📱 EU Digital Identity Wallet

Personal credential vault enabling portable, verifiable identity across Europe

What It Is

The EU Digital Identity (EUDI) Wallet is a mobile application that allows EU citizens to store, manage, and present verifiable credentials: digital equivalents of physical documents such as driver's licenses, university diplomas and health cards. Under the revised eIDAS regulation (Regulation (EU) 2024/1183, commonly called eIDAS 2.0), every member state must offer at least one wallet to its citizens and residents by the end of 2026; use of the wallet is voluntary.

Core Principle: User-controlled (self-sovereign style) identity. Users control which credentials they share, with whom, and for how long. No central database stores citizen data; wallets are personal vaults whose keys live in device hardware and are unlocked by biometric or PIN authentication.

Unlike traditional identity systems, where service providers query central registries, EUDI Wallets use holder-presented credentials: the user receives a cryptographically signed credential from an issuer (e.g., a government agency or university) and presents it directly to a verifier (e.g., an employer or bank). The issuer is not contacted at presentation time, so it cannot observe where the credential is used; this is also why bulk status lists are preferred over per-credential online revocation checks, which would leak each presentation back to the issuer.

Technical Architecture

Component Stack

| Layer | Technology | Purpose |
|---|---|---|
| Credential Format | ISO/IEC 18013-5 mdoc and IETF SD-JWT VC (the formats the Architecture Reference Framework requires); W3C Verifiable Credentials (VC) 2.0 as an optional JSON-LD or JWT representation | Encoding of the claims and the issuer's signature |
| Identifier | W3C Decentralized Identifiers (DID) where used; in the eIDAS trust framework issuers are anchored in X.509 certificates published on trusted lists | Cryptographically verifiable identification of issuers and holders |
| Presentation Protocol | OpenID4VP (Verifiable Presentations) | OAuth 2.0 extension for credential sharing |
| Issuance Protocol | OpenID4VCI (Verifiable Credential Issuance) | Standardized credential delivery to wallets |
| Cryptography | ECDSA (P-256), EdDSA, RSA-PSS | Digital signatures for credential integrity |
| Selective Disclosure | SD-JWT (Selective Disclosure JWT); mdoc per-element digests | Share only required attributes (e.g., age ≥ 18, not the birthdate) |
| Holder Binding | SD-JWT key binding (`cnf` claim plus KB-JWT), mdoc device key, DID Auth; biometric unlock of the wallet key | Prove the presenter holds the key the credential was issued to |
| Revocation | Bitstring Status List (formerly Status List 2021), IETF Token Status List; OCSP for X.509-based credentials | Check whether a credential has been revoked |

High-Level Flow Diagram

```text
                         EUDI Wallet Ecosystem

  ISSUER                      HOLDER                      VERIFIER
  (Government, University)    (Citizen's wallet)          (Employer, Bank, ...)
     |                           |                           |
     |<-- 1. Credential request  |                           |
     |       (OpenID4VCI)        |                           |
     |-- 2. Issue VC (signed) -->|                           |
     |    {claims, proof, schema}|                           |
     |                           |<-- 3. Presentation request|
     |                           |       (OpenID4VP)         |
     |                           |-- 4. Present VP (signed) >|
     |                           |    {selected claims, proof}
     |                           |                           | 5. Verify signature
     |                           |                           |    (against issuer DID)

Storage: Wallet stores VCs locally (encrypted, biometric-protected)
Trust:   Verifier checks issuer's DID against Trust Registry
Privacy: Holder chooses which attributes to share (selective disclosure)
```

Core Standards & Specifications

W3C Verifiable Credentials 2.0

VCs are JSON-LD or JWT documents containing claims about a subject (the holder), issued by a trusted authority and cryptographically signed. Example structure (this instance uses the VC 1.1 context with `issuanceDate`/`expirationDate`; VC 2.0 uses the `https://www.w3.org/ns/credentials/v2` context with `validFrom`/`validUntil`):

```json
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1"
  ],
  "type": ["VerifiableCredential", "UniversityDegreeCredential"],
  "issuer": "did:web:university.fi",
  "issuanceDate": "2024-09-01T12:00:00Z",
  "expirationDate": "2029-09-01T12:00:00Z",
  "credentialSubject": {
    "id": "did:key:z6Mkv...",
    "degree": {
      "type": "MasterDegree",
      "name": "Master of Science in Computer Science",
      "university": "University of Helsinki"
    }
  },
  "proof": {
    "type": "Ed25519Signature2020",
    "created": "2024-09-01T12:00:00Z",
    "verificationMethod": "did:web:university.fi#key-1",
    "proofPurpose": "assertionMethod",
    "proofValue": "z5vK9..."
  }
}
```

Selective Disclosure JWT (SD-JWT)

Allows holders to reveal only specific attributes. For example, proving age ≥ 18 without disclosing the exact birthdate. Note that SD-JWT cannot compute predicates over hidden values; the issuer therefore includes a derived `age_over_18` claim in clear text, and only the personal attributes are made selectively disclosable:

```json
// Issuer-signed SD-JWT payload: hidden claims appear only as salted SHA-256 digests in "_sd";
// "age_over_18" is a derived attribute the issuer leaves in clear text.
{
  "iss": "https://dvv.fi",
  "sub": "did:key:z6Mkv...",
  "_sd_alg": "sha-256",
  "_sd": ["<digest of birthdate disclosure>", "<digest of address disclosure>", "<digest of name disclosure>"],
  "age_over_18": true,
  "cnf": { "jwk": { "kty": "EC", "crv": "P-256", "x": "...", "y": "..." } }
}
// Holder presents the SD-JWT with zero disclosures, followed by a key-binding JWT
// signed with the key in "cnf" over the verifier's nonce and identifier:
//   <issuer-signed JWT>~<key-binding JWT>
// The verifier sees only "age_over_18": true; no salts, no disclosures, no personal details.
```
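The digest mechanics behind that sketch, as an added worked example written for this page (not code from the wallet, any EU project, or an SD-JWT library): the issuer turns each hidden claim into a salted disclosure and signs only the digests, the holder appends the disclosures it chooses to reveal, and the verifier admits a disclosure only if its digest is in the signed `_sd` array. The issuer identifier, key and sample claims are constructed, and the issuer signature is an HMAC stand-in because the Python standard library has no ES256; a real issuer signs with its private key and the verifier uses the published public key. The holder's key-binding JWT is left out to keep the focus on disclosure handling.

```python
"""SD-JWT selective disclosure mechanics: issue, present a subset, verify (added example)."""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"constructed-demo-key"  # HMAC stand-in for the issuer's ES256 private key (assumption)
ISSUER = "https://issuer.example"     # assumed issuer identifier


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def disclosure_digest(disclosure: str) -> str:
    # The digest covers the ASCII bytes of the base64url-encoded disclosure, as the spec requires.
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def sign(payload: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "vc+sd-jwt"}).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(ISSUER_KEY, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"


def payload_of(sd_jwt: str) -> dict:
    return json.loads(b64url_decode(sd_jwt.split(".")[1]))


def issue(visible: dict, hidden: dict, decoys: int = 2):
    """Return (sd_jwt, {claim_name: disclosure}); `visible` claims stay in clear text."""
    disclosures = {}
    for name, value in hidden.items():
        salt = b64url(secrets.token_bytes(16))  # fresh 128-bit salt: digests cannot be brute-forced
        disclosures[name] = b64url(json.dumps([salt, name, value]).encode())
    digests = [disclosure_digest(d) for d in disclosures.values()]
    # Decoy digests hide how many claims the credential really carries.
    digests += [b64url(hashlib.sha256(secrets.token_bytes(32)).digest()) for _ in range(decoys)]
    # Sorted so the array order leaks nothing about which digest belongs to which claim.
    payload = {"iss": ISSUER, "_sd_alg": "sha-256", "_sd": sorted(digests), **visible}
    return sign(payload), disclosures


def present(sd_jwt: str, disclosures: dict, reveal) -> str:
    """Holder: combined format <sd-jwt>~<disclosure>~...~ (key-binding JWT left out here)."""
    return "~".join([sd_jwt, *(disclosures[name] for name in reveal), ""])


def verify(presentation: str) -> dict:
    """Verifier: check the signature, then admit only disclosures whose digest is in `_sd`."""
    sd_jwt, *disclosed, _key_binding = presentation.split("~")
    header, body, sig = sd_jwt.split(".")
    expected = hmac.new(ISSUER_KEY, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        raise ValueError("issuer signature invalid")
    payload = json.loads(b64url_decode(body))
    if payload.get("_sd_alg") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    allowed = set(payload.pop("_sd", []))
    claims = {k: v for k, v in payload.items() if k != "_sd_alg"}
    for disclosure in disclosed:
        if disclosure_digest(disclosure) not in allowed:
            raise ValueError("disclosure is not bound to the signed credential")
        _salt, name, value = json.loads(b64url_decode(disclosure))
        if name in claims:
            raise ValueError(f"claim {name} disclosed twice")
        claims[name] = value
    return claims


def forge_claim(sd_jwt: str, name: str, value) -> str:
    """Attacker rewrites a clear-text claim but cannot re-sign; verify() must reject the result."""
    header, _body, sig = sd_jwt.split(".")
    payload = dict(payload_of(sd_jwt), **{name: value})
    return f"{header}.{b64url(json.dumps(payload, separators=(',', ':')).encode())}.{sig}"


def rejects(presentation: str) -> bool:
    try:
        verify(presentation)
        return False
    except ValueError:
        return True


# Constructed sample credential: one derived claim in clear, three personal claims hidden.
SD_JWT, DISCLOSURES = issue(
    visible={"age_over_18": True},
    hidden={"name": "Maija Virtanen", "birthdate": "1990-05-01", "address": "Helsinki"},
)
```

`verify(present(SD_JWT, DISCLOSURES, []))` yields only `iss` and `age_over_18`; a disclosure the issuer never signed, or an edited clear-text claim, is rejected because its digest or signature no longer matches.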

OpenID4VP (Verifiable Presentations)

Extends OAuth 2.0 for credential presentation. The verifier creates a presentation request carrying a fresh `nonce`; the wallet responds with a VP whose holder proof covers that nonce and the verifier's `client_id`, so a captured response cannot be replayed to another verifier:

```json
// 1. Verifier creates the authorization request (delivered as QR code or deep link):
{
  "response_type": "vp_token",
  "client_id": "https://bank.fi",
  "nonce": "n-0S6_WzA2Mj",
  "response_mode": "direct_post",
  "presentation_definition": {
    "id": "age_check",
    "input_descriptors": [{
      "id": "id_credential",
      "constraints": {
        "fields": [{
          "path": ["$.credentialSubject.age_over_18"],
          "filter": { "const": true }
        }]
      }
    }]
  }
}
// 2. Wallet responds with the VP token: an SD-JWT presentation (or a W3C VP object) whose
//    key-binding proof is signed by the holder over the verifier's client_id and nonce:
{
  "vp_token": "<SD-JWT>~<selected disclosures>~<KB-JWT with aud=client_id, nonce>",
  "presentation_submission": {
    "id": "...",
    "definition_id": "age_check",
    "descriptor_map": [{ "id": "id_credential", "format": "vc+sd-jwt", "path": "$" }]
  }
}
```
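The exchange above as a runnable model, added for this page and not taken from any wallet or verifier implementation. It shows the verifier issuing a request with a single-use `nonce`, the wallet selecting a credential that satisfies the input descriptors and disclosing only the requested paths, and the verifier redeeming the response exactly once and checking the audience. The credential is a plain claims dict standing in for a signed SD-JWT or mdoc, `key_binding` stands in for the KB-JWT, and the issuer-signature and trust checks are assumed to run before `Verifier.accept`; the wallet contents and the bank's `client_id` are constructed sample data.

```python
"""OpenID4VP request/response exchange with single-use nonce and audience checks (added example)."""
import secrets
import time

NONCE_TTL_SECONDS = 300  # how long a request stays redeemable (assumption)


def resolve(path: str, doc):
    """Tiny JSONPath subset: '$.a.b' -> doc['a']['b'], or None when absent."""
    node = doc
    for key in path.lstrip("$").strip(".").split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def set_path(doc: dict, path: str, value) -> None:
    keys = path.lstrip("$").strip(".").split(".")
    for key in keys[:-1]:
        doc = doc.setdefault(key, {})
    doc[keys[-1]] = value


def satisfies(value, flt: dict) -> bool:
    """JSON-Schema-style filter subset used in Presentation Exchange fields."""
    if value is None:
        return False  # the field is required whether or not a filter is given
    if "const" in flt and value != flt["const"]:
        return False
    if "enum" in flt and value not in flt["enum"]:
        return False
    return True


def field_ok(field: dict, cred: dict) -> bool:
    return any(satisfies(resolve(p, cred), field.get("filter", {})) for p in field["path"])


class Verifier:
    def __init__(self, client_id: str):
        self.client_id = client_id
        self._pending = {}  # nonce -> (expiry, presentation_definition); each nonce is single-use

    def create_request(self, input_descriptors: list) -> dict:
        nonce = secrets.token_urlsafe(32)
        definition = {"id": secrets.token_hex(8), "input_descriptors": input_descriptors}
        self._pending[nonce] = (time.time() + NONCE_TTL_SECONDS, definition)
        return {"response_type": "vp_token", "client_id": self.client_id, "nonce": nonce,
                "response_mode": "direct_post", "presentation_definition": definition}

    def accept(self, response: dict) -> dict:
        """Redeem the nonce exactly once, check the audience, then check every descriptor."""
        binding = response.get("key_binding", {})
        entry = self._pending.pop(binding.get("nonce"), None)  # pop: a replay finds nothing
        if entry is None:
            raise ValueError("unknown or already-used nonce: replay rejected")
        expiry, definition = entry
        if time.time() > expiry:
            raise ValueError("request expired")
        if binding.get("aud") != self.client_id:
            raise ValueError("presentation was bound to a different verifier")
        claims = response["vp_token"]
        for descriptor in definition["input_descriptors"]:
            if not all(field_ok(f, claims) for f in descriptor["constraints"]["fields"]):
                raise ValueError(f"descriptor {descriptor['id']} not satisfied")
        return claims


def wallet_respond(request: dict, credentials: list):
    """Wallet: pick a credential meeting every field of each descriptor; disclose only those paths."""
    disclosed = {}
    for descriptor in request["presentation_definition"]["input_descriptors"]:
        fields = descriptor["constraints"]["fields"]
        match = next((c for c in credentials if all(field_ok(f, c) for f in fields)), None)
        if match is None:
            return None  # the wallet tells the user no suitable credential exists
        for f in fields:
            for p in f["path"]:
                if resolve(p, match) is not None:
                    set_path(disclosed, p, resolve(p, match))
    # The key-binding proof ties this response to the requesting verifier and its nonce.
    return {"vp_token": disclosed,
            "key_binding": {"aud": request["client_id"], "nonce": request["nonce"]}}


def rejected(verifier: Verifier, response: dict) -> bool:
    try:
        verifier.accept(response)
        return False
    except ValueError:
        return True


WALLET_CREDENTIALS = [  # constructed sample wallet contents
    {"type": "PersonIdentificationData",
     "credentialSubject": {"age_over_18": True, "name": "Maija Virtanen", "birthdate": "1990-05-01"}},
    {"type": "MobileDrivingLicence",
     "credentialSubject": {"licence_categories": ["B"], "age_over_18": True}},
]
AGE_CHECK = [{"id": "id_credential", "constraints": {"fields": [
    {"path": ["$.credentialSubject.age_over_18"], "filter": {"const": True}}]}}]
```

The two checks that matter most for a verifier are visible in `accept`: the nonce is removed from the pending set before anything else is evaluated, so a second submission of the same response fails, and a response whose binding names another `client_id` is refused even though its claims would satisfy the descriptors.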

Real-World Credential Flows

Use Case 1: Applying for a Job

Scenario: Citizen applies for a job requiring a university degree and work permit.
  1. Employer sends presentation request (QR code or link) specifying required credentials
  2. Wallet prompts user to select which credentials to share (degree, work permit)
  3. User approves (biometric authentication)
  4. Wallet creates VP with selected credentials, signed with the holder's key (key binding to the credential's `cnf` key)
  5. Employer verifies signatures against Trust Registry, checks revocation status
  6. Automatic eligibility check: no manual document review needed

Use Case 2: Bank Loan Application

Scenario: Citizen applies for a mortgage; the bank needs income verification.
  1. Bank requests proof that annual income is ≥ 60 k€
  2. The tax office credential carries an issuer-computed threshold claim (e.g., income over 60 k€: yes/no) that the holder reveals via SD-JWT without disclosing the exact salary
  3. Arbitrary range proofs over a hidden salary value require zero-knowledge techniques (ZK-SNARKs or similar), a planned future enhancement
  4. Bank receives the confirmation without accessing the user's detailed financial data
  5. Privacy preserved, compliance maintained, loan processed without manual document handling

Use Case 3: Cross-Border Travel

Scenario: Finnish citizen travels to Spain, rents a car.
  1. Rental agency requests driver's license and age verification
  2. EUDI Wallet presents Finnish driver's license VC (ISO/IEC 18013-5 mobile driving licence format, recognised EU-wide)
  3. Spanish verifier trusts Finnish issuer (via EU Trust Registry)
  4. Instant verification: no need to inspect physical documents or validate foreign IDs
  5. Interoperability achieved through shared standards (eIDAS 2.0)

Implementation Considerations

Security & Privacy

| Requirement | Implementation |
|---|---|
| Credential Storage | Private keys in hardware-backed keystores (Android Keystore/StrongBox, iOS Secure Enclave); credentials encrypted at rest with keys bound to that hardware |
| Authentication | Biometric (fingerprint, face) with PIN fallback, required before any use of the wallet key |
| Consent | Explicit approval for each presentation (no background sharing) |
| Revocation Checking | Bitstring Status List (formerly Status List 2021) fetched periodically, or real-time OCSP for X.509-based credentials; fail closed when the status cannot be obtained |
| Backup & Recovery | Encrypted, user-controlled cloud backup or social recovery; hardware-bound keys cannot be exported, so credentials are reissued to the new key after recovery |
| Device Loss | Revoke the wallet's keys/DID, reissue credentials to the new device |

Issuer Integration

Government agencies and other credential issuers integrate via OpenID4VCI:

Example: University issues degree credential
  1. Student authenticates to the university portal
  2. University backend generates the VC:
     - Queries the student database for degree data
     - Constructs the VC according to the schema (e.g., EuropeanDigitalCredential)
     - Signs it with the university's DID key
  3. University exposes an OpenID4VCI endpoint
  4. Student's wallet fetches the credential via the OAuth flow (credential offer, token, then a credential request carrying proof of possession of the wallet key)
  5. Credential stored locally; issuer retains no copy

Verifier Integration

Example: Employer verifies degree credential
  1. Employer generates presentation request (QR code)
  2. Applicant scans QR with wallet, approves presentation
  3. Employer receives VP with degree credential
  4. Employer verifies:
     a. Signature valid (university's public key from DID)
     b. Credential not revoked (check Status List)
     c. Issuer trusted (check Trust Registry)
     d. Schema matches expected format
     e. Presentation is fresh and addressed to this employer (nonce and audience in the holder's key-binding proof)
  5. Decision automated: eligible candidates flagged instantly
Implementation Challenge: Verifiers must integrate with the Trust Registry (in eIDAS terms, the national trusted lists) to validate issuer identities. Without this, anyone with a key pair could mint credentials that verify cryptographically yet carry no authority. National trust infrastructure (see: Distributed Trust Registry) is critical for ecosystem security.
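Steps 4b to 4d above, written out as an added example for this page (not code from any verifier product or EU reference implementation). The revocation check decodes a bitstring status list the way W3C Bitstring Status List (formerly Status List 2021) defines it: a GZIP-compressed bitstring, base64url-encoded, with bit 0 being the most significant bit of the first byte, so a verifier only needs the credential's `statusListIndex` and one cached list. The trust registry, schema table, status-list URL, sample credential and the fixed clock values are constructed; `signature_valid` is the outcome of the cryptographic check in step 4a, which is assumed to have run first.

```python
"""Verifier-side checks after the signature check: trust registry, validity window, status list, schema."""
import base64
import gzip
from datetime import datetime, timezone

MIN_LIST_BITS = 131_072  # spec minimum list size (16 KiB); large lists give each index herd privacy


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_status_list(revoked_indexes, size_bits: int = MIN_LIST_BITS) -> str:
    """Issuer side: set one bit per revoked credential, gzip, base64url."""
    bits = bytearray(size_bits // 8)
    for index in revoked_indexes:
        bits[index // 8] |= 0x80 >> (index % 8)  # bit 0 is the MSB of byte 0
    return b64url(gzip.compress(bytes(bits)))


def is_revoked(encoded_list: str, index: int) -> bool:
    """Verifier side: decode the list and test the credential's own bit."""
    bits = gzip.decompress(b64url_decode(encoded_list))
    if index < 0 or index >= len(bits) * 8:
        raise ValueError("statusListIndex outside the published list")
    return bool(bits[index // 8] & (0x80 >> (index % 8)))


def lookup(doc, dotted: str):
    for key in dotted.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


# Constructed trust registry: which issuers are active and which credential types they may issue.
TRUST_REGISTRY = {
    "did:web:university.fi": {"status": "active", "allowed_types": {"UniversityDegreeCredential"}},
}
# Constructed schema table: fields every credential of a type must carry.
SCHEMAS = {
    "UniversityDegreeCredential": ["credentialSubject.id", "credentialSubject.degree.type",
                                   "credentialSubject.degree.name"],
}


def verify_credential(vc: dict, status_lists: dict, signature_valid: bool, now: datetime) -> list:
    """Return the list of failed checks; an empty list means the credential is acceptable."""
    if not signature_valid:
        return ["issuer signature invalid"]  # nothing below means anything on unsigned data
    failures = []
    issuer = TRUST_REGISTRY.get(vc.get("issuer"))
    cred_type = next((t for t in vc.get("type", []) if t != "VerifiableCredential"), None)
    if issuer is None or issuer["status"] != "active":
        failures.append("issuer not in trust registry")
    elif cred_type not in issuer["allowed_types"]:
        failures.append(f"issuer not authorised for {cred_type}")
    # Validity window (VC 1.1 field names; VC 2.0 uses validFrom/validUntil).
    not_before = datetime.fromisoformat(vc["issuanceDate"].replace("Z", "+00:00"))
    not_after = datetime.fromisoformat(vc["expirationDate"].replace("Z", "+00:00"))
    if not (not_before <= now <= not_after):
        failures.append("outside validity period")
    status = vc.get("credentialStatus")
    if status is None:
        failures.append("no credentialStatus: revocation cannot be checked")
    else:
        encoded = status_lists.get(status["statusListCredential"])
        if encoded is None:
            failures.append("status list unavailable: fail closed")
        elif is_revoked(encoded, int(status["statusListIndex"])):
            failures.append("credential revoked")
    for field in SCHEMAS.get(cred_type, []):
        if lookup(vc, field) is None:
            failures.append(f"schema: missing {field}")
    return failures


# Constructed sample, shaped like the degree credential shown earlier on this page.
SAMPLE_VC = {
    "type": ["VerifiableCredential", "UniversityDegreeCredential"],
    "issuer": "did:web:university.fi",
    "issuanceDate": "2024-09-01T12:00:00Z",
    "expirationDate": "2029-09-01T12:00:00Z",
    "credentialStatus": {"type": "BitstringStatusListEntry", "statusPurpose": "revocation",
                         "statusListIndex": "94567",
                         "statusListCredential": "https://university.fi/status/3"},  # assumed URL
    "credentialSubject": {"id": "did:key:z6Mkv...",
                          "degree": {"type": "MasterDegree", "name": "Master of Science in Computer Science"}},
}
# Constructed published list: two other credentials revoked, index 94567 still valid.
STATUS_LISTS = {"https://university.fi/status/3": encode_status_list({12, 94568})}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)    # fixed clock for the example
LATER = datetime(2030, 1, 1, tzinfo=timezone.utc)  # after the credential expires
```

Two design points worth keeping in a real verifier: the status list is treated as fail-closed (an unreachable list is a failure, not a pass), and the trust-registry check is per credential type, so an issuer that is trusted for one kind of credential cannot be accepted for another.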

Deployment Timeline

| Phase | Timeframe | Deliverables |
|---|---|---|
| Pilot Programs | 2024-2025 | Limited rollout in select member states (Germany, Spain, Finland leading) |
| National Wallets | 2026 | All EU member states provide EUDI Wallets to citizens |
| Cross-Border Recognition | 2026-2027 | Mutual recognition of credentials across the EU (via Trust Registry) |
| Private Sector Adoption | 2027+ | Banks, employers, service providers integrate verification |
| Advanced Features | 2028+ | Zero-knowledge proofs, attribute-based credentials, federated identity |
