When you hand a physical ID to a border agent or a pharmacist, they trust it partly because of what they can see: a hologram, a barcode, microprinted text, the feel of the card. Those physical security features are the result of decades of investment in tamper-evident materials.
A verifiable digital credential lacks those physical properties. There is no hologram or tamper-evident material. And because what appears on a screen can often be copied or screenshotted, the central question becomes: what stops someone from creating a fake credential, changing the data in a real one, or presenting a copied credential as their own?
What a Digital Signature Does
A digital signature ties the contents of a credential to the identity of the issuer in a way that is mathematically verifiable and, without the issuer's private key, computationally infeasible to forge.
Here is the concept in plain terms. The issuer (such as a state DMV, a federal agency, or a licensing board) holds two related keys: a private key that only they possess, and a public key that anyone can look up. When the issuer creates a verifiable digital credential, they use their private key to generate a signature that is mathematically bound to both the key and the exact contents of that credential. Change a single signed field, like a name or date of birth, and the signature no longer matches.
When a verifier receives that credential, they use the issuer's public key to check the signature. If it validates, they know two things: the credential was signed by whoever holds that private key, and the signed contents have not changed since it was signed. They do not need to call the issuer to confirm this. This is why the integrity and issuer signature on verifiable digital credentials can often be checked offline, at speed, without contacting the issuing agency during verification, provided the verifier already holds the issuer's trusted keys or certificates. The proof travels with the credential; what the verifier must bring is an accurate list of which issuer keys to trust, and obtaining and maintaining that list is a security decision in its own right.
What the Signature Does Not Prove on Its Own
Like any security property, a digital signature has a defined scope, and knowing that scope helps set accurate expectations.
A valid signature proves that the credential was issued by the keyholder and that the signed contents have not been altered. It does not prove that the person presenting the credential is the one it was issued to. A screenshot or byte-for-byte copy of a credential carries the same valid issuer signature as the original, so a signature check alone cannot catch the copied-credential case raised above. Tying a credential to its legitimate holder is a separate property, commonly called device binding or holder binding: the issuer includes the holder's public key in the signed credential, and at presentation time the holder proves possession of the matching private key (for example, by signing a fresh challenge chosen by the verifier), or the verifier performs a biometric match against a signed attribute such as a portrait. A well-designed system treats signature verification and holder verification as two distinct requirements rather than assuming one covers both.
It also does not, by itself, answer every lifecycle question. Whether a credential has been revoked, whether an issuer key has been retired, or whether the holder's circumstances have changed are all questions that depend on the credential lifecycle as a whole. Expiration can often be checked from signed credential metadata, but deciding whether a credential is currently valid may depend on lifecycle rules and verifier policy. The signature guarantees integrity, not ongoing validity.
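The following Go program is an added example, not code from the original post or from any SpruceID product. It ties together the two sections above: the issuer signs the credential with an Ed25519 private key and a verifier checks it offline against a key it already trusts, then the verifier additionally demands a proof of key possession over a fresh nonce (device binding) and applies expiry and revocation policy before accepting. The Credential fields, the `did:example:dmv` issuer, the nonce-plus-issuer-signature challenge construction and the in-memory revoked set are all assumptions made for this example; real deployments use a standardised securing mechanism and a published status mechanism instead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is a constructed, deliberately small stand-in for the signed
// payload of a verifiable credential; field names are illustrative, not a
// standard profile. HolderKey is the public key the issuer binds it to.
type Credential struct {
	ID          string `json:"id"`
	Issuer      string `json:"issuer"`
	DateOfBirth string `json:"dateOfBirth"`
	Expires     string `json:"expires"` // RFC 3339
	HolderKey   []byte `json:"holderKey"`
}

// canonicalBytes serialises the credential deterministically so issuer and
// verifier sign and check identical bytes. encoding/json writes struct fields
// in declaration order, which suffices here; real deployments use a defined
// canonicalisation or sign an encoded payload such as a JWS.
func canonicalBytes(c Credential) []byte {
	b, err := json.Marshal(c)
	if err != nil {
		panic(err) // cannot happen for this plain struct
	}
	return b
}

// IssuerSign binds the credential contents to the issuer's private key.
func IssuerSign(issuerPriv ed25519.PrivateKey, c Credential) []byte {
	return ed25519.Sign(issuerPriv, canonicalBytes(c))
}

// challenge is what the holder signs: the verifier's fresh nonce followed by
// the issuer signature, so a proof cannot be replayed in another session or
// transplanted onto another credential (assumed construction, not a standard).
func challenge(nonce, issuerSig []byte) []byte {
	return append(append([]byte{}, nonce...), issuerSig...)
}

// HolderProve returns the proof of key possession for one verifier session.
func HolderProve(holderPriv ed25519.PrivateKey, issuerSig, nonce []byte) []byte {
	return ed25519.Sign(holderPriv, challenge(nonce, issuerSig))
}

// Verify checks, in order: issuer signature (origin and integrity), holder
// proof (device binding), then lifecycle policy (expiry, revocation). The
// revoked set stands in for whatever status mechanism a deployment uses.
func Verify(trustedIssuer ed25519.PublicKey, c Credential, issuerSig, holderProof, nonce []byte,
	revoked map[string]bool, now time.Time) error {
	if !ed25519.Verify(trustedIssuer, canonicalBytes(c), issuerSig) {
		return errors.New("issuer signature invalid: forged or altered")
	}
	holderKey := ed25519.PublicKey(c.HolderKey)
	if len(holderKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(holderKey, challenge(nonce, issuerSig), holderProof) {
		return errors.New("holder proof invalid: presenter does not hold the bound key")
	}
	if exp, err := time.Parse(time.RFC3339, c.Expires); err != nil || !now.Before(exp) {
		return errors.New("credential expired or expiry unparseable")
	}
	if revoked[c.ID] {
		return errors.New("credential revoked by issuer")
	}
	return nil
}

// Demo runs five scenarios and returns each outcome (nil means accepted) so
// callers and tests can check results rather than printed output.
func Demo() (honest, altered, stolen, expired, revoked error) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, thiefPriv, _ := ed25519.GenerateKey(rand.Reader) // has a copy, not the key
	cred := Credential{ID: "urn:example:cred:42", Issuer: "did:example:dmv",
		DateOfBirth: "1985-06-15", Expires: "2030-01-01T00:00:00Z", HolderKey: holderPub}
	sig := IssuerSign(issuerPriv, cred)
	nonce := make([]byte, 16)
	_, _ = rand.Read(nonce) // verifier's fresh per-session challenge
	proof := HolderProve(holderPriv, sig, nonce)
	now := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	none := map[string]bool{}

	honest = Verify(issuerPub, cred, sig, proof, nonce, none, now)
	tampered := cred
	tampered.DateOfBirth = "2009-06-15" // one signed field changed, signature kept
	altered = Verify(issuerPub, tampered, sig, proof, nonce, none, now)
	stolen = Verify(issuerPub, cred, sig, HolderProve(thiefPriv, sig, nonce), nonce, none, now)
	expired = Verify(issuerPub, cred, sig, proof, nonce, none, time.Date(2031, 1, 1, 0, 0, 0, 0, time.UTC))
	revoked = Verify(issuerPub, cred, sig, proof, nonce, map[string]bool{cred.ID: true}, now)
	return
}

func main() {
	h, a, s, e, r := Demo()
	fmt.Println("honest:", h, "\naltered field:", a, "\nstolen copy:", s, "\nexpired:", e, "\nrevoked:", r)
}
```

Run it with `go run .` and compare the five lines: only the honest presentation returns `<nil>`. The ordering inside `Verify` is deliberate: the cheap offline signature check runs first and rejects forgeries and edits, the holder proof then rejects a copied credential presented from a device without the bound key, and only after both pass does the verifier's own policy (clock, status) decide whether the still-authentic credential is currently acceptable.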
Why Key Management Matters
The strength of a digital signature is only as reliable as the care taken with the private key behind it. For high-assurance issuer keys, well-designed systems typically store private keys in dedicated cryptographic hardware, such as hardware security modules (HSMs), that are purpose-built to protect key material and limit access. Keys are managed under documented lifecycle and rotation policies, and documented processes are in place for when a key needs to be retired or replaced.
These are standard practices in mature credential infrastructure, and most established vendors have clear answers to the relevant questions: where keys are stored, who has access, how rotation works, and what the recovery process looks like. They are worth asking about early in any procurement conversation.
What This Means for Procurement and Policy
For those evaluating credential systems, one of the most useful questions is whether the system implements signing in conformance with recognized, published standards. The W3C Verifiable Credentials Data Model 2.0, together with its securing mechanisms (Data Integrity proofs, or JOSE and COSE signatures) and the standards specific to a given credential type (for example, ISO/IEC 18013-5 for mobile driver's licenses), defines auditable approaches that have been reviewed by the broader technical and policy community. A vendor whose system conforms to those standards has made choices that are auditable, comparable, and not proprietary.
For legislators and policy teams, the practical implication is similar. Requirements that reference specific security properties (for example: credentials must be cryptographically signed, high-assurance keys must be stored in validated cryptographic hardware, and key rotation must follow a documented process) are more durable than requirements that simply mandate "verifiable digital credentials" without specifying what that means technically. The goal is language clear enough that implementing agencies can hold vendors accountable to it.
Building Trust That Lasts
The goal of a digital signature, ultimately, is the same as the goal of the security features on a physical card: to give the person checking a credential a reliable basis for trust. Understanding how that trust is established enables agencies and policymakers to build systems that remain reliable over time.
If your agency is working through these questions, evaluating credential systems, drafting technical requirements, or assessing the security of an existing deployment, SpruceID can help. Get in touch with us to start the conversation.
Building digital services that scale takes the right foundation.
About SpruceID: SpruceID builds digital trust infrastructure for government. We help states and cities modernize identity, security, and service delivery — from digital wallets and SSO to fraud prevention and workflow optimization. Our standards-based technology and public-sector expertise ensure every project advances a more secure, interoperable, and citizen-centric digital future.