Navigating the Jungle of Digital Credential Standards

The ongoing transition towards digital identity credentials will have many benefits for users and society, from increased privacy to preventing disinformation. The first form of digital credential that’s reaching the public is the mobile driver’s license, currently being piloted by several U.S. states. But there are many other potential digital credentials, from professional licenses and degrees to simple event passes, each with its own nuances. 

The builders architecting these systems, often from the ground up, face a challenge: choosing the right technical standard for presenting data. Standards enable the open, interoperable nature of digital identity systems, making sure potentially countless credential issuers, holders, and verifiers overseeing a huge variety of digital credentials are all on the same page. 

Digital credentials will eventually include not just driver’s licenses but more niche certifications from food handling to off-road vehicle training to professional affiliations. Agents handling related credentials will have to speak the same language – that is, use the same data standard – to interact in a smooth and trustworthy way. Email is another technology that runs on a shared data standard, which is why it can be sent from a Gmail account but still be readable via Hotmail or any other email service. 

For better or worse, though, the world of digital credential standards is already wildly fragmented. For instance, there are already no fewer than two digital formats to verify educational credentials: OpenBadges and the European Digital Credential. A recent report from the European Union Agency for Cybersecurity (ENISA) describes six different formal standards for digital identity credentials, among them the International Organization for Standards’ (ISO) Mobile Driver’s License standard (mDL); standards under the EU’s eIDAS authority; and both OpenID and FIDO2 formats for online identity and security. And that’s just the tip of the iceberg. 

The choice of standard will also be shaped by the scope and nature of a project: Standards can be built for very specific and similar purposes, or they can be generalized and overlapping. Further, while some standards will grow into thriving ecosystems, others may fall to the wayside, just like the Betamax videotape standard. These and other factors can make choosing the right credential standard to build a system feel simultaneously very important and difficult.

But at SpruceID, we’ve taken a different approach to the stressful quandary of digital credential standards. Rather than choosing one standard to build our tools around, we integrate multiple standards that meet our goals for user convenience, privacy, sustainability, and security. This ensures our customers get what they need today and that our systems will still be functional tomorrow—even in the (unlikely!) event that we’re not around to maintain them.

Real Results Beat Abstract Superiority

The biggest pitfall when evaluating standards is trying to decide which one is the “best,” whether for your application or in general. The truth is that even if one technical roadmap offers clear advantages over another, parallel questions such as adoption rates and integrations can trump those concerns. The technically superior standard simply doesn’t always win—just ask BetaMax, which lost the fight with VHS despite being better in every way.

So, instead of looking for some abstract “best,” here at SpruceID, we focus on whether each standard adequately provides four things: utility, privacy, security, and sustainability. Our systems integrate multiple standards that fulfill those needs and let users issue, manage, or verify credentials in all the supported standards formats.

Privacy, in particular, is a major motive for the overall shift to digital identity, which opens up new possibilities for users to control information about themselves carefully. Our North Star is scholar Helen Nissenbaum, who emphasizes the importance of social context for our sense of privacy. Older, analog forms of identity could ‘leak’ information in the wrong context, and some early digital ID systems could reveal too much data about a user’s activities to credential issuers. 

But good digital identity standards give users control over precisely what data they’re sharing and when – including protecting them from uninvited monitoring, even from state authorities. Standards that protect user privacy and enable selective disclosure include ISO’s mDL standard and the World Wide Web Consortium (W3C) Verifiable credentials format.

Similarly, standards must allow secure implementations. That doesn’t just mean that their cryptographic verification processes are sound—that’s important but relatively straightforward to assess. More subtle risks can lurk in how a standard shapes the storage and sharing of data: as an extreme example, fully centralized identity databases present serious risks to users' privacy. 

It’s worth noting here that there’s a nuanced relationship between all these standards and their even more varied implementations – that is, the actual code and systems that use the standards. It’s not hard to take a potentially secure and private identity standard and build a system around it that undermines those virtues, but our multi-standard strategy is focused on the core architecture and making sure our own tools implement it in the best possible way.

We Can Rebuild it. We Have the Standards.

The third minimum requirement for a standard to pass muster at SpruceID is that it offers inherent resilience. Above all, this means that it doesn’t depend on any one technology operator to keep functioning and that even if our own front-end system were to vanish, users would still be able to use and trust the same credentials they had been using with SpruceID. From this perspective, a counterpart to resilience is scalability.  That is, how easy it is for a new actor to adopt the standard and provide services using it – including filling gaps that might appear if other ecosystem players were to go away.

If a digital credential system is a network that carries information, you can think of it like a 19th-century railroad. It’s made up of trains and conductors and rails and stations - things you can see and touch. But it’s also made up of standards that underpin all that hardware - technical standards like track width and signaling technology and standardized ways the railroad is scheduled and operated. 

In the old days, railroads competed fiercely, and the utility, depth, and trustworthiness of those standards, including how well they allowed different systems to interact, played a big role in which railroads survived. Railroads with strong standards would be more likely to work well with other systems and make it easier for new operators to rebuild, bailout, or take over. To pick the most obvious example, a railroad that decided its tracks would be twelve inches wide when locomotive manufacturers were churning out dining cars for tracks four feet across would be far less resilient or scalable because of that choice.

Our approach to standards is based on the idea that things can cut in the other direction, as well: If one standard disappears or loses relevance, our systems will still have a second set of rails built to other workable standards. This is a key advantage of implementing multiple standards through one tool.

But the truly big unlock is the peace of mind of not having to worry too much about which standard is “best,” maybe even before you even know what your customers and users will need.

Our priority is answering those specifics and making sure our implementation translates a general format into the best possible user experience. This includes assurances that their data is safely in their control and will be useful for the long haul, regardless of which invisible data formats win the long-term digital identity race.

Want to learn more or discuss your specific use case? Contact us to continue the conversation.

About SpruceID: SpruceID is building a future where users control their identity and data across all digital interactions.