The FIDO Alliance Announces Standardized Digital Wallets

The FIDO Alliance, the body behind authentication standards such as FIDO2, which is widely used in hardware security keys, has announced a new digital credentials initiative aimed at standardizing and streamlining the adoption of “verifiable digital credentials and identity wallets.”

The newly formed Digital Credentials Working Group (DCWG) will work closely with other standards bodies such as EMVCo, ISO, the OpenID Foundation, and the W3C to align today’s fragmented digital identity solutions into an interoperable, secure digital wallet ecosystem.

The FIDO Alliance cites its success in previous efforts to promote passkey adoption:

FIDO Alliance united the industry to solve the password problem, and the world is now embracing the simplicity and security of passkeys – with billions of accounts now leveraging this sea change in user authentication. We’re now aiming to bring that same proven, collaborative model to the adjacent digital credentials landscape.

We’ve seen several governments rolling out digital IDs, such as the European Digital Identity, the Australian Digital ID, and many US states.

The FIDO Alliance describes the ecosystem as it stands today as fragmented. Each country has its own digital ID program, usually with an in-house app you have to install, and as the GSMA has pointed out, a lack of cooperation between countries can lead to issues.

They don’t explicitly say it, but I think that each country having its own wallet app can lead to mistakes being repeated, when governments could cooperate to make a standard that would work in any wallet users might want to use.

The friction with relying parties and issuers is explicitly pointed to as a sore spot that needs work; presumably it’s a big reason why governments want to make their own in-house wallet apps in the first place. In the digital ID ecosystem, the issuer is the party that issues the credential (the government, in the case of digital IDs), and the relying party is the one that accepts the credential.

In its documentation on the subject, the FIDO Alliance states:

[I]ssuing authorities often have additional requirements on the wallets into which they provision, covering things like device security, holder privacy, and credential life cycle management. The FIDO work will allow issuing authorities to confirm if a wallet being presented for provisioning has been certified against a profile representing the issuing authority’s protocol and other requirements.

The FIDO Alliance wants to focus on three areas:

Wallet certification, drawing on the existing FIDO certification program, will allow the Alliance to “establish certification criteria for digital wallets, ensuring they are secure, protect user privacy, and are interoperable with credential issuers and relying parties.” An issuer can presumably be confident that a wallet certified under this program meets a certain standard of security. It’s unclear exactly how the program will work, but it would make sense to have certification “levels” like those that currently exist for FIDO authenticators.

Specification development is also on the docket, with explicit mention of presenting credentials across devices and of new standards for things such as customer loyalty programs. A private version of a customer loyalty program sounds like a big improvement, since those programs can currently be used to track your purchases.

Finally, they want to make the experience as seamless and usable as possible in order to encourage adoption. They will provide the tools and guidelines to make the transition smooth.

As an example of the current fragmentation, the TSA website lists which individual digital wallets are supported in each state. This simply isn’t sustainable for an open ecosystem. Open wallet standards should allow any certified wallet to be used with any issuing authority, rather than relying on in-house apps or a handful of specific wallet apps. User freedom and choice are important, especially for something as sensitive as ID documents.

It’s unclear exactly what the end state of this program will be, but you can easily imagine an open ecosystem of digital wallets, certified by FIDO, that provides an experience similar to that of today’s password managers. You’ll hopefully be able to choose any wallet you want, as long as it meets the certification required by your government, and use it for everything from secure digital payments to private rewards programs and even things we can’t think of yet.

In an age where payment processors try to control what legal content we view, a digital wallet ecosystem could enable private digital payments along the lines of GNU Taler. There are so many possibilities for what this initiative could lead to.

It’ll certainly be interesting to see what they manage to do with this. As age verification laws are being rolled out without much thought as to how to make them secure, standards bodies like the FIDO Alliance will be the ones we lean on to fix the mess that lawmakers have made.