Verifiable Credentials vs mdocs: A Comparative Analysis
Staying informed about the latest digital identity standards and technology is more than a full-time job. Even focusing on just what’s available for the identifiers that provide a way to recognize a (digital) identity is enough to keep a person gainfully occupied for a few years. Why a few years, you ask? Because these standards are still under development in many ways – this is a bleeding edge of digital identity. Let’s talk about the two of the most influential standards under development that inform so much of the activity in this space: the ISO/IEC 18013 specifications and the World Wide Web Consortium’s (W3C’s) Verifiable Credentials.
This post has been updated as of January 2025 to reflect the publication of ISO/IEC 18013-7. Also, if you have found this article directly from a search engine, make you also read the follow-on article, More on the Options and Diversity of Verifiable Credentials.
But wait, there’s more (as of June 2025)! If you’re particularly interested in mobile driver’s license (mDL) credentials, I highly highly HIGHLY recommend you read this post from Kim Hamilton Duffy, “Even the Experts Didn’t Know: How a Simple Presentation Revealed mDL’s Latent Surveillance Problem.” Remember that there are reasons for and against phoning home, including fraud mitigation and other risk management reasons, but those reasons have to be done thoughtfully and in balance with privacy considerations.
The tl;dr
The ISO/IEC 18013 family of documents specifies the technical and operational requirements for physical and mobile driver’s licenses (mDL). The mdoc format, part of ISO/IEC 18013-5, refers to the structure and specifications for mobile driver’s licenses and similar electronic ID solutions. (18013-5 and 18013-7 are the ones most identity people focus on). If you would like to read and implement according to these standards, be prepared to pay money to access them.
W3C Verifiable Credentials is a standard developed by the Verifiable Credentials Working Group within the World Wide Web (W3C) consortium. You can use Verifiable Credentials for any type of credential, from educational degrees to government IDs. Unfortunately, the identity industry has confused matters by using the generic term “verifiable credential” to sometimes mean something more or less different from the W3C Verifiable Credential format. If you want to read and implement according to the W3C Verifiabl Credential data format, go for it. Access to the specification is free.
Verifiable credentials and mdocs may be solving similar problems but they take very different paths. If your team needs clarity on where these standards are headed and how they impact your business, I can help. 👉 See how I work with organizations on digital identity standards.
Comparing mdoc/mDL and Verifiable Credentials
| ISO/IEC 18013-5 (mdocs) | ISO/IEC 18013-7 | W3C Verifiable Credential | |
|---|---|---|---|
| Purpose | Designed explicitly to represent driver’s licenses and possibly other official IDs in a mobile format. It can be used for “secondary use cases,” such as anything you might use a physical driver’s license for that doesn’t involve driving. Most importantly, it assumes in-person use cases only. The ultimate case of YMMV. | To support remote verification of mDL credentials over the internet. | A standard that can be used for any type of credential, from educational degrees to memberships, and not limited to driving licenses or IDs. |
| Standardizing Body | ISO/IEC (a treaty-based, government-supported standards organization) Be prepared to pay to read the standard. If you’d like to participate in developing the standard, you have a few more hoops to jump through. | ISO/IEC (as you might expect) | W3C (an industry-based standards organization that uses a tiered model for membership and engagement) Access to the standards is always free. The ability to vote on approving the standard requires a (paid) membership. The ability to be a part of developing the standard or incubating an idea can be part of (paid) membership or (free) invited experts. |
| Privacy and Security | Privacy is a strong consideration, but the focus is on a government credential and how governments need to use it. Protections are built in to ensure that data is shared only when necessary and (mostly) based on individual control. Because of the complexity involved, the use of am mDL is, at least as far as the specification is concerned, an in-person action. Remote use of these credentials is still a work in progress. | Secure remote transactions with protocols like OpenID for Verifiable Presentations (OID4VP). | Privacy is a strong consideration for the W3C as well. Since this specification is designed to support a broader set of use cases, there are privacy considerations to help the individual control what data is shared. There are also considerations about what data is collected since not all use cases require the same data. |
| Interoperability | The ISO/IEC 18013-5 specification is trying to ensure interoperability across different jurisdictions, ensuring that a mobile driver’s license issued in one state or country can be read and verified in another, assuming both places follow the same ISO standard. Other use cases may take advantage of being interoperable if everyone uses the same format, but it’s worth remembering the underlying assumption of government use. | As with 18013-5, 18013-7 is focused on ensuring compatibility for remote mDL use across platforms and jurisdictions. | The W3C VC specification is, as noted, designed for broad interoperability across the web. Interoperability means ensuring that various platforms, websites, and services can understand and verify the credentials. The underlying assumption here is that these credentials must be able to support use on the web by anybody, whether they be a company, a government, or the local pizza delivery service. |
Drama! Intrigue! Big Tech!
What we appear to have here is a general versus specific-purpose identifier format. Why not just use the one that fits your use case? Why all the drama?
In part, it comes down to resource availability. The costs grow for every standard or technology an organization has to support, and that includes credential formats. Developer costs, UX designer costs, support team costs, they all add up. Even organizations the size of Google and Apple would very much like to limit what technologies they have to support. Anything else gets crazy expensive AND frustrates the individuals using their platforms with too many options.
In this case, Apple has focused on supporting the ISO specification only, which frustrates some developers. Google hasn’t decided whether it will support one or both of these standards. Outside of browser-land, the European Union is working on an entire digital identity ecosystem. It will support use cases in education, social security, and other services; their architecture specifically mentions both the W3C and the ISO work.
Let’s not forget that the technology sector loves its ideology wars. From the command line editor wars between vi versus emacs to decades of browser wars, technologists get attached to their favorite tools. This also appears to be playing out here in the mdoc versus VC drama.
Wrap Up
Both ISO’s guidelines and the W3Cs specifications are still evolving. Several critical features are still under active development, sometimes in other standards organizations (I’m looking at you, OpenID Foundation and IETF). Some of those features are raising significant concerns from privacy advocates. If you are going to implement something, be prepared to be flexible to future changes.
Exploring these formats is necessary if you’re moving to a Self-sovereign Identity (SSI) model. But that said, it’s not just about the content of the specifications. Also, review the use cases they are designed to support, what browser you expect your users to use, and even where you are in the world.
ETA: A Few More Thoughts
I love it when my posts spark discussion and feedback! Anil John offered some great insight in a thread on Mastodon that I’m sharing here (to keep it in one place) with permission:
From Anil John
âť– The starting point for the W3C VC work and the ISO mDL work were radically different; the mDL work was directly focused on in-person use cases while the W3C work was focused on remote/online use cases. Both are trying to address the other at present, but the starting point has influenced the design choices that are inherent in both standards.
âť– The W3C VCDM is a data model for describing a broad range of credentials and does not explicitly define the protocols used to move credentials defined using the VCDM from point A to Point B (provisioning and presentation)
âť– The ISO mDL is a tightly coupled mix of an explicitly defined set of data attributes that make up a digital version of a driver’s licence AND a protocol interface description for moving a credential composed of those attributes from a mobile device to a reader/verifier using NFC, Bluetooth or Wi-Fi Aware protocols (in-person presentation); how that credential is provisioned to the mobile device from an issuing infrastructure is explicitly out of scope for the ISO mDL standard.
âť– The W3C VCDM supports and encourages the use of attribute and vocabulary transparency akin to how schema.org works; the ISO mDL vocabulary is part of the standard and as such is under the control of the ISO working group.
2 thoughts on “Verifiable Credentials vs mdocs: A Comparative Analysis”
Amplifying Anil’s point: the starting conditions, initial assumptions and specific use cases from which any standard or specification starts its life constrains and shapes it’s evolution. Most of the rabid ideological fights around these two bodies of work have little to do with the actual text. The arguments start from an unwillingness of individuals to understand the context in which each standard or specification was conceived. Which is “right” – metric hex keys or SAE keys? Of course it depends on what bolt one needs to turn! Context!
Great Summary. Thank you.