Hosted ≠ Verified
Credentials hosted on an institution’s domain may be convenient, but hosting alone is not sufficient to provide security, reliability, or longevity for recipients and verifiers.
Credentialing has been undergoing a renaissance in recent years, encouraged by the unbundling of education and a proliferation of new education providers targeting niche outcomes. This trend has yielded an explosion of digital certificates, micro-credentials, badging, and other innovative symbols of accomplishment.
Have you ever seen a person’s certification listed on LinkedIn, and then followed the link to the actual credential? It typically resides on the domain of a software vendor, or on the domain of the issuing institution, with the intention of communicating authenticity. While hosted credentials provide convenience for both credential holders and verifiers, hosting is not enough to provide a secure basis for verification.
Easy to Spoof
Many of these new credentials are simply a web page. However, as we all know from email phishing scams, websites are easy to fake and a slightly altered domain name can be hard to spot. If a motivated imposter wanted to set up a website to make fake credentials look real, this wouldn’t require much effort.
The case of Open Badges is slightly different. These are typically image files with information attached, and they are easily shareable as discrete objects. However, when verification occurs, it is not the badge in hand that is checked; verification checks the hosted version of that badge. This means the display of a badge could be completely changed and it would still successfully verify. This is what we mean when we say a credential is not “tamper evident.”
In both cases, what you have are credential displays that are easily spoofed. While this level of security may be fine for temporary or low-stakes accomplishments, it’s fundamentally problematic for higher-stakes credentials like diplomas, transcripts, identity documents, and licenses. Below are two major drawbacks of relying on hosted credentials for long-term verification.
Beyond being an untrustworthy display, websites simply aren’t reliable for the long term. Sites go down, links get moved, and so on. For instance, when Open Badge vendors go down, none of the credentials issued through those platforms will remain usable or even visible. Imagine applying for a job and only having a 404 error page when the employer clicks on your credential. It’s hard to believe that some educational institutions are trusting startups for hosting credentials that need 100% availability.
Unlikely to Survive
Even if your organization chooses to host everything itself, the maintenance of online records is a huge responsibility, and outages, harm to recipients, and reputational damage are likely. Plus, very few organizations will last for a lifetime. Don’t you want your graduates to have the confidence that proof of their accomplishments will work for the long term, even if your organization should change or disappear? This is certainly the case with credentials that have value beyond getting one near-term job.
In short, hosting credentials provides a convenient way for people to share a link, but it doesn’t provide confidence for verifiers. If new credentials are going to gain the gravitas of traditional records, they will have to grow into a more secure format.
This is why Learning Machine provides a Blockcerts-compliant issuing system designed for issuing digital records in an independently verifiable format via any blockchain, public or private. We recommend using public blockchains for their longevity, security, and immutability. Governments, companies, and school systems with an eye toward the future are beginning to move in this direction.
Valuable credentials shouldn’t have ongoing dependency upon an issuer or vendor in order to be viewed, shared, or verified. This is what public blockchains help to correct by providing a verification network that has no single point of failure. People can hold and share their digital credentials, and this new public infrastructure allows for those credentials to have a durable and long-lasting source of independent verification.
“It’s self-sovereign, trustworthy, transparent, and impossible to destroy because it’s not simply stored on a database in some government building.”
Minister for Education and Employment, Malta
Beyond being more durable, this type of decentralized verification is instant, free, and extremely detailed when using the Blockcerts Open Standard. In addition to checking for evidence of tampering, the Blockcerts open source verification process also checks issuer signatures, recipient ownership, date of expiry, and revocation.
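The difference between the hosted lookup described under “Easy to Spoof” and a tamper-evident check can be shown in a few lines. This is an added example, not Blockcerts or Learning Machine code: it is a simplified sketch in which an in-memory set of SHA-256 digests stands in for values recorded at issuance, all credential data is constructed, and only the tampering, revocation, and expiry checks are modeled (issuer signatures and recipient ownership are left out).

```python
import hashlib
import json
from datetime import datetime, timezone

def digest(credential):
    # SHA-256 over a canonical JSON encoding of the credential in hand.
    canonical = json.dumps(credential, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def verify_hosted(in_hand, hosted):
    # Hosted-style check: the id is looked up and the server copy is trusted.
    # The content of the copy in hand is never examined.
    return in_hand["id"] in hosted

def verify_anchored(in_hand, anchored, revoked, now):
    # Independent check: returns the list of failed checks (empty = verified).
    failures = []
    if digest(in_hand) not in anchored:
        failures.append("tampered")
    if in_hand["id"] in revoked:
        failures.append("revoked")
    expires = in_hand.get("expires")
    if expires and datetime.fromisoformat(expires) <= now:
        failures.append("expired")
    return failures

# Constructed sample data (not a real credential or a real Blockcerts document).
ISSUED = {
    "id": "urn:example:credential:1",
    "recipient": "Alice Example",
    "award": "Certificate of Completion",
    "expires": "2030-01-01T00:00:00+00:00",
}
HOSTED = {ISSUED["id"]: ISSUED}   # what the issuer's web server holds
ANCHORED = {digest(ISSUED)}       # stand-in for digests recorded at issuance
ALTERED = dict(ISSUED, award="Doctor of Philosophy")  # display changed after issuance
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2031, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("hosted check, altered copy:  ", verify_hosted(ALTERED, HOSTED))
    print("anchored check, altered copy:", verify_anchored(ALTERED, ANCHORED, set(), NOW))
    print("anchored check, issued copy: ", verify_anchored(ISSUED, ANCHORED, set(), NOW))
    print("after revocation:            ", verify_anchored(ISSUED, ANCHORED, {ISSUED["id"]}, NOW))
    print("after expiry:                ", verify_anchored(ISSUED, ANCHORED, set(), AFTER_EXPIRY))
```

The altered copy passes the hosted lookup because only its id is consulted, while the digest comparison rejects it because the bytes in hand no longer match what was recorded at issuance.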
If your organization is issuing important records or certifications of accomplishment, you should be planning when to adopt more secure practices to protect credential owners and to protect your organization from potential liability, ongoing responsibility for credential maintenance, and reputational damage.
If you would like to learn more about how Blockcerts can become an integral part of your organization’s long-term strategic credentialing plan, reach out to us at firstname.lastname@example.org.