
I remember the first time I received that notification: my email address had appeared in a data breach. The passwords were old, the accounts half-forgotten. I changed what I could and moved on, slightly unsettled but assuming it was someone else's problem to fix.
The second moment is more familiar by now. I was opening an account with a new financial service and the site asked me to hold my passport up to my phone camera, tilt it to catch the hologram, wait for the glare to pass, and then take a selfie so the system could compare my face against the photo. Several minutes later, I was still waiting for the check to complete. In 2026, proving your identity still looks like this.
Both moments are common enough to feel mundane. They also feel unrelated: one is about stolen credentials circulating on the dark web, the other about a clunky onboarding form on a Tuesday afternoon. In reality, they are two sides of the same structural problem, and understanding that connection changes how you think about identity in digital services.
Digital credentials are the next identity primitive.
Ribbit Capital's 2024 identity letter put it plainly: "The starting point of finance is not transactions, but identity." The observation extends well beyond financial services. Every digital interaction, whether it involves opening a bank account, logging into a government portal, or verifying age for an online purchase, begins with the same underlying question: who is this person, and should they be allowed to do what they are asking to do?
The infrastructure answering that question was built decades ago. It now handles orders of magnitude more interactions than it was designed for, against threats its architects could not have anticipated, and it is failing on two fronts at once.
When you onboard with a new service, you are typically asked to photograph an identity document and take a selfie. The service then tries to match the two. There is a structural problem: these documents carry no cryptographic proof of origin. A scanned passport is a JPEG, and a JPEG can be edited. Generative AI has made this cheaper and faster than ever before.
AI-generated identity document fraud rose 281% in the past twelve months across Europe, and digital document forgeries now account for 57% of all detected fraud in Europe, overtaking physical counterfeits for the first time. Meanwhile, the friction of document-heavy processes is pushing users away: 68% of consumers have abandoned digital sign-up processes because they were too slow or too intrusive, costing European financial services an estimated EUR 5.7 billion annually in lost onboarding. The system is simultaneously too easy to fool and too difficult to use.
Once onboarded, users rely on passwords for every subsequent interaction. The average employee now manages 190+ username and password combinations, while 24 billion compromised credential pairs sit on the dark web, ready to be tested against login pages at scale. Account takeover attacks in fintech saw an 800%+ year-on-year increase during 2023 alone, according to industry research. Passwords were designed for a smaller, simpler internet, and the gap between the threat and the defence grows wider every year.
These two systems feel separate in daily life. One governs the front door (the onboarding check); the other manages every room inside (the daily login). Both serve the same function: proving who someone is and whether they should be allowed to act. The onboarding scan and the password prompt are two expressions of the same underlying problem, built on infrastructure that predates the threats it now faces.
Once you see that connection, it becomes clear that identity is the invisible force enabling or preventing almost everything in digital services.
Digital credentials replace both systems with a single mechanism. A credential is a digitally signed claim, issued by a trusted authority (a government, a bank, an employer, or a professional body), stored on the user's device, and presented when the user chooses to share it. Because the credential is cryptographically signed at the point of issuance, the receiving organisation can verify its authenticity in milliseconds without contacting the issuer and without needing to store the user's personal data.
A single credential can prove identity during onboarding. The same credential, or others held in the user's wallet, can authenticate the user for every interaction that follows. A person proving they are over 18 can do so without revealing their date of birth or any other personal detail, because the credential model builds selective disclosure in from the start, giving users control over exactly what they share and with whom.
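
The issue, present, and verify flow described above, as an added sketch (not Vidos code and not part of the original post). It assumes Ed25519 signatures and salted per-claim digests, the general approach formats such as SD-JWT take; the issuer URL, claim names and function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const sha256b64 = (s) => crypto.createHash('sha256').update(s).digest('base64');

// Issuer: salt every claim and sign only the digests, never the raw values.
function issue(claims, issuerPrivateKey) {
  const disclosures = Object.entries(claims).map(([name, value]) =>
    JSON.stringify([crypto.randomBytes(16).toString('base64'), name, value]));
  const payload = JSON.stringify({
    iss: 'https://issuer.example',            // constructed issuer identifier
    sd: disclosures.map(sha256b64).sort(),    // sorted so order leaks nothing
  });
  const signature = crypto.sign(null, Buffer.from(payload), issuerPrivateKey).toString('base64');
  return { payload, signature, disclosures };
}

// Holder (wallet): reveal only the disclosures for the claims it chooses to share.
function present(credential, names) {
  const disclosures = credential.disclosures.filter((d) => names.includes(JSON.parse(d)[1]));
  return { payload: credential.payload, signature: credential.signature, disclosures };
}

// Verifier: needs only the issuer's public key, no call to the issuer.
function verify(presentation, issuerPublicKey) {
  const sigOk = crypto.verify(null, Buffer.from(presentation.payload), issuerPublicKey,
    Buffer.from(presentation.signature, 'base64'));
  if (!sigOk) throw new Error('issuer signature invalid');
  const signedDigests = new Set(JSON.parse(presentation.payload).sd);
  const claims = {};
  for (const d of presentation.disclosures) {
    if (!signedDigests.has(sha256b64(d))) throw new Error('disclosure not covered by signature');
    const [, name, value] = JSON.parse(d);
    claims[name] = value;
  }
  return claims;
}

// Constructed sample data: prove "over 18" without revealing the birthdate.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const cred = issue({ given_name: 'Alex', birthdate: '1990-01-01', age_over_18: true }, privateKey);
  const shown = verify(present(cred, ['age_over_18']), publicKey);
  let forgedRejected = false;
  const forged = { ...present(cred, []), disclosures: [JSON.stringify(['salt', 'age_over_18', true])] };
  try { verify(forged, publicKey); } catch (e) { forgedRejected = true; }
  return { shown, forgedRejected };
}
```

A production verifier would additionally check holder binding, expiry and revocation status, none of which this sketch covers.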
The European Union has legislated for this transition. Regulation (EU) 2024/1183 requires every Member State to make at least one digital identity wallet available to citizens by the end of 2026, and mandates that banks, insurers, telecoms, and major online platforms accept wallet credentials by December 2027. Over 273,000 EU organisations fall within the regulation's scope, with penalties reaching EUR 5 million or 1% of global turnover for non-compliance.
Every interaction a user has with a digital service begins as an intent: open this account, log me in, transfer this payment, verify my age. Each intent requires authorisation to complete. Today, that authorisation is fragmented across documents, passwords, and one-time codes. Credentials unify this: a user holds credentials, presents them to fulfil an intent, and the receiving system verifies the credential and authorises the action.
We saw the acceptance gap early. Wallets are being built and credentials are being issued, with governments, standards bodies, and technology providers investing heavily in the issuance and storage layers. The infrastructure to reliably accept and verify those credentials has received far less attention. Every wallet being deployed and every credential being issued ultimately depends on reliable verification infrastructure at the receiving end. The transition succeeds or fails at that point.
That is the problem we chose to solve at Vidos. When an organisation receives a credential, it needs to determine whether the credential is authentic, whether it meets the requirements of the specific interaction, and whether to authorise the user to proceed. We built verification infrastructure for that moment, because we believe it is where this shift is won or lost.
The two systems that have carried digital identity for the past two decades, document-based verification for onboarding and passwords for ongoing access, are reaching their limits at the same time. Credentials unify both functions with cryptographic assurance, user control, and the weight of regulation that has already been enacted.
This is the first post in a four-part series exploring why this shift is happening and what it means for organisations preparing for it. Each post goes deeper on one part of the argument: the systems that are failing, the model that replaces them, and the infrastructure required to make the transition work.
Author: Tim Boeckmann, CEO and co-founder of Vidos
