
Every Interaction Is an Intent: How Credentials Unify Identity

Digital identity still rests on two mechanisms: document-based verification handles onboarding and password-based authentication handles what comes next. Both are failing under fraud, AI-generated forgeries, and regulatory complexity. The practical question is what can replace them. A verifiable credential is one candidate: a single identity primitive that can cover both the first proof and every proof after it.
Published on March 27, 2026

This is part three of our four-part series on why digital credentials are the next identity primitive. You can read part one here and part two here.

How credentials work

A verifiable credential is a digital attestation, issued and cryptographically signed by a trusted authority such as a government, bank, or employer. It lives on the user's device (typically a smartphone wallet) rather than in a centralised database. When needed, the user presents it to a verifying organisation, which checks the cryptographic signature in milliseconds. Any change to the signed content makes that check fail, so tampering invalidates the credential automatically.

The same signed proof can do the work document verification does at onboarding and the work passwords do for ongoing access, and its scope carries across both stages, so there is no parallel stack to bolt on. It travels with the user: presented once to open an account and again whenever the service needs to confirm identity. One artefact, two moments in the journey.

Every interaction starts with an intent

Someone opens an account, logs in, moves money, proves their age, or books a flight. Each action is an intent, and each intent needs authorisation before it can be completed.

Authorisation today is split across tools. Document scanning serves onboarding intents. Passwords serve access intents. SMS one-time passcodes serve payment intents. Each channel was built for a narrow job, and each fails in its own way: documents are forgeable at scale, passwords exist in compromised sets counted in billions, and OTPs are vulnerable to SIM-swapping and phishing.

Credentials narrow that sprawl. The user holds attestations on the device and presents them when an intent arises. The receiving system verifies the credential, checks that the scope matches the request, and authorises the action. First-time identity check, daily login, payment confirmation, and proof of age can share a single verification pattern rather than a patchwork of mechanisms, each with its own failure modes and compliance overhead.

Five intents, one primitive

Onboarding intent

A user wants to open a bank account. Today, that often means uploading a passport photo, waiting on an automated scan or manual review, and risking timeout. 68% of consumers have abandoned sign-ups due to slow or intrusive checks, and 1 in 16 documents processed in 2025 was flagged as fraudulent. With a wallet-held government identity credential, the bank verifies the signature in seconds and sidesteps the photograph, forgery surface, and review queues typical of document uploads.

Login intent

A user returns to a service they have used before. Today, they enter a password (one of an average of 191 per person) or step through MFA. The same attestation used at onboarding can serve as ongoing proof, verified each time cryptographically, without a shared secret sitting in a database waiting to be breached.

Payment intent

A user authorises a financial transaction. Today, that typically means an SMS code, a banking-app redirect, or another standalone flow, each adding friction and interception risk. A credential can bind identity and transaction authorisation in one present-and-verify step, without interceptable codes or redirects.

Age-check intent

A user buys age-restricted goods online. Many age checks still require a full document upload, exposing name, date of birth, address, and photograph when only one fact matters. Selective disclosure proves a single claim (e.g., over 18) and gives the verifier a cryptographic proof of that claim, while the holder keeps the rest of the record private.
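
The age-check flow above, as an added example that is not from the original post or from Vidos: it uses salted hash commitments, one common way to build selective disclosure (the post does not name a scheme), with Ed25519 from the Go standard library. The type and function names, claim names and salts are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

type Disclosure struct{ Salt, Name, Value string } // one salted claim

// digest commits to a claim; the salt stops a verifier guessing hidden low-entropy values.
func digest(d Disclosure) string {
	b, _ := json.Marshal([]string{d.Salt, d.Name, d.Value})
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

// Issue signs the list of claim digests, never the raw claim values.
func Issue(priv ed25519.PrivateKey, claims []Disclosure) (digests []string, sig []byte) {
	for _, c := range claims {
		digests = append(digests, digest(c))
	}
	return digests, ed25519.Sign(priv, []byte(strings.Join(digests, ",")))
}

// VerifyClaim checks the issuer signature, then that the one disclosed claim is signed and matches the request.
func VerifyClaim(pub ed25519.PublicKey, digests []string, sig []byte, d Disclosure, name, want string) bool {
	if !ed25519.Verify(pub, []byte(strings.Join(digests, ",")), sig) || d.Name != name || d.Value != want {
		return false
	}
	signed := false
	for _, g := range digests {
		signed = signed || g == digest(d)
	}
	return signed
}

func AgeCheckDemo() (honest, forged, tampered bool) { // constructed claims; real salts are random
	pub, priv, _ := ed25519.GenerateKey(nil)
	over18, fake := Disclosure{"salt-a", "age_over_18", "true"}, Disclosure{"salt-x", "age_over_18", "true"}
	digests, sig := Issue(priv, []Disclosure{{"salt-b", "birth_date", "1990-01-01"}, over18})
	honest = VerifyClaim(pub, digests, sig, over18, "age_over_18", "true")
	forged = VerifyClaim(pub, digests, sig, fake, "age_over_18", "true") // claim the issuer never signed
	tampered = VerifyClaim(pub, append(digests, digest(fake)), sig, fake, "age_over_18", "true")
	return
}

func main() { fmt.Println(AgeCheckDemo()) }
```

The verifier sees the digest of `birth_date` but never its value, and adding a digest to the list breaks the issuer signature.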

Delegated intent via an AI agent

An AI agent books a flight on behalf of a user. It presents an attestation that binds who authorised the agent to what it may do (the booking scope). The airline verifies both before completing the sale. Software agents need an authorisation model that does not rely on memorised secrets or a human in front of a camera; credentials supply that.

User-centric by design

In each example, the user (or their authorised agent) chooses which credential to present, when, and to whom. They share only what the intent requires.

Today, many services store identity data internally and grant access from their side: the individual is checked against a database. With credentials, the individual holds verified attestations and presents them on their own terms, and the organisation verifies what arrives rather than holding the full record by default.

Minimisation is built in. If an age check only needs proof of being over 18, the holder need not expose date of birth, address, or document number. Less data moves through each interaction, and less data accumulates as attack surface.

AI agents and the intent model

Delegated booking already runs in live products. Agents are scheduling, purchasing, and managing services on behalf of people. Each action is an intent that needs authorisation; memorised secrets and document upload paths assume a person at a keyboard or a camera, which is a poor fit for software-only actors.

Several efforts point in the same direction. World (formerly Worldcoin) launched AgentKit in March 2026, tooling for agents to carry cryptographic proof that a verified human stands behind an action. The Grantex Protocol specifies open agent identity with human-consent grants, signed tokens, and revocation. The Passport Alliance works on DID-based credentials for agent identity and delegation. OpenAgents has introduced W3C-standard decentralised identifiers for agents.

An agent's credential can show who authorised it and what it may do. The relying party checks the chain cryptographically; signatures and declared scope carry the assurance.
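
The check a relying party such as the airline would run on a delegated request, as an added example that is not from the original post or from any of the projects named above: the user signs a grant naming the agent's key, scope and expiry, and the agent signs the request. The `Grant` layout, scope strings, timestamps and function names are assumptions, not any protocol's wire format.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Grant is what the user signs: which agent key may act, for which actions, until when.
type Grant struct{ Agent []byte; Scope []string; Expires int64 }

// Authorise is the relying party's check of the chain: user -> grant -> agent -> request.
func Authorise(user ed25519.PublicKey, grant, grantSig []byte, action string, reqSig []byte, now int64) error {
	if !ed25519.Verify(user, grant, grantSig) {
		return fmt.Errorf("grant not signed by user")
	}
	var g Grant
	if err := json.Unmarshal(grant, &g); err != nil || len(g.Agent) != ed25519.PublicKeySize {
		return fmt.Errorf("malformed grant")
	}
	if !ed25519.Verify(g.Agent, []byte(action), reqSig) {
		return fmt.Errorf("request not signed by the delegated agent key")
	}
	if now > g.Expires {
		return fmt.Errorf("grant expired")
	}
	for _, s := range g.Scope {
		if s == action {
			return nil
		}
	}
	return fmt.Errorf("action %q is outside the granted scope", action)
}

func DelegationDemo() (inScope, outOfScope, wrongAgent, expired error) { // constructed keys, scopes, times
	userPub, userPriv, _ := ed25519.GenerateKey(nil)
	agentPub, agentPriv, _ := ed25519.GenerateKey(nil)
	_, roguePriv, _ := ed25519.GenerateKey(nil)
	grant, _ := json.Marshal(Grant{agentPub, []string{"flight:book"}, 2000})
	gSig := ed25519.Sign(userPriv, grant)
	sign := func(k ed25519.PrivateKey, a string) []byte { return ed25519.Sign(k, []byte(a)) }
	inScope = Authorise(userPub, grant, gSig, "flight:book", sign(agentPriv, "flight:book"), 1000)
	outOfScope = Authorise(userPub, grant, gSig, "payment:send", sign(agentPriv, "payment:send"), 1000)
	wrongAgent = Authorise(userPub, grant, gSig, "flight:book", sign(roguePriv, "flight:book"), 1000)
	expired = Authorise(userPub, grant, gSig, "flight:book", sign(agentPriv, "flight:book"), 3000)
	return
}

func main() { fmt.Println(DelegationDemo()) }
```

A production verifier would also bind a fresh, verifier-chosen nonce into the signed request so a captured request cannot be replayed, and would check whether the grant has been revoked.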

Agentic commerce is projected to reach USD 3 to 5 trillion by 2030, with agents possibly accounting for up to 25% of US e-commerce. At that scale, consistent intent and authorisation are a practical requirement. Credential-based verification scales for people and for software acting under delegated authority, where password-and-scan stacks break down.

The regulatory mandate

What was an architecture discussion is now explicit in law. EU Regulation 2024/1183 (eIDAS 2.0) requires every EU Member State to make at least one digital identity wallet available to citizens by the end of 2026. Banks, insurers, telecoms, and very large online platforms must accept wallet-based credentials by December 2027 under Article 5f. Penalties for non-compliance can reach EUR 5 million or 1% of global turnover.

Accepting credentials brings obligations. Relying party registration is mandatory under Article 5b, with the technical and procedural details set out in Commission Implementing Regulation (EU) 2025/848. Organisations register in at least one Member State and declare which attributes they will request from wallet holders.

Implementation speed varies. France and Germany are among the more advanced, with public sandboxes already running. Czechia has said it will miss the end-of-2026 target and aims to reach full production by early 2027, citing cross-border harmonisation as the main challenge. Most Member States still publicly state that they will meet the deadline, while real readiness is harder to assess.

Verifiers need infrastructure that can receive, verify, and process credentials from multiple wallet implementations across 27 Member States, each with its own technical choices and trust frameworks. That capability is quickly moving from optional to required.

The primitive is changing

Scanned documents and stored passwords made sense when intents were simple: establish who someone is, then admit them. Intents are now more varied, more frequent, and often carried out by agents under delegated authority. The old primitives strain under that load.

Credentials offer one authorisation mechanism that can span onboarding, authentication, payment, selective disclosure, and delegation. The EU is mandating wallet infrastructure; the agent economy is pressing on authorisation at the same time. The urgent work for many organisations is adapting their verification stacks so they can accept those credentials reliably.

That acceptance layer is where the transition succeeds or fails. In the next post, we explain why we built for that side: Building for the Acceptance Side.

Author: Tim Boeckmann, CEO and co-founder of Vidos
