Detailed Capabilities of Wallets & Agents
State of Digital Wallets – Part 4/16
This post, “Detailed Capabilities of Wallets & Agents,” is an excerpt from a report entitled The Current and Future State of Digital Wallets, which is being shared here as a 16-part series. Download a copy of the report. Read a complete summary.
The earliest Digital Wallets hold a limited set of information. Mainstream Digital Wallets like Apple Pay and Google Pay allow simple data to be “carried” inside them:
- credit cards and cash
- tickets (e.g. plane tickets, event tickets)
- other basic credentials (e.g. a loyalty reward virtual card)
- a mess of receipts and slips of paper
Over time, more types of information will be helpful in a Digital Wallet. This section briefly describes some of the capabilities that Digital Wallets are beginning to (or will) support.
Credentials – Receiving, Offering, and Presenting
To use Credentials, our Wallet needs to be able to:
- accept them from others
- request them from others
- respond to requests for them
- and offer them to others
While those capabilities above seem simple, the protocols to do each of them are still developing. Most early-stage Wallets can do some of these tasks, but the user experience is so complicated that only the most dedicated users will ever attempt to perform them.
The Credential Lifecycle needs to be supported, where Credentials may be revoked, updated, and expire.
Authenticating – Logging You In
Digital Wallets have the potential to change the way we log in to websites and other services, with higher levels of security and much more convenience. There are already use cases in various industries, such as banking.
- Second-Factor Authentication (2FA) – 2FA alongside a traditional username and password. Either as part of logging in or for high-value transactions, a Digital Wallet can act as the second factor. This can improve both security and ease of use, since many existing 2FA solutions require dedicated devices or software that may be difficult to use.
- Passwordless Login – Various initiatives are underway to remove the need for a username and password altogether. Because a Digital Wallet can combine several factors (possession of the device, the biometric or passcode that unlocks it, and keys held in secure hardware), it can offer better security than a username and password and replace them outright. We’ll discuss them in Section 6.4.8. 2FA/UFA Use Cases.
Our Digital Wallets can help us transition to a much simpler and more secure way of accessing the systems we use daily.
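The login flows above come down to a challenge-response exchange between the Wallet and the service. The following is an added example (not code from the report or from any Wallet vendor) showing the parts an implementer has to get right: a random single-use challenge, an expiry, binding of the response to the relying party and to the pairwise identifier used for that relationship, a replay cache, and a Wallet that refuses to sign a challenge relayed by a party the user is not actually talking to. A real Wallet would sign with an asymmetric key in secure hardware (as FIDO2/WebAuthn does); here the signature is stood in for by HMAC-SHA256 over a key shared at enrolment so the example runs with the standard library only. The class and parameter names (RelyingParty, Wallet, pairwise subject ids, bank.example) are this example's own.

```python
"""Wallet-backed challenge-response login (added example, not from the report)."""
import hashlib
import hmac
import json
import secrets
import time


def _sign(key, rp_id, nonce, subject):
    # Canonical encoding so both sides sign exactly the same bytes.
    # HMAC stands in for an asymmetric signature in this example.
    msg = json.dumps({"rp": rp_id, "nonce": nonce, "sub": subject},
                     sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class RelyingParty:
    """The website or bank being logged into."""

    def __init__(self, rp_id, ttl_seconds=60):
        self.rp_id = rp_id
        self.ttl = ttl_seconds
        self.keys = {}       # pairwise subject id -> key registered at enrolment
        self.pending = {}    # nonce -> (subject, issued_at)
        self.used = set()    # nonces already accepted (replay cache)

    def enrol(self, subject, key):
        self.keys[subject] = key

    def challenge(self, subject, now=None):
        nonce = secrets.token_hex(16)  # 128 random bits, single use
        self.pending[nonce] = (subject, now if now is not None else time.time())
        return {"rp": self.rp_id, "nonce": nonce, "sub": subject}

    def verify(self, response, now=None):
        now = now if now is not None else time.time()
        nonce = response.get("nonce", "")
        if nonce in self.used:
            return False, "replayed nonce"
        if nonce not in self.pending:
            return False, "unknown challenge"
        subject, issued_at = self.pending.pop(nonce)
        if now - issued_at > self.ttl:
            return False, "challenge expired"
        if response.get("rp") != self.rp_id or response.get("sub") != subject:
            return False, "response bound to a different party or subject"
        expected = _sign(self.keys[subject], self.rp_id, nonce, subject)
        if not hmac.compare_digest(expected, response.get("sig", "")):
            return False, "bad signature"
        self.used.add(nonce)
        return True, "ok"


class Wallet:
    """Holds one key per relationship (pairwise); keys are never reused across parties."""

    def __init__(self):
        self.keys = {}

    def enrol_with(self, rp, subject):
        key = secrets.token_bytes(32)
        self.keys[(rp.rp_id, subject)] = key
        rp.enrol(subject, key)

    def respond(self, challenge, rp_user_is_talking_to):
        # Only sign challenges for the party the user is actually interacting
        # with; a challenge relayed through a look-alike site is refused.
        if challenge["rp"] != rp_user_is_talking_to:
            raise ValueError("challenge is for %s, not %s"
                             % (challenge["rp"], rp_user_is_talking_to))
        key = self.keys[(challenge["rp"], challenge["sub"])]
        sig = _sign(key, challenge["rp"], challenge["nonce"], challenge["sub"])
        return dict(challenge, sig=sig)


def run_demo():
    """A successful login, a replay, an expired challenge and a relayed challenge."""
    bank = RelyingParty("bank.example", ttl_seconds=60)
    wallet = Wallet()
    subject = "did:example:pairwise-with-bank"   # constructed pairwise id
    wallet.enrol_with(bank, subject)

    ch = bank.challenge(subject, now=1000.0)
    resp = wallet.respond(ch, "bank.example")
    login = bank.verify(resp, now=1010.0)
    replay = bank.verify(resp, now=1011.0)

    stale = bank.challenge(subject, now=1000.0)
    expired = bank.verify(wallet.respond(stale, "bank.example"), now=2000.0)

    relayed = bank.challenge(subject, now=1000.0)
    try:
        wallet.respond(relayed, "bank-login.example")   # phishing site relaying it
        relay = "signed"
    except ValueError:
        relay = "refused"
    return {"login": login, "replay": replay, "expired": expired, "relay": relay}


if __name__ == "__main__":
    print(run_demo())
```

The replay cache and the expiry are what turn a bare signature into an authentication: without them a captured response can be presented again, and without binding the challenge to the relying party the Wallet becomes a signing oracle for whoever relays a challenge to it.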
Organizing a Digital Wallet
Managing many (hundreds or thousands) of credentials means that a Digital Wallet must be able to organize information to allow its owner to find the information they need. Organizing the stuff in a Digital Wallet is going to be one of the critical challenges for the foreseeable future – we just don’t have user experience paradigms that work with the amount of stuff we can keep in a Digital Wallet.
It is essential to access information in your Wallet quickly and easily. However, knowing what authorities may ask for identification in certain situations is also helpful. For example, if a police officer asks for your driver’s license, that is a straightforward request that can be easily satisfied. However, if someone requests your address, you may need to provide a phone bill, library card, or other verification forms, depending on the assurance required. Managing all of this information can be difficult and time-consuming.
Looking at all the other stuff in our wallets, we quickly reach the point where we need to manage hundreds or thousands of items. That is simply beyond the capacity of most folks. Our Digital Wallet needs to help us here. Our Digital Wallet and the Agents contained in it have more context – about what we are doing, what is required, what options we have, and more. Agents and the user experiences that evolve over the next few years will help manage the increasing amounts of information we hold.
The W3C Verifiable Credentials Data Model is the current leading specification for digital credentials. The data model itself is a W3C Recommendation, although the protocols for exchanging credentials built on it are still maturing, and it allows rich data to be shared. However, the specification deliberately says nothing about how a credential should be rendered visually; it covers the technical details of sharing a credential digitally, but there is no agreed-upon standard for what a digital credential should look like to a human. Some people want a digital driver’s license to look just like a physical one, but others feel this would be inappropriate.
For text data, the only consistent approach is to use the key names (e.g. “date_of_birth”) and the value associated (e.g. “1970/12/31”) – which leads to a bad user experience.
For non-text data, such as images, there are no clear guidelines about how a credential should look when viewed.
Standards and best practices will evolve, likely based on a subset of HTML and CSS for simplicity and security.
Personas
When we look at our lives, we realize we aren’t a single “person.” We are different depending on who we are dealing with and what we are doing. For example, we may have multiple relationships with a particular person – a close friendship and a business partnership. Yet most systems see us as a singular being.
Digital Wallets will need to support the concept of Personas – allowing us to represent ourselves as required. The need that drives how we present ourselves may be personally driven (e.g. I decide what to share with you) or mandated (e.g. border control has a minimal set of credentials that it will accept). Regardless, we need to be able to support the multiple personas that we use on a day-to-day basis.
A Digital Wallet must maintain connections to various entities: people, organizations and other devices. These connections must be secure and private, so the Wallet owner can keep their information safe. For this reason, Digital Wallets should use pairwise decentralized identifiers (DIDs) for each connection they establish. Pairwise DIDs allow each relationship or connection to be controlled independently, for example, by rotating keys or terminating the DID. The benefits of pairwise DIDs include reducing the risk of correlation across relationships and allowing key rotation for one relationship without affecting any other.
|Decentralized Identifier (DID)||A new type of identifier developed for decentralized systems as defined by the W3C DID specification. DIDs enable interoperable decentralized Self-Sovereign Identity management. A DID is associated with precisely one DID document. The Sovrin Technical Governance Board defines the technical specifications for a Sovrin DID in the Sovrin DID Method Specification.|
|Source: Sovrin Glossary|
A Digital Wallet will hold crucial information that may be useful in an emergency. Various types of data can be categorized and made accessible through multiple methods under multiple conditions such as:
- medical emergency – first responders and medical personnel/institutions will need access
- death or incapacitation – would potentially require legal intervention and consideration of legal authority
We see early Wallets like Apple Wallet allowing for an emergency mode. Your author provides information about a peanut allergy that anyone can use if they have access to his phone. The data is minimal, and there is no restriction on who can access the device. However, if a bona fide first responder could prove that they are a first responder (e.g. if they had a First Responder credential that our Digital Wallet could query and confirm), we may release far more information.
We need to consider what information can be provided by our Digital Wallet and under which conditions will allow release. See section 6.4.11. “Break Glass In case of Emergency” for a view of the required research and development.
To ensure the validity of the credentials stored within a digital wallet, the wallet must be able to identify and trust the credential’s issuer. As a separate entity issues each credential, it is essential to determine the trustworthiness of an issuer before considering any credentials they create to be valid. Trust Hubs and Trust Registries, which compile information on reliable issuers, can confirm the trustworthiness of a credential’s issuer.
We need to know that our Digital Wallets are using the correct sources of truth, especially in an increasingly decentralized world. As time goes on, there will be definitive sources (e.g. a Trust Hub that lists all government Issuers for a country). Still, initially, the opportunity for spoofing and fraud needs attention. An enterprising young person may easily create a series of fake Digital Identity Documents masquerading as a province that hasn’t yet started doing so.
You can find further details in Section 6.4.1. Trust Hubs.
Compliance & Monitoring
Depending on the needs of a Digital Wallet owner, there may be a need to invite Agents that monitor and comply with particular activities in a Wallet (e.g. a bank may require that an enterprise attach an audit agent that relays information about specific activities).
We, therefore, need to establish whether we bring a monitoring Agent into our Digital Wallet voluntarily or under a mandate. Consider the following examples:
- Health Receipt Monitor – imagine a software Agent that ensures all your health receipts go into a list that you can easily share with your health insurance provider.
- Company Credential Usage Monitor – imagine your company requiring an Agent that monitors and logs any of the authentication or signing activities you are doing with the company-issued Credentials.
Schemas & Overlays
Digital Wallets will be sharing and using Credentials of all types. Like any other data-centric system (yes, a Digital Wallet is a system), we will need to get some standardization about how certain things look at the data level. Credentials like driver’s licences, passports, and receipts can use well-known Schemas. When a Credential uses a well-known Schema, our Digital Wallet can do things for us that make our lives much more manageable.
For example, using a well-known Schema (more in R&D Schemas and Overlays) will help us exchange key information – including contacts, receipts (with the owner we discussed earlier), and more.
Additionally, by using a well-known Schema, we can use a technology called Overlays to ease how we do things. Overlays allow us to protect private information, view items in standard ways, and more.
Below is a simple example of the use of an overlay. United Airlines tickets in Apple Wallet add a graphic marker (yellow “hand-drawn” circle) to indicate that a change has occurred to a Credential – in this case, a gate change.
Overlays Example – Driver’s Licence
It is common for police officers to request your driver’s licence and registration during a traffic stop. Similarly, using your driver’s licence as proof of age when buying alcohol is also commonplace. However, bars and other establishments must only verify that you are of legal drinking age and not the additional personal information included in your driver’s licence.
An Overlay can support the above case, and your Digital Wallet would handle most of this for you. When asked by a police officer for your driver’s licence, they would also provide the law-enforcement Overlay that they require. Similarly, a bar could ask for the credential with an age-of-majority Overlay, and your Wallet would handle that. Your Wallet can also protect you from privacy violations. For example, if the bar asked for your driver’s licence but asked with the law-enforcement Overlay, it would flag the activity as suspicious, warn you, and possibly even report the establishment to authorities.
Revocations & Expiries
In the SSI world, an individual or organization holds Credentials but does not necessarily own them. With a physical driver’s license, for example, the government agency that issued it remains the owner.
CREDENTIAL REVOCATION – we need to understand what our Digital Wallet does – does it remove that item? Does it look for a replacement (revoking a driver’s licence may just mean that a newer version was issued)? Does it automatically get removed from our Digital Wallet?
EXPIRY – similarly, some Credentials are of no utility past a particular time – such as concert tickets. Depending on what we decide is essential, our Digital Wallet may clean itself up (e.g. move expired items to a trash folder) or require us to keep things in order.
Digital Wallets may need to be able to operate under conditions where portions or all of a network are unavailable. Where there is a critical need for offline operation, multiple pieces of information will need to be cached locally:
- Cached Issuer Information – If a critical Issuer is unreachable, Wallets will need the latest known state of its Issuing DIDs (e.g. public keys).
- Revocation Registries – A cached copy of the relevant revocation registry allows offline use of Credentials with more trust than physical credentials offer today.
- State Information – Digital Wallets will maintain state relevant to the various interactions occurring offline and, simultaneously, online. Reconciliation of activities that occurred while offline will be crucial.
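The Trust Registry check described under issuer trust above and the offline revocation check described here fit together in one verification routine. The following is an added example (not code from the report or from any registry or wallet project) of a Verifier working entirely from cached data: a cached Trust Registry with a freshness limit, an issuer-to-credential-type authorisation check, an expiry check, and a cached status list. The status list follows the W3C Bitstring Status List layout (a GZIP-compressed bitstring, base64url encoded, one bit per credential, 1 = revoked); the left-to-right bit indexing used here is an assumption to confirm against the list you actually consume. The registry entries, DIDs, URLs and credential below are constructed sample data, and signature verification of the credential and of the list is assumed to happen separately.

```python
"""Offline Trust Registry and status-list checks (added example, not from the report)."""
import base64
import gzip


def build_status_list(revoked_indices, size_bits=16 * 1024):
    """Issuer side: encode the revocation bits the way a Verifier will cache them."""
    bits = bytearray(size_bits // 8)
    for i in revoked_indices:
        bits[i // 8] |= 0x80 >> (i % 8)      # index 0 = MSB of byte 0 (assumed layout)
    raw = gzip.compress(bytes(bits))
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def is_revoked(encoded_list, index):
    """Verifier side: decode the cached list and test one bit."""
    padded = encoded_list + "=" * (-len(encoded_list) % 4)
    bits = gzip.decompress(base64.urlsafe_b64decode(padded))
    if index < 0 or index >= len(bits) * 8:
        raise ValueError("status index %d outside the list" % index)
    return bool(bits[index // 8] & (0x80 >> (index % 8)))


# Constructed sample Trust Registry, as a Wallet or Verifier would cache it.
TRUST_REGISTRY = {
    "did:example:ontario-dmv": {
        "name": "Ontario driver licensing authority (sample entry)",
        "credential_types": ["DriverLicence"],
    },
}


class OfflineVerifier:
    def __init__(self, registry, status_lists, registry_fetched_at, max_registry_age):
        self.registry = registry
        self.status_lists = status_lists        # status list URL -> encodedList
        self.fetched_at = registry_fetched_at
        self.max_age = max_registry_age

    def check(self, credential, now):
        """Return (accepted, reason). A stale cache fails closed rather than open."""
        if now - self.fetched_at > self.max_age:
            return False, "cached registry too old; reconnect before trusting"
        issuer = credential["issuer"]
        entry = self.registry.get(issuer)
        if entry is None:
            return False, "issuer %s not in trust registry" % issuer
        if credential["type"] not in entry["credential_types"]:
            return False, "issuer not authorised to issue %s" % credential["type"]
        if credential["expires"] <= now:
            return False, "credential expired"
        status = credential["status"]
        encoded = self.status_lists.get(status["list"])
        if encoded is None:
            return False, "no cached status list; cannot decide offline"
        if is_revoked(encoded, status["index"]):
            return False, "credential revoked"
        return True, "ok"


def sample_credential(issuer, index):
    # Constructed credential; only the fields the checks need.
    return {"issuer": issuer, "type": "DriverLicence", "expires": 1_900_000_000,
            "status": {"list": "https://dmv.example/status/1", "index": index}}


def run_demo():
    lists = {"https://dmv.example/status/1": build_status_list([7, 4096])}
    fetched = 1_700_000_000
    v = OfflineVerifier(TRUST_REGISTRY, lists, registry_fetched_at=fetched,
                        max_registry_age=7 * 86400)
    now = fetched + 3600
    return {
        "valid": v.check(sample_credential("did:example:ontario-dmv", 42), now),
        "revoked": v.check(sample_credential("did:example:ontario-dmv", 4096), now),
        "unknown": v.check(sample_credential("did:example:fake-province", 42), now),
        "stale": v.check(sample_credential("did:example:ontario-dmv", 42), now + 30 * 86400),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The ordering is deliberate: an issuer that is not in the registry is rejected before any expensive work, and a cache that is older than the policy allows is treated as "cannot decide" rather than "still fine", which is the difference between an offline mode and a hole. The "unknown" case is exactly the spoofed-province scenario: a well-formed credential from an Issuer nobody vouches for.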
Keys and Secrets
At its heart, a Digital Wallet manages cryptographic keys and other secrets that must be protected. Managing their creation, rotation, and revocation is crucial to keeping the Wallet both secure and usable.
Secure Hardware Integration
A Digital Wallet must leverage hardware security capabilities such as trusted execution environments, secure enclaves, and hardware security modules. Using them increases the overall security of a Digital Wallet, and a Digital Wallet that avoids such hardware should be considered suspect. Further, where secure libraries exist (e.g. certified FIDO U2F SDKs), their code signatures should be verified when they are loaded to ensure that they haven’t been tampered with.
One of the key uses of a Digital Wallet application is to provide information for its owner – whether a person or an organization. Messages for using Credentials, signing transactions, etc., will require notification. Depending on the use case, these notifications may need to be on the device or integrated into messaging systems for dissemination.
Notification use cases are becoming increasingly well understood, with Android and iOS providing OS-level notifications. Digital Wallets will have multiple notification modes – some of which may require a rethink:
- Receipts: message receipt, receiving Credentials and other items, etc., are relatively routine.
- Time-sensitive: When the Digital Wallet owner needs to act promptly, signing or authorizing activities will likely need this time-sensitive capability. Instances like “Press OK if you are talking to your bank.” or “Please authorize this wire transfer.”
- Modal – messages that need to interrupt the flow of any other activities with the Digital Wallet.
Backup & Recovery of a Digital Wallet
Losing your wallet is no fun, and we all get nervous when it happens. The questions immediately start flowing:
- will I find it?
- If I do find it will everything be in it?
- What did I have in it?
- How can I get all the cards and identity documents replaced?
- Is someone using my cards and info to steal my “identity”?
Recovering from a lost wallet can be a difficult and painful experience, especially if you have been the victim of fraud or identity theft.
It is essential to understand that a Digital Wallet differs radically from a Cryptocurrency Wallet. Typically a Crypto Wallet can be restored by using just a Recovery Key. The restoring is done by reading the blockchain/ledger of each cryptocurrency to rebuild a history of activities. With a Digital Wallet, the vast majority – potentially 100% – of the data are not stored anywhere publicly accessible. The contents are typically pushed to a Digital Wallet by an Issuer. This means that there is nowhere to go unless you have made backups.
In the digital world, options are evolving, but you must ensure that you have all your bases covered. Two key things differ between a Digital Wallet from a physical wallet:
- If you have a backup and recovery plan, you can recover your Digital Wallet entirely, provided you still have the keys.
- You need the keys to unlock the backup and to re-take control if someone has compromised the Wallet; if you have lost the keys, you may never get your Digital Wallet back.
That is the promise of the emerging Digital Wallet industry. No known examples show how someone can re-assert control of a stolen Digital Wallet. (See 6.4.9 Backup & Recovery).
But what do we need to back up?
Fundamentally there are two things that you can lose – and which need you to have a Backup available to recover your Digital Wallet:
- the keys and seed that protect the Wallet itself
- an encrypted backup of your Wallet contents
You can recover your wallet relatively quickly with your backup and keys. However, you may be in trouble if you don’t have both. Be sure to back up your wallet and keys in a trusted and accessible location.
Wallets can only hold so much, and not everything belongs in one. The ability to keep some items elsewhere for safekeeping is crucial. Much like in the physical world, we need to be able to move things to and from various storage areas: Vaults.
In the physical world, we keep many of our assets in various “Vaults.” We keep our cash in banks (it’s just a digital representation of a promise to provide you money, but hey), stocks with financial advisors and broker/custodians, insurance policies, and many other places.
Why wouldn’t we do this in the digital world? The pure “decentralize the world” community objects to it, but we don’t all want the headache and worry that comes with holding everything ourselves.
Assuming we want to be able to move things from our Wallet into a Vault and from a Vault to our wallet, we need to make sure our Digital Wallet is capable of supporting a Vault.
In the R&D section (see section 6.4.10. Vault-as-a-Service), we’ll discuss in more detail what a Vault is and what we, as an industry, need to learn and develop to make these a reality.
Multiple Device Support
We often use multiple wallets in the physical world and various devices we can use as a Digital Wallet. The reasons for using numerous physical wallets are manifold:
- travel vs. day-to-day – when travelling, we may need our passports (en route) or want an utterly minimal set of things (e.g. at the beach)
- style – the rugged carry-everything wallet does not always complement more formal attire.
- purpose – some days, a bank card and a driver’s licence is all that is needed
The devices we carry often contain similar information. For example, many people have a smartphone and a tablet with sensitive data. An officer in a company may have company credentials on a particular device kept under lock and key when it is not in use.
The key to supporting multiple Wallets is the ability to synchronize information between them and with any kind of vault storage. Carrying all things simultaneously in each Digital Wallet likely doesn’t fit the bill for usability. Some devices will be purpose-driven (e.g. corporate tablet for work; personal tablet for home), and others not suitable to carry too many Credentials.
As we look at where we will have Digital Wallets and the Vaults, we see that there are many places where we will need our stuff. Similarly, there are some devices where we explicitly do not want some stuff. As examples:
- we may not want much to be available on our smartwatch
- we may wish to have our recovery keys only be in our Vault
- we may want to separate some critical information between our smartphones and tablet – to ensure that we can recover if one of those devices is lost
Over time our Agents will get more competent and handle the synchronization that we need relatively seamlessly. For now, this will be a very manual and onerous step.
Selective disclosure of credentials is a critical privacy-respecting measure that allows identity owners to control what information they share with others. By disclosing only specific attributes (or “claims”) from one or more credentials, individuals can determine what information they want to make available. Selective disclosure of credentials helps ensure that sensitive personal data remains confidential and under the control of the individual.
|Selective Disclosure||A Privacy by Design principle of revealing only the subset of the data described in a Claim, Credential, or another set of Private Data that a Verifier requires. There are many techniques for achieving Selective Disclosure. Zero-Knowledge Proof cryptography is one of the primary techniques used in Sovrin Infrastructure.|
The classic case of using a particular credential for multiple purposes can explain the utility of Selective Disclosure. Using a digital driver’s licence, one can easily imagine the following unique presentations of the credential:
- Full Disclosure – present a full driver’s licence Credential, with all Claims exposed, to a law enforcement officer
- Partial – present a minimal portion for a proof of “Age of Majority.” Alice gives only her picture and a binary value that says she is “over 19”.
The use of Selective Disclosure can be enhanced through the use of overlays (see Schemas & Overlays). For example, an overlay like a Law Enforcement overlay or Age of Majority overlay can provide additional advantages in the Driver’s Licence example.
Many groups feel governments can issue multiple credentials at once, negating the need for Selective Disclosure. What isn’t understood is that government agencies have incredibly narrow definitions of what they can put into a Credential. In the case of a DMV, they don’t have the mandate to issue an “Age of Majority” Credential. That’s a different department/ministry – and the mandates are generally quite different. Selective Disclosure allows departments to focus on their mandate while allowing people to share appropriate information.
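The Overlay-driven presentations described in Schemas & Overlays and the Selective Disclosure cases above can be shown end to end. The following is an added example (not code from the report or from any wallet project) in the style of salted-digest selective disclosure (as SD-JWT does): the Issuer commits to every claim with a fresh salt and signs only the digests; the Holder's Wallet reveals just the (salt, value) pairs the requested Overlay covers, and refuses an Overlay the requesting party is not entitled to (the bar asking with the law-enforcement Overlay); the Verifier recomputes the digests so that a tampered disclosure fails. The Issuer's signature is stood in for by HMAC-SHA256 so the example runs with the standard library only; a real Issuer signs with an asymmetric key. The Overlay definitions, verifier kinds, DIDs and claim values are constructed. A true predicate proof ("over 19" derived from a hidden date of birth) needs zero-knowledge proofs and is not attempted here; the Issuer includes the predicate as its own claim.

```python
"""Selective disclosure with Overlays (added example, not from the report)."""
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = secrets.token_bytes(32)   # stands in for the Issuer's signing key

# Which claims each Overlay exposes (constructed).
OVERLAYS = {
    "law-enforcement": {"name", "photo", "date_of_birth", "address",
                        "licence_number", "age_over_19"},
    "age-of-majority": {"photo", "age_over_19"},
}
# Which Overlays the Wallet will honour for each kind of Verifier (constructed policy).
ALLOWED_FOR = {
    "police": {"law-enforcement", "age-of-majority"},
    "bar": {"age-of-majority"},
}


class PolicyViolation(Exception):
    """Raised when a Verifier asks for an Overlay it is not entitled to."""


def _digest(salt, name, value):
    data = json.dumps([salt, name, value], sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()


def _sign(payload):
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, data, hashlib.sha256).hexdigest()


def issue(issuer, claims):
    """Issuer: commit to each claim with a fresh salt; sign only the digests."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    payload = {"issuer": issuer,
               "digests": {n: _digest(s, n, v) for n, (s, v) in disclosures.items()}}
    return dict(payload, sig=_sign(payload)), disclosures


def present(signed, disclosures, overlay, verifier_kind):
    """Holder's Wallet: release only what the Overlay covers, only to a party entitled to it."""
    if overlay not in ALLOWED_FOR.get(verifier_kind, set()):
        raise PolicyViolation("a %s may not request the %s Overlay" % (verifier_kind, overlay))
    revealed = {n: disclosures[n] for n in OVERLAYS[overlay] if n in disclosures}
    return {"credential": signed, "disclosed": revealed, "overlay": overlay}


def verify(presentation):
    """Verifier: check the Issuer signature, then every disclosed value against its digest."""
    cred = presentation["credential"]
    payload = {k: v for k, v in cred.items() if k != "sig"}
    if not hmac.compare_digest(_sign(payload), cred["sig"]):
        return None
    claims = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if cred["digests"].get(name) != _digest(salt, name, value):
            return None                      # tampered or fabricated disclosure
        claims[name] = value
    return claims


def run_demo():
    alice_signed, alice_disc = issue("did:example:ontario-dmv", {
        "name": "Alice Example", "photo": "sample-jpeg-bytes", "date_of_birth": "1990-12-31",
        "address": "1 Sample St", "licence_number": "A1234-56789", "age_over_19": True})
    bar = verify(present(alice_signed, alice_disc, "age-of-majority", "bar"))
    police = verify(present(alice_signed, alice_disc, "law-enforcement", "police"))
    try:
        present(alice_signed, alice_disc, "law-enforcement", "bar")
        overreach = "released"
    except PolicyViolation:
        overreach = "flagged"

    # A minor's credential with the predicate flipped by the Holder: digest mismatch.
    bob_signed, bob_disc = issue("did:example:ontario-dmv", {
        "name": "Bob Example", "photo": "sample-jpeg-bytes-bob", "date_of_birth": "2010-01-01",
        "address": "2 Sample St", "licence_number": "B9876-54321", "age_over_19": False})
    forged = present(bob_signed, bob_disc, "age-of-majority", "bar")
    salt, _ = forged["disclosed"]["age_over_19"]
    forged["disclosed"]["age_over_19"] = (salt, True)
    return {"bar": bar, "police": police, "overreach": overreach, "forged": verify(forged)}


if __name__ == "__main__":
    print(run_demo())
```

Two points worth noticing: the salt is what stops a Verifier that knows the digest of "age_over_19" from guessing the value of an undisclosed claim (a boolean without a salt has only two possible digests), and the policy check lives in the Wallet, not the Verifier, which is where the "flag the bar for asking with the law-enforcement Overlay" behaviour has to sit.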
Manage Guardianship & Delegation
Digital Wallet use implies that a person is fully able to perform all of the actions required to use it. What happens when a person isn’t capable or willing to perform what is needed – and needs someone to act on their behalf? There are two main things to consider here:
- Guardianship – where we are explicitly acting on behalf of someone who can’t act
- Delegation – where we are performing duties on behalf of someone because they have delegated the authority to us
We don’t do everything for ourselves. Often we have other people do things for us – because we have asked them to do so:
- pick up kids from school
- file our personal or corporate taxes
- guard our assets
At other times in our lives, there are needs for someone (an Identity Owner) to take over things for us – because we can’t do them. Guardianship comes into play in this instance. Guardianship applies when a Dependent can’t perform – because they are incapable or not allowed. Examples include:
- parents acting on behalf of children
- an adult acting on behalf of a mentally or physically unable person
On a technical level, the critical difference between Delegation and Guardianship is control of the keys:
- under Delegation, both Identity Owners have a set of keys;
- under Guardianship, the Guardian is the only holder of keys. (Note: a Guardian needs to have two sets of keys – their keys and keys for the Dependent.)
Digital Wallets need to be able to handle these subtle differences. The use of Personas may assist in managing the complexity.
In the physical world, we ask each other for Credentials and other things that we hold in our physical wallets. In the Digital Wallet realm, we need to parallel those messages:
- “Could I see some government identity?”
- “Do you have the receipt?”
- “Can you provide proof of address?”
These queries become much simpler when they are digitized. When someone needs your government identity to prove you are legally allowed to enter a drinking establishment, we can request things very specifically:
- we accept the following government Digital Identity Issuers – Ontario, British Columbia, and Alberta
- we will only use the “age of majority” Overlay as approved by each of those Issuers
- we will delete the information once we have logged non-identifying information
Codifying these digital interactions is crucial.
But those examples only show interactions that mimic how we use our physical wallets.
The Agents in our Wallets can do far more.
- Negotiate Payment – an Agent can offer various payment approaches and currencies.
- Consent Management – an Agent can maintain a line of connection with the consent(s) that go along with the relationship.
- Approvals – digitally signed authorizations can be provided easily when the holder of the Digital Wallet needs to authorize a transaction for themselves or others (e.g. under a Guardianship or Delegation case).
- General Communication – Digital Wallets may provide a shared messaging capability that other apps could use for decentralized messaging.
The cryptographic keys in a Digital Wallet can digitally “sign” various digital items (e.g. contracts, messages). While this capability sounds abstract, many of us already do this when we use Apple Pay or Google Pay. When we make a payment using these platforms, we digitally “sign” the payments with our secured device via the biometric or passcode that locks our phones.
So what is different about a Digital Wallet? There are several key differences:
- Who is Signing – A digital wallet allows you to determine which digital identity artifact you use to sign documents—allowing different signatures for different purposes. Imagine being an employee of a credit union that you have an account at – you may be signing things as an employee or a credit union member. You can keep those separate in your Digital Wallet (see section 4.3.5. Personas).
- It can provide a record of activities and keep documents you have signed safe.
- A Digital Wallet can use zero-knowledge proof approaches to sign without needing to identify you directly.
Things are simple when you use your Wallet to sign transactions that involve only you. However, when you are one of several people who need to sign or approve something, your Wallet needs to handle a multiple-signature (multisig) approach, and it will need to support the various cryptographic schemes used for this.
Also published on Medium.