Why Enterprises Should Care About Digital Credentials (Even If It’s Complicated)

Digital Credentials (also known as verifiable credentials) have been promoted as the next best thing for keeping individuals secure in their online as well as in-person transactions. But what about companies? What does a typical enterprise get from moving down the digital credential path? On the one hand, they get a leg up on fraud. On the other hand, they get an even more complex operating environment thanks to legacy infrastructure.

If it were easy, they’d already be doing it. So, let’s see if I can make the case for why, despite the challenges, enterprise services should absolutely adopt digital credentials.

What Are Digital Credentials?

Let’s back up for a moment and make sure we’re all clear on what digital credentials are in this context. If you have time, check out my previous post, “Digital Credentials That Can Be Verified: A Lesson in Terminology.” It’ll do a more thorough job of explaining what a digital credential is. But if you don’t want to read that post just to read this one, let’s go with the definition from the Digital Credential API: “[a digital credential is] a cryptographically signed digital document containing one or more claims made by an issuer about one or more subjects.”

The important bit in there is the ‘cryptographically signed’ part. These credentials have been created such that they are so much better than, for example, a photo of your driver’s license! The content of the credential is tamper-proof thanks to complex math. As a bonus prize, tools exist such that you can share only the parts necessary rather than an all-or-nothing scenario.

The most common use case I’ve seen supporting the value of digital credentials is age verification. The idea being that someone can share this credential to establish they are of age for whatever action they are trying to accomplish WITHOUT sharing anything else like their home address, actual date of birth, or anything else on a driver’s license or passport.

Which is all well and good, but how does that help an enterprise? The use case of an employer having to verify the age of employees or contractors is in all likelihood pretty darn small. So what can these be used for?

I have a list.

Digital Credentials in the Enterprise

Employment

Enterprises with large workforces onboard employees and contractors at scale, verifying work eligibility, tax IDs, and personal details. Today, this process relies on document uploads and database checks. And yet somehow, ghost employees, tax fraud, and forged work eligibility documents remain a real problem. Digital credentials offer a stronger approach: instead of uploading scanned IDs and filling out forms, new hires could present cryptographically secure credentials issued by tax authorities or immigration offices. This ensures instant verification of real identities and work authorization, reducing fraud while making onboarding faster and more secure.

In other words, payroll systems could require cryptographic proof of a valid tax ID rather than accepting a number typed into a form. Multinational companies could rely on a portable, verifiable credential to prove an individual’s work authorization instantly, reducing onboarding time.

Travel

The travel industry has all SORTS of opportunities when it comes to seeing the value of digital credentials. The identity verification checks that happen at airports and border crossings are the most obvious. In the U.S., mobile driver’s licenses are starting to be accepted in some airports in place of a physical driver’s license. It’s a thing. But think about this use case:

Your company has 10,000 employees, and 1,500 (that’s about 15%; not unrealistic) of them travel for business. Today, travel approvals and reimbursements are handled through corporate systems (it used to be through spreadsheets. Can you imagine?). These systems, however, often require manual approvals, policy enforcement, and receipt tracking, thus introducing inefficiencies, delays, and security risks. A digital credential could embed an employee’s travel permissions, preferred vendors (complying with company policy, of course), and spending limits, allowing instant verification at the time of booking. No more unnecessary personal data sharing, out-of-policy purchases, or manual reimbursement processes, just seamless, policy-compliant travel.

Cybersecurity

But wait, there’s more! If you’re reading this, you’re almost certainly IAM curious if not a loud and proud IAM practitioner. That means you are quite aware that managing employee and contractor access can be a nightmare. Passwords remain a top attack vector, yet companies still rely on them for everything from logging into cloud services to accessing secure areas. MFA and passkeys help mitigate some of the risks, but there’s still so much room for improvement. And let’s not even talk about onboarding contractors; how many “temporary” accounts are still active long after the project ends? Don’t be ashamed. The first step is admitting your IAM environment needs help.

Digital credentials can fix this. Instead of passwords, employees present a verifiable credential to log into corporate systems. Or, oh, how about this? Rather than using keycards, employees tap their phones (after using their biometrics to unlock them) to securely access office buildings and data centers. Or, how about instead of onboarding contractors manually in every system, companies issue temporary, revocable credentials that automatically expire when no longer needed.

Digital credentials have so much potential to reduce security risks, cut IT overhead, and make access management less painful.

Why Enterprise Adoption is Challenging

It’s easy to talk about the benefits of digital credentials. I can do it All. Day. Long. Who wouldn’t want faster onboarding, more secure authentication, and seamless travel approvals? But let’s be realistic. If it were easy, enterprises would already be using them.

For many organizations, the biggest barrier isn’t the concept, it’s the complexity. The cost of implementing digital credentials doesn’t stop at issuing them; it ripples through IT systems, HR processes, and compliance workflows. It requires not just action on the part of the enterprise; vendors and business partners need to hop on the digital credential bus as well. And if an enterprise miscalculates these costs, even the most promising solution can turn into an expensive experiment that never scales. (We’ve never seen THAT happen, right? Right?)

The Cost of Complexity

Enterprises don’t make changes lightly, especially when it comes to identity and security infrastructure. Every new tool, system, or process comes with an associated cost that needs to be justified against the value it brings. Digital credentials are no exception.

  • Infrastructure Upgrades – Most enterprises already have an identity provider (IdP) like Okta, Microsoft Entra, or Ping Identity handling authentication. To implement digital credentials, they need to integrate digital credentials into these existing systems, which isn’t a simple plug-and-play process.
  • Training & Adoption – Employees, HR teams, and IT staff need to learn how to issue, store, and use digital credentials. If they don’t understand the process (or worse, find it confusing), adoption stalls. We’ve seen this play out with MFA adoption. This is a classic organizational change problem.
  • Ongoing Maintenance & Compliance – Identity systems aren’t static. Every time a new compliance requirement comes along (GDPR, CCPA, or industry-specific rules like SOC 2), enterprises need to ensure their digital credential infrastructure remains compliant.
  • Hidden Costs & Dependencies – Even if an enterprise sees the long-term value, interoperability is a wildcard. Digital credentials need to work across different systems, vendors, and platforms. What if a company’s travel booking system, payroll provider, or cloud security tools don’t support these types of credentials yet? That means either custom integrations (which are expensive) or waiting for vendors to catch up (which takes time).

And for small or mid-sized businesses? These costs can be prohibitive. While large enterprises might have the resources to experiment, a mid-sized company operating on tight margins might look at the complexity and walk away.

ROI for Issuers, Holders, and Verifiers

For digital credentials to be worth the effort, they need to provide a clear return on investment (ROI). That ROI, however, looks different depending on who you are in the system.

Issuers: HR & Compliance Teams

These are the departments that would ultimately create and distribute digital credentials: HR departments for employment verification, IT teams for access control, and finance teams for expense management. Their main incentive? Reducing fraud, cutting paperwork, and improving efficiency.

  • Faster, More Secure Onboarding – HR can instantly verify work eligibility without manually processing scanned documents.
  • Automated Policy Enforcement – Travel and expense approvals can happen at the time of booking instead of requiring post-trip reimbursements.
  • Stronger Access Controls – IT can issue temporary credentials to vendors and contractors that expire automatically.

The challenge? Issuers need buy-in from leadership, budget approvals, and integration with existing tools. If leadership doesn’t see an immediate, measurable impact, adoption stalls.

Holders: Employees & Contractors

Employees and contractors are the users of digital credentials, the ones who present them to gain access, prove their identity, or complete transactions. Their main incentive is convenience, security, and control over their data.

  • Less Password Pain – No need to remember (or reset) yet another password for corporate systems.
  • Easier Travel & Expense Management – Travel credentials can automatically apply company policies at the time of booking.
  • More Privacy – Instead of handing over a driver’s license just to prove their age, an employee can share only the necessary details.

The challenge? Holders don’t adopt new tools just because they exist. They need a seamless user experience. If using digital credentials feels more cumbersome than their current process, they won’t bother.

Verifiers: Auditors, Vendors, & Third Parties

Verifiers are the ones to consume digital credentials. They might be auditors checking employee work eligibility, hotels verifying corporate travel approval, or IT systems enforcing security policies. Their main incentives are saving time, reducing risk, and ensuring compliance.

  • Instant Verification – No more manually checking IDs, work authorizations, or tax forms.
  • Better Security – Digital credentials are tamper-proof and harder to forge than scanned documents.
  • Fewer Compliance Headaches – Verifiable credentials help prove due diligence in audits.

The challenge? The verifier ecosystem isn’t fully built out yet. A hotel might love the idea of instantly verifying business travel credentials, but if their booking system doesn’t support digital credentials yet, they’re stuck handling things manually. This means enterprises have to push adoption across multiple industries to see the full benefits.

But What About Passkeys?

I’m going to take a brief side trip into passkey land because I think people are struggling to understand when, where, and how passkeys and digital credentials overlap. Maybe this needs its own post, but for now, let’s put it here. tl;dr: passkeys and digital credentials are complementary technologies, not competing ones.

Passkeys Are for Authentication

Passkeys, both synced and device-bound, are designed to replace passwords for logging into accounts. They provide proof that you have access to a credential (like a private key stored on your device), but they don’t prove anything about who you are, your role, or your permissions.

  • Passkeys: “This device is authorized to log into this account.”
  • Digital Credentials: “This person is an employee, has security clearance, and is authorized to make a purchase.”

Why this matters:

  • A passkey might let someone log into a corporate travel portal, but it doesn’t confirm whether they’re authorized to book business-class flights or make a company purchase.
  • A digital credential could store their travel policy, spending limit, and approval status, allowing vendors to instantly verify whether the booking complies with company rules.

Passkeys Are Not for Verification

Passkeys are great for logging into accounts, but they aren’t intended for cases where third parties need to verify information beyond the fact that a user controls an account. That verification happens at a later step, and that is where digital credentials come into play.

So, for example:

  • Digital Credentials Can Be Shared & Verified By External Entities:
    • A hotel, tax authority, or external auditor can check a verifiable credential to confirm eligibility without needing to be part of the enterprise’s internal authentication system.
    • Example: A contractor could present a verifiable credential that proves they are legally allowed to work in the U.S., without needing to log into an employer’s HR system.
  • Passkeys Don’t Work This Way:
    • Passkeys are bound to a specific service (e.g., Google, Microsoft, or an enterprise IdP).
    • A hotel or vendor cannot use passkeys to verify your employment status, travel eligibility, or security clearance.

Passkeys are Personal

Passkeys are tied to a specific device or a cloud account that syncs across devices (like iCloud Keychain or Google Password Manager). This makes them a great replacement for passwords, but they aren’t designed to support enterprise-issued credentials that need to be shared, verified by third parties, or tied to specific roles and policies.

  • Digital Credentials Are Portable:
    • Employees can receive a verifiable credential from their employer that exists separately from personal authentication methods.
    • A contractor can use the same work credential across multiple clients without needing separate logins for each system.
    • A former employee can still use their travel history credential after leaving the company, even if their passkey-based access is revoked.
  • Passkeys Solve a Different Problem:
    • When an employee leaves a company, their passkey-based authentication is revoked, as it should be. But that doesn’t help them prove past employment or retain enterprise-issued credentials.
    • If a company relies solely on passkeys, it lacks a way to issue verifiable credentials for compliance, travel, or work eligibility.

Passkeys Do Not Support Selective Disclosure

One of the major advantages of digital credentials is that they allow selective disclosure; you can share only the necessary information instead of handing over everything.

  • Example of Selective Disclosure with Digital Credentials:
    • A hotel asks: “Are you authorized for corporate travel?”
    • The employee’s digital credential says: “Yes, per Company X’s travel policy.”
    • The hotel never sees the employee’s salary, department, or personal details.
  • Passkeys Can’t Do This:
    • A passkey is binary; it either lets you log in or it doesn’t. And that’s perfect for that very necessary action.
    • It doesn’t let a third party verify specific attributes (e.g., work status, travel privileges) without exposing everything.
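To make the hotel scenario concrete, here is an added example (not code from this post or from any credential product) of one common way selective disclosure is built: the issuer signs salted hashes of the claims rather than the claims themselves, an approach used by formats such as SD-JWT. The claim names, the demo key, and the use of an HMAC as a stand-in for the issuer's asymmetric signature are all assumptions made so the sketch runs with the standard library alone.

```python
import hashlib, hmac, json, secrets, time

# Constructed demo key. Stand-in only: a real issuer signs with a private key
# and the verifier checks with the issuer's public key, never a shared secret.
ISSUER_KEY = b"constructed-demo-key"

def _digest(salt, name, value):
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _sign(payload):
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

def issue(claims, ttl_seconds, now=None):
    """Issuer: sign salted digests of the claims plus an expiry time."""
    now = int(time.time()) if now is None else now
    disclosures = {n: [secrets.token_hex(16), n, v] for n, v in claims.items()}
    payload = {"exp": now + ttl_seconds,
               "digests": sorted(_digest(*d) for d in disclosures.values())}
    return {"payload": payload, "sig": _sign(payload)}, disclosures

def present(credential, disclosures, reveal):
    """Holder: forward the signed payload and only the chosen disclosures."""
    return {**credential, "disclosed": [disclosures[n] for n in reveal]}

def verify(presentation, now=None):
    """Verifier: check signature and expiry, then match each disclosure."""
    now = int(time.time()) if now is None else now
    payload = presentation["payload"]
    if not hmac.compare_digest(_sign(payload), presentation["sig"]):
        raise ValueError("signature check failed")
    if now >= payload["exp"]:
        raise ValueError("credential expired")
    claims = {}
    for salt, name, value in presentation["disclosed"]:
        if _digest(salt, name, value) not in payload["digests"]:
            raise ValueError(f"claim {name!r} not covered by signature")
        claims[name] = value
    return claims

def demo():
    # Constructed sample claims for a hypothetical "Company X" travel credential.
    cred, disc = issue({"travel_authorized": True, "department": "Finance",
                        "salary_band": "B4"}, ttl_seconds=3600, now=1_000)
    shown = present(cred, disc, ["travel_authorized"])  # what the hotel receives
    return cred, disc, shown, verify(shown, now=1_500)
```

The hotel learns only `travel_authorized`; the other claims appear to it as unlinkable digests. The same signed expiry is what lets a temporary contractor credential stop verifying on its own.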

And with that, enough about passkeys; let’s see where we’ve ended up with digital credentials.

So, What’s the Verdict?

Digital credentials have enormous potential, but adoption is slow because the cost and complexity can outweigh the benefits, at least in the short term.

  • Large enterprises with high fraud risk, complex compliance needs, and high employee turnover are the most likely to benefit first.
  • Smaller businesses might find the costs too high and the ecosystem too immature to justify the investment.
  • Widespread adoption depends on interoperability. If banks, travel providers, government agencies, and enterprise vendors all get on board, the ROI increases dramatically.

Enterprises that start early will be ahead of the curve. But for now, the question remains: Who will be the first to make the leap? Ultimately, every organization needs to decide this for themselves. Depending on where you are in the world, that decision may get made for you depending on local regulations.

Heather Flanagan

Principal, Spherical Cow Consulting; Founder, The Writer's Comfort Zone; Translator of Geek to Human
