For five+ years I have watched the digital identity movement struggle to grow up. I followed every pilot, every revision, every startup that claimed to fix what passwords and federated identity platforms broke.
I kept asking the same questions. When will this kill the password? When will the same identity exploit stop showing up in breach reports? When will digital identity work at population scale instead of being trapped in labs and conferences?
That time has arrived. Maybe.
Governments are training citizens on wallet interfaces. Companies are moving from proof of concept to production. The infrastructure exists. The standards are stable. The ground has shifted. Digital identity is no longer an experiment. It is becoming a global necessity.
Denmark Shows What's Possible
Denmark's MitID proves that national-scale digital identity works when done with discipline and commitment. It runs the full stack: onboarding, step-up authentication, recovery, and support, all at population scale. Citizens use it to access government, banking, telecom, and energy services and to sign documents digitally.
I live here. When I had to complete a New Zealand legal signing process, I had to print forms, get certified copies, and hold my passport on a video call. Archaic. In Denmark, that process would have taken seconds. The behaviour is embedded. The system works.
One gripe with Denmark: a different app for each credential. So close, so far away. However, AltID is coming, which should hopefully fix this.
Denmark solved national identity with a purpose-built system. The EU now demands continental interoperability, and that means wallets must speak multiple credential formats. EUDI chose both: SD-JWT for attributes, ISO 18013-5 for driving licences. The standards divide doesn't disappear; it moves into the verification layer.
The Standards Divide
W3C and ISO both claim to solve the same problem: trust. But their assumptions about who deserves trust could not be more different.
ISO mDL / mDOC
Built on PKI infrastructure governments have used for decades. The authority issues, the reader verifies, the root certificates define the chain of trust.
- Legal equivalence guaranteed
- High-assurance proofing (IAL3, eIDAS "high")
- Predictable, safe, slow to change
The spec supports offline presentation: credential on device, verification via NFC or BLE, no callback required. But server retrieval remains an option, and nothing in the architecture prevents issuers from building phone-home infrastructure around it. Privacy depends on deployment choices, not the standard itself.
W3C Verifiable Credentials
You hold your data. Credentials stay on your device. The architecture supports self-generated keys and decentralised identifiers, but doesn't require them.
- Flexible: works with DIDs, HTTPS URLs, or any resolvable identifier
- Lower infrastructure cost than centralised registries
- Selective disclosure possible—but only with the right proof format (BBS+, SD-JWT)
Cost: Trust anchor discovery remains unsolved. A VC is only as valuable as the verifier's ability to resolve and trust the issuer. DID methods proliferate; universal resolution doesn't exist. Plain JWTs reveal everything.
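The sketch below is an added example, not code from any wallet or project mentioned here. It shows the salted-digest mechanism SD-JWT uses for selective disclosure: the signed payload commits to hidden claims through `_sd` digests, where a plain JWT payload would carry every claim in the clear. The issuer signature and holder key binding are omitted, and the claim values and issuer URL are constructed.

```python
import base64, hashlib, json, secrets

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_disclosure(name, value):
    """Return (disclosure, digest); the random salt stops digest guessing."""
    salt = b64u(secrets.token_bytes(16))
    disclosure = b64u(json.dumps([salt, name, value]).encode("utf-8"))
    digest = b64u(hashlib.sha256(disclosure.encode("ascii")).digest())
    return disclosure, digest

def issue(claims, always_visible=("iss",)):
    """Issuer: the payload (which would be signed) holds digests, not values."""
    payload = {k: v for k, v in claims.items() if k in always_visible}
    disclosures, digests = {}, []
    for name, value in claims.items():
        if name not in always_visible:
            disclosures[name], digest = make_disclosure(name, value)
            digests.append(digest)
    payload["_sd"] = sorted(digests)  # sorted so order does not hint at claim names
    payload["_sd_alg"] = "sha-256"
    return payload, disclosures

def verify(payload, presented):
    """Verifier: accept a disclosure only if the payload commits to its digest."""
    claims = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    for disclosure in presented:
        digest = b64u(hashlib.sha256(disclosure.encode("ascii")).digest())
        if digest not in payload["_sd"]:
            raise ValueError("disclosure not committed to by issuer")
        padded = disclosure + "=" * (-len(disclosure) % 4)
        _salt, name, value = json.loads(base64.urlsafe_b64decode(padded))
        if name in claims:
            raise ValueError("duplicate claim name")
        claims[name] = value
    return claims

# Constructed sample claims (not from any real credential).
SAMPLE = {"iss": "https://issuer.example", "given_name": "Ada",
          "birthdate": "1990-01-01", "age_over_18": True}

if __name__ == "__main__":
    payload, disclosures = issue(SAMPLE)
    print(json.dumps(payload, indent=2))                    # no name or birthdate
    print(verify(payload, [disclosures["age_over_18"]]))    # holder reveals one claim
```

The holder chooses which disclosures to send; the verifier learns only those claims plus the number of undisclosed digests.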
Developers prefer the W3C model for its flexibility, privacy, and speed. Governments distrust it for the same reasons. Too much autonomy means too little control. Lost keys can mean lost identities. And decentralised identifiers are cheap to generate: Sybil resistance depends entirely on issuance controls, and VCs impose none by default.
Both systems move trust around rather than removing it. ISO says trust the government. W3C says trust the math, then quietly requires you to trust whoever publishes the DID method registry. Neither eliminates surveillance. Privacy depends on execution, not ideology.
The real question is not technical but political: who holds the keys, and who decides when they stop working?
In the real world, both standards will coexist. Wallets will issue and present both formats. Relying parties will verify both through policy engines. The market rewards what works. It rewards interoperability, not purity.
The Ground Has Shifted
Digital identity has moved on from platforms. The fight now is for acceptance.
Acceptance is not technical verification. It is social and legal trust between systems. It means a bank in Germany trusts a wallet issued in Denmark. It means a marketplace accepts verified data from any certified provider without rewriting code. It means a government service can recognise a private-sector credential and move on.
Acceptance means identity works everywhere it should, without friction, custom contracts, or vendor dependencies.
The companies that came before paid the price of progress. They wrote the specs, built the code, and kept the movement alive while nobody cared. They spent millions running pilots that proved the concept but never the business model. Their work made this possible, but now the advantage is gone. The standards are public. The SDKs are mature. Any skilled team can build what once took years.
Code no longer protects profit. Trust does. And trust is proven in the wild, not in theory, not on paper, not with compliance stamps. Distribution without trust is just burn rate. Platforms built around closed systems and proprietary APIs are done. Acceptance is the new product. Identity is now infrastructure.
Why Platforms Failed and Acceptance Won
Identity platform businesses failed because they were built for themselves, not for trust. Technology became a commodity. APIs and SDKs no longer differentiate anyone. If governments will not certify your wallet or banks will not accept your proofs, your technology is irrelevant. Replication is easy. Compliance is not.
The pattern repeated across the industry in 2024/25. Vendors signed dozens of customers. Few ever went live. The post-mortems were consistent: no interoperability, poor UX, no network effects. The technology worked. The market did not care.
The survivors pivoted. Identity acceptance networks emerged, bringing together verification providers to serve tens of millions of already-verified users. SSI platforms were sold off or shut down. The focus shifted entirely to acceptance.
The lesson is obvious. The money is in trust, not code.
What To Do Now
Build for Framework Compliance First
If you cannot certify, you cannot deploy. Align with eIDAS 2.0 and NIST frameworks. Support both W3C and ISO standards. Choosing one is choosing irrelevance.
Follow Denmark's Lead
They solved identity operations at population scale. Plan your migration from centralised login systems to wallet-based identity. Build certified readers, policy engines, and verifiable credential pipelines. Train your teams before your users. Build incrementally, test in production, and learn fast.
Build the Connective Tissue
The opportunity is no longer in building new identity platforms. It is in building the connective tissue: issuer services, wallet certification, trust registries, developer SDKs, and compliance automation. Everyone needs these things. Almost no one is building them well.
The Path Forward
The money poured into pilots, standards, and platform development was not wasted, but it was charitable. It built the foundation for what comes next. The next wave of value will come from cross-border acceptance, verified interoperability, and measurable privacy. Success will belong to those who pass framework certification on the first try and win legal trust as well as technical trust.
I genuinely believe we can fix parts of the internet with this. The web was not built for identity. We bolted it on with passwords, cookies, and federated hacks. Digital identity done right (acceptance-first, interoperable, privacy-preserving) closes that gap.
But here's the truth the industry still dodges: acceptance wins, platforms lose. Bet on technology alone, and you're the next charity case. Adapt or get left holding the bag.