Why Should Digital Wallets Be Open Source?
At SpruceID, we believe that any successful digital identity program must be open and interoperable, allowing many identity issuers and verifiers to share standardized technical “rails.” This opens the playing field for competitive innovation, both in technical approaches and business focus, making sure that every possible advantage of digital identity reaches the real world.
This open-network model fundamentally relies on another kind of openness: open-source code and software. The basic idea of open source is that it can be freely viewed, borrowed, and modified, an ethos that has been fundamental to the progress of digital technology as a whole. It’s sometimes referred to as FOSS, for “free and open source software.”
Open source can also provide substantive security and interoperability advantages specific to identity systems, particularly for digital wallets. Read on for a concise breakdown of those advantages and why the many new players joining the digital identity ecosystem should seriously consider an open source approach.
What is ‘Open Source’?
At root, “open source” describes a type of copyright license attached to a published piece of software. There are many types of open-source licenses, each with specific permissions and limits on how the software can be borrowed from, transformed, and used. For instance, some FOSS licenses allow reused code to be integrated into copyrighted commercial products, while some do not.
The goals of open source were first laid out in the late 1980s by pioneering hacker Richard Stallman, and one major motive was simple efficiency. Many different software packages include very similar modules or functions under the hood, and making those components freely reusable has contributed massively to the success of the software industry. SpruceID is very proud to share its work with identity developers via SpruceKit, our open-source package of tools for building identity with digital credentials, and on our extensive GitHub repository. (We even just completed a full DevDoc content review & refresh: https://www.sprucekit.dev.)
A recent study from the Harvard Business School found that this sort of efficiency amounted to a staggering $8.8 trillion in value for technology firms, which would have to spend 3.5 times more on development costs without open source. It’s important to point out that open-source isn’t simply a free lunch, though: if you’re using open-source components in a project, there’s an expectation that you’ll make your own contributions in return. That’s why SpruceID is an active supporter of open source initiatives: we’re a founding member of the Open Wallet Foundation, and we fund initiatives to support open source developers in the ecosystem.
Open Source Means Trust Assurance
The security and trust advantages of open-source software development may be even more significant than the efficiency benefits. Because open-source code is publicly viewable, it has the potential to be vetted by many more developers than would review it within a single organization. Furthermore, code components that are deployed across many software packages have a head start on “real-world” testing.
This benefit is particularly relevant - perhaps even essential - for wallet software. That’s because many of the security protections of wallet software are deep in the code, particularly including how user data is stored and shared. The ability to review the underlying code is the best way to make sure, for instance, that a wallet is interacting with a device's secure element chip correctly or that it can’t be subverted by a ‘rooted’ operating system.
It’s important to note that making code publicly viewable should not create a security risk by revealing specific tokens, passwords, or access codes. One might compare it to looking at a diagram of a lock: open source will reveal if the lock’s design is flawed in a way that could be exploited, but it won’t let you create a key that would open any specific lock.
Of course, as with all software, it’s important to apply security precautions. Open source projects can evolve rapidly, and while the community often identifies vulnerabilities quickly, users must stay vigilant. It’s necessary to regularly update dependencies, review project activity, and verify package integrity. Running automated vulnerability scanning and ensuring third-party code aligns with organizational security policies can offer further protection. With thoughtful management, open source can be leveraged confidently without compromising security.
Innovation in More Directions
Finally, the core advantage of open-source software is that it allows software builders to innovate faster by building on work that has come before. Open source licenses allow code to be freely modified, meaning a developer can borrow something close to what they’re trying to create and then add modifications specific to their goals, which may be quite different than the functionality of the library it’s built upon.
This “building on the work of others” can be particularly powerful for applications that run on open data standards, including digital credential wallets. A wallet may integrate preexisting components that handle the underlying standards and then build specific features that expand on that shared foundation for its particular use cases. This could be something as simple as tailoring the aesthetics and layout of a user interface or more nuanced details such as creating more detailed security or adding more sharing options.
This capacity for innovation then has a positive flipside, which is the freedom to not innovate. Credential wallets, in particular, can be quite basic re-uses of existing code, or experimental forks veering off into new territory. That makes the open source approach particularly appealing for state governments or other entities testing the waters: a project can be tailored to the capacity and experience of staff and constituents as needed. But if you adopt open source, no matter where the project ends up, you may already be standing on the shoulders of giants.
Let’s Build the Future of Digital Identity Together
SpruceID is committed to advancing open source solutions that empower individuals and organizations with secure, privacy-preserving digital identity tools. Whether you're developing credential wallets, integrating verifiable credentials, or exploring decentralized authentication, we’d love to collaborate.
About SpruceID: SpruceID is building a future where users control their identity and data across all digital interactions.