Artur's notes

Self-sovereign identity: ideology isn’t a product

Self-sovereign identity promised individuals portable, privacy-preserving credentials they control, not platforms. A decade on, the idea still struggles because it keeps competing with logins instead of fixing attestation.

Most digital journeys need two different things: a session and an attribute. OAuth/OIDC gives you a session quickly; it does not give you a regulator-grade proof of age, license, residency, or training across domains. Reusable, issuer-signed credentials with selective disclosure do target that gap, but they rarely show up where the pain is measured.

Where the pain is measurable, budgets exist. Fintechs repeat KYC at high cost, merchants absorb card-not-present fraud, platforms juggle age-assurance mandates, and enterprises re-verify workforce training at each supplier boundary. Put SSI-style credentials there and tie success to KPIs: fewer manual reviews, lower false accepts, shorter time-to-revenue, and smaller privacy blast radius.

The developer story must match the web as it is.

Lead with OIDC4VCI for issuance, SIOPv2 or mdoc-over-the-internet for presentation, and Status List–style revocation; treat JSON-LD as an option, not a religion. Prefer did:web for issuers unless you truly need a public ledger; keep DID methods pairwise for correlation resistance; reserve blockchains for the narrow cases that need decentralized timestamping or consortium governance.

Regulation is not the enemy if you map roles precisely. Issuers and verifiers are controllers; the holder is the data subject; presentations are purpose-limited and minimized. Put consent receipts, audit trails, and dispute resolution into the profile, and document the lawful bases for issuance and verification. Show privacy engineering, not slogans: unlinkable presentations, short-lived credentials, batched status lists, and soft-revocation patterns.
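The batched status list named here, and the Status List revocation called for in the stack above, is worth seeing in code: the issuer publishes one compressed bitstring covering every credential it has issued, and the verifier fetches the whole list and checks a single index locally, so the issuer never learns which holder is being verified. The example below is mine, not the author's or any project's code; it assumes the W3C Bitstring Status List conventions of a 131,072-entry minimum list, gzip plus base64url encoding, and index 0 as the most-significant bit of the first byte.

```python
import base64
import gzip

# Minimum list length from the W3C Bitstring Status List spec (16 KiB of bits).
# A large fixed size is the privacy feature: one fetch covers the whole herd.
MIN_ENTRIES = 131_072


def encode_status_list(revoked: set[int], size: int = MIN_ENTRIES) -> str:
    """Issuer side: set one bit per revoked credential index, gzip, base64url."""
    if size % 8:
        raise ValueError("list size must be a multiple of 8 bits")
    if any(i < 0 or i >= size for i in revoked):
        raise ValueError("status index out of range for this list")
    bits = bytearray(size // 8)
    for i in revoked:
        bits[i // 8] |= 0x80 >> (i % 8)  # index 0 = MSB of byte 0 (assumed bit order)
    compressed = gzip.compress(bytes(bits))
    return base64.urlsafe_b64encode(compressed).rstrip(b"=").decode("ascii")


def decode_status_list(encoded: str) -> bytes:
    """Verifier side: restore base64 padding, inflate to the raw bitstring."""
    padded = encoded + "=" * (-len(encoded) % 4)
    return gzip.decompress(base64.urlsafe_b64decode(padded))


def is_revoked(encoded: str, index: int) -> bool:
    """Check one credential's bit. Out-of-range indexes fail closed (raise),
    which the relying party should treat as 'cannot verify', not 'valid'."""
    bits = decode_status_list(encoded)
    if index < 0 or index >= len(bits) * 8:
        raise ValueError("index outside the published list; fail closed")
    return bool(bits[index // 8] & (0x80 >> (index % 8)))


if __name__ == "__main__":
    # Constructed sample: an issuer revokes two of its credentials.
    published = encode_status_list({5, 70_000})
    print(f"published list is {len(published)} chars for {MIN_ENTRIES} entries")
    for idx in (5, 6, 70_000):
        print(idx, "revoked" if is_revoked(published, idx) else "valid")
```

The credential itself carries only its index and the list URL, so revocation state, not identity, is what the verifier downloads.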

UX must hide cryptography without hiding accountability. Bind wallets to device secure hardware or passkeys; support social and institutional recovery with threshold secrets; enable custodial or guardianship models for citizens who opt in; surface human-readable issuer names, scope, and expiry; fail closed without marooning the user.

Governance beats vibes. The EU’s EUDI wallet, ISO mdoc, NIST and ETSI profiles, and OpenWallet Foundation work are converging on verifiable, state-anchored credentials with clear liability.

Treat "SSI" as a design pattern—pairwise identifiers, selective disclosure, user-held verifiers—implemented inside governed ecosystems, not as a quest to abolish authorities.

Stop trying to replace "Login with X." Augment it. Let an RP start with OIDC for session, then request a fit-for-purpose credential: an age attestation for content access, a KYC token for account funding, a workforce certificate for plant entry. Ship reference flows: issuer discovery, consent UX, mobile-to-web handoff, deferred verification, and step-up when risk flags trip.

Pick three wedge use cases and industrialize them.

Drop the ideology, keep the properties. Call it "verifiable data wallets," not "self-sovereign." Measure fraud avoided, minutes saved, and fines not paid. Make migration incremental, interoperability boring, and governance explicit.

When SSI stops arguing with sessions and starts deleting cost centers, adoption will look like an engineering decision, not a belief system.