Comps & Reflections

Digital Identity: Who Are You, Online?

Most people have dozens of digital identities that don't talk to each other. The vision of user-controlled identity has been under development for years and remains largely unrealized.

2026-05-14 · 6 min read Comps & Reflections
DigitalPart 5 of 15
Digital Colonialism Digital Colonialism Digital Divide BeyonDigital Ethics Beyon5Digital Leadership CDigital Nudging ChoiDigital Product ManaDigital Provenance TDigital Sovereignty Digital TransformatiDigital TransformatiDigital TransformatiDigital TransformatiDigital Twins Enterp

I counted my login credentials once. Email address plus password combinations across services I actually use: email, banking, university systems, health portal, cloud storage, professional tools, government services. I stopped at forty. Most of those systems have no idea the others exist. My bank does not know my health portal credentials. My university does not know my banking information. They are separate identities, maintained separately, each with their own recovery mechanisms, each with their own vulnerability surface. If any one of them gets compromised, the others are not automatically affected, which is a security benefit. But collectively they represent an identity infrastructure that nobody designed and nobody controls, including me.

This fragmentation is not an accident. It is the default outcome of building independent systems that each need to know who is accessing them, solved independently by each system, without coordination. The result is that my digital identity is not one thing. It is a collection of context-specific credentials, held in different places, with different levels of assurance, subject to different rules, and none of them particularly portable.

The "sign in with Google" or "sign in with Apple" pattern is an attempt to reduce this fragmentation, and it has worked at the user experience level. Instead of creating a new account on every service, I delegate identity assertion to a platform I already have a relationship with. The platform tells the new service: this is a real person, they authenticated to us, here is an identifier you can use. That is convenient. I use it. But it also means that Google, Apple, and Meta have become de facto identity intermediaries for a significant fraction of the internet. My ability to access services that rely on "sign in with Google" is contingent on my Google account remaining active and Google remaining willing to operate that service. These are commercial companies whose interests in providing identity infrastructure are not identical to my interests as a user. If Google decides to shut down a feature, or if my account is suspended for any reason, access to every service I authenticated through Google is at risk. I gave up control for convenience, and the convenience is real, but so is the dependency.

Self-sovereign identity (SSI) is the conceptual alternative that researchers and technologists have been developing for roughly a decade. The core idea is that individuals should own and control their own digital credentials without depending on a centralized issuer to assert their identity on demand. The W3C published Decentralized Identifiers (DIDs) as a formal W3C Recommendation in 2022. DIDs are identifiers that do not require a central registration authority to create or control. Instead of your identity being the username you hold in someone else's database, a DID is a cryptographic identifier that you control directly. Verifiable Credentials are a companion W3C standard that allows credentials issued by institutions (a university degree, a government ID, a professional certification) to be held by the credential owner and presented to any verifier, without the verifier needing to contact the original issuer. These are real, publicly documented technical standards, not speculative research.

The practical realization of SSI at meaningful scale is, however, still limited. The standards exist. Implementations exist in pilot programs and specific sectors. But the broad consumer reality, where I carry a wallet of verifiable credentials on my phone and use them across services the way I currently use passwords, is not here yet. My honest assessment is that SSI is in the slope of enlightenment phase of its development: the technical foundation is real, some specific applications are working, but the mainstream plateau is still ahead.

The EU Digital Identity Wallet is the policy initiative most likely to change this picture. Under the eIDAS 2.0 regulation, EU member states are required to provide a digital identity wallet to citizens, enabling them to use government-issued credentials to authenticate to both public and private services. The implementation is underway with target dates that I will not specify precisely because the timeline has been subject to ongoing adjustment and I do not want to misrepresent the current state. What I can say with confidence is that this is real EU policy, widely reported, and represents the most significant government-backed push toward citizen-held digital credentials in the world to date. If it works as intended, EU citizens will have a government-issued digital wallet they can use to prove their age, their nationality, their professional credentials, and other attributes without creating a new account with each service or handing that data to a private platform intermediary.

Gartner predicted in September 2024 that at least 500 million smartphone users will be regularly making verifiable claims using a digital identity wallet by 2026. That specific prediction, from the Gartner newsroom, is a forecast, not a measured outcome, and I note it as a signal of how seriously analysts are taking the wallet trajectory. The same press release noted the European Commission's requirement under eIDAS for member states to make a digital identity wallet available to citizens.

A separate Gartner prediction from February 2024 is worth noting here because it complicates the picture: Gartner predicted that 30 percent of enterprises would consider identity verification and authentication solutions unreliable in isolation due to AI-generated deepfakes by 2026. That prediction lives at gartner.com/en/newsroom. It points to a real problem: the same period when we are building more sophisticated identity infrastructure, the attack surface for identity fraud is expanding through AI-generated synthetic media. A digital identity wallet is a stronger credential mechanism than a password, but it does not solve the problem of a deepfake video convincing a human reviewer that an impersonator is the legitimate account holder. The identity problem is getting technically better and contextually harder at the same time.

What I take from all of this is that digital identity is an IS problem that has not been solved by any single technical or regulatory intervention. The SSI standards provide a real technical foundation. The EU wallet initiative provides real institutional pressure. But the fragmentation that characterizes the current state is not going away quickly, because it is the accumulated outcome of decades of independent system building. The path from where we are to user-controlled, portable, secure digital identity runs through a large number of legacy systems, established commercial relationships, and user habits that will change more slowly than any standard publication schedule predicts.

About the author

A
Ali Safari
PhD Student in IS, University of North Texas

Researching AI governance, trust in intelligent systems, and agentic AI. Writing while studying for comps.

in gs

Share

More notes

← Previous
The CIO Used to Keep the Lights On. Now What?
Next →
Digital Ethics: Beyond Compliance

Related notes

AI & Agentic Systems
The AI Dependency Paradox: You Cannot Stop Using What You Cannot Trust
6 min read
Comps & Reflections
DSR Is Not About the Prototype
5 min read
Comps & Reflections
FinTech Is an IS Problem Disguised as Finance
6 min read