Wallet certification is a process where digital wallets are independently tested and verified to meet specific security, privacy, and interoperability requirements. Certification provides assurance that a wallet can be trusted to handle sensitive identity credentials responsibly.
Why certification matters
Without certification, wallets could vary widely in how they protect sensitive identity data. Some might leak information, fail to enforce privacy protections, or be vulnerable to security exploits. Certification creates a consistent baseline that holders, issuers, and verifiers can rely on.
For holders, certification provides assurance that a wallet meets defined security, privacy, and interoperability requirements.
For issuers, certification means confidence that credentials provisioned into a wallet will be protected appropriately and presented in accordance with the issuer's requirements.
For verifiers, certification means assurance that the credentials they receive come from secure, trustworthy environments.
What certification covers
Wallet certification typically evaluates several areas.
Security requirements ensure wallets use hardware-backed keys, protect credential data with appropriate encryption, and resist common attacks. FIDO Alliance certifications, for example, provide assurance for authentication mechanisms and secure key management.
Privacy requirements ensure wallets support selective disclosure and give users control over what they share. Wallets must default to minimal disclosure and warn users about excessive data requests.
Interoperability requirements ensure wallets can work with credentials from different issuers and present them to different verifiers. FIME certifications focus on technical interoperability with ISO/IEC 18013-5 and related mobile driver's license standards. Governance requirements encompass operational practices such as credential lifecycle management, recovery mechanisms, and user consent flows.
Certification bodies
Several organizations offer wallet-related certifications.
The FIDO Alliance provides certifications for authentication mechanisms and hardware-backed key protection used by wallets.
The Kantara Initiative covers governance and operational practices, including identity proofing, credential lifecycle management, and privacy protections. Kantara's Identity Assurance Framework is leveraged by U.S. federal programs.
FIME is the established certification body for mobile driver's license and mdoc conformance. FIME certifications are particularly important for ensuring credentials can be accepted at TSA checkpoints.
States may also run their own certification programs or recognize certifications developed by other governments, such as those associated with the European Union's eIDAS 2.0 framework.
Continuous evaluation
Software updates can change a wallet's behavior and potentially affect its compliance with certification requirements. Certification isn't a one-time event, it requires ongoing evaluation to ensure wallets remain compliant as they evolve.
This might include periodic reviews, inspection of binary artifacts or code paths, and testing against updated requirements. The balance between review frequency and depth must be found to ensure safety without creating undue burden for wallet providers.
Building public confidence
Ultimately, certification builds public confidence in digital identity systems. Citizens can trust that certified wallets uphold their rights, while organizations can trust that credentials presented from those wallets are authentic and adequately protected.
Want to keep learning?
Subscribe to our blog.
