News

Microsoft Entra Verified ID Service Now Available

• By Kurt Mackie
• 08/09/2022

Microsoft Entra Verified ID, a new service that promises a more deliberate way for individuals and organizations to share identity information, is now released at the "general availability" stage, Microsoft announced on Monday.

The concept behind Microsoft's Verified ID service is that individuals or organizations have control over the submission of their identity information, including the ability to revoke it. It's based on a decentralized blockchain electronic ledger approach, rather than relying on a service provider to store a record in a database.

The Microsoft Entra Verified ID service, now available, was described as being free for users of the Azure Active Directory service.

"With today's announcement, millions of Azure AD customers (free and premium) can now easily issue, request, and verify credentials to represent proof of employment, education, or any other claim," the announcement indicated.

The Verified ID service lets individuals or organizations issue credentials signed to cryptographic keys that are owned by the issuer. Applications can now be built by developers to request and verify those credentials, using the APIs supplied by Microsoft.

Digital Wallets
Microsoft is touting its own Microsoft Authenticator app as a so-called "digital wallet," allowing users to "manage and present credentials" using the Verified ID service. The Microsoft Authenticator app will get enhanced in the near future with additional controls, such as "selective disclosure, derived claims (e.g. proof of age instead of birth date) and measures preventing correlation," the announcement promised.

Other digital wallets besides Microsoft Authenticator can be used with the Verified ID service. To that end, Microsoft pointed to partnerships with "IBM, Workday, Ping, and Mattr," and suggested that "anyone can build compatible digital wallets."

Verified ID Use Cases
Microsoft listed some key scenarios for using the Verified ID service.

The service can be used to onboard employees at workplaces. Organizations can use the service to verify employee and partner competencies. Educational institutions can use the service to verify remote student access to educational materials.

Open Standards and Components
The Verified ID service has a lot of elements to it, which are outlined in Microsoft's 2018 white paper on the "Decentralized Identity" topic.

The service represents Microsoft's collaborations with "members of the Decentralized Identity Foundation (DIF), the W3C Credentials Community Group, and the wider identity community."

Microsoft's general availability release of the Verified ID service is arriving close on the heels of the World Wide Web Consortium's (W3C) announcement last month that Decentralized Identifiers is now a W3C recommendation, meaning its deemed ready for implementation by organizations.

Claims and Attestations
Microsoft's "Decentralized Identity" white paper had suggested that individuals or organizations could simply establish a claim, without verification. However, identity service providers appear to play a role in this scenario by attesting such claims.

Here's how the white paper described the issuance of decentralized identities (DIDs) and how they get verified by attestations:

Much like a personal reputation, DIDs begin life with no evidence of proof; they represent empty identities, and only the owner can prove possession of the DID in question. To accrue evidence of legitimacy, DIDs require endorsements from existing trust providers and processes, like businesses, educational institutions, and governments. DID-based systems provide a mechanism to create attestations that include independent verification of who issued an endorsement and when. By accumulating these attestations from multiple trust systems, an Identity can establish greater confidence over time to match the level of risk inherent in being able to access to an app or service.

Microsoft's announcement of the Verified ID service listed partnerships with a number of identity service providers that apparently will fulfill such verification roles. They include acuant, Au10Tix, Clear, Idemia, Jumio, LexisNexis, onfido and VU.

The identity service providers are part of this scheme "so enterprises can remotely verify foundational identity attributes across 192 countries, 6,000 identification documents, and 1,000's of attributes for organizational attributes and individuals," the announcement explained.

Identity Hubs for Storage
Users will store their decentralized identity information in DIF Identity Hubs which are "a multi-instance personal mesh, where data is edge-encrypted and user-permissioned to ensure privacy by design," Microsoft's "Decentralized Identity" white paper explained. These Identity Hubs are expected to "support a wide range of identity interactions and provide a foundation for serverless, provider-agnostic, decentralized apps."

The 2018 white paper added that Microsoft had planned to "offer an instance of DIF's Identity Hub as an Azure service that users can select as one of their Identity Hub instances." If that's so, it didn't get mentioned in Microsoft's Monday announcement.

Microsoft Entra Products
The Verified ID service is a third element of Microsoft Entra, which is Microsoft's relatively new branding for its identity and access management services. Microsoft had announced the Entra branding back in May. Verified ID was previously known as the Azure AD Verifiable Credentials service.

The other two elements of Microsoft Entra include Permissions Management, which reached general availability stage last month, plus the existing services that are available under the Azure Active Directory name.