and holder already trust their channel of communication.
We consider establishing a connection to be best practice for security. However, there are other great ways to securely interact and communicate as well that we can build on. At Trinsic, we focus on building the best tools and leaving it up to the application developers to decide what is best for their situation. In general, we recommend establishing a connection when you intend to frequently exchange verifiable credentials between two parties and using connectionless credentials when the interaction is transactional. Otherwise, in a world of ubiquitous SSI interactions, end users will end up managing keys to all of the smart door locks, public transportation, and government bureaucracies (DMV) that they ever meet.
Trinsic’s Use of Connectionless Credentials and Verification
We use connectionless credentials to let users log in to the Trinsic Studio. We do this by sending a credential offer directly to users’ email inboxes. When they log in to their email provider and scan the QR code to accept the credential, they have proven ownership over their email, and we issue a credential to their digital wallet.
Then we can display a connectionless verification on the Trinsic Studio login page, and anyone who can prove possession of a login credential issued by Trinsic can log in to the account that is tied to their email.
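The following is an added, simplified model of that login flow; it is not Trinsic's API or code, and the message shapes, the HMAC stand-in for a real credential signature, the shared issuer/verifier key, the account table and the sample email address are all constructed assumptions. It shows the two security properties a practitioner would check in such a design: the emailed offer is single-use and time-limited (the inbox is the already-trusted channel, so whoever redeems the nonce has proven control of that address), and the login-page verification is a challenge-response whose challenge is consumed on first use, so a captured proof cannot be replayed. Holder key binding (proof of possession of the wallet key) is deliberately not modelled.

```python
import hashlib
import hmac
import json
import secrets

# Constructed secret standing in for the issuer's signing key. Issuer and
# verifier are the same organisation in this flow, so one MAC key suffices.
ISSUER_KEY = b"constructed-issuer-secret"


def sign(key: bytes, payload: dict) -> str:
    """HMAC over canonical JSON; a stand-in for a real credential signature."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Issuer:
    """Creates one-time credential offers and issues credentials against them."""

    def __init__(self, key: bytes, offer_ttl: int = 900):
        self.key, self.offer_ttl = key, offer_ttl
        self.pending = {}  # offer nonce -> (email, expiry)

    def create_offer(self, email: str, now: int) -> dict:
        # Sent to the user's inbox: the nonce is unguessable and bound to that email.
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = (email, now + self.offer_ttl)
        return {"type": "credential-offer", "nonce": nonce, "email": email}

    def accept_offer(self, nonce: str, now: int) -> dict:
        record = self.pending.pop(nonce, None)  # pop, never get: single use
        if record is None:
            raise ValueError("unknown or already-used offer")
        email, expiry = record
        if now > expiry:
            raise ValueError("offer expired")
        claims = {"type": "login-credential", "email": email, "issued_at": now}
        return {"claims": claims, "sig": sign(self.key, claims)}


class Holder:
    """The user's wallet (holder key binding not modelled)."""

    def __init__(self):
        self.wallet = []

    def scan_offer(self, offer: dict, issuer: Issuer, now: int) -> dict:
        cred = issuer.accept_offer(offer["nonce"], now)
        self.wallet.append(cred)
        return cred

    def present(self, request: dict) -> dict:
        cred = next(c for c in self.wallet if c["claims"]["type"] == "login-credential")
        return {"credential": cred, "challenge": request["challenge"]}


class Verifier:
    """The login page: issues challenges and checks presented credentials."""

    def __init__(self, key: bytes, accounts: dict, challenge_ttl: int = 120):
        self.key, self.accounts, self.challenge_ttl = key, accounts, challenge_ttl
        self.challenges = {}  # challenge -> expiry

    def create_request(self, now: int) -> dict:
        challenge = secrets.token_urlsafe(16)
        self.challenges[challenge] = now + self.challenge_ttl
        return {"type": "verification-request", "challenge": challenge}

    def verify(self, proof: dict, now: int):
        """Return the account id on success, None on any failure."""
        expiry = self.challenges.pop(proof.get("challenge"), None)  # consumed
        if expiry is None or now > expiry:
            return None  # unknown, replayed or stale challenge
        cred = proof["credential"]
        if not hmac.compare_digest(cred["sig"], sign(self.key, cred["claims"])):
            return None  # not issued by us, or claims tampered with
        if cred["claims"].get("type") != "login-credential":
            return None
        return self.accounts.get(cred["claims"]["email"])


def demo() -> dict:
    """Run the flow once and record which checks pass or fail."""
    now = 1_700_000_000
    issuer = Issuer(ISSUER_KEY)
    verifier = Verifier(ISSUER_KEY, {"alice@example.com": "acct-42"})  # constructed
    holder = Holder()

    offer = issuer.create_offer("alice@example.com", now)  # emailed to Alice
    holder.scan_offer(offer, issuer, now + 60)             # Alice scans the QR
    try:                                                   # a second scan fails
        issuer.accept_offer(offer["nonce"], now + 61)
        offer_reuse_rejected = False
    except ValueError:
        offer_reuse_rejected = True

    proof = holder.present(verifier.create_request(now + 300))
    account = verifier.verify(proof, now + 310)
    replay = verifier.verify(proof, now + 311)             # same proof again

    bad = holder.present(verifier.create_request(now + 400))
    bad["credential"] = {"claims": dict(bad["credential"]["claims"], email="mallory@example.com"),
                         "sig": bad["credential"]["sig"]}
    tampered = verifier.verify(bad, now + 401)

    return {"login_account": account, "offer_reuse_rejected": offer_reuse_rejected,
            "replay_rejected": replay is None, "tampered_rejected": tampered is None}
```

The two `pop` calls are the whole point: an offer nonce and a verification challenge each exist exactly once on the server side, so redeeming or presenting twice fails closed. A real deployment would replace the HMAC with the issuer's signature scheme, add holder binding so the proof is signed by the wallet key, and persist the nonce tables in shared storage rather than process memory.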
Here’s an example of connectionless credentials in action:
The Trinsic Studio allows anyone to begin issuing verifiable credentials within minutes. Self-sovereign identity and verifiable credentials open up a world of possibilities for developers. If your project would benefit from a seamless user experience and added security, consider integrating connectionless verifiable credentials. You can start for free at https://studio.trinsic.id/.