By Adrian Doerk, Lissi
Lissi is a software house of identity experts who have been working on the topic of digital identity with ID-Wallets and verifiable credentials since 2018. The company, based in Frankfurt am Main in Germany, offers software for organizations to interact with EU Digital Identity Wallets in order to comply with the eIDAS 2 regulation ((EU) 2024/1183).
What is the importance of User Experience in driving uptake of the EUDI Wallet?
User experience is the number one factor that will determine adoption. If we don’t start investing heavily in this now, we won’t reach the targeted adoption level of 80 percent of citizens in 2030.
Communication and education are also very important. This needs to be transparent, and also needs to address negative topics. Missing communication was one of the key reasons for the failed adoption of the German eID scheme 14 years ago.
What usability challenges do you see with the EUDI Wallet?
OpenID4VC is very new and there are many aspects which still need to be addressed. The protocol responsible for presenting credentials to a relying party (OpenID4VP) is critical, and will be crucial in defining the processes of the ecosystem. The protocol currently doesn’t support use case and credential discovery functions. For instance, what happens if a relying party requests three different credentials and the holder only has two in their wallet? We need to inform the user about where to get the missing credential.
The answer may be clear for certain types of credentials, such as driving licenses. But what about things like proof of income? Not only can there be multiple potential issuers (such as an employer or bank), but proof of income is an abstract concept instead of a specific source the relying party can point to. If a degree is required for a job application, there are 427 universities in Germany — how do you find out if your degree is available as a VC? I believe this process needs to be supported in the protocol, for example as a directory of issuers, which relying parties can point to.
Furthermore, all EUDI wallets will need intuitive icons to represent common functions like requesting a credential, presenting a credential and so on. There should be general guidance for all wallet providers on how to illustrate such core processes.
For now, there is no forum where these topics are discussed. Creating an open community in which such user acceptance topics can be addressed would create immense value for adoption of the EUDI Wallet.
The aspects addressed above are just a small part of what’s needed overall. Many other topics also need to go down a standards track. Further topics which need to be addressed from a user-first approach are guardianship, the backup function as well as the protection of the individual.
How much progress is being made on tackling these issues? Who is driving this?
The technical standards are decided on by the eIDAS expert tool group. This group consists of two representatives of every EU member state. They define the Architecture and Reference Framework (ARF). The four eIDAS Large Scale Pilots (LSPs), which started in May 2023, each have 50+ partners exploring different use cases. A lot of know-how has been built up already, but we are also waiting for the implementing acts to provide further information. The standards themselves are defined in recognised standardization bodies such as the European Telecommunications Standards Institute (ETSI).
In Germany, there is a public consultation process initiated by the Federal Ministry of Interior and hosted by the Federal Agency for leap innovation. They made the right choice to get world-class experts in their team, and open a forum for discussing the many open questions that arise when implementing eIDAS 2.0 on a national level.
So, Germany is in a good position, but we also see others doing great work. The Dutch government initiated a wallet-focused community, which is working on user flows, user interfaces and creating mock-ups. We also see a strong community in Finland, Italy and Spain, among others.
How do these issues impact Lissi? How much of this is about standardization, versus proprietary solutions from wallet providers?
There’s only so much you can do as a single vendor. Lissi participates in the working groups within the relevant standardization organizations, such as the OpenID Foundation, assisting the development of the underlying protocols. We see our role as raising the flag on important topics and discussing them with our peers in communities such as the European Wallet Consortium.
Within the last few years we shifted our focus away from the wallet, towards API software for issuers and verifiers. Here we can build a proprietary product based on open standards, which meets the requirements of financial institutions, insurance companies and other regulated institutions. They can use our software to implement use cases with the future EUDI wallets, such as verifying the identity of a person to perform a know-your-customer (KYC) process or issue an IBAN credential.
What is Lissi’s business model?
We’re a software development company enabling organizations to implement use cases with EUDI Wallets by providing the necessary API software. We license this software to our clients. Hosting and integration are done directly by the clients, or by our implementation partners.
Organizations operating in the European Union face a choice: make-or-buy? It’s a bit like learning a language. Either you learn it, or you get everything translated. We’re the translator that enables you to enter the market without spending a year and a half learning the language, maintaining and updating the software and contacting the 30+ expected wallet issuers if implementations are not as interoperable as intended. While having a strong footing in Germany, we also operate throughout Europe.
Are you mainly focused on standards compliance or product differentiation?
For now we are concentrating on ensuring that our clients are compliant with eIDAS 2.0. We’re focusing on ensuring smooth user flows and a holistic user experience with the Lissi EUDI-Wallet Connector API software. Within our Pilot Program, organizations get insights into the ecosystem, expert guidance from our team as well as the API and wallet software.
Where do you see opportunities for wallet providers to differentiate themselves?
The big opportunity is to develop user-centric approaches. We need to think outside the box and take a broader view of what the wallet can be. Governments look at it from a regulatory perspective, but I also want my wallet to show me a list of all my accounts and contracts, to automatically notify service providers when I change address, and so on. Building additional functions into the wallet is how wallet providers can set their offer apart.
You’ve previously spoken of the role DIDComm can play in addressing certain usability issues with the EUDI Wallet. Is that still your view?
Here we are speaking about the protocols used by the issuer and verifier to interact with wallets. The currently used OpenID4VC is less flexible than DIDComm, which was used by many stakeholders before eIDAS 2.0. While the EU’s decision to standardize on OpenID4VC decreases implementation complexity, it also limits our ability to meet some of our clients’ requirements, such as a direct chat communication with the wallet.
Our clients tell us they need persistent digital relationships with customers. We still think DIDComm is the best candidate to meet this need, given its maturity. If there are enough stakeholders requesting functionality offered by such a protocol, it might eventually be integrated into the technical requirements of eIDAS.
What is your view on the so-called ‘three wallet problem’? (referring to the complexity and inconvenience citizens may experience if they are required to download and manage many identity wallets)
In my opinion, the more important question is how successful eIDAS will be. If it's successful, citizens will have a single wallet with their national ID, and won’t need ten additional wallets for identity-related topics. It all depends on whether the barrier to entry is low enough for organizations to interact with citizens without needing to issue a wallet of their own.
Do wallet providers have enough incentive to participate in the eIDAS ecosystem?
Good question! I’ve spent some time investigating the business case for wallet providers. According to eIDAS, we will have at least 30 wallets (one for each of the 27 member states plus 3 EEA countries). Given the option for additional private-sector wallets certified by member states, there may be a lot more, though it probably doesn’t make sense for wallet providers to enter the smaller markets.
Will wallet providers be able to build a viable business model? We have some ideas on this, but it’s still a big question mark for everyone. You can join the Ecosystem, governance and business model working group of the German public consultation process to discuss this in more detail.
Are there any other important gaps in eIDAS, from your perspective?
To avoid the risk that relying parties request too much or unnecessary data from citizens, they will need to register in their member state. For now, the extent to which they need to register is still being discussed. If they are required to register every credential they want to request, this would create unnecessary complexity and a potential barrier to entry. It’s also still to be decided if this will be technically enforced or just a legal prerequisite. We don’t think technical enforcement is viable for the ecosystem. How a data request complaint is handled by the wallet, and EU member states, also needs to be standardized, not left to member states, or we’ll end up with a confusing mess of solutions.
The other area is the trust mechanism enabling relying parties to determine if an issuer is trusted to issue a certain credential, such as the Person Identification Data (PID). We need a clear direction on what trust model will be adopted, in order to continue the practical implementation of use cases.