The Future - Decentralized Identity & Verifiable Credentials
The Identity Model Is Changing
For 30 years, digital identity has worked the same way: a centralized provider (your app, Google, Facebook, an enterprise directory) stores your credentials and vouches for you. When you log in to a service, that service either checks your credentials against its own database or asks a third party (OAuth, SAML) to confirm you are who you say you are. The provider is the authority. You are the subject.
This model has worked, but it comes with fundamental problems. Data breaches expose billions of credentials because identity data is concentrated in centralized honeypots. Users have no real control over their identity data - it's fragmented across hundreds of services, each with its own terms. And cross-border identity verification is expensive, slow, and often unreliable.
Decentralized identity flips this model. Instead of centralized providers holding your identity, you hold it. Instead of trusting the provider, the relying party trusts cryptographic proofs issued by credentialing authorities. The technology to make this practical - verifiable credentials, decentralized identifiers, and zero-knowledge proofs - has matured enough that governments and enterprises are building production systems around it.
This isn't a theoretical future. The EU has legislated it. The market is investing in it. And it will change how you think about CIAM.
The EU Digital Identity Wallet Mandate (eIDAS 2.0)
In February 2024, the European Parliament approved the revised eIDAS regulation (eIDAS 2.0), requiring all EU member states to offer citizens a digital identity wallet by 2026-2027. This isn't optional. It's a legal mandate affecting 450 million people.
What the mandate requires:
- Every EU citizen and resident will have access to a government-issued digital identity wallet
- The wallet will store verifiable credentials: government IDs, driving licenses, educational diplomas, health records, and more
- Large online platforms (defined as services with significant market presence) will be required to accept the EU Digital Identity Wallet for user authentication
- Users will be able to selectively disclose attributes (prove you're over 18 without revealing your birthdate)
What this means for CIAM:
- If your product serves EU users, you'll need to support wallet-based authentication alongside traditional methods
- Your CIAM solution must be able to verify credentials issued by EU member states
- The consent model changes - users present credentials from their wallet, rather than your system collecting and storing their data
- Data minimization becomes architecturally enforced, not just policy-based
The EU Large-Scale Pilots (LSPs) - POTENTIAL, EU Digital Identity Wallet Consortium, NOBID, and DC4EU - have been testing real-world implementations since 2023. The architecture is converging on the W3C Verifiable Credentials standard with OpenID for Verifiable Presentations (OID4VP) as the presentation protocol.
If you sell software to EU-based users or enterprises, start tracking eIDAS 2.0 implementation timelines now. The regulation moves from voluntary to mandatory over 2026-2027. Companies that wait until enforcement to start implementation will face the same scramble that GDPR caused in 2018.
Verifiable Credentials and DIDs - A Practical Explanation
Let's cut through the jargon. Decentralized identity rests on two core concepts.
Verifiable Credentials (VCs)
A verifiable credential is a digital version of a physical credential - a driver's license, a university degree, a professional certification - that can be cryptographically verified without contacting the issuer.
How it works in practice:
- Issuer (e.g., a government, university, or employer) creates a credential containing claims about you ("Jane Doe, born 1990-05-15, holds a valid driver's license in Germany")
- The issuer digitally signs the credential with their private key
- You (the holder) store the credential in your digital wallet
- When a verifier (e.g., a car rental service) needs to confirm you have a valid license, you present the credential from your wallet
- The verifier checks the cryptographic signature against the issuer's public key (published in a registry or on a blockchain) to confirm it's authentic and hasn't been tampered with
The critical difference from traditional identity: the verifier never contacts the issuer. Verification happens cryptographically, not through a real-time API call. This means the issuer doesn't know when or where you use your credential - a significant privacy improvement.
Decentralized Identifiers (DIDs)
A DID is a globally unique identifier that you control, without needing a centralized authority to issue or manage it.
Traditional identifiers depend on centralized systems: your email depends on Gmail, your domain depends on a registrar, your social login depends on Google or Facebook. If any of these providers disappear or revoke your access, you lose your identifier.
A DID looks like this: did:web:example.com:users:12345 or did:key:z6Mkf5rGMoatrSj1...
DIDs can be anchored to different "methods" - some use blockchains (did:ion, did:ethr), some use web infrastructure (did:web), some are self-certifying (did:key). The EU Digital Identity framework primarily uses did:web and did:ebsi for its infrastructure.
Practical impact: DIDs enable portable identity. A user could have a DID that they use across multiple services, carrying their verifiable credentials with them. No more creating accounts on every new service from scratch - present your verified credentials from your wallet instead.
Zero-Knowledge Proofs for Identity Verification
Zero-knowledge proofs (ZKPs) are the technology that makes selective disclosure possible. They allow you to prove a statement is true without revealing the underlying data.
Example: A bar needs to verify you're over 21. Today, you show your driver's license, which reveals your name, address, date of birth, license number, and photo. With a zero-knowledge proof, you prove "I am over 21" without revealing any other information - not your name, not your exact age, not your address.
How this applies to CIAM:
- Age verification without collecting birthdates - prove age range, not exact date
- Income verification without revealing exact salary - prove "income above $50K" for financial services
- Credential verification without storing credential data - verify a professional license is valid without copying it
- Geographic eligibility without revealing exact location - prove "resident of the EU" without revealing country or address
ZKPs are computationally expensive, but the performance gap is closing. Modern ZKP systems (Plonk, Groth16, STARK-based proofs) can generate proofs in under a second on mobile devices. The EU Digital Identity Wallet architecture includes ZKP support for selective disclosure.
Zero-knowledge proofs sound exotic, but they'll be practical infrastructure within 2-3 years. The first CIAM platforms to offer ZKP-based verification as a built-in feature will have a significant competitive advantage in privacy-sensitive markets (healthcare, fintech, government).
The $7.4 Billion Decentralized Identity Market
The decentralized identity market was valued at approximately $1.8 billion in 2024 and is projected to reach $7.4 billion by 2028, growing at a CAGR of over 40% (according to MarketsandMarkets and Grand View Research estimates). This growth is driven by:
Regulatory mandates: Beyond eIDAS 2.0, countries including Canada (Pan-Canadian Trust Framework), Australia (Digital Identity Act), India (expansion of Aadhaar ecosystem), and Brazil (GOV.BR digital identity) are building or mandating digital identity infrastructure.
Enterprise adoption: Companies are exploring verifiable credentials for supply chain verification (prove a component meets environmental standards), employee credential verification (verify professional certifications without manual background checks), and customer onboarding (KYC/AML using reusable verified credentials).
Blockchain infrastructure maturation: Hyperledger Indy/Aries, ION (on Bitcoin), Polygon ID, and the European Blockchain Services Infrastructure (EBSI) provide production-grade infrastructure for decentralized identity. The technology debate has shifted from "can this work?" to "which approach is best for my use case?"
Standards convergence: The W3C Verifiable Credentials Data Model 2.0, DID Core specification, and OpenID4VC (OpenID for Verifiable Credentials) are creating interoperable standards that reduce fragmentation.
Investment signals: Microsoft, IBM, Ping Identity, and SpruceID have active decentralized identity products. Startups like SpruceID, Trinsic, Veramo, and Dock have raised significant funding. The acquisition of Evernym by Avast (now Gen Digital) brought self-sovereign identity technology to a company with 435 million users.
What Enterprises Need to Prepare for Now
You don't need to implement decentralized identity today. But you do need to make decisions now that won't make implementation painful later. Here's what's actionable:
1. Ensure Your CIAM Architecture Supports Credential Presentation
Traditional CIAM assumes the identity provider holds user data. Verifiable credentials invert this - the user presents data to you. Your CIAM system needs to evolve from "store and retrieve user attributes" to "verify presented credentials."
Action now: Choose a CIAM vendor that has a verifiable credentials roadmap or supports extensible authentication flows. Vendors that support custom authentication pipelines (Auth0 Actions, FusionAuth Lambdas, Descope flows) will be easier to extend for credential verification.
2. Adopt Standards-Based Protocols
If your authentication infrastructure uses standard protocols (OAuth 2.0, OIDC), extending to support OpenID4VC (the verifiable credentials extension to OpenID Connect) will be relatively straightforward. If you've built proprietary authentication flows, the migration will be harder.
Action now: Ensure all authentication flows use standard OAuth 2.0/OIDC. Eliminate proprietary token formats and authentication mechanisms.
3. Implement Data Minimization
The decentralized identity model is built on the principle that you should only collect the data you actually need. Start practicing this now, even with traditional CIAM. Don't collect birthdates if you only need age verification. Don't store addresses if you only need country-level location.
Action now: Audit your user data model. For each attribute, document why you collect it and whether you could achieve the same outcome with less data. This prepares you for credential-based flows where you'll verify attributes without storing them.
4. Build for Credential Portability
Users will increasingly expect to bring verified credentials from their digital wallets rather than re-entering information and going through verification from scratch. KYC (Know Your Customer) processes that take 3-5 days could happen instantly with pre-verified credentials.
Action now: Design your user onboarding with the assumption that, eventually, credentials will be presented rather than collected. This means building your verification logic to accept external assertions, not just self-reported data.
5. Track the EU Timeline
The eIDAS 2.0 implementation acts create a phased rollout:
- 2025-2026: Technical specifications finalized, reference implementations available
- 2026: Member states begin issuing wallets, early adopter services integrate
- 2027: Large online platforms required to accept EU Digital Identity Wallet
- 2028+: Broader adoption across sectors (banking, healthcare, education)
Action now: If you serve EU users, add eIDAS 2.0 wallet acceptance to your product roadmap for 2027. Allocate engineering resources for H1 2027 implementation.
Practical Adoption Roadmap
Phase 1: Foundations (Now - Q4 2026)
- Ensure standards-based authentication (OAuth 2.0, OIDC) is in place
- Implement data minimization in your current CIAM setup
- Select a CIAM vendor with a verifiable credentials roadmap
- Assign a team member to track W3C VC, OpenID4VC, and eIDAS 2.0 developments
- Experiment with verifiable credential libraries (SpruceID's DIDKit, Veramo, Trinsic SDK) in a sandbox environment
Phase 2: Pilot (Q1 2027 - Q2 2027)
- Build a proof-of-concept accepting verifiable credentials for one use case (age verification, professional credential verification, or KYC)
- Test integration with at least one EU Digital Identity Wallet implementation
- Develop internal capability to issue verifiable credentials (employee badges, customer certifications)
- Define policies for which credentials you'll accept and from which issuers
Phase 3: Production (Q3 2027 - Q4 2027)
- Deploy wallet-based authentication alongside traditional methods
- Implement selective disclosure for privacy-sensitive attributes
- Build user-facing UI for credential presentation (wallet connection, credential selection, consent)
- Integrate credential verification into compliance workflows
Phase 4: Optimization (2028+)
- Reduce reliance on traditional attribute storage as credential-based verification matures
- Implement zero-knowledge proof verification for sensitive attributes
- Explore issuing your own verifiable credentials (customer loyalty status, subscription tier, verified purchaser)
- Build credential-based authorization policies (grant access based on presented credentials, not stored roles)
You don't need to become a decentralized identity expert overnight. But the companies that start building foundations now - standards-based auth, data minimization, extensible CIAM architecture - will adapt in months while their competitors spend years catching up. Treat it like GDPR: the companies that prepared early had a competitive advantage. The companies that waited scrambled.
How This Changes CIAM Selection Criteria
Decentralized identity introduces new criteria for evaluating CIAM solutions. Add these to the evaluation framework from Chapter 2:
New Evaluation Questions
- Does the vendor have a verifiable credentials roadmap? Ask specifically about W3C Verifiable Credentials Data Model 2.0 and OpenID4VP support. "We're watching the space" is not a roadmap.
- Can the platform verify externally-presented credentials? This is different from issuing credentials. Your CIAM needs to accept and validate credentials that users present from their own wallets.
- Does the platform support selective disclosure? Can it handle credential presentations where only specific attributes are revealed?
- Is the authentication pipeline extensible enough for new credential types? You need to add new verification methods without replacing your CIAM platform. Look for webhook-based or serverless extension points.
- How does the vendor handle the transition from stored identity to presented identity? The shift from "we hold your data" to "you present your data" is fundamental. The vendor should have a coherent vision for how this transition works.
- Does the vendor participate in standards bodies? Active participation in W3C, OpenID Foundation, or DIF (Decentralized Identity Foundation) indicates commitment. Passive observation indicates they'll be late adopters.
Vendors Leading in Decentralized Identity
- Ping Identity (acquired ForgeRock): Active in standards development, has decentralized identity products in market
- Microsoft: Entra Verified ID is in production, uses ION (Bitcoin-based DID network)
- Okta/Auth0: Has stated interest but no production decentralized identity features as of early 2026
- SpruceID: Open-source focused, built DIDKit and the Sign-in with Ethereum specification
- Trinsic: Full-stack verifiable credentials platform, API-first approach
Most developer-first CIAM vendors (Clerk, Stytch, Descope, SuperTokens) have not yet announced verifiable credentials support. This is expected - their customer base (startups and growth-stage companies) has less immediate demand for decentralized identity. But as eIDAS 2.0 enforcement approaches, this will change.
The Big Picture
The transition from centralized to decentralized identity won't happen overnight. It will be gradual, messy, and unevenly distributed across geographies and industries. For the next 3-5 years, you'll need to support both models: traditional CIAM (passwords, social login, SSO) and credential-based verification (digital wallets, verifiable credentials, selective disclosure).
The CIAM vendors that will win in 2028 and beyond are the ones building bridges between these two worlds - letting enterprises serve users with traditional auth today while preparing for credential-based auth tomorrow. Your job as a buyer is to pick a vendor that's building that bridge, not one that will leave you stranded on the wrong side of it.
The identity layer you choose today will serve your product for 3-7 years. Make sure it can handle not just the authentication patterns of 2026, but the credential-based identity model that governments and standards bodies are actively building right now.
For more on the evolving identity landscape, see my articles on zero-knowledge proofs in authentication and the future of digital identity.