AWS Public Sector Blog
Blockchain makes student achievement records safe and simple to share with portable credentials
Students’ educational achievements—including academic transcripts, work history, and skill credentialing—are often scattered across multiple institutions and disparate IT systems. These credentials, often self-reported via a resume or on LinkedIn, can be a challenge to authenticate.
For example, a high school student might need to send a transcript to colleges. Each time this transcript is shared, it needs to be authenticated and validated to verify its provenance and that it hasn’t been tampered with. Every verifying organization (in this case, each college), must perform their own due diligence on the credential. This leads to duplication of effort as the credential changes hands. Plus, as the data is siloed in one centralized location, it becomes an attractive target for hacking.
Benefits of blockchain for portable digital credentials
Blockchain technology provides several benefits to this process, including data security, credential portability, data privacy, and simplified workflows. First, the credentials are secure: every credential issued can be cryptographically verified as having been generated by the issuer. Second, the credentials are portable; the credential holder decides which parties he or she wishes to share it with, and which specific fields to disclose. Third, because data is selectively disclosed by the credential holder instead of being stored in central silos, data remains private and the attack vector is significantly reduced. Each party is only privy to the specific information they require. Finally, these simplified workflows reduce bureaucratic and communications overhead.
By enabling portable and verifiable digital credentials, blockchain allows individuals to easily share their credentials with multiple parties while maintaining privacy.
How sharing digital credentials with blockchain works
Figure 1. The relationship between DIDs: the Issuer gives, revokes, or amends credentials; the Holder receives, stores, or presents a credential; and the Verifier verifies and evaluates a credential.
There are three essential roles exercised by different entities in a system of portable credentials. Each of these roles has its own decentralized identifier (DID). In some cases, entities have a separate DID for each entity with whom they have a connection, which is referred to as a pairwise DID. Using separate DIDs for each connection prevents correlation of data that has been shared with more than one party. The three roles are:
- Issuer: An entity that issues credentials to holders. This entity has a public DID that is anchored in a blockchain for other entities to reference at will. Issuer metadata may also be stored in public registries that make it easier for other entities to find them.
- Holder: An entity (typically an end user or consumer) to whom credentials are issued. Holders keep credentials in private wallets and disclose them to third parties upon request. During disclosure, it is possible to reveal only some fields from a credential, or only some aspects of individual fields. This is referred to as selective disclosure.
- Verifier: Any third party that wishes to validate a credential establishes a connection with the credential holder using its DID and sends it a proof request. The credential holder then chooses whether or not to disclose the requested credential.
In this environment, the Issuer, Holder, and Verifier are each sovereign participants in a blockchain network that take advantage of the common characteristics of blockchain protocols to enable portable digital credentials. Blockchain networks natively rely on cryptographic mechanisms for non-repudiation, authentication, transactions, and signed proofs, which serve to enable critical processes in the execution of Issuer, Holder, and Validator roles in a digital credential ecosystem. Furthermore, a blockchain provides a single shared system of record on which cryptographic primitives are deeply rooted, creating a reliable, trustless, and open network on which credentials can be issued, used, and verified using a common set of standards that all users in the network conform to.
Each of these roles benefits from portable digital credentials using blockchain. Issuers eliminate the need for costly documentation or authentication of previously issued credentials, and no longer need to support electronic requests for credential verification, since the issuer has already given permission to the holder for select recipients. Holders gains greater data privacy, credential portability, and the ability to decide when and how much information to share. Verifiers gain rapid credential authentication, more accurate information, enhanced trust, and lower risk and severity of data breaches, because the scope of data stored tends to be more narrow and is usually encrypted with pairwise credentials.
With Amazon Managed Blockchain, customers can quickly implement scalable blockchain networks using popular frameworks like Hyperledger Fabric and Ethereum to build out robust portable credential systems. In tandem with ancillary services that complement the blockchain, such as AWS Lambda for serverless compute to execute business logic, AWS Key Management Service (AWS KMS) to store cryptographic keys for signing operations, and AWS Amplify for mobile app development tools, customers can facilitate the key operations required to interact with the blockchain network across the portable digital credentials system.
Scribbles Software uses Amazon Managed Blockchain to verify student transcripts
Scribbles Software, an education technology (EdTech) company, maintains and provides access to over 25 million student transcripts, covering 10,000 schools. Scribbles Software uses Amazon Managed Blockchain to manage student transcripts. Scribbles built a blockchain-based platform using Hyperledger Fabric, giving K12 students ownership over their student records, transcripts, choice certifications, and earned achievements.
As each student now has ownership of their own transcript, they can easily share it through the blockchain with potential employers, rather than having to go to their academic institution to issue a new certified transcript. On the verification front, Scribbles enables anyone to quickly verify the authenticity of a student record through blockchain, saving significant time and effort.
GreenLight Credentials is building a shared credentialing platform on AWS
GreenLight Credentials, another EdTech, is working with a consortium of institutions in north Texas that use a shared credentialing platform to allow students to store and share their educational records with colleges and employers.
This consortium was one of four winning teams selected through the Department of Education’s Blockchain Innovation Challenge, which is funding pilots of blockchain-enabled solutions that empower learners by giving them agency over their education and workforce data, supporting lifelong learning, and advancing economic mobility. AWS supported the Innovation Challenge by conducting Well-Architected Reviews and offering mentorship and AWS credits to the winning teams.
The Ministerio de Educación Nacional de Colombia uses Amazon Managed Blockchain for college diploma issuance and verification
AWS worked with the Ministerio de Educación Nacional de Colombia (MEN), the Colombian Ministry of Education, on their Document Digital Certification System, a proof-of-concept to allow for college diplomas to be issued and verified through blockchain.
The MEN consolidates information around student diplomas, which is reported by individual higher education institutions. However, there is often a delay in reporting updated data to the MEN. Additionally, while the MEN consolidates this information, diploma validation must ultimately come from the higher education institution itself. By using blockchain, the diplomas can be issued and stored in a real-time verifiable manner.
The future of portable digital credentials in education
Portable digital credentials are still in the early stages of development, and important standards related to portable verifiable credentials are being developed. The World Wide Web Consortium (W3C) drafted the Decentralized Identifiers (DID) Core specification, and the Decentralized Identity Foundation (DIF) drafted the DIDComm Messaging specification. These specifications determine the types of data structures and protocols that are used to store, publish, and share decentralized identifiers, credential schemata, and portable credentials, among other things. Several identity-related projects are striving to adhere to these standards for interoperability, including Hyperledger Indy and Hyperledger Aries, as well as the Sidetree Protocol.
Many institutions are exploring the use of credentials to reduce administrative costs, improve job opportunities for graduates, and more. To learn more about how they might apply to your institution, contact us here.
Subscribe to the AWS Public Sector Blog newsletter to get the latest in AWS tools, solutions, and innovations from the public sector delivered to your inbox, or contact us.