Digital identity and trust frameworks: 8 myths vs realities backed by recent evidence
Debunking common misconceptions about digital identity and trust frameworks, from the belief that blockchain is required for decentralized ID to assumptions about biometric security and the true privacy guarantees of digital wallets.
Why It Matters
An estimated 850 million people worldwide still lack a legally recognised form of identification (World Bank, 2025), and the cost of identity fraud exceeded $52 billion in the United States alone during 2024 (Javelin Strategy & Research, 2025). Digital identity systems and trust frameworks sit at the intersection of inclusion, security, and economic growth. They determine who can open a bank account, cross a border, or prove a vaccination record. Yet the public debate around these systems is clouded by misconceptions that slow adoption, misallocate investment, and erode citizen trust. The European Digital Identity Wallet regulation (eIDAS 2.0), India's Aadhaar ecosystem, and the emerging US mobile driver's licence (mDL) programme are reshaping how governments and enterprises think about identity. Getting the facts right matters because policy choices made today will lock in architectural patterns for decades.
Key Concepts
Self-sovereign identity (SSI) gives individuals control over their credentials without relying on a single central authority. Credentials are cryptographically signed and stored in a digital wallet on the user's device. The holder decides what to share and with whom.
Trust frameworks are governance structures that define the rules, roles, and technical standards participants must follow. The EU Digital Identity Framework, the NIST Digital Identity Guidelines (SP 800-63-4), and the Pan-Canadian Trust Framework each specify assurance levels, interoperability requirements, and liability rules.
Verifiable credentials (VCs) are tamper-evident digital attestations issued by a trusted authority (such as a university or government agency) that a holder can present to a verifier. The W3C Verifiable Credentials Data Model reached full recommendation status in 2024, providing a vendor-neutral standard.
Decentralised identifiers (DIDs) are globally unique identifiers that can be resolved without a central registry. While often associated with blockchain, the W3C DID specification is ledger-agnostic and supports multiple resolution methods.
What's Working
Regulatory momentum is accelerating. The EU's eIDAS 2.0 regulation, finalised in 2024, mandates that every member state offer citizens a digital identity wallet by 2026, creating the world's largest interoperable identity ecosystem covering roughly 450 million people (European Commission, 2024). Large-scale reference wallet pilots across 27 member states have already onboarded more than 4 million test users as of late 2025 (EU Digital Identity Wallet Consortium, 2025).
India's Aadhaar system, now covering 1.39 billion enrolments, processed over 2.7 billion authentication transactions per month during 2025 (UIDAI, 2025). Its face-authentication modality reduced exclusion errors for elderly and manual-labour populations, demonstrating that biometric systems can iterate toward inclusivity when backed by continuous engineering investment.
In the private sector, the FIDO Alliance reported that passkey adoption surpassed 15 billion device registrations by Q3 2025, reducing phishing-related credential theft by 99.5% among adopting organisations (FIDO Alliance, 2025). Apple, Google, and Microsoft have embedded passkey support natively, accelerating consumer familiarity with cryptographic authentication.
What's Not Working
Interoperability gaps persist. Despite standards like W3C VCs and OpenID for Verifiable Credentials (OID4VC), wallet-to-wallet credential exchange across jurisdictions remains fragile. A 2025 interoperability test across six EU pilot wallets found that only 62% of cross-border credential presentations succeeded on the first attempt (ENISA, 2025).
Inclusion challenges endure. The World Bank (2025) notes that roughly 40% of the identity gap falls on women in low-income countries, and biometric enrolment can fail for populations with worn fingerprints or limited digital literacy. Offline verification pathways remain underdeveloped.
Governance fragmentation is another barrier. Over 30 national trust frameworks are now in various stages of development globally, but mutual recognition agreements remain scarce. Without harmonisation, organisations operating across borders face duplicated compliance costs and users carry credentials that are not universally accepted.
The eight myths below surface repeatedly in boardrooms, policy papers, and media coverage. Each is paired with the evidence that complicates or contradicts it.
Myth 1: Blockchain is required for decentralised identity. Many early SSI projects used distributed ledgers to anchor DIDs, leading to the assumption that blockchain is a prerequisite. In reality, the W3C DID specification supports over 150 DID methods, many of which use traditional web infrastructure, peer-to-peer protocols, or DNS-based resolution (W3C, 2024). The EU Digital Identity Wallet architecture intentionally avoids mandating any specific ledger technology. Several production systems, including the mDL standard (ISO/IEC 18013-5), operate without blockchain entirely. Blockchain can add value for certain auditability requirements, but it is an architectural option, not a necessity.
Myth 2: Biometrics make identity systems inherently insecure. High-profile breaches of centralised biometric databases have fuelled fears that biometric data is too risky to use. The reality is more nuanced. Modern implementations store biometric templates on-device rather than in central repositories, making mass exfiltration far harder. India's Aadhaar shifted to on-device face authentication in 2024, and Apple's Face ID processes all biometric matching in a secure enclave that never transmits raw data (Apple, 2024). The FIDO2 standard similarly keeps biometric verification local. The risk profile depends less on biometrics per se and more on whether the architecture centralises or decentralises template storage.
Myth 3: Digital wallets guarantee privacy by default. Wallets are containers; privacy depends on the protocols and governance rules they implement. A poorly designed wallet can leak correlatable identifiers, enable tracking by issuers, or transmit more data than necessary. The EU eIDAS 2.0 regulation requires selective disclosure and unlinkability, but a 2025 privacy audit by ENISA found that two of six pilot wallet implementations did not yet fully implement zero-knowledge selective disclosure (ENISA, 2025). Privacy is an engineering and governance outcome, not an automatic feature of the wallet form factor.
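The gap between selective disclosure and unlinkability, shown with a salted-hash scheme in the style of SD-JWT (not a zero-knowledge proof). This is an added example, not code from the article or from any wallet project; HMAC with a shared demo key stands in for the issuer's signature, and all names and claim values are constructed.

```python
import base64, hashlib, hmac, json, secrets

# Assumption: HMAC with a shared demo key stands in for the issuer's digital signature.
ISSUER_KEY = b"constructed-demo-issuer-key"

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def digest(disclosure):
    return b64(hashlib.sha256(disclosure.encode()).digest())

def issue(claims):
    """Issuer signs only salted digests; the disclosures go to the holder's wallet."""
    disclosures = {name: b64(json.dumps([b64(secrets.token_bytes(16)), name, value]).encode())
                   for name, value in claims.items()}
    payload = {"_sd": sorted(digest(d) for d in disclosures.values())}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}, disclosures

def present(credential, disclosures, reveal):
    """Holder sends the signed digests plus only the disclosures it chooses to reveal."""
    return {"credential": credential, "disclosures": [disclosures[n] for n in reveal]}

def verify(presentation):
    """Verifier checks the signature, then accepts only disclosures whose digest was signed."""
    cred = presentation["credential"]
    body = json.dumps(cred["payload"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        raise ValueError("issuer signature invalid")
    revealed = {}
    for d in presentation["disclosures"]:
        if digest(d) not in cred["payload"]["_sd"]:
            raise ValueError("disclosure not covered by the issuer signature")
        _salt, name, value = json.loads(base64.urlsafe_b64decode(d + "=" * (-len(d) % 4)))
        revealed[name] = value
    return revealed

def correlation_handle(presentation):
    """A value any verifier can log: the signature is byte-identical on every presentation."""
    return presentation["credential"]["sig"]

def demo():
    # Constructed sample claims.
    claims = {"name": "Alex Example", "age_over_18": True, "address": "1 Constructed St"}
    cred, disc = issue(claims)
    at_bar = present(cred, disc, ["age_over_18"])
    at_bank = present(cred, disc, ["name", "address"])
    # Batch issuance: a second copy with fresh salts is shown to one verifier only.
    cred2, disc2 = issue(claims)
    at_bank_fresh = present(cred2, disc2, ["name", "address"])
    return {
        "bar_sees": verify(at_bar),
        "bank_sees": verify(at_bank),
        "same_copy_linkable": correlation_handle(at_bar) == correlation_handle(at_bank),
        "fresh_copy_linkable": correlation_handle(at_bar) == correlation_handle(at_bank_fresh),
    }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each verifier sees only the claims it was shown, yet reusing one signed copy hands both the same signature and digest list to match on. Presenting a freshly issued copy per verifier removes that handle.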
Myth 4: National ID programmes are surveillance tools by design. Critics often equate government-issued digital identity with mass surveillance. While the risk is real when safeguards are absent, well-designed systems can limit data collection. Estonia's X-Road infrastructure, for example, logs every government query against a citizen's data and makes those logs visible to the citizen in real time (e-Estonia, 2025). The design choice to make access auditable and to separate identity verification from transaction data creates accountability rather than unchecked surveillance. The outcome depends on legislative guardrails, independent oversight, and technical architecture choices.
Myth 5: One global identity standard will emerge and dominate. The identity landscape is structurally pluralistic. Different jurisdictions prioritise different assurance levels, legal traditions, and technological preferences. The US mDL programme uses ISO/IEC 18013-5, the EU wallet ecosystem relies on the Architecture and Reference Framework (ARF) built around OID4VC, and India's Aadhaar uses a proprietary API stack. Convergence is happening at the protocol layer (OpenID4VC, SD-JWT, mdoc) rather than at the system level. Organisations should plan for multi-standard interoperability, not a single winner.
Myth 6: Digital identity adoption is too slow to matter for business strategy. The pace of regulatory mandates suggests otherwise. By the end of 2026, EU member states must offer digital wallets; Brazil's GOV.BR digital identity platform reached 160 million users in 2025 (Brazilian Government, 2025); and Singapore's Singpass handled over 600 million transactions in 2024 (GovTech Singapore, 2025). Enterprises that ignore these shifts risk being unable to onboard customers in regulated markets. McKinsey (2024) estimated that digital ID could unlock economic value equivalent to 3 to 13 percent of GDP in emerging economies by 2030.
Myth 7: Verifiable credentials eliminate all fraud. VCs make credential forgery cryptographically difficult, but they do not eliminate fraud. A credential is only as trustworthy as the issuer's vetting process. If a university issues a degree to a student who cheated, the VC will faithfully attest to a fraudulent achievement. Replay attacks, social engineering, and device compromise remain vectors. Trust frameworks must therefore address issuance-quality assurance, revocation mechanisms, and holder-binding (proving that the person presenting the credential is the person it was issued to) alongside cryptographic integrity.
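The checks a verifier needs beyond signature validity (issuer recognition, revocation, holder binding, replay protection), as an added example that is not code from the article or from any wallet or verifier product. HMAC stands in for both the issuer's and the holder's digital signatures, and the issuer identifiers, key IDs, nonces and revocation list are constructed.

```python
import hashlib, hmac, json

# Assumption: HMAC stands in for the issuer's and the holder's digital signatures so the
# example runs on the standard library; a real verifier would hold only public keys.
TRUSTED_ISSUERS = {"did:example:university": b"constructed-issuer-key"}  # trust-framework registry
HOLDER_KEYS = {"holder-key-1": b"constructed-holder-key"}  # stand-in for the holder's bound key
REVOKED = {"cred-0002"}  # constructed revocation list

def sign(key, obj):
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def issue(issuer, key, cred_id, holder_key_id, claims):
    body = {"id": cred_id, "issuer": issuer, "holder_key_id": holder_key_id, "claims": claims}
    return {"body": body, "sig": sign(key, body)}

def present(credential, holder_key, nonce, audience):
    """Holder binds this presentation to the verifier's fresh nonce and identity."""
    binding = {"nonce": nonce, "aud": audience, "cred_sig": credential["sig"]}
    return {"credential": credential, "binding": binding, "proof": sign(holder_key, binding)}

def verify(presentation, expected_nonce, audience):
    cred, binding = presentation["credential"], presentation["binding"]
    body = cred["body"]
    issuer_key = TRUSTED_ISSUERS.get(body["issuer"])
    if issuer_key is None:
        return "reject: issuer not recognised by the trust framework"
    if not hmac.compare_digest(sign(issuer_key, body), cred["sig"]):
        return "reject: issuer signature invalid"
    if body["id"] in REVOKED:
        return "reject: credential revoked"
    holder_key = HOLDER_KEYS.get(body["holder_key_id"])
    if (holder_key is None or binding["cred_sig"] != cred["sig"]
            or not hmac.compare_digest(sign(holder_key, binding), presentation["proof"])):
        return "reject: holder binding failed"
    if binding["nonce"] != expected_nonce or binding["aud"] != audience:
        return "reject: replayed or misdirected presentation"
    # Passing every check still says nothing about how well the issuer vetted the claim.
    return "accept"

def demo():
    uni, uni_key = "did:example:university", TRUSTED_ISSUERS["did:example:university"]
    holder_key, aud = HOLDER_KEYS["holder-key-1"], "employer.example"
    degree = issue(uni, uni_key, "cred-0001", "holder-key-1", {"degree": "BSc"})
    revoked = issue(uni, uni_key, "cred-0002", "holder-key-1", {"degree": "MSc"})
    mill = issue("did:example:diploma-mill", b"mill-key", "cred-9", "holder-key-1", {"degree": "PhD"})
    captured = present(degree, holder_key, "nonce-A", aud)
    return {
        "genuine": verify(captured, "nonce-A", aud),
        "unknown_issuer": verify(present(mill, holder_key, "n", aud), "n", aud),
        "revoked": verify(present(revoked, holder_key, "n", aud), "n", aud),
        "replayed": verify(captured, "nonce-B", aud),
        "copied_without_key": verify(present(degree, b"not-the-holder", "n", aud), "n", aud),
    }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Only the first case is accepted; every rejected case except the last carries a signature that is valid under the key that produced it, so the rejections come from the policy checks.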
Myth 8: Developing countries should wait for mature standards before investing. Waiting carries its own costs. Countries that invested early, such as India and Estonia, now have mature ecosystems that support financial inclusion, e-governance, and economic growth. The World Bank (2025) notes that nations delaying digital ID deployment lose an average of 4.2 years of potential financial-inclusion gains compared to early movers. Modular, standards-based architectures allow countries to start with foundational identity and layer on verifiable credentials as standards mature, reducing the risk of premature lock-in while capturing near-term benefits.
Key Players
Established Leaders
- Thales Group — Global digital identity and security provider; supplies national ID programmes in over 30 countries and is a key contributor to EU wallet pilot infrastructure.
- IDEMIA — Biometric and identity solutions for governments and enterprises; processes over 5 billion identity transactions annually.
- Microsoft Entra Verified ID — Enterprise verifiable credentials platform integrated with Azure Active Directory, enabling organisational credential issuance and verification.
Emerging Startups
- SpruceID — Open-source SSI toolkit building DID and verifiable credential libraries used by US state mDL pilots.
- Procivis — Swiss startup providing the Procivis One wallet platform for government digital identity programmes across Europe.
- Anonyome Labs — Developer of the MySudo privacy-preserving identity platform enabling compartmentalised digital personas.
Key Investors/Funders
- European Commission (Digital Europe Programme) — Allocated over EUR 46 million to EU Digital Identity Wallet large-scale pilots across four consortia (2023 to 2025).
- Omidyar Network — Impact investor funding digital public infrastructure and identity inclusion projects in Africa and South Asia.
- Bill & Melinda Gates Foundation — Major funder of MOSIP (Modular Open Source Identity Platform), now adopted by over 10 countries for national ID systems.
Examples
EU Digital Identity Wallet Pilots. Four large-scale pilot consortia (POTENTIAL, EWC, NOBID, DC4EU) spanning all 27 EU member states began testing cross-border use cases in 2024, including mobile driving licences, educational credentials, and digital travel documents. By late 2025, over 4 million test users had participated, and the pilots identified critical interoperability gaps that fed back into the Architecture and Reference Framework v1.4 (EU Digital Identity Wallet Consortium, 2025).
India's Aadhaar and DigiLocker. India's identity ecosystem links Aadhaar authentication to DigiLocker, a government-hosted document wallet with over 300 million registered users. In 2025, DigiLocker processed 6.8 billion document accesses, eliminating the need for physical copies in university admissions, insurance claims, and tax filings (Ministry of Electronics and IT, 2025). The integration demonstrates how foundational identity can anchor a wider credential-sharing ecosystem.
Singapore Singpass. Singapore's national digital identity platform serves 5.5 million users (97% of eligible residents) and supports over 2,000 government and private-sector services. In 2024, Singpass processed more than 600 million transactions, including corporate filings, healthcare access, and cross-border mutual recognition with select ASEAN partners (GovTech Singapore, 2025). Its success illustrates the network effects that emerge when identity reaches near-universal adoption.
MOSIP Deployments in Africa. The Modular Open Source Identity Platform, incubated with Gates Foundation funding, has been adopted by the Philippines, Morocco, Ethiopia, and Sri Lanka, among others. Ethiopia's deployment enrolled over 5 million citizens in its first 18 months of operation, providing legal identity to previously undocumented populations at a per-enrolment cost below $2 (MOSIP, 2025).
Action Checklist
- Audit your assumptions. Review internal strategy documents for the eight myths above and correct any that are shaping procurement or policy decisions.
- Map regulatory exposure. Identify which digital identity regulations (eIDAS 2.0, US mDL mandates, sector-specific KYC rules) affect your operations and set compliance timelines.
- Adopt standards-based architectures. Prefer W3C Verifiable Credentials, OpenID4VC, and ISO/IEC 18013-5 to reduce vendor lock-in and future-proof integrations.
- Implement privacy by design. Require selective disclosure, on-device biometric matching, and unlinkability in any wallet or identity solution you deploy or procure.
- Test interoperability. Participate in cross-sector or cross-border pilot programmes to surface integration issues before production rollout.
- Plan for inclusion. Ensure offline verification pathways, accessibility features, and alternative enrolment methods are part of your deployment roadmap.
- Establish governance. Define roles, liability, and audit mechanisms in a trust framework document before issuing or accepting verifiable credentials.
FAQ
Do digital identity wallets replace passwords? Not entirely, but they significantly reduce reliance on passwords. Wallets use cryptographic key pairs and biometric device unlock rather than shared secrets. Combined with FIDO2 passkeys, they eliminate phishable passwords for supported services. However, legacy systems that have not adopted modern authentication will continue to require passwords during the transition period.
Is self-sovereign identity only relevant to individuals? No. Organisations also benefit from verifiable credentials. A company can hold a digitally signed registration certificate, a carbon-offset accreditation, or a supply-chain compliance attestation in an organisational wallet. The EU wallet pilots include legal-entity credentials as a core use case, enabling machine-readable corporate identity verification.
How do trust frameworks handle liability when a credential is fraudulently issued? Most mature trust frameworks specify liability allocation among issuers, wallet providers, and verifiers. The EU eIDAS 2.0 regulation, for example, holds qualified trust service providers liable for damages caused by failures in their issuance processes. NIST SP 800-63-4 defines assurance levels that map to risk tolerance, allowing relying parties to choose the level of identity proofing and authentication strength appropriate to their use case.
What happens if a user loses their device? Well-designed wallet systems support credential recovery through backup and restore mechanisms, often protected by hardware security modules or cloud-based encrypted vaults. The EU ARF v1.4 specifies that users must be able to recover credentials without re-issuance in most cases. Issuers can also re-issue credentials upon re-authentication through the original identity-proofing channel.
Are digital identity systems environmentally sustainable? Compared to paper-based identity processes, digital systems significantly reduce material waste and transport emissions. India's Aadhaar-based authentication eliminates an estimated 1.2 billion physical document verifications per year (UIDAI, 2025). However, the energy footprint of underlying cloud infrastructure and, where used, blockchain networks must be factored into sustainability assessments. Systems designed around lightweight protocols and edge processing minimise this impact.
Sources
- World Bank. (2025). Identification for Development (ID4D) Global Dataset: 2025 Update. Washington, DC: World Bank Group.
- Javelin Strategy & Research. (2025). 2025 Identity Fraud Study: The Shifting Landscape. Pleasanton, CA: Javelin.
- European Commission. (2024). Regulation (EU) 2024/1183 Amending Regulation (EU) No 910/2014 (eIDAS 2.0). Official Journal of the European Union.
- EU Digital Identity Wallet Consortium. (2025). Large-Scale Pilot Progress Report: Cross-Border Interoperability Findings. Brussels.
- UIDAI. (2025). Aadhaar Dashboard: Monthly Authentication Statistics, December 2025. New Delhi: Unique Identification Authority of India.
- FIDO Alliance. (2025). Passkey Adoption Metrics: Q3 2025 Report. Mountain View, CA: FIDO Alliance.
- ENISA. (2025). EU Digital Identity Wallet Security and Privacy Assessment. Athens: European Union Agency for Cybersecurity.
- W3C. (2024). Decentralized Identifiers (DIDs) v1.0: W3C Recommendation. World Wide Web Consortium.
- Apple. (2024). Face ID Security: Secure Enclave Architecture. Cupertino, CA: Apple Inc.
- e-Estonia. (2025). X-Road Data Tracker: Citizen Access Logs and Transparency Reports. Tallinn: e-Estonia.
- McKinsey Global Institute. (2024). Digital Identification: A Key to Inclusive Growth. New York: McKinsey & Company.
- Brazilian Government. (2025). GOV.BR Platform Usage Statistics: 2025 Annual Report. Brasilia.
- GovTech Singapore. (2025). Singpass Annual Report 2024: Transaction Volumes and Service Integration. Singapore.
- MOSIP. (2025). Deployment Impact Report: Modular Open Source Identity Platform Across Partner Countries. Bangalore: International Institute of Information Technology.
- Ministry of Electronics and IT, India. (2025). DigiLocker Annual Statistics: Document Access and User Growth. New Delhi.