Personal Data Vaults Become the Default Identity Model
The 25-year era of giving every app a copy of your data is ending. Personal data vaults give you back the keys. Selective disclosure replaces blanket sharing.
// By 2029 · medium confidence · disruption 8/10
Prediction
// 2029
By 2029, personal data vaults with selective disclosure will be the default identity model for new consumer applications in Europe and increasingly in the US.
What dies
- the iPod
- third-party cookies
Who wins
- Solid/Inrupt
- MyData
- EU Digital Identity Wallet
The hook
The EU Digital Identity Wallet becomes mandatory for member states to offer by 2026. Every EU citizen gets a personal data vault by default. The US will follow within five to seven years.
Thesis. Personal data vaults invert the current model. Instead of every app holding its own copy of your data, the data lives in a vault you control, and apps request scoped, time-limited, selective disclosure.
The story
The current state
Every consumer app collects, stores, and exploits user data. Privacy policies are theater. Data breaches are weekly news. GDPR, CCPA, and the DMA made privacy legally enforceable but did not change the underlying model where the app is the data custodian.
The inflection point
eIDAS 2.0 was adopted in April 2024. EU member states must offer a Digital Identity Wallet by 2026. W3C Verifiable Credentials, OpenID for Verifiable Credentials, and ISO 18013-5 are all production-ready. The technical foundation is in place.
The prediction
By 2029, new consumer apps default to vault-based identity. The app requests specific claims (over 21, lives in California, can pay $500) and the vault releases a scoped, time-limited proof. The app never sees the underlying data.
Who wins, who loses
Winners: vault providers (Apple Wallet, Google Wallet, EUDI Wallet, Inrupt), credential issuers (states, banks, employers), and applications that can build on selective disclosure. Losers: the entire third-party data broker industry, ad-tech pipelines built on cross-site identifiers, and CIAM platforms that assume the app owns the user record.
Timeline and risks
The EU timeline is locked. The US timeline depends on state-by-state mDL adoption and federal action. The risk is fragmentation: ten incompatible wallet implementations would set the model back a decade. Standards convergence in 2026 to 2028 is the variable to watch.
First signals (verify today)
EU Digital Identity Wallet regulation enforced from 2026. Solid protocol production deployments. iOS App Intents normalizing app-to-app data borrowing.
Key data points
- Solid protocol launch: Tim Berners-Lee, 2018
- W3C Verifiable Credentials Data Model 1.0: November 2019
- EU eIDAS 2.0 regulation adopted: April 2024
- EU member state wallet deadline: 2026
- Apple Wallet supported state IDs: 13+ US states by 2025
Contrarian angle
The CIAM industry built billions of dollars of infrastructure on the model where the application is the identity authority. Personal data vaults invert that completely. Every CIAM platform will need to be rebuilt or it dies, and most vendors are not preparing for it.
FAQ
What is the difference between a password manager and a data vault?
A password manager stores credentials. A data vault stores verifiable claims and releases selective disclosures with cryptographic proof of issuer. Different problem, different primitives.
How does selective disclosure actually work?
The issuer signs a credential with many attributes. The wallet can produce a zero-knowledge or selective-disclosure proof that reveals only the requested attributes while the issuer's signature still validates. ISO 18013-5 and SD-JWT are the production specifications.
Is the EU Digital Identity Wallet mandatory for citizens?
Member states must offer the wallet by 2026. Citizens are not required to use it, but most services will accept it, and many will prefer it. Adoption follows offer plus convenience.
What is Solid and why does Tim Berners-Lee care about it?
Solid is a W3C-aligned protocol for personal data pods (vaults) hosted by user-chosen providers. Berners-Lee built it because he sees the current web's data centralization as the inverse of what the web was designed to be.