From Secrets to Proof
The Workforce Identity Model That Actually Scales
Modern enterprise identity is at a pivotal juncture. The transition away from passwords, long heralded as the weak link in authentication, has succeeded only in moving the failure point. Passkeys improve login security, but they alone do not reshape the trust model that underpins workforce identity.
This article explains the future of identity, not as better authentication, but as cryptographically verifiable proof of identity and attributes that scale across systems, contexts, and lifecycle events. It articulates a model built on two complementary pillars:
- Proof-based authentication (passkeys, public-key cryptography)
- Verified Credentials (cryptographically signed attestations of identity claims)
Together, these establish a new foundation for secure, user-centric, scalable workforce identity.
Why Public-Key Authentication (Passkeys) Is Only Half the Solution
In the last few years, passkeys have emerged as a mainstream alternative to passwords. A passkey is a credential based on public-key cryptography: a private key is stored securely on a device, and the corresponding public key is stored with the service. When a user authenticates, their device signs a challenge with the private key: no password is transmitted, no secret is shared, and nothing reusable is exposed.
This fundamental shift from knowledge-based to proof-based authentication does two things:
- Eliminates passwords entirely
- Provides phishing resistance and replay resistance
The FIDO Alliance and W3C standards such as WebAuthn underpin this movement, helping organisations reduce reliance on passwords and dramatically lower the risk of credential abuse.
However, there is a structural limitation in how passkeys are typically deployed in enterprises: a passkey proves that a user controls a key (and that key is typically created after a password-based login), but it does not inherently prove who the person is or what they are authorised to do. Passkeys are also prone to the same issues that passwords have been subject to, as discussed in previous articles.
Authentication and identity are related but distinct:
- Authentication confirms possession of a credential (e.g., a passkey).
- Identity asserts who that credential belongs to and often what else is true about that person.
This distinction is essential for onboarding, access decisions, compliance, and auditability.
Identity At Scale Requires Verifiable Claims
To move beyond mere authentication, organisations need verified assertions about identity and attributes: statements about a person that can be cryptographically verified across contexts.
This is where Verified Credentials (VCs) enter the picture.
What are Verified Credentials?
Verified Credentials are digital, tamper-evident attestations defined by W3C open standards. They allow issuers to make claims about a subject and cryptographically sign those claims so that any verifier can check authenticity without needing direct access to the issuer’s internal systems.
A simple VC might state: “This person has been identity proofed at assurance level X” and/or “This person holds role Y in organisation Z”.
Once issued to a holder (typically stored in a digital wallet or secure store), that credential can be presented selectively to different systems. The verifier checks the cryptographic proof and accepts it without contacting the issuer in real time.
This model mirrors physical credentials (like a passport or driver’s licence) but with two key advantages:
- Tamper resistance: Cryptographic signatures ensure authenticity.
- Selective disclosure: Users can reveal only what’s needed without over-sharing data.
VCs are not limited to identity claims; they can represent certifications, authorisations, attributes, or any verified fact that matters for access decisions.
How Passkeys and Verified Credentials Complement Each Other
To understand the full stack of modern identity, it’s helpful to think of passkeys and VCs as serving different but complementary roles in identity:
| Capability | Passkeys | Verified Credentials |
|---|---|---|
| Purpose | Authentication | Attestation of attributes |
| What it proves | You control a key | A trusted authority asserts something about you |
| Scope | Login and session establishment | Identity, role, status, entitlement |
| Standards | FIDO2/WebAuthn | W3C Verified Credentials |
| Typical Usage | Frequent daily authentication | Contextual decisions (onboarding, access entitlements, compliance) |
Passkeys answer: “Are you authentically the person presenting this key?”
VCs answer: “What verified facts about you can we trust?”
Together, they allow you to build systems that are not just passwordless but also identity aware.
For example:
- Passkeys let you sign in securely without a password.
- VCs let a system determine whether that user is allowed access to a resource based on proofed attributes.
This solves a key limitation in traditional authentication: identity attributes are often siloed, user-managed, or manually verified — leading to friction, risk, and operational overhead.