Salesforce Dreampass & Safety Cloud Blaze the way for Verifiable Credentials
I’ve been making a lot of hubbub over the last year about Salesforce, Blockchain, trust, and Trailblazer ID. Here’s how Verifiable Credentials fit into it all.
Salesforce Chief Futures Officer Peter Shwartz left me thinking about the power of Verifiable Credentials (VCs) after he opened his recent post on the Salesforce blog with this:
“People’s trust in institutions, governments, and the media is at historic lows. And identity theft and digital fraud are at an all-time high. In this atmosphere, people want more control and protection over their digital identity. And organizations want more accurate, secure, and consensual methods of verifying stakeholder information. The solution? Verifiable credentials (VCs) – digital credentials people can own and control within a “digital wallet” on their smart device.”
It’s clear to me, Verifiable Credentials are worth looking at more closely due to the erosion of trust and as we put an emphasis on our own safety. People simply do not have reason to trust that their identities are safe and sound as they interact in the new digital frontier. I need look no further than how little we trust Salesforce Trailblazer ID here at Arkus, and trust is Salesforce’s number one value. I won’t even talk about the artist formerly known as Facebook beyond this one mention.
I believe as humans we inherently do not trust each other to perform transactions, this is the way it is, and the way it likely always will be. It is why we sign legal documents with one another when we agree to a partnership for various reasons (business, marriage, etc..). We even sign the papers in front of another person who has been given special powers, their title, “notary”. When I want to prove something about myself to a company, oftentimes I have to use a 3rd party document that the company trusts, for example a state-issued photo ID or driver's license, and I need to give them a copy of it.
The driver's license has a lot of information about me on it. If the company I’m transacting with only really needs to know that I am over 18 in order to meet their corporate compliance rule for example, they do not need to know my exact birth date. They certainly do not need to know my home address or anything else about me. In today’s reality, they still ask for my driver's license because we haven’t come up with a better way to resolve this, until now.
Verifiable Credentials (VCs) solve this, and allow me to own my own digital identity while providing others the ability to interact with me in a trustworthy way using a digital wallet. We all win in this trust triangle scenario.
3 Keys to the Trust Triangle
VCs are made up of three key aspects that come together to form a secure triangle of trust, this structure is very similar to that of Self-Sovereign Identity.
1 - Holder: Typically a person who holds a digital wallet full of their own Verifiable Credentials (VCs) — the holder is responsible for managing these credentials, and presenting them when challenged to prove something to a credential verifier.
2 - Credential Issuer: Issuers digitally sign attestations for the credential verifier while packaging and issuing credentials for holders. Think of a test site that tests you for covid and records the outcome by writing it in a verifiable data registry or a blockchain.
3 - Credential Verifier: A person or institution that requests proof from the holder, and verifies the issuer attestations satisfy stated requirements. Think of a company that verifies test results to allow a person who holds a Verifiable Credential (VC) into an event that requires a negative covid test for attendance.
Imagine a world where you can own your healthcare records as a holder. Super specific healthcare records. Even down to a test result for a COVID test.
Salesforce Verifies Credentials Using Dreampass and an Acquisition
Here is one example of VC in real life. This is how Dreampass (now part of Safety Cloud) works from an end user perspective, or, at least how it worked from my perspective at Dreamforce 2021:
- Attendees (like me) take covid tests from Color (vendor)
- Attendees get results via email with a QR code for that day’s event
- Upon arrival at event, we attendees present salesforce staff with QR code used to verify results from issuer
In this scenario, Salesforce does not need to store my test results, they are the credential verifier. They really just need to know that I am me, and I can verify that I have passed the covid test via Color, the issuer of this Verifiable Credential.
Salesforce seemingly integrated the workflow of knowing who I am by using Verifiable Credential Management (VCM) within Salesforce. In order to deploy VCM for Dreampass, as far as I can tell, and until someone corrects me, I’m going to go with this theory; Salesforce used an acquisition company to unveil new health and safety innovations called Credential Master.
A single place to manage and build workflows around Verifiable Credentials sounds like a really interesting theory for where CRM can go in the future. All verifiable credentials can be thought of as little micro permissions to do certain things within an organization structure, or, being granted access to specific things like an event. We can think of this internally today in our systems by drawing a parallel to Profiles, Permission Sets, and Permission Set Groups. Externally, with partners or customers, we may think of these things as literal credentials as in admin certifications, or products owned by a customer.
Using Verifiable Credentials for Mortgages — A Financial Services Use Case
I know, not exactly what you thought when you landed on the Safety Cloud blog post. I wanted to expand on how flexible VCs can be and just how groundbreaking & disruptive I feel this innovation can be.
The last time I went to get a mortgage, I had to prove so many things to the bank as a borrower. They had to go through multiple third parties to verify that what I was saying was the truth. In order to do this though, I had to provide a lot of information to the bank, like, a whole lot of information to the bank. They know every single thing about me and about my wife. They have copies of documents on their servers(?), they have my entire identity in their hands. I have to trust them to keep all of that information safe and secure because at this point the bank owns that data.
It would have been nice as a borrower had I not been required to provide my entire identity to the bank. There is a copy of that already somewhere digitally, I should be able to provide it myself by holding a series of VCs. Anything the bank needs for me to prove, I should be able to prove with a VC from my digital wallet. A VC could in theory be issued by a company like Experian. Then the bank would verify my credit score and identity in a way that could be trusted.
Everyone in the above scenario can feel secure in the fact that the transaction that occurred was safe and sound. The bank requesting and receiving credit score verification status can feel safe knowing that Experian issued the VC. I feel safe because I as the holder of my VC know the transaction of checking my credit has been done in a safe, reliable, and secure way with respect to my personal information, and more importantly, the bank doesn’t hold a copy of this data.
The information itself is verifiably correct and both the bank and I are satisfied, without ever really interacting with one another. The 3rd party in this case is rather transparent and out of the way as an issuer of truth, the company and the person are both consumers of data and they are able to use it in a very controlled manner.
Are You Thinking About Your Use Case Yet?
Here’s a few lasting visuals that I snagged from the Wikipedia article on Self-Sovereign Identity (SSI) which is the Blockchain and Metaverse perspective on identity. I like these a lot because they visualize the “holder” as a college student. This is something that a lot of people can resonate with. In this image DID = decentralized identifier where the data is all stored on a blockchain.
This is meant to get the thought juices flowing, no more, no less. This is beyond intriguing and quite possibly the most excited I’ve been for a Salesforce innovation in many many many years. Next time you are at an airport and you see that CLEAR booth, stop and think to yourself, what allows the people who go through the CLEAR line to not show their information to the TSA agent checking everyone else’s official documents?
One of the inspirations behind this blog post has been an ongoing collaboration with a former client, and current friend, Rich Dixon. He is a longtime advocate for the Open Badges standard, I felt compelled to share this in his own words as these topics and technologies overlap a great deal. I’d like to leave us with his thoughts:
“For all my observations, if, at the end of the day, folks have more ways they can meaningfully share their knowledge/skills/accomplishments in a manner that opens new doors of opportunity or validates an important claim, then I love it! My next aspiration involves aspects of interoperability so that VCs don't end up siloed and that is where I hope a Wallet could allow for something like this (a similar concept to the open badge Backpack). “
Want to chat more about Salesforce Safety Cloud, Dreampass, Verifiable Credentials, Blockchain, Web 3, NFTs, or anything else Metaverse related? Please feel free to reach out on Twitter directly at @JustEdelstein or go to our contact us form and let us know.