Based in Tokyo, Japan, Keio University used manual processes to manage students’ transcripts and graduation certificates. In 2020, it joined a research project to deploy a solution based on Microsoft Azure Active Directory—Verifiable Credentials with decentralized identifiers. The solution will provide 33,000 students and 386,000 alumni a highly secure, interoperable, and private way to manage and share their transcripts and certificates. Keio expects to improve security and lower the overhead of engaging alumni over the years.
“Interoperability and open standards in Microsoft Verifiable Credentials technologies were crucial in getting other universities interested in using our solution to exchange graduates’ credentials digitally.”
Shigeya Suzuki, PhD, Project Professor of the Graduate School of Media and Governance, Keio University
A Japanese institution meets modern-day challenges
With six major campuses in Tokyo, 10 undergraduate faculties, and 14 graduate schools, Keio University is one of the biggest universities in Japan. Established in 1858, Keio was Japan’s first private institution of higher learning. Now, 163 years later, its reputation for excellence puts its alumni in high demand by employers. Keio has thrived under its founder’s motto of “jitsugaku,” or empirical science, as it continues to transform Japan’s contributions to education, research, and medicine.
Japanese universities face a shrinking market because of an aging population and competition with countries that lead the world in cutting-edge research. Many institutions have closed or merged with other schools. To keep up with these challenges, Keio looks toward digital transformation and emerging technologies like secure and verifiable decentralized identifier (DID) solutions to offer richer services to students and alumni while increasing efficiencies.
In 2017, the university instituted an organization-wide, cloud-based identity management system. To support single sign-on to this solution, Keio set up Microsoft Azure Active Directory B2C (Azure AD B2C) as a gateway to its Shibboleth Consortium identity management system. (The university’s employees and educators use Microsoft 365 and Azure cloud services for their daily tasks.)
By January 2021, the university was planning how to use Verifiable Credentials to make university certificate processes fully digital and much faster, with no need for students to visit the campus or find a notary to deal with paper copies. With the pilot for this project set to go live in spring 2021, more than 20 organizations have expressed interest in participating. These include other universities that want to be able to exchange students’ transcripts digitally and insurance companies that want to provide special products for students who present Verifiable Credentials.
According to Shigeya Suzuki, PhD, Project Professor of the Graduate School of Media and Governance at Keio University, “Interoperability and open standards in Microsoft Verifiable Credentials technologies were crucial in getting other universities interested in using our solution to exchange graduates’ credentials digitally. Microsoft is strongly committed to open technology standards, and we can count on that to help us succeed.”
Importance of student privacy and self-managed identities
This journey to adopting Verifiable Credentials began with a common frustration. Like most universities in Japan, Keio has relied on paper-based processes to manage students’ class transcripts and graduation certificates. Before alumni can accept job offers, they must get copies of transcripts and certificates to prove their academic credentials. Thus, it’s essential that the university track and document their attendance and accomplishments during their enrollments and then make them accessible to alumni throughout the rest of their working lives.
Faced with the challenge of managing mailing lists for decades as alumni move and change email addresses, Keio considered Verifiable Credentials in Azure Active Directory and DID technologies, which help people own and manage their own identities. For example, a person’s online identity is made up of a specific collection of attributes. Organizations can track these attributes with unique identifiers in a DID, which can be linked to cryptographic keys to secure that person’s Verifiable Credentials. Students would be able to store identity data on their phones as Verifiable Credentials and manage it with tools like Microsoft Authenticator or other identity management applications. Organizations could verify those identities in a decentralized and secure manner.
In contrast, traditional processes require everyone who uses an organization’s services to create an account with a username and password, and that organization stores each individual’s personally identifiable information (PII) in its identity systems. This leaves the organization responsible for hosting and managing potentially millions of personal identities and attributes.
DIDs replace usernames and enable students to create an identity to use with multiple organizations. These identities contain student information like age and degrees as cryptographically signed cards recorded on a blockchain. Blockchains are ledger systems that are shared among a distributed network of computers by multiple providers, and they store transactions forever. Businesses that need to confirm students’ identities can check transactions that are recorded on the ledger.
“Verifiable Credentials can be distributed across servers in an identity ecosystem,” says Suzuki, who is also Associate Director and Technology Officer of the Blockchain Laboratory of the Keio Research Institute at SFC. “So, Keio won’t be the sole custodian of this data for 40 or 50 years.” Keio would be able to issue students Verifiable Credentials to confirm their graduations or other accomplishments, and organizations like potential employers could verify the credentials without the issuer needing to be involved or aware, protecting students’ privacy.
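The property Suzuki describes, that an employer can check a credential without the issuer being involved, follows from the credential being a signed document whose verification key is published under the issuer's DID. The following Go program is an added example written for this page, not code from Keio, the Keio Digital Identity Project, or Microsoft. It assumes constructed DIDs (`did:example:keio`, `did:example:student-0001`), uses an in-memory map in place of DID resolution from a ledger, and signs the credential's canonical JSON with Ed25519. The verifier side only reads the presented credential and the issuer's public key; it never calls back to the university, and any edit to the claims after signing is detected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is the unsigned payload: the issuer's DID, the subject's DID, the
// issue date and the claims about the subject. encoding/json writes struct
// fields in declaration order and map keys sorted, so Marshal produces the same
// bytes on the issuer's and the verifier's side and can serve as the signed
// message. (A production system would use a standard canonicalisation.)
type Credential struct {
	Issuer  string            `json:"issuer"`
	Subject string            `json:"subject"`
	Issued  string            `json:"issued"`
	Claims  map[string]string `json:"claims"`
}

// SignedCredential is what the holder keeps in a wallet and presents.
type SignedCredential struct {
	Credential Credential `json:"credential"`
	Signature  string     `json:"signature"` // base64 Ed25519 signature over the canonical JSON
}

// DIDRegistry stands in for DID resolution: DID -> public key published in that
// DID's document. Constructed for this example; a real verifier would resolve
// the DID from a ledger or web endpoint, but still never contacts the issuer.
type DIDRegistry map[string]ed25519.PublicKey

// IssueCredential is the issuer-side step: sign the canonical credential bytes
// with the private key whose public half is published under the issuer DID.
func IssueCredential(priv ed25519.PrivateKey, c Credential) (SignedCredential, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	sig := ed25519.Sign(priv, payload)
	return SignedCredential{
		Credential: c,
		Signature:  base64.StdEncoding.EncodeToString(sig),
	}, nil
}

// VerifyCredential is the verifier-side step. It needs only the presented
// credential and the issuer's public key; any change to the claims, subject,
// date or issuer field after signing makes the signature check fail.
func VerifyCredential(reg DIDRegistry, sc SignedCredential) error {
	pub, ok := reg[sc.Credential.Issuer]
	if !ok {
		return errors.New("issuer DID not resolvable")
	}
	sig, err := base64.StdEncoding.DecodeString(sc.Signature)
	if err != nil {
		return err
	}
	payload, err := json.Marshal(sc.Credential)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, payload, sig) {
		return errors.New("signature does not match credential contents")
	}
	return nil
}

func main() {
	// Issuer key pair; the public key is "published" under a constructed DID.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg := DIDRegistry{"did:example:keio": pub}

	cred := Credential{
		Issuer:  "did:example:keio",
		Subject: "did:example:student-0001", // constructed holder DID
		Issued:  "2021-03-01",
		Claims:  map[string]string{"degree": "Bachelor of Arts", "status": "graduated"},
	}
	signed, _ := IssueCredential(priv, cred)
	fmt.Println("genuine credential:", VerifyCredential(reg, signed)) // <nil>

	// Someone edits a claim after issuance: the signature no longer matches.
	tampered := signed
	tampered.Credential.Claims = map[string]string{"degree": "PhD", "status": "graduated"}
	fmt.Println("tampered credential:", VerifyCredential(reg, tampered))
}
```

The registry lookup is the one place where a real deployment differs: there the verifier resolves the issuer DID to a DID document (from a ledger or an HTTPS endpoint) to obtain the key, which is why the page stresses interoperable, open DID methods. The verifier's trust decision still rests only on that public key and the signature, not on a live connection to the issuer.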
Open-source, highly secure identity self-management
In early 2020, the university joined the Keio Digital Identity Project. The goal of this collaborative project, which is run by six companies, is to create a solution that develops and issues student identity certificates through smartphone applications. Students can use the solution for enrollment, graduation, identity verification, and more. The Keio Digital Identity Project uses open-development standards like those from W3C that are based on public key cryptography. Microsoft has joined with the Fast Identity Online Alliance (FIDO) and other alliance partners like W3C to help develop safer, more secure, interoperable technologies for authentication that will work with many organizations’ DID solutions regardless of the underlying technology. When Keio University students sign in to the app, they can store their PII data in just one place—their devices—to help keep it safe from threats like phishing, man-in-the-middle, and replay attacks.
The Keio Digital Identity Project is built on Verifiable Credentials in Azure AD, Authenticator, Azure Key Vault, Azure Storage, Azure Web Apps, and CData API Server. To generate identity certificates of graduations and other academic achievements, project leaders set up CData API Server as an API gateway between Azure AD B2C and the existing student database.
When the pilot goes live, students will be able to access their certificates by using the Keio Digital Identity Project app with Authenticator or a proprietary digital wallet. When they sign in, their PII such as PINs or student ID numbers will be checked against the information stored in Azure AD B2C. The app will use the identity experience framework feature of Azure AD B2C to provide students multiple ways to sign in to web apps from other providers as they share their certificates, such as FIDO, multifactor authentication, passwords, or presenting Verifiable Credentials. After the system verifies students, it will issue proof of identity and students will manage or share their certificates.
With potentially hundreds of outside agencies using the system in the future, open standards and interoperability are important. Regardless of which technologies an employer or other outside agency uses for Verifiable Credentials and decentralized identifiers, Azure AD B2C will function as a gateway between outside organizations’ DID technologies and the OpenID Connect protocol. Keio University or its project partners will issue Verifiable Credentials, and the students will present them as needed, much as they currently present their university-issued student ID cards.
Suzuki appreciates the simplicity Azure offers. “Azure AD Verifiable Credentials services include pre-integrated platform and software development kits, which means we don’t have to write any blockchain-related code ourselves,” he says.
Implementation and future use cases
The pilot program will deploy to 1,500 students. By the time it goes live, Keio expects that all 33,000 students will use the solution, and the university’s alumni might also use it in the future. In the meantime, the university has begun working with some of the technologies involved. ITOCHU Techno-Solutions, a Gold competency member of the Microsoft Partner Network, has created a demonstration website for self-service password recovery. Students will use their digital identities to receive and scan a QR code. The website will then create an account where students can sign in using Shibboleth, add their digital IDs, and receive Verifiable Credentials. Mobile users will scan the QR code using digital wallets on their phones. Students will then be able to digitally reset or recover their passwords themselves instead of visiting the campus for help. For now, this functionality is still in the pilot stage, but the university hopes to deploy the live solution soon.
Suzuki is looking forward to improved security with the new solution and says that for developers, the technology means less code to manage and less data to store. “Technology that’s based on Verifiable Credentials is more convenient and secure. There are no passwords for students to forget, so they won’t be tempted to write them down somewhere. It’s flexible identity management that we can use across our organization with more peace of mind.”