Framework vs. Credential: Choosing the Right Model for State Identity

Explore why a flexible, standards-aligned framework offers the strongest foundation for modern, privacy-preserving digital identity.

Digital identity is shifting from individual credentials to full ecosystems. As states modernize, the question is no longer which digital ID to issue; it is how to build the underlying framework that every credential can rely on. A flexible, standards-aligned model provides states with room to evolve, protects resident choice, and maintains consistent privacy controls across various use cases.

This blog post examines why a framework, rather than a single credential, provides the strongest foundation for a long-term, interoperable digital identity.

The Framework Approach: Built for Evolution

We recommend that states define their digital identity initiative as a framework of technical and statutory controls, not as a single credential. A statewide identity framework would apply to many possible credentials, whether a digital identification card issued by the DMV or a digital veteran's ID card issued by the UT VMA. Such credentials represent the State's highest-assurance digital identity and meet all required protections outlined in the framework, such as unlinkability, minimal disclosure, and individual control. At the same time, the framework can be referenced piecewise to guide the design of other state-issued credentials (such as professional licenses, permits, benefit eligibility records, or guardianship credentials) by allowing them to adopt relevant controls where appropriate. This framework approach ensures consistency across credential types, maximizes flexibility, enables interoperability with existing credential ecosystems, and preserves resident choice.

Under a statewide digital identity framework, these controls must apply in full to credentials appropriate for foundational identity use cases, ensuring strong privacy, unlinkability, minimal disclosure, and individual control. The same framework can also be applied piecewise to other credential types, allowing states to deploy the right safeguards for the right context. For example, a certain credential may require revocation mechanisms but not the full set of high-assurance controls, while all credential types might consistently adopt "no phone-home" verification as a baseline requirement.

Why Flexibility Matters

This approach ensures that states can deploy the right kind of framework-compliant credential for the right use case. The framework would allow states to issue digital-only credentials that would not be practical in the physical world. It also allows the state government to move iteratively, prototyping, piloting, and refining credential types individually without requiring the entire ecosystem to be redesigned each time. By adopting a framework model, states gain the flexibility to meet federal requirements where needed, adapt to unsolved challenges like guardianship, and maintain interoperability with existing verifier ecosystems both inside and outside the state.

Contrasting Models: The Trade-offs

A composite framework model lowers barriers to entry by allowing residents to opt in to the credentials most relevant to their lives, from driver licenses and professional licenses to permits and benefit eligibility proofs.

When we compare approaches, the distinctions become clear:

Framework Model (Recommended):

  • Budget: Incremental and use-case driven. New framework-compliant credential types can be introduced iteratively without disrupting existing ones, reducing long-term risk. Older credential types may be gradually deprecated as newer technologies become available, for example to add post-quantum cryptography. A subset of framework controls can be applied to additional non-framework credentials where appropriate.
  • User Choice: Holders can select among framework-compliant credentials, all of which meet baseline security and privacy requirements. For example, one resident might opt for a state-endorsed Veteran ID, while another prefers a digital driver's license. States should guide residents on available options and their tradeoffs (e.g. usability, privacy, security) so individuals can make informed choices.
  • Scalability: Horizontally scalable by use case. New compliant credential types can be added without disrupting existing ones, as long as they meet framework controls. Different framework credential implementations might also compete on speed and efficiency.
  • Flexibility/Adaptability: Highly adaptable by adding new credential types while still enforcing common controls. Supports mirrored credentials as well as novel, unsolved use cases (e.g. guardianship) via iterative pilots and evolving standards.

Monolithic Credential Model:

  • Budget: Likely lower short-term cost and complexity for a single credential. Long-term changes would require costly, system-wide redesigns.
  • User Choice: Holders either accept the canonical credential or are excluded from framework benefits.
  • Scalability: Scales only within the limits of the chosen protocol; new use cases may require major redesign.
  • Adoption: Riskier as an all-or-nothing approach if residents resist that credential (e.g., due to privacy concerns or technical barriers) or if it fails to meet diverse needs.

Building the Market

The ultimate strength of a statewide digital identity framework approach is that the technical controls that must all be implemented for credentials may also be used piecewise, as appropriate, for other credential types in use cases like permitting and licensing, or even in the private sector. This also creates the opportunity for firms to specialize in managing aspects of the framework, which lowers the barriers to market entry and creates opportunities, especially for smaller and newer vendors, to work on particular problem sets. It also allows deep specialization to produce best-in-class products.

We believe the framework approach would produce a larger, more diverse market, ultimately allowing states, agencies, and the private sector to have many choices from vendors, including those that are local, who can specialize in the technologies. This ability to create the best possible products extends even across non-framework credentials.

By having a composable set of framework controls that can be repurposed for other use cases as they are appropriate, we can accelerate privacy, security, and usability within government agencies and the private sector alike. This increases optionality and quality, and lowers the cost for credentials and all other credentials built on an aligned framework.

Standards-Based, Vendor-Neutral

We recommend a multi-format issuance strategy that aligns with national and international standards. By relying on open, widely adopted standards, states can avoid vendor lock-in, accelerate adoption by verifiers, and maximize cross-jurisdictional acceptance.

The role of a statewide digital identity framework should be to clearly outline and encode policy goals (e.g. security, privacy, unlinkability, minimal disclosure, and use of open standards); to describe technical controls ("framework controls") that have been proposed, reviewed, and confirmed to achieve those policy goals without "picking winners" in the technology market; and to leave flexibility in how they are achieved. Each foundational identity use case can then adopt the technical standard best suited to its context, provided it complies with the framework's required controls.

Governance as Public Infrastructure

Finally, we highlight the need for sustainable governance. States should treat their digital identity frameworks as public infrastructure, funded as a shared good rather than a private service. By certifying multiple wallets and issuers against a published state digital identity profile, a state can foster a healthy ecosystem of vendors, spur innovation, and ensure residents retain choice while benefiting from consistent protections.

Looking Ahead

A framework approach gives states the structure they need to modernize responsibly. It enables agencies to introduce new credential types without redesigning the entire system, fosters a healthy market of vendors, and ensures that privacy requirements are consistently applied across every use case. By grounding digital identity in open standards and clear statutory controls, states can support today’s needs while preparing for what comes next.

Treating digital identity as public infrastructure ensures it remains flexible, durable, and rights-preserving. Residents keep meaningful control, agencies gain reliable tools, and innovation can happen without compromising trust.

If your state is evaluating how to structure its digital identity strategy, SpruceID can help. We support governments building open, privacy-preserving identity frameworks, from mobile driver’s licenses to multi-credential ecosystems.


About SpruceID: SpruceID is building a future where users control their identity and data across all digital interactions. We build privacy-preserving digital identity infrastructure that empowers people and organizations to control their data. Governments, financial institutions, and enterprises use SpruceID’s technology to issue, verify, and manage digital credentials based on open standards.