Wallets and Credentials Are Here. Maturity Is Not.
“I have spent more time than is probably healthy listening to conversations about digital identity wallets.”
What I’m hearing is a shift from the boundless possibilities to the actual deployment pressures in making this a production, Internet-scale tool.
Wallets and credentials are moving into the real world through government programs, regulation, mobile credentials, and age assurance mandates, even as many of the underlying standards, business cases, and trust models remain unsettled. In other words, adoption is accelerating faster than readiness.
That makes one old problem more important than ever: people still blur the line between the wallet and the credentials inside it. Even in technical circles, those two concepts are treated as interchangeable. They are not.
A wallet is a container, interface, mediator, or control point. A credential is the thing asserting something about you or another subject: your license, proof of age, employee status, membership, or some other attestation. Those are related components, but they solve different problems. If we collapse them into one idea, we end up debating the wrong things and overestimating how finished this market really is.
I have written about this before in earlier posts on wallet metaphors and the politics surrounding wallet standards. I had hoped the industry would become more precise over time. Alas, we still have a long way to go.
Still, something important has changed. The technology is arriving whether the ecosystem is fully ready or not.
The debate is no longer hypothetical
For years, wallet and credential discussions could be filed under “interesting, maybe later.” Standards groups debated models. Vendors ran pilots. Conference panels promised transformation on a convenient future timeline: this technology can solve for ALL THE THINGS! Someday.
That phase is ending for consumers and citizens, and it’s getting closer for businesses. But let’s look at why.
Governments are now putting real weight behind digital wallets and associated credentials. The European Union has made wallets central to its eIDAS 2.0 agenda. Australia continues its Digital ID efforts. Mobile credentials are expanding in multiple jurisdictions. Age assurance laws are adding fresh pressure, often with an assumption that reusable digital credentials will somehow solve the problem neatly. (I wrote about that, too, if you’re interested.)
Whether every program succeeds is almost secondary. Momentum now exists. Wallets are becoming part of public infrastructure and regulated-market infrastructure. Wallets are here to stay in some form or another.
Which brings us to the obvious question
If wallets are now inevitable, is the remaining work just rollout? Are we at the point where we can just build the apps, connect issuers, onboard all the relying parties, etc., etc., etc.?
Wouldn’t that be nice? Alas, the answer is <hysterical laughter>no</hysterical laughter>.
The standards are not finished either
One of the stranger features of this market is how often people talk as though deployment is starting from settled foundations. It really isn’t.
The World Wide Web Consortium Digital Credentials API still has meaningful open questions. One of the more practical examples is how browsers or user agents should handle requests that may need to interact with more than one wallet.
That sounds niche until you think about what it means. If several wallets can satisfy a request, who decides which one is used? How much does the website learn? How much should the browser mediate? How do you preserve privacy, avoid dark patterns, and still make the experience understandable for normal humans?
Those are questions that correspond directly to competition, usability, and control.
At the same time, very smart people are trying to reduce fragmentation between two major ecosystems:
- International Organization for Standardization / IEC mdoc approaches, which underpin many government credential deployments
- OpenID Foundation OpenID4VC approaches for issuance and presentation
The shared hope is to avoid ending up with a third specification born mostly from frustration. That is a worthy goal. It is also difficult because these systems emerged from different assumptions, governance cultures, and deployment priorities.
This is not just engineering. It’s more like diplomacy with packet captures.
Privacy math still meets operational reality
Selective disclosure and zero-knowledge proof approaches are often presented as the elegant privacy answer. In some scenarios, they are genuinely powerful. But elegant cryptography does not automatically become elegant infrastructure.
At scale, these approaches can introduce lifecycle complexity, revocation questions, verifier burdens, performance costs, and user experience friction. A design can be technically sound and still painful to run. That gap between whiteboard success and production success deserves more attention than it usually gets.
Outside government, the ROI case is still uneven
Beyond regulated wallets and credentials, many enterprise discussions on the topic still feel suspiciously like solutions looking for problems.
A company already operating SSO, federation, lifecycle management, device management, fraud tooling, and partner access controls is entitled to ask a blunt question: Why would we rebuild this?
There may be strong answers in some sectors. Portable attestations, lower fraud, reduced data retention, smoother cross-organizational trust, and new onboarding models all have potential.
But “because wallets are coming” is not a business case in itself. Saving money is motivating, but not as motivating as making money. You can easily point to one; the other ultimately exists only on spreadsheets.
Consumer wallets may really be platform wallets
For everyday consumer use, much of the wallet experience will likely be shaped by major platform providers such as Apple, Google, and Samsung, the ones that offer both browsers and operating systems.
That means decisions about supported wallets and credentials, default flows, API access, portability, and competitive participation may be driven less by abstract market choice and more by platform policy.
So when people say users will choose their wallet, we should at least ask how much choice will actually exist.
Regulation has outrun readiness
There is also an awkward timing issue, particularly in Europe. Governments are increasingly comfortable mandating outcomes: wallets should exist, credentials should work, trust should be portable, and privacy should be protected.
I love that for them. However, there are still substantial open questions about how to certify wallets as safe enough for broad reliance. Secure storage, tamper resistance, privacy controls, update models, interoperability testing, and liability allocation are not minor details. They are the foundation of trust.
The work underway through the European Union Agency for Cybersecurity makes clear how substantial that task remains, which is why expecting a fully mature, consistently certified rollout across all EU member states on aggressive political timelines was always optimistic.
Some states will move quickly, some will move partially. And of course, some will declare success while still resolving fundamentals. That is how large infrastructure programs usually work.
The wallet itself may be the distraction
Users do not wake up wanting a wallet or even a digital credential. What they want is to get something done. They want to prove age quickly, rent a car smoothly, access a service easily, onboard faster, and maybe share less data while doing it.
The winners in this market may not be the organizations with the most impressive wallet branding. They may be the ones that make credentials useful with the least friction.
Where I think we are
Yes, wallets are here. No, that does not mean the story is over, or even stable.
We are entering the phase where incentives, governance, certification, migration cost, interoperability, and concentration of power matter more than glossy demos. It also means we’re at a point where technologists have to design in flexibility more than ever before, because this environment is both not ready and required. Ick.
Transcript
This week, we’re stepping away from AI and turning attention to something equally important—digital identity wallets and credentials.
At first glance, the topic may seem straightforward. However, as discussions continue across the industry, a recurring confusion remains. Even experienced technologists often blur the distinction between wallets and the credentials they hold.
That confusion matters more than it seems.
Wallets vs Credentials: Why the Distinction Matters
To begin, it’s important to separate two closely related—but fundamentally different—concepts.
A digital wallet is:
- A container
- An interface
- A mediator
- A control point
A digital credential, on the other hand, is:
- A claim or assertion
- Proof of identity or status
- An attestation (e.g., driver’s license, employee ID, proof of age)
While these elements work together, they solve different problems.
When they are treated as interchangeable, it leads to:
- Misguided debates
- Misaligned funding priorities
- Oversimplified assumptions about adoption
In short, clarity here is essential.
From Theory to Reality
For years, wallet discussions lived in a comfortable “future-state” space:
- Standards groups debated architectures
- Vendors ran limited pilots
- Conferences promised long-term transformation
In many ways, it was easy to delay decisions.
However, that phase is ending.
Today, digital wallets are becoming real infrastructure.
Growing Global Momentum
Governments and regulators are now actively pushing digital identity initiatives forward.
For example:
- The European Union is advancing its digital wallet agenda
- Australia continues expanding its digital ID programs
- Mobile credentials are growing across jurisdictions
- Age assurance laws are increasing implementation pressure
Whether or not these programs succeed perfectly is almost beside the point.
The key takeaway is this:
- Momentum exists
- Deployment is underway
- These systems are here to stay
The Myth of a Finished Foundation
At this stage, it might be tempting to assume that deployment is simply a matter of execution:
- Build applications
- Connect issuers
- Add relying parties
- Educate users
- Scale operations
However, that assumption doesn’t hold.
The foundation is not fully settled.
Standards Are Still Evolving
Despite progress, critical questions remain unresolved.
For instance:
- How should browsers interact with multiple wallets?
- Who determines which wallet fulfills a request?
- How is user privacy preserved?
- How do we avoid steering users toward specific providers?
- How can the experience remain simple for everyday users?
These are not edge cases.
They directly impact:
- Usability
- Competition
- Trust
Fragmentation Across Ecosystems
At the same time, efforts are underway to align major technical approaches:
- ISO/IEC mdoc standards (common in government credentials)
- OpenID for Verifiable Credentials (from the OpenID Foundation)
The goal is clear:
- Reduce fragmentation
- Enable interoperability
- Avoid creating yet another competing standard
However, achieving this is difficult.
Why?
Because each ecosystem reflects:
- Different histories
- Different governance models
- Different priorities
This is not just engineering—it’s coordination at scale.
The Promise and Reality of Advanced Cryptography
Much of the excitement around digital credentials comes from advanced privacy techniques such as:
- Selective disclosure
- Zero-knowledge proofs
These approaches offer real benefits:
- Share only necessary data
- Protect user privacy
- Meet regulatory requirements
However, technical elegance does not guarantee operational simplicity.
In practice, these solutions introduce challenges like:
- Complex lifecycle management
- Revocation difficulties
- Increased verification demands
- Performance overhead
- Compatibility issues
- User experience friction
As a result, what works well in theory may be harder in production.
Enterprise Adoption: A Practical Perspective
In enterprise environments, the conversation becomes even more grounded.
Most organizations already have:
- Single sign-on systems
- Identity federation
- Lifecycle management
- Device management
- Fraud detection tools
So naturally, they ask:
- Why rebuild existing systems?
- What is the return on investment?
This is not resistance—it’s responsible governance.
Where Wallets Add Value
That said, there are meaningful opportunities.
In the right contexts, digital credentials can:
- Reduce onboarding friction
- Improve cross-organization trust
- Lower fraud risks
- Minimize data retention requirements
However, one statement is not enough:
- “Wallets are coming” is not a business case
Adoption requires clear, measurable value.
The Role of Platform Providers
For consumers, the experience will likely be shaped by major platform providers.
These include:
- Mobile operating systems
- Device manufacturers
- Browser ecosystems
As a result, key decisions may be influenced by:
- Platform policies
- Default configurations
- Supported credential types
- API access limitations
This raises an important question:
- How much choice do users really have?
Because limited options are not the same as true choice.
Regulatory Pressure and Certification Challenges
Regulation is accelerating deployment—but also introducing complexity.
Governments are mandating outcomes such as:
- Secure digital wallets
- Interoperable credentials
- Privacy protection
However, critical certification questions remain:
- What defines a secure wallet?
- How is tamper resistance verified?
- How are updates managed?
- How is interoperability tested?
These are foundational—not optional.
And today, much of this work is still in progress.
The Reality of Large-Scale Rollouts
Given current timelines, expectations may be overly optimistic.
In practice:
- Some regions will move quickly
- Others will lag behind
- Some will declare success early
- Many will still be resolving core issues
Cross-border interoperability, in particular, may prove more difficult than anticipated.
This is typical for large infrastructure programs.
What Users Actually Care About
Amid all the complexity, it’s important to remember one thing:
Users don’t care about wallets.
They care about outcomes.
For example:
- Proving age quickly
- Renting a car
- Accessing services easily
- Completing onboarding faster
Therefore, success will depend on:
- Simplicity
- Speed
- Low friction
Not branding or technical sophistication.
Where We Are Now
So where does that leave us?
- Wallets are here
- Credentials are expanding
- Momentum is real
But:
- Standards are still evolving
- Infrastructure is still maturing
- Interoperability is still incomplete
In other words, the journey is far from finished.
Practical Guidance for Moving Forward
Given the current state of the ecosystem, flexibility is critical.
Organizations should:
- Expect change
- Design adaptable systems
- Avoid rigid dependencies
- Plan for evolving standards
Because what works today may need to change tomorrow.
Final Thoughts
Digital wallets and credentials are no longer theoretical.
They are becoming part of real-world infrastructure.
However, maturity has not yet caught up with momentum.
And that gap creates both:
- Opportunity
- Risk
Conclusion
As this space continues to evolve, the most successful implementations will not be the most technically impressive.
They will be the ones that:
- Deliver real value
- Minimize friction
- Adapt to change
Because in the end, users don’t adopt technology.
They adopt outcomes that work.
