How to prevent a spoofed AI agent in your travel solution? AI isn’t going to work if customers can’t trust your agents — and right now legacy authentication isn’t up to the task. At Indicio, we’re making AI systems a practical, implementable reality for travel and tourism by using decentralized identity and Verifiable Credentials for secure, privacy-preserving, GDPR-compliant authentication and data sharing.
By Trevor Butterworth
Do you want your customers to be phished by fake AI agents pretending to be from your company?
Of course you don’t. That’s the stuff of nightmares.
You’re dreaming up amazing ways to use AI to help your customers and simplify your operations. And to turn that dream into reality in travel, the focus is on delivering automated performance. How do you solve the customer’s problem, meet their goal — and beat every other competitor trying to do the same thing?
Authentication isn’t even an afterthought.
Newsflash: the nightmare of spoofed agents is coming. And it’s bringing a friend, the specter of regulatory compliance.
Do you think you can just grab and projectile-share tons of customer personal data, unencrypted and unprotected, as if GDPR doesn’t exist?
Do you think legacy authentication tech, built on usernames and passwords, is up to the task of protecting these radically new customer interactions?
In one breach, you will become a global news story, lose your customers, and be lucky if you aren’t fined into oblivion.
This is why you need Verifiable Credentials for AI.
1. Making AI implementable means taking authentication seriously
The bad news is that conventional, legacy, centralized authentication technology can’t protect your AI agents and your customer interactions.
The good news is that decentralized identity and Verifiable Credentials can — faster and cheaper.
The trick is that an AI agent with a Verifiable Credential and a customer with a Verifiable Credential are able to authenticate each other before sharing data.
And they’re able to do this cryptographic authentication in a way that is resistant to the bad kind of reverse-engineering AI.
This means that if you are an airline or a hotel chain, a customer can instantly prove that they are interacting with an AI agent from that airline or hotel chain.
At the same time the AI agent can prove the customer is also who they say they are — in other words, that they have been issued with a Verifiable Credential from their airline.
This all happens instantly.
2. Making AI implementable means taking GDPR seriously
The European Union’s General Data Protection Regulation (GDPR) is the gold standard for data privacy and a model for other jurisdictional data privacy and protection law.
GDPR requires a data subject — your customer — to consent to share their data. It requires the data processor — your company — to minimize the amount of personal data it uses and limit the purposes for which it can be used.
Right now, no one appears to be thinking about any of this; It’s a personal data-palooza. But this isn’t the web of 20 years ago. You can’t say people don’t care about data privacy when GDPR came into effect in 2018.
Again, Verifiable Credentials solve this problem. They are a privacy-by-design technology providing the customer with full control over their data. For an AI agent to access that data, the person must explicitly consent to sharing their data.
They can also share this data selectively, so you can meet the requirements of data and purpose minimization.
3. Expanding AI means taking delegated authority seriously
It’s going to be a multi-agent world. AI agents will need to talk to other AI agents to accomplish tasks. To make this work, a customer will have to give a special kind of permission to the first point of agentic contact: delegated authority.
This means a customer must explicitly consent to an agent sharing data with another agent, whether that second or third agent is inside the same company or outside.
Again, Verifiable Credentials make that kind of consent easy for the customer. On the back end, decentralized governance makes it easy for a company to implement and manage these kinds of AI agent networks.
An AI agent can hold a trust list of other AI agents it can interact with. And because all these agents also have Verifiable Credentials, every agent can authenticate each other — as if they were customers.
4. The additional incredibly useful benefit of Verifiable Credentials: structured data.
The great thing about this technology is not just that it solves the problems you haven’t really thought about, it also helps to solve the problem that you’re currently focused on: the need for structured data.
Verifiable Credentials are ways to structure trustable information. If you as an airline create, say, a loyalty program credential, the information in that credential can be trusted as authentic. It comes from you; it’s not manually entered, potentially incorrectly, by the customer. It’s also digitally-signed so it cannot be altered by the user or anyone else.
So when an AI agent gets permission from a customer to access a loyalty program credential, it is able to automatically ingest that accurate, verifiable, information from the credential and immediately act on it.
Think about how easy it is now for a chatbot to interact with a passenger on a flight and provide instant access to services, or rebook a connecting flight, or connect them to a hotel agent — and then use mileage points associated with a Loyalty Program Credential to pay. (We’ve also enabled regular payments using Verifiable Credentials).
No more manual mis-typed data entry slowing things down creating frustration and customer dropoff. The customer has a user experience that works for them and delivers frictionless customer service from you. But only if you implement authentication and permissioned data access.
Indicio is leading identity authentication for AI
We’ve been recognized by Gartner for our innovation, we’ve been accepted into NVIDIA’s Inception Program, we’ve partnered with NEC to create the trust layer for automated AI systems.
Contact us to make AI a secure and compliant reality.
