In this episode of Associations NOW Presents, guest host David Coriale, president of DelCor and host of the Reboot IT podcast, talks with Elena Dumitrascu, CTO of Credivera, and Tim McCreight, CEO of TaleCraft Security. Together, they explore how secure, verifiable credentials can reduce identity fraud, validate professional qualifications, and strengthen cybersecurity. Drawing on real-world use cases in industries like healthcare and safety, the discussion highlights the growing importance of global standards and the role associations can play in adopting these technologies to build trust and security in digital spaces.

Check out the video podcast here:

https://youtu.be/y5RzrCUUTzU

This episode is sponsored by Credivera.

Associations NOW Presents is produced by Association Briefings.

Transcript

[00:00:00 ] David Coriale: Hello everyone. This is Dave Corelle, president of DelCor and host of the 501 C technology podcast, Reboot IT, and I am excited to be guest hosting today. We've talked about this technology before on Reboot and I'm so happy to be talking about it again 'cause I think this community needs to talk about this more.

And I have two experts with me who are going to do 90% of the talking. I have Tim McCreight and also Elena Dumitrascu. I want  to welcome you and also have you introduce yourselves. Let's start with you, Elena. 

[00:00:34 ] Elena Dumitrascu: Thank you for having me here. It's a pleasure. I'm the co-founder and CTO of Credivera. We are a technology company that supports associations with verifiable credentials, secure identity, and secure certifications for their constituents.

I got into this business because I saw over and over again how difficult it is to prove someone's identity from a workforce perspective. The long compliance issues [00:01:00 ] that come from that, and really some of the fraud that. Sort of seeps in as well. Again, really happy to be here and to talk about this topic.

[00:01:08 ] David Coriale:  Awesome. Thank you, Tim.

Tim McCreight: Thanks folks. My name is Tim McCreight. I'm the CEO and founder of TaleCraft Security. We're a boutique security firm that focuses on developing security programs using a risk-based approach. And after 44 years of doing this, it's nice to finally get a chance to see some of the changes that we wanna make within the industry, and particularly with we're talking about today, these verifiable credentials.

It's been something we've been dealing with, trying to make sure it's Tim doing what Tim's supposed to be doing, nothing more and nothing less, and trying to get to a space where we're seeing that come through. It's great to talk about this today. It's a great opportunity to explore and identify what a verifiable credentials can do for organizations, but how it helps people like me in the security industry truly understand that we can start reducing risk by using this approach.

[00:01:56 ] David Coriale: And you are also a host of a podcast? 

[00:01:59 ] Tim McCreight: [00:02:00 ] Yes sir. I am. I have my own podcast. I co-host with Doug Lease, and it's called Caffeinated Risk. It's two self creamed grumpy security professionals talking about security and risk. And we thought throwing in coffee security and risk, how can you go wrong? So this is year five now with caffeinated risk.

[00:02:17 ] David Coriale: And I've just gotta mention, 'cause you said this earlier, that the icon for it is the caffeine molecule. Yes sir. Yeah, it's just really fun. It looks good on the mugs and the T-shirts, so it looks really good. Yeah, that's what's important. So thanks for joining. I always like to start at these conversations, kinda the start at the top.

And what are we talking about? So you've talked about verified credentials, risk in cybersecurity, in your backgrounds, and what you are trying to accomplish. I think we're all familiar with cybersecurity. Right. There's plenty of news coming at us with what's happening in cybersecurity breaches and so on.

How is this different, like when you talk about cybersecurity and verified credentials, explain the link between the two and what you mean by verified credentials. 

[00:02:58 ] Tim McCreight: That's a good one. I'll start [00:03:00 ] first and then I'll pass it on to Elena. From my perspective, one of the things that we've struggled with for years is making sure that as I access a resource, as I log onto a system, or as I gain access to different data or information across an organization, I need to make sure that Tim is actually Tim, and I need a way to validate that, and I need a way to prove that I'm given or been granted access to these different data stores data resources.

The difficulty with that is over the years we've been really restricted of what we could provide. Everyone listening knows, we first started with IDs and passwords, bringing in different factors for authentication, but there were still avenues that were open to fraudsters, to impersonate somebody. So I could log on saying that I'm Tim.

I'm not really Tim, but I have his credentials. I've got his password, so now I can gain access to the information that Tim has access to. So that became problematic and it still is. What we're finding now is there's a desire to gain greater understanding of who Tim is, [00:04:00 ] where I really can go, can you prove his background?

Can you show me the resources he should have access to? And now can you provide me that level of access and make it so that it's difficult or damn near impossible to steal those credentials or to copy those credentials by using different forms of encryption. That to me is when we're starting to talk about some real changes to how we gain access to sensitive information or to data that I need to see to do my job every day in an organization.

[00:04:26 ] Elena Dumitrascu: There's also the need for Tim to have portability. If this is his data, let him carry it with him. Obviously, if it's an email address from Tim's employer, if Tim no longer works there, that email address is no longer in his possession. But if it's a different type of identifier about Tim, like his. Digital identity, his driver's license or his university degree, or his certificate from an association, his professional designation as a security expert.

Those are all bits of [00:05:00 ] information that belong to Tim. I. He should be able to take from organization to organization and prove those statements about him as he gets onboarded, as he logs on every day to various systems that he should be allowed to log onto because he has those credentials. So it's more than just the username and a password.

It's all of these details about Tim that now finally can be given to Tim. In a secure, encrypted and portable way we can take from engagement to engagement. 

[00:05:33 ] David Coriale: So I feel like this is more important, if you will, than username and password credentials. Right? Because that's what most of us think of when you, what are your credentials, username and password?

Because we're talking about verifying somebody's credentials from a professional. You mentioned just now maybe their association certification. Right. Which could impact. Their credibility. So some of this is privacy, some of this is credibility, and then some of this could be also things like the ability [00:06:00 ] to prescribe drugs, right?

Controlled substances as a, the, what is it? The DEA, the drug enforcement administrative number that a doctor has. If I have that number, I can impersonate someone and prescribe drugs. I'm understanding you clearly that we're talking about more than just the privacy aspect. We're talking about impersonation for nefarious or illegal activities potentially as well.

[00:06:23 ] Tim McCreight: Yep. A really good example, and this is one that Ellen talking about before and it really resonates, is this idea if I have specific training in, let's say one environment, and I go back to my time I spent with oil and gas or critical infrastructure. If I'm gonna be working in a facility where I have to take two trainings, so I'm required to have safety training before I enter the facility, or before I can actually go do work with a plant, and I want to be able to move from one employer to another, but my credentials for safety stay the same.

This is an amazing opportunity to take what I have learned, what I've maintained in the background that I have, the training that I have, that I can verify that I have the training [00:07:00 ] and that I actually am qualified to work now in an environment where I have to have H two s training for safety. This is a terrific approach to do that because now that's transferable with me because I own that credential or I own that training, and that's part of my profile.

Now when I create that verifiable credential for Tim. 

[00:07:16 ] Elena Dumitrascu: Let's think about the cybersecurity team in that company. Tim is a new employee. They have to provision him with access to all sorts of things. You bet they get that information today from HR through something like ServiceNow Ticket that says onboard Tim.

But does that cybersecurity professional know that the right due diligence was done on Tim? They take it at face value. What if something changes from the moment when HR or someone else checked Tim's credentials? One of them expired or got revoked, right? That cyber team in today's world before verifiable credentials in the paper world or the unverifiable digital PDF world, we'll take it at face value and we'll go [00:08:00 ] ahead and provision Tim with the respective access and only