Token Binding with Verifiable Credentials

Update: 21 July '22
Our Identity for All hackathon submission was runner up finalist.

It’s only been four months since the last Microsoft Hackathon targeted at my area of expertise. And Microsoft are back with another one. This time it is the Microsoft Identity for All Hackathon again hosted by DevPost. This hackathon is targeted more at developers than security experts with the challenge of building a solution on the Microsoft Identity Platform. I put the call out to the team from our last win to see who was up to the task to give up nights and a couple of weekends. Elias Ekonomou, Christian Chung-Tak-Man, Farzan Akhtar were up for the challenge.

After a number of brainstorming sessions to define what we’d like to build we agreed on building an Azure Web App for an online Metaverse Event. The Web App would be built entirely on the Azure Platform. It would combine Bring Your Own IDentity (BYOID), Identity Proofing and Decentralised Identity. The key component though was to implement a rudimentary implementation of token binding with verifiable credentials.

Token binding is the concept of ensuring that an actor using a credential is the one to which it was issued and for the purpose (resource) it was intended.

Event Web App Overview

To set the scene for the purpose of the Event WebApp we conceived an upcoming event from Orange Interstellar Corporation. Orange Interstellar is ready to unveil their latest Interstellar Sports Utility Vehicle. Rumour has it the Interstellar Sports Utility Vehicle can also come with an optional interstellar jetbike.

The event will be an online event in the Metaverse. It would be attended by industry A-Listers and interstellar transportation influencers who are the recipients of an exclusive and illustrious personalised platinum ticket invitation.

Event Web App Architecture

The architecture below shows the flows of enrolling (redeeming) a platinum invite. Enrolling uses Self-Service Sign-Up to an Azure AD Web App utilising Azure Active Directory External Identities. They would then be issued a VerifiedID Verifiable Credential that will also include a facial biometric. The facial image is our form of token binding with verifiable credentials.

The event entry flow is also shown below. The attendee presents their verifiable credential after taking a selfie which is compared to the image taken during enrolment. The Azure Cognitive Services FaceAPI determines if the facial images are a match. If they are and the verifiable credential is valid the attendee is admitted to the event.

Demo’s

Here is a demo of the end solution showing an invitee redeeming their invite and receiving a verifiable credential with associated facial biometric.

Of course, there will be people that try to sign up and attend the event that aren’t invited. Here is a demo of what happens when someone who isn’t on the guest list attempts to sign up.

What about all the technical details?

Want to know more? Our submission here on DevPost goes into a lot more detail including all the Azure services we used to build this solution. The code is also on GitHub in a repository here.