How do DDID and SSI deal with generating VCs and Digital Wallet accounts for a group of people?

Samer Alrawabdeh 20 Reputation points
2024-05-26T10:56:00.95+00:00

This is related to https://learn.microsoft.com/en-gb/entra/verified-id/ .

For example, a family with children or a travel agency booking on behalf of a group of employees in an organization. Is there a possibility to create a main account (the father's, for example) which will hold "sub-accounts", the mother's and the son's digital wallets?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Marilee Turscak-MSFT 36,841 Reputation points Microsoft Employee
    2024-05-29T21:06:35.85+00:00

    Hi @Samer Alrawabdeh ,

    I discussed this in detail with my colleague and he confirmed that the requested functionality is not available out of the box. But this feature can be achieved with some customization, which some customers have implemented to support this exact scenario.

    In a very basic scenario, here is the concept:

    • You will need to register some extension attributes for the user object:
      • loyaltyId (or something similar - indicating the unique membership for the individual account)
      • FamilyManager(bool) - indicating whether this user can manage the family memberships
      • FamilyId(guid) - unique id indicating the "family"
      • FamilyMember01(guid) - the object id of another user object that is a member of the family
      • FamilyMember02(guid) - same
      • ...
      • FamilyMemberNN(guid)
    • You will need to robustly and reliably manage the values of those extension attributes for the users.
    • Each family "member" will have a separate ("their own") user object in the directory, decorated with all these attributes for references
    • "Child accounts" may well be disabled, with random passwords, and just serve as "placeholders" until some point in time (when the child grows and can have their own account - at this point, a process can be triggered - e.g. password reset, where the child can have full control over their account)
    • A "parent" - someone who is managing the family - can have a VC issued for themselves, or for any of the members, and can save a family member's VC in their own wallet (authenticator app)
      • Thus, this "parent" can later use the VC of a family member as a sign-in method to sign in and operate "on-behalf" of the family member.

    If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching similar questions.

    1 person found this answer helpful.
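
One way to validate the cross-references described in the answer above before a "parent" is allowed to act for a family member, as an added example that is not from the original answer or from Microsoft. The flat attribute names, the object ids, the sample directory and the helper names `audit` and `may_act_for` are assumptions constructed for illustration.

```python
import re

# Constructed sample directory: object id -> the extension attributes named in
# the answer (real directory extensions carry an app-specific name prefix).
USERS = {
    "u-dad": {"FamilyManager": True, "FamilyId": "fam-1",
              "FamilyMember01": "u-mom", "FamilyMember02": "u-son"},
    "u-mom": {"FamilyManager": False, "FamilyId": "fam-1"},
    "u-son": {"FamilyManager": False, "FamilyId": "fam-1"},
    "u-agent": {"FamilyManager": True, "FamilyId": "fam-2",
                "FamilyMember01": "u-son",      # points into another family
                "FamilyMember02": "u-gone"},    # dangling reference
}

SLOT = re.compile(r"^FamilyMember\d{2}$")

def members_of(user):
    """Object ids stored in the FamilyMemberNN slots of one user object."""
    return [v for k, v in sorted(user.items()) if SLOT.match(k) and v]

def audit(users):
    """Return (object_id, problem) pairs for references that must not be trusted."""
    problems = []
    for oid, user in users.items():
        refs = members_of(user)
        if refs and not user.get("FamilyManager"):
            problems.append((oid, "lists members but is not a FamilyManager"))
        for ref in refs:
            target = users.get(ref)
            if target is None:
                problems.append((oid, f"dangling reference {ref}"))
            elif target.get("FamilyId") != user.get("FamilyId"):
                problems.append((oid, f"{ref} belongs to another family"))
    return problems

def may_act_for(users, manager_id, member_id):
    """True only if every attribute agrees that manager_id manages member_id."""
    manager, member = users.get(manager_id), users.get(member_id)
    if manager is None or member is None:
        return False
    return (manager.get("FamilyManager") is True
            and manager.get("FamilyId") is not None
            and manager.get("FamilyId") == member.get("FamilyId")
            and member_id in members_of(manager))

if __name__ == "__main__":
    for oid, problem in audit(USERS):
        print(oid, "->", problem)
```

Requiring the manager flag, the shared FamilyId and the member slot to agree means a single mis-set attribute cannot by itself let one account operate on behalf of another.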

1 additional answer

  1. Marilee Turscak-MSFT 36,841 Reputation points Microsoft Employee
    2024-05-29T00:31:20.9066667+00:00

    Hi @Samer Alrawabdeh ,

    There isn't an out-of-the-box way that I'm aware of to have a primary account with multiple child/sub accounts, though the Issuer to User relationship can somewhat be arranged to resemble that structure. Microsoft accounts in general have the family portal for adjusting parental controls, but this doesn't sound like quite what you are looking for. https://support.microsoft.com/en-us/account-billing/parental-consent-for-children-s-accounts-393ac0f6-c60d-4903-8e03-6f3450128f8f

    Verified Credentials establishes a User (person requesting the proof of credential), Issuer (organization that creates an issuance solution requesting information from a user), and Verifier (company or entity who needs to verify claims from one or more issuers they trust). The issuer proves the identity based on Authenticator, Face Check, and validation that directly identifies the user rather than a set of users.

    I've reached out to a colleague on the Verified ID team to share your scenario and see if there are additional recommendations. I'll update this thread as I get a response. In the meantime you can also leave product feedback in the feedback forum where colleagues from that team reply directly. https://feedback.azure.com/

    If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching similar questions.

