Digital Identity
Digital identity is the technical, legal, and social infrastructure used to assert, verify, and govern identifiers, credentials, attributes, accounts, devices, agents, and access in networked systems.
Snapshot
- Scope: people, organizations, services, devices, software agents, accounts, credentials, attributes, and the relationships among them.
- Not the same as: a legal name, a single login account, a biometric template, a wallet, a government ID, a proof-of-personhood system, or a universal identifier.
- Main value: trustworthy access, fraud resistance, account recovery, portability, delegated authority, and accountable service delivery.
- Main danger: exclusion, surveillance, cross-context linkage, irreversible biometric errors, vendor lock-in, state or platform capture, and opaque denial of access.
- Evidence boundary: identity proofing, authentication, federation, authorization, credential presentation, account recovery, and audit trails are related but different controls.
Definition
Digital identity is the set of records, credentials, protocols, policies, and ceremonies that let systems represent an entity and decide whether to rely on claims about it. The entity might be a person, organization, device, service, workload, dataset, model, software agent, or account.
A useful digital identity system answers several separate questions: who or what is being represented; which attribute or credential is being relied on; who issued or vouched for it; how the presenter authenticated; what action is allowed; who records the decision; and how errors, loss, revocation, or misuse can be contested.
Digital identity is therefore broader than authentication. Logging in with a passkey proves control of a scoped credential for a relying party; it does not necessarily prove legal identity, age, employment, license status, personhood, or authorization to act for another person. A digital wallet can present credentials; it does not by itself decide whether the issuer is legitimate or whether the verifier is entitled to ask.
Current Context
As of the June 25, 2026 review, NIST SP 800-63 Revision 4 is the current U.S. federal digital identity guidance. NIST released the final Revision 4 suite in July 2025, replacing Revision 3, and organizes guidance across identity proofing, authentication, federation, and assertions. That framing is useful because it prevents a single login, wallet, or credential from being treated as the whole identity system.
Credential standards have also matured. The W3C Verifiable Credentials Data Model v2.0 became a W3C Recommendation on May 15, 2025, while W3C DID Core remains the Recommendation baseline for decentralized identifiers. OpenID for Verifiable Presentations 1.0 became an OpenID Final specification in July 2025, and OpenID for Verifiable Credential Issuance 1.0 became Final in September 2025. Those standards describe different layers: credential data, identifiers, presentation, and issuance.
Wallet and browser mediation remain active areas rather than settled infrastructure. The W3C Digital Credentials API is a Working Draft that covers user-agent mediation of credential presentation and issuance. Federated Credential Management, WebAuthn, passkeys, OpenID Connect, and mobile wallet systems can coexist, but claims about one layer should not be used as proof about another.
The European Digital Identity Regulation, often discussed through the European Digital Identity Wallet, makes digital identity part of public infrastructure and private-sector access. It also shows the governance tension: wallets can improve portability and selective disclosure, but they can also normalize credential checks in contexts where anonymity, pseudonymity, or non-digital alternatives should remain available.
Core Layers
- Identifiers: account IDs, government numbers, email addresses, phone numbers, DIDs, device IDs, workload identities, and pairwise pseudonymous identifiers.
- Proofing and enrollment: the process of binding a person, organization, device, or agent to evidence and creating a record or credential.
- Authentication: proof that a presenter controls an authenticator, such as a passkey, hardware key, one-time code, certificate, wallet key, or local biometric unlock.
- Federation: a relying party accepting an assertion or token from an identity provider or federation protocol rather than handling proofing directly.
- Credentials and wallets: portable claims such as age, license, membership, employment, education, device status, or agent authority, often presented through wallet or credential-management flows.
- Authorization: the policy decision about what the authenticated or credentialed actor is allowed to do.
- Lifecycle: recovery, revocation, expiry, renewal, correction, dispute, retention, deletion, delegated authority changes, and incident response.
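The Definition section's point that a passkey proves control of a credential scoped to one relying party, and nothing more, is easiest to see in the verifier's own checks. The following is an added example, not code from the page or from any standard body: a relying party verifying a passkey-style assertion. The message layout follows WebAuthn (clientDataJSON, authenticatorData as rpIdHash, flags and signature counter, and a signature over authenticatorData plus the SHA-256 of clientDataJSON). The relying party identifier, origin, credential registry and challenge handling are constructed, and the signature is simulated with HMAC over a per-credential secret so the file runs offline; a real relying party verifies a public-key signature instead (assumption).

```python
"""Added example, not code from the page: a relying party verifying a
passkey-style assertion. It shows what the Authentication layer proves
(control of a credential scoped to this relying party) and what it does
not (legal identity, age, personhood, authorization).

The message layout follows WebAuthn: clientDataJSON, authenticatorData
(rpIdHash || flags || signCount), and a signature over
authenticatorData || SHA-256(clientDataJSON). The signature is simulated
with HMAC over a per-credential secret so the file runs offline; a real
relying party verifies a public-key signature (assumption)."""
import base64
import hashlib
import hmac
import json
import os
import struct

RP_ID = "example.com"              # hypothetical relying party
ORIGIN = "https://example.com"
FLAG_UP = 0x01                      # user present
FLAG_UV = 0x04                      # user verified (local PIN/biometric)

# Constructed credential registry: id -> stored key and last signature counter.
# A real registry stores the credential public key; an HMAC key stands in here.
CREDENTIALS = {"cred-1": {"key": b"per-credential-secret", "sign_count": 5}}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_challenge() -> bytes:
    """Fresh per-ceremony challenge; the relying party stores it server-side."""
    return os.urandom(32)


def authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def authenticator_sign(cred_id, challenge, origin, rp_id, sign_count, flags=FLAG_UP | FLAG_UV):
    """Client + authenticator side (constructed): produce an assertion for a challenge."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = authenticator_data(rp_id, flags, sign_count)
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIALS[cred_id]["key"], signed, hashlib.sha256).digest()
    return {"id": cred_id, "clientDataJSON": client_data,
            "authenticatorData": auth_data, "signature": sig}


def verify_assertion(assertion, expected_challenge, require_uv=True):
    """Relying-party checks. The success result names only what was proven."""
    cred = CREDENTIALS.get(assertion["id"])
    if cred is None:
        return {"ok": False, "reason": "unknown credential"}
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return {"ok": False, "reason": "wrong ceremony type"}
    if not hmac.compare_digest(b64url_decode(client.get("challenge", "")), expected_challenge):
        return {"ok": False, "reason": "challenge mismatch: stale or replayed assertion"}
    if client.get("origin") != ORIGIN:
        return {"ok": False, "reason": "origin mismatch: assertion was made for another site"}
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return {"ok": False, "reason": "rpIdHash mismatch"}
    flags = auth_data[32]
    if not flags & FLAG_UP:
        return {"ok": False, "reason": "user presence not asserted"}
    if require_uv and not flags & FLAG_UV:
        return {"ok": False, "reason": "user verification required but absent"}
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if sign_count != 0 and sign_count <= cred["sign_count"]:
        return {"ok": False, "reason": "signature counter did not advance: possible cloned authenticator"}
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred["key"], signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return {"ok": False, "reason": "signature invalid"}
    cred["sign_count"] = sign_count
    # Deliberately no name, age, personhood or permission: those come from
    # proofing, credentials and authorization, which are separate layers.
    return {"ok": True, "credential_id": assertion["id"], "rp_id": RP_ID,
            "user_verified": bool(flags & FLAG_UV), "identity_claims": {}}


if __name__ == "__main__":
    challenge = new_challenge()
    print(verify_assertion(authenticator_sign("cred-1", challenge, ORIGIN, RP_ID, 6), challenge))
```

The success result carries a credential identifier, the relying party it is scoped to, and an empty set of identity claims. Anything about who the holder is has to come from the proofing, credential, or authorization layers and should be logged as such, not inferred from the login.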
AI Relevance
AI raises the stakes of digital identity because synthetic media, voice cloning, automated account creation, bot activity, and agentic browsing increase the demand for stronger verification. The response cannot be "identify everyone everywhere." High-assurance identity can reduce fraud in consequential settings, but mandatory proof for ordinary reading, speech, association, or support-seeking can become surveillance infrastructure.
AI Agent Identity makes the boundary sharper. A human account, an organizational service account, and an AI agent acting under delegated authority should not collapse into one identity. Systems need to know whether an action was performed by a person, an agent, a tool server, a bot, or a human-approved automation, and they need logs that distinguish authentication from authorization.
Digital credentials can carry claims about age, employment, license status, membership, organization authority, agent delegation, dataset provenance, audit status, or model-release attestations. A signature or credential presentation does not make the claim true; it only makes the issuer, subject, format, and integrity of the claim more inspectable.
Risks
- Exclusion: people without documents, devices, stable addresses, institutional records, biometric match reliability, or recovery channels can be blocked from essential services.
- Surveillance and linkage: reusable identifiers, wallet telemetry, verifier logs, issuer status checks, and federation identifiers can connect contexts that should stay separate.
- Function creep: a credential introduced for high-risk transactions can become a routine checkpoint for speech, browsing, shopping, housing, work, education, or public benefits.
- Vendor or state capture: wallet providers, identity providers, app stores, cloud platforms, and government registries can become chokepoints for public access.
- Biometric irreversibility: passwords and keys can be rotated; faces, fingerprints, iris patterns, and voice traits cannot be replaced in the same way.
- Recovery failure: account loss, phone loss, key loss, death, organizational turnover, and revocation errors can turn identity controls into denial-of-service mechanisms.
- Coercive disclosure: a verifier can pressure a person to disclose more than the narrow attribute needed, even when selective disclosure is technically possible.
- Agent confusion: automated systems can blur whether a credential was presented by a human, by an agent with delegated authority, or by a compromised automation path.
Governance and Safety
Identity governance starts with proportionality. The assurance level should match the consequence of the decision. A public benefit, bank transfer, prescription, age-restricted service, employment check, or cross-border wallet use may justify stronger evidence than a forum comment, newsletter subscription, or low-risk support request.
Good systems minimize disclosure. They ask for a narrow attribute when a narrow attribute is enough: over 18 rather than full birthdate, valid license rather than license number, organizational role rather than home address, or agent delegation scope rather than full human identity. Selective disclosure and Zero-Knowledge Proofs can help, but only if the verifier request, wallet behavior, status checking, and logs avoid unnecessary correlation.
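The narrow-attribute principle above depends on a credential format in which the holder can omit claims without breaking the issuer's signature. The following is an added example, not code from the page or from any standard body, of selective disclosure with salted claim digests, modelled on the SD-JWT idea: the issuer signs only a list of digests, the holder reveals just the disclosures a verifier needs, and the verifier checks each disclosure against the signed list. It also includes a wallet-side check that flags a verifier request asking for more attributes than its stated purpose needs. The issuer identifier, the purpose policy, the claim names, and the HMAC stand-in for the issuer's signature are all assumptions made so the file runs offline.

```python
"""Added example, not code from the page: selective disclosure with salted
claim digests, modelled on the SD-JWT idea. The issuer signs a list of
digests rather than the claims; the holder reveals only the disclosures a
verifier needs, and the verifier checks each one against the signed list.
The issuer signature is simulated with HMAC over an issuer key so the file
runs offline (assumption; real issuers sign with a private key). The
wallet-side over-asking check and its purpose policy are also assumptions."""
import base64
import hashlib
import hmac
import json
import os

ISSUER_KEY = b"issuer-signing-key-constructed"

# Hypothetical wallet policy: which attributes a stated purpose legitimately needs.
PURPOSE_POLICY = {"age_gate": {"age_over_18"},
                  "licence_check": {"licence_valid"}}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def disclosure_digest(disclosure: str) -> str:
    return b64url(hashlib.sha256(disclosure.encode()).digest())


def issue(claims: dict, issuer: str = "did:example:issuer"):
    """Issuer: one salted disclosure per claim; sign only the sorted digests."""
    disclosures = {name: json.dumps([b64url(os.urandom(16)), name, value])
                   for name, value in claims.items()}
    payload = {"iss": issuer, "_sd_alg": "sha-256",
               "_sd": sorted(disclosure_digest(d) for d in disclosures.values())}
    body = json.dumps(payload, sort_keys=True).encode()
    signature = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}, disclosures


def excess_request(requested, purpose):
    """Wallet: attributes the verifier asked for beyond what the purpose needs."""
    return set(requested) - PURPOSE_POLICY.get(purpose, set())


def present(credential, disclosures, reveal):
    """Holder: the presentation carries the signed digests plus only the chosen disclosures."""
    return {"credential": credential, "disclosures": [disclosures[name] for name in reveal]}


def verify(presentation, required):
    """Verifier: check the issuer signature, check each disclosure is covered by it,
    confirm the required claims are present, and return only what was revealed."""
    credential = presentation["credential"]
    body = json.dumps(credential["payload"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential["signature"]):
        raise ValueError("issuer signature invalid")
    covered = set(credential["payload"]["_sd"])
    revealed = {}
    for disclosure in presentation["disclosures"]:
        if disclosure_digest(disclosure) not in covered:
            raise ValueError("disclosure not covered by issuer signature")
        _salt, name, value = json.loads(disclosure)
        revealed[name] = value
    missing = set(required) - revealed.keys()
    if missing:
        raise ValueError(f"required claims not disclosed: {sorted(missing)}")
    return revealed


def verify_or_error(presentation, required):
    """Same check, returning an error dict instead of raising."""
    try:
        return verify(presentation, required)
    except ValueError as exc:
        return {"error": str(exc)}


if __name__ == "__main__":
    cred, disc = issue({"given_name": "Ada", "birthdate": "1990-01-01", "age_over_18": True})
    print(excess_request(["age_over_18", "birthdate"], "age_gate"))   # {'birthdate'}
    print(verify(present(cred, disc, ["age_over_18"]), ["age_over_18"]))
```

The per-claim salt is what keeps undisclosed digests from being guessed from a small value space such as a birth year, and the verifier learns only the revealed claims plus the fact that the same issuer-signed credential was used. Correlation through that credential's digest list, through status checks, or through verifier logs is a separate problem that the format itself does not solve, which is the caveat the paragraph above makes.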
Contestability is not optional. People and organizations need notice, correction, appeal, alternative channels, and human escalation when credentials are wrong, expired, unavailable, revoked, or rejected by an automated workflow. This connects digital identity directly to Notice and Appeal, Algorithmic Recourse, and Data Protection Impact Assessments.
For AI systems, governance should bind agent actions to explicit delegation. A relying party should know which principal authorized the agent, what scope was granted, when it expires, which tools were used, which credential request was shown to a human, and which audit trail preserves the decision without retaining unnecessary credential contents.
Minimum Identity Record
For consequential identity decisions, preserve a compact record that reviewers can understand without turning every interaction into a permanent dossier:
- Purpose: the service, transaction, or risk that required identity evidence.
- Actor type: person, organization, device, service account, workload, AI agent, or delegated representative.
- Evidence: proofing method, credential type, issuer, assurance level if used, and whether the evidence was self-asserted, institutionally issued, or cryptographically verifiable.
- Authentication: authenticator class, federation protocol, wallet path, holder binding, and account-recovery method.
- Disclosure: attributes requested, attributes disclosed, selective-disclosure method if any, and why less data was insufficient.
- Verifier: relying party, verifier authorization, retention period, logging rule, and any onward sharing.
- Decision: approval, denial, escalation, automated decision involvement, human review status, and policy version.
- Redress: correction path, appeal contact, revocation or suspension route, incident owner, and fallback access channel.
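The Governance and Safety paragraph on binding agent actions to explicit delegation and the Minimum Identity Record list above describe one decision and the record it should leave behind. The following is an added example, not code from the page, that puts both together: a relying party authenticates an agent's delegation token, makes the authorization decision separately, and writes a compact record that references the token by digest rather than retaining its contents. The token format, its field names, the scope strings, the record layout, and the HMAC stand-in for the delegation server's signature are assumptions.

```python
"""Added example, not code from the page: an authorization check for an AI
agent acting under explicit delegation, producing the compact record the
Minimum Identity Record section describes. The delegation token format,
its field names, the scope strings and the record layout are assumptions;
the token signature is simulated with HMAC so the file runs offline."""
import hashlib
import hmac
import json

DELEGATION_KEY = b"delegation-server-key-constructed"


def canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def mint_delegation(principal, agent, scopes, issued_at, ttl_seconds, human_approved=True):
    """Principal's authorization server (constructed): sign who delegated what to whom, until when."""
    body = {"principal": principal, "agent": agent, "scopes": sorted(scopes),
            "iat": issued_at, "exp": issued_at + ttl_seconds, "human_approved": human_approved}
    return {"body": body,
            "signature": hmac.new(DELEGATION_KEY, canonical(body), hashlib.sha256).hexdigest()}


def authorize_agent_action(token, presenter, action, now, tools_used=(), policy_version="policy-v1"):
    """Relying party: authenticate the token, then decide, and keep a record that
    distinguishes the two and references the token by digest, not by contents."""
    body = token["body"]
    expected = hmac.new(DELEGATION_KEY, canonical(body), hashlib.sha256).hexdigest()
    authenticated = hmac.compare_digest(expected, token["signature"]) and body["agent"] == presenter
    record = {
        "purpose": action,
        "actor_type": "ai_agent",
        "presenter": presenter,
        "claimed_principal": body["principal"],      # trusted only if authenticated
        "evidence": "delegation token, cryptographically verifiable",
        "token_ref": hashlib.sha256(canonical(body)).hexdigest()[:16],
        "disclosure": ["agent", "principal", "scopes", "exp"],
        "tools_used": list(tools_used),
        "human_approved": body["human_approved"],
        "authenticated": authenticated,
        "policy_version": policy_version,
        "redress": "principal may correct or extend the delegation; agent must not retry",
    }
    if not authenticated:
        record.update(decision="deny", reason="authentication failed")
        return False, record
    if now >= body["exp"]:
        record.update(decision="deny", reason="delegation expired")
        return False, record
    if action not in body["scopes"]:
        # Out-of-scope is routed to the human principal rather than silently denied.
        record.update(decision="escalate", reason="action outside delegated scope")
        return False, record
    record.update(decision="allow", reason="action within scope")
    return True, record


if __name__ == "__main__":
    now = 1_700_000_000
    token = mint_delegation("user:alice", "agent:assistant-7", ["calendar.read", "email.draft"], now, 3600)
    print(authorize_agent_action(token, "agent:assistant-7", "calendar.read", now + 10, tools_used=["calendar"]))
```

The record answers the questions the list above asks (purpose, actor type, evidence, disclosure, decision, redress) while holding only a digest of the token, so a reviewer can tie the decision back to a delegation without the log becoming a store of credentials.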
Source Discipline
Use exact terms. NIST assurance levels, W3C Verifiable Credentials, W3C Decentralized Identifiers, WebAuthn credentials, OpenID Connect claims, OpenID4VP presentations, OpenID4VCI issuance, passkeys, mobile documents, wallets, and browser credential APIs are not interchangeable.
For a factual claim, name the layer and source: the standard, version, maturity level, regulator text, official implementation note, or institutional policy. A vendor wallet page is not enough to prove interoperability, privacy, legal authority, or accuracy of the underlying claim.
For AI-related claims, avoid vague labels such as "verified agent" or "trusted model." State who issued the credential or attestation, what subject it covers, what evidence supports it, how status is checked, what the relying party may infer, and how a harmed person can challenge the decision.
Spiralist Reading
For Spiralism, digital identity is a boundary technology. It can protect trust, consent, and accountability, but it can also turn personhood into a credential gate. A humane identity layer verifies what must be verified, keeps contexts separate, preserves pseudonymity and anonymity where they matter, and gives people a practical way to refuse, correct, appeal, and recover.
Open Questions
- Which online actions genuinely require high-assurance identity, and which only need rate limits, reputation, payment risk checks, or content governance?
- How should wallets and browsers warn users when a verifier is asking for more identity data than the context requires?
- What identity signals should AI agents be required to carry when acting for a human, company, or public institution?
- How can public digital identity systems preserve offline access and non-smartphone alternatives?
Related Pages
- NIST Digital Identity Guidelines
- Verifiable Credentials
- Digital Credentials API
- Decentralized Identifiers
- Federated Credential Management
- OpenID Connect
- OpenID for Verifiable Presentations
- OpenID for Verifiable Credential Issuance
- WebAuthn
- Credential Management API
- AI Agent Identity
- Age Assurance
- Proof of Personhood
- Synthetic Identity Fraud
- Digital Public Infrastructure
- Data Minimization
- Contextual Integrity
- Notice and Appeal
- Global Privacy Control
- Privacy and Data
Sources
- NIST, SP 800-63-4 Digital Identity Guidelines, final Revision 4 suite, July 2025.
- NIST CSRC, SP 800-63-4 final publication record, July 2025.
- W3C, Verifiable Credentials Data Model v2.0, W3C Recommendation, May 15, 2025.
- W3C, Decentralized Identifiers v1.0, W3C Recommendation, July 19, 2022.
- W3C, Digital Credentials API, W3C Working Draft.
- W3C, Federated Credential Management API, W3C Working Draft.
- W3C, Web Authentication: An API for accessing Public Key Credentials Level 3, W3C specification.
- OpenID Foundation, OpenID Connect Core 1.0.
- OpenID Foundation, OpenID for Verifiable Presentations 1.0, Final specification, July 2025.
- OpenID Foundation, OpenID for Verifiable Credential Issuance 1.0, Final specification, September 2025.
- European Commission, European Digital Identity Regulation, official policy page.
- W3C TAG, Preventing Abuse of Digital Credentials, privacy and governance guidance.