What Is The History of Digital Identity?

Digital identity has evolved through distinct phases, each shaped by the technology and needs of its era. Understanding this history explains why we've arrived at today's model of verifiable, user-controlled credentials, and why earlier approaches fell short.

The missing identity layer

As Kim Cameron, longtime Chief Architect of Identity at Microsoft, famously observed: "The internet was built without an identity layer." This foundational gap explains much of the complexity we see today.

Early internet networks were built by and for trusted communities: governments, universities, and research institutions, where everyone knew everyone else. As the internet expanded to the general public, no universal approach for trusted identities emerged. The result was a fragmented landscape where each application managed its own silo of user data.

The era of siloed accounts

The first generation of digital identity was simple: each website or service maintained its own database of usernames and passwords. Users created separate accounts everywhere they went online. This model worked when people used only a handful of services, but it scaled poorly.

According to NordPass, the average person now maintains over 150 passwords. Each application stores its own copy of user data, creating massive security risks. Every database becomes a target for attackers. Data breaches expose millions of records at a time. Users reuse passwords across sites, meaning a breach at one service compromises accounts everywhere.

This fragmentation also created friction. Proving identity for high-value use cases like opening a bank account often required showing a physical card to a webcam or traveling to a branch in person. These steps were slow, prone to fraud, and created unnecessary barriers.

Federated identity and social login

The next phase attempted to reduce fragmentation through federated identity. Instead of creating accounts everywhere, users could "Log in with Google" or "Sign in with Facebook." This approach reduced password fatigue and simplified access.

But federated login came with significant tradeoffs. It concentrated identity control in the hands of a few large platforms. Users gained convenience but lost autonomy: accounts could be suspended, data could be resold, and trust was intermediated by companies whose incentives rarely aligned with those of their users.

Social login also normalized surveillance as the price of convenience. Platforms built entire economies on behavioral data collected through identity services. Identity became an asset to be monetized rather than a right to be owned.

Early attempts at user-controlled identity

Several efforts tried to give users more control. Microsoft's Windows CardSpace and VeriSign's Personal Identity Provider in the 1990s and 2000s envisioned user-managed credentials but struggled to gain adoption. The technology wasn't mature enough, smartphones didn't yet exist, and the digital interactions that would make such systems valuable were still limited.

The ID4Me protocol later attempted to create a federated identity approach using domain-based authentication, allowing users to control their own data while maintaining interoperability. These efforts established important principles but couldn't overcome the network effects of established platforms.

The smartphone transformation

The proliferation of smartphones fundamentally changed what was possible. Suddenly, everyone carried a powerful computer with secure hardware, biometric sensors, and constant connectivity. This created the foundation for credentials that individuals could truly hold and control.

The same period saw rapid growth in digital interactions. Online banking, e-commerce, government services, and healthcare all moved increasingly online, creating urgent demand for better identity verification. The status quo of paper documents, manual checks, and fragmented databases couldn't keep pace.

The convergence of technology and policy

Several threads have now converged to make decentralized identity practical:

Open standards have matured. The W3C's Verifiable Credentials provide a universal data model for verifiable digital credentials. ISO/IEC 18013-5 and 18013-7 define how mobile driver's licenses work in-person and online. These standards ensure that credentials issued in one system can be trusted and verified in another.

Cryptographic techniques have advanced. Digital signatures, selective disclosure, and zero-knowledge proofs enable credentials that are tamper-proof, privacy-preserving, and verifiable without intermediaries.

Policy momentum has built. California's DMV Wallet has issued over two million mobile driver's licenses. Utah Code § 63A-16-1202 has codified privacy protections into law. Federal agencies are piloting verifiable digital credentials. Over 250 TSA checkpoints accept mobile IDs.

The outcome of digital identity efforts in the coming years will be very different from past attempts, not because the vision has changed, but because the environment finally supports it.

Where we are now

Digital identity stands at an inflection point. The building blocks exist to move away from fragmented, paper-based systems toward interoperable, privacy-preserving credentials. The challenge is designing infrastructure that protects individual rights, prevents fraud, and supports inclusion.

For individuals, this means fewer passwords, more secure transactions, and greater control over personal data. For governments, it means creating systems that protect privacy while ensuring interoperability. For businesses, it means unlocking new opportunities for secure digital services while reducing the risks and costs of data breaches.

The arc of identity is bending from something you rent to something you own: from platforms asking permission to use your data to you deciding what to share and with whom.
