By NHI Mgmt Group Editorial Team. Published 2023-07-05. Domain: Governance & Risk. Source: 1Kosmos

TL;DR: Digital identity wallets are gaining momentum as governments and standards bodies push beyond passwords, with Belgium’s itsme showing high adoption, monthly transaction volumes, and eIDAS 2.0 setting a broader European direction according to 1Kosmos. The governance problem is no longer just authentication, but how to prove who is acting online without centralising more personal data than security programmes can safely protect.


At a glance

What this is: This is an analysis of how digital identity, eIDAS 2.0, and digital wallets are changing online authentication and privacy assumptions.

Why it matters: It matters because IAM teams must prepare for identity models that span human login, verifiable credentials, and privacy-preserving access decisions across public and private services.



Context

Digital identity is the problem of proving who a person is online without making passwords and centrally stored profile data the only trust mechanism. The article argues that this matters because compromised credentials, phishing, and identity fraud have made conventional authentication too weak for modern transactions.

For IAM leaders, the real shift is from account authentication to portable proof, privacy control, and stronger assurance across services. That raises questions for human identity programmes, but it also foreshadows how identity patterns may be extended into broader lifecycle and governance models.

Belgium is used here as a reference point because it combines high digital adoption with a mature national identity model, making it a useful signal for other markets watching digital wallets, eID, and eIDAS 2.0 converge.


Key questions

Q: How should organisations move beyond password-based digital identity?

A: They should start by replacing passwords only where the business risk is highest and the identity proofing requirement is strongest. High-assurance workflows need stronger verification, selective disclosure, and better auditability than reusable credentials can provide. The goal is not to eliminate login factors everywhere at once, but to retire passwords as the default trust anchor in sensitive journeys.

Q: Why do digital identity wallets matter for IAM governance?

A: Digital identity wallets matter because they shift governance from storing all identity data centrally to controlling how claims are issued, shared, and expired. That gives IAM teams better privacy options, but it also creates new responsibilities around assurance, consent, and validation. The governance question becomes whether the claim was trustworthy at the moment it was presented.

Q: What do security teams get wrong about self-sovereign identity?

A: They often assume SSI is mainly a privacy feature. In practice, it is also a governance model that depends on trusted issuance, reliable validation, and lifecycle controls for every claim. Without those controls, SSI can become fragmented or poorly auditable, especially when multiple relying parties interpret the same attribute differently.

Q: Who should own digital identity wallet governance?

A: Ownership should sit across IAM, privacy, security architecture, and compliance, because wallet-based identity affects authentication, data handling, and regulatory alignment at the same time. No single team can own it fully. The practical answer is a shared governance model with clear authority for issuance policy, retention rules, and trust framework acceptance.


Technical breakdown

Why password-based authentication fails for digital identity

Passwords were designed for simple account access, not for proving legal identity across sectors, devices, and transactions. Once credentials are widely compromised, the model breaks down because authentication no longer establishes trust in the person, only in possession of a secret. The article’s core argument is that digital identity must separate proof of identity from repeated reuse of the same login factors. That means stronger verification, stronger binding to the real-world identity source, and less dependence on reusable credentials that can be phished or sold.

Practical implication: IAM teams should treat password-centric trust as a legacy control and plan for higher-assurance identity proofing.

How eIDAS 2.0 changes digital identity governance

eIDAS 2.0 pushes member states toward digital identity wallets that can carry verified attributes without forcing all identity data into one central database. That changes governance because the security model shifts from storing and reusing identity data to issuing, presenting, and validating claims on demand. It also introduces stronger privacy expectations, because users should be able to control what is shared, for how long, and with whom. For IAM and compliance teams, this means assurance, consent, and data minimisation become operational requirements rather than abstract policy goals.

Practical implication: build policy and audit controls around claim issuance, presentation, and expiry rather than only around account creation.

What zero-trust systems gain from verifiable credentials

In this model, zero trust no longer depends only on who authenticated earlier in the session. It can evaluate a presented claim, a risk score, or a credential quality signal without collecting more personal data than the transaction requires. That is a major architectural change because it supports selective disclosure, age verification, and time-limited access decisions. The result is a stronger separation between identity proof and data exposure, which helps reduce unnecessary retention of personal information across multiple providers.

Practical implication: design access flows that accept verified claims with minimal disclosure and clear retention limits.


NHI Mgmt Group analysis

Passwords are no longer a sufficient trust primitive for digital identity. The article makes clear that phishing, breach leakage, and identity fraud have turned reusable credentials into a weak foundation for online assurance. That failure is not just technical, it is architectural, because the same secret is expected to prove identity across many services and transactions. Practitioners should recognise that identity assurance now has to move beyond possession of a password or single login event.

Digital wallets shift the governance burden from central storage to controlled presentation. eIDAS 2.0 and SSI-style models reduce dependence on large identity repositories, but they do not remove governance. They move the control point to issuance, disclosure, expiry, and validation of claims. That means IAM teams must think about attribute trust, retention boundaries, and auditability as first-class policy objects.

Verifiable identity can improve privacy only if lifecycle governance is explicit. The article’s wallet model depends on knowing when data is shared, when it expires, and which claims are authoritative. Without lifecycle controls, even privacy-preserving identity systems can become brittle or overexposed. Practitioners should treat claim lifecycle as part of identity governance, not as an afterthought.

National digital identity programmes are becoming the reference model for enterprise IAM. Belgium’s adoption shows that convenience, assurance, and policy alignment can coexist when the trust stack is designed deliberately. For enterprises, the signal is that human identity programmes will increasingly be measured against wallet-based, claim-based, and privacy-aware patterns rather than legacy login design. Practitioners should prepare for that shift now.

Reusable Verified Identity is the right named concept for this transition. The article points toward an identity model where proof can be reused safely without re-sharing the underlying personal data. That matters because the field is moving from repeated authentication to controlled verification events. Practitioners should plan for identity architectures that preserve trust while shrinking the data footprint.

From our research:

  • More than 80% of Belgium's population has used itsme, making 25 to 35 million transactions per month, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
  • For a broader identity governance perspective, see NHI Lifecycle Management Guide for how lifecycle discipline changes when identity moves beyond a single login event.

What this signals

Reusable verified identity is becoming an enterprise design pattern, not just a government initiative. IAM teams should expect more pressure to support portable proof, selective disclosure, and attribute-level policy decisions as digital identity wallets mature. That will force identity programmes to connect authentication, privacy, and auditability in the same control plane.

The operational signal is that human identity governance is starting to resemble NHI lifecycle thinking in one key respect: the value is in governing claims over time, not only in authenticating once. Teams that already have strong lifecycle discipline will adapt faster than those still centered on static account controls.

As wallet models mature, the question for practitioners is not whether identity becomes more convenient, but whether their trust framework can safely consume claims without creating new retention or disclosure debt. The organisations that prepare now will be better placed to absorb eIDAS-style requirements and similar national identity shifts.


For practitioners

  • Reassess password-centric trust paths: Inventory where your current authentication model still relies on reusable credentials as the primary proof of identity. Replace those paths first in higher-risk workflows such as payments, healthcare access, and government-style entitlement flows.
  • Map identity proof to data minimisation rules: Define which attributes must be verified, which can be selectively disclosed, and which should never be retained beyond the transaction. Align those rules to privacy obligations and internal audit requirements.
  • Build claim-level lifecycle controls: Track issuance, expiry, revocation, and reuse of identity claims instead of treating identity as a one-time login event. Include logging for when a claim was presented and which relying party accepted it.
  • Prepare zero-trust policy for wallet-based proof: Update access decision logic so it can consume verified claims and contextual signals without demanding unnecessary personal data. This is especially important for age checks, entitlement verification, and regulated transactions.
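The third and fourth items above (claim-level lifecycle controls and an access decision that consumes a verified claim with minimal disclosure) can be made concrete with a small relying-party verifier. The following is an added example written for this page; it is not code from 1Kosmos, itsme, or any eIDAS wallet implementation. It uses an SD-JWT-style construction: the issuer commits to each claim with a salted hash, signs the list of digests plus expiry metadata, and hands the salts to the holder, who later reveals only the claims a relying party needs. An HMAC with a constructed key stands in for the issuer's real asymmetric signature so the example runs with the standard library alone; the credential identifier, claim names and relying-party names are all constructed sample values.

```python
"""Relying-party verifier for selectively disclosed identity claims (added example).

Shows issuance, minimal-disclosure presentation, expiry, revocation and
per-presentation audit logging. HMAC over the issuer's digest list is an
assumption standing in for a real issuer signature; all sample values are constructed.
"""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field

ISSUER_KEY = b"constructed-issuer-key"  # placeholder; real issuers sign with asymmetric keys


def _digest(salt: bytes, name: str, value) -> str:
    # Commit to one claim as sha256(salt, name, value); the salt stops guessing of low-entropy values
    payload = json.dumps([salt.hex(), name, value], separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def _sign(body: dict) -> str:
    signed = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ISSUER_KEY, signed, hashlib.sha256).hexdigest()


def issue(claims: dict, cred_id: str, issued_at: int, ttl: int):
    """Issuer side: per-claim salted digests go into the signed body, salts go to the holder."""
    disclosures, digests = {}, []
    for name, value in sorted(claims.items()):
        salt = os.urandom(16)
        disclosures[name] = (salt.hex(), value)
        digests.append(_digest(salt, name, value))
    body = {"id": cred_id, "iat": issued_at, "exp": issued_at + ttl, "_sd": sorted(digests)}
    return {"body": body, "sig": _sign(body)}, disclosures


def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """Holder side: attach only the disclosures the relying party asked for."""
    return {"credential": credential, "disclosed": {n: disclosures[n] for n in reveal}}


@dataclass
class Verifier:
    revoked: set = field(default_factory=set)   # issuer revocation list, constructed here
    audit_log: list = field(default_factory=list)

    def verify(self, presentation: dict, relying_party: str, now: int, required: list) -> dict:
        """Check signature, expiry, revocation and disclosure integrity, then log the event."""
        cred = presentation["credential"]
        body = cred["body"]
        outcome = {"ok": False, "claims": {}, "reason": ""}
        if not hmac.compare_digest(_sign(body), cred["sig"]):
            outcome["reason"] = "bad issuer signature"
        elif now >= body["exp"]:
            outcome["reason"] = "expired"
        elif body["id"] in self.revoked:
            outcome["reason"] = "revoked"
        else:
            for name, (salt_hex, value) in presentation["disclosed"].items():
                # A disclosed value is accepted only if its digest was committed by the issuer
                if _digest(bytes.fromhex(salt_hex), name, value) not in body["_sd"]:
                    outcome["reason"] = f"disclosure for {name} not committed by issuer"
                    break
                outcome["claims"][name] = value
            else:
                missing = [r for r in required if r not in outcome["claims"]]
                if missing:
                    outcome["reason"] = f"missing required claims: {missing}"
                else:
                    outcome["ok"] = True
        # Lifecycle record: which claims were presented to whom, when, and the decision
        self.audit_log.append({"cred": body["id"], "rp": relying_party, "at": now,
                               "claims": sorted(outcome["claims"]),
                               "ok": outcome["ok"], "reason": outcome["reason"]})
        return outcome


def demo() -> dict:
    """Walk through the outcomes a relying party has to handle; all values are constructed."""
    now = 1_700_000_000
    cred, disc = issue({"name": "Constructed Person", "birth_year": 1990,
                        "over_18": True, "nationality": "BE"}, "cred-demo-001", now, 3600)
    v = Verifier()
    results = {}
    # Age check: only over_18 is disclosed; name and birth_year never reach the relying party
    results["age_ok"] = v.verify(present(cred, disc, ["over_18"]), "rp-age-check", now + 10, ["over_18"])
    # Altered disclosure: the digest no longer matches the signed commitment
    forged = present(cred, disc, ["nationality"])
    forged["disclosed"]["nationality"] = (disc["nationality"][0], "XX")
    results["forged"] = v.verify(forged, "rp-entitlement", now + 20, ["nationality"])
    # Presentation after expiry
    results["expired"] = v.verify(present(cred, disc, ["over_18"]), "rp-age-check", now + 7200, ["over_18"])
    # Issuer revoked the credential
    v.revoked.add("cred-demo-001")
    results["revoked"] = v.verify(present(cred, disc, ["over_18"]), "rp-age-check", now + 30, ["over_18"])
    results["log"] = v.audit_log
    return results


if __name__ == "__main__":
    print(json.dumps(demo()["log"], indent=1))
```

The point of the structure is that the relying party's decision and its audit record are produced together: every presentation, accepted or not, leaves a log entry naming the credential, the relying party and the claim names (not the values), which is the lifecycle evidence the text asks for without retaining the personal data itself.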

Key takeaways

  • Digital identity is moving from reusable login secrets toward verifiable claims and privacy-aware proof.
  • The scale of compromised credentials shows why password-based trust is no longer adequate for high-value transactions.
  • IAM teams should prepare for identity governance that covers issuance, disclosure, expiry, and validation together.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST SP 800-63 | | Digital identity proofing and authentication are central to the article's trust model.
NIST CSF 2.0 | PR.AC-1 | Identity proofing and access control are directly implicated by wallet-based trust.
NIST Zero Trust (SP 800-207) | ID | The article's claim-based access model aligns with zero-trust identity verification.

Use NIST 800-63 assurance principles to raise identity proofing strength for high-risk transactions.


Key terms

  • Digital Identity Wallet: A digital identity wallet is a user-controlled container for verified identity data and credentials that can be presented to relying parties. It reduces the need to store all personal information centrally and supports selective disclosure, but it still depends on strong issuance, validation, and lifecycle governance.
  • Self-Sovereign Identity: Self-sovereign identity is an identity model in which the individual has more control over which identity attributes are shared and with whom. It does not remove trust requirements. It shifts them toward trusted issuance, verifiable presentation, and policy-controlled data sharing.
  • Selective Disclosure: Selective disclosure is the practice of sharing only the minimum identity attributes needed for a transaction. It improves privacy and lowers data exposure, but it requires reliable cryptographic or policy-based mechanisms to ensure the relying party receives a valid claim without the rest of the personal record.
  • Verifiable Credential: A verifiable credential is a digitally issued claim that can be checked by a relying party against a trusted issuer. It is useful when identity needs to be portable across services, but its value depends on issuance integrity, revocation handling, and clear rules for expiry and reuse.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.

This post draws on content published by 1Kosmos: digital identity, Belgium, and the path to self-sovereign identity. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2023-07-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org