Skip to main content

2 posts tagged with "Identity"

View All Tags

From Passwords to Portable Proofs: A 2025 Builder’s Guide to Web3 Identity

· 10 min read
Dora Noda
Software Engineer

Most apps still anchor identity to usernames, passwords, and centralized databases. That model is fragile (breaches), leaky (data resale), and clunky (endless KYC repeats). The new stack emerging around decentralized identifiers (DIDs), verifiable credentials (VCs), and attestations points to a different future: users carry cryptographic proof of facts about themselves and reveal only what’s needed—no more, no less.

This post distills the landscape and offers a practical blueprint you can ship with today.


The Shift: From Accounts to Credentials

The core of this new identity stack is built on two foundational W3C standards that fundamentally change how we handle user data.

  • Decentralized Identifiers (DIDs): These are user-controlled identifiers that don’t require a central registry like a domain name system. Think of a DID as a permanent, self-owned address for identity. A DID resolves to a signed “DID document” containing public keys and service endpoints, allowing for secure, decentralized authentication. The v1.0 standard became an official W3C Recommendation on July 19, 2022, marking a major milestone for the ecosystem.
  • Verifiable Credentials (VCs): This is a tamper-evident, digital format for expressing claims, like "age is over 18," "holds a diploma from University X," or "has passed a KYC check." The VC Data Model 2.0 became a W3C Recommendation on May 15, 2025, locking in a modern foundation for how these credentials are issued and verified.

What changes for developers? The shift is profound. Instead of storing sensitive personally identifiable information (PII) in your database, you verify cryptographic proofs supplied by the user’s wallet. You can request only the specific piece of information you need (e.g., residency in a specific country) without seeing the underlying document, thanks to powerful primitives like selective disclosure.


Where It Meets the Logins You Already Use

This new world doesn't require abandoning familiar login experiences. Instead, it complements them.

  • Passkeys / WebAuthn: This is your go-to for phishing-resistant authentication. Passkeys are FIDO credentials bound to a device or biometric (like Face ID or a fingerprint), and they are now widely supported across all major browsers and operating systems. They offer a seamless, passwordless login experience for your app or wallet.
  • Sign-In with Ethereum (SIWE / EIP-4361): This standard lets a user prove control of a blockchain address and link it to an application session. It works via a simple, signed, nonce-based message, creating a clean bridge between traditional Web2 sessions and Web3 control.

The best practice is to use them together: implement passkeys for mainstream, everyday sign-in and offer SIWE for wallet-linked flows where a user needs to authorize a crypto-native action.


The Rails for Issuing and Checking Credentials

For credentials to be useful, we need standardized ways to issue them to users and for users to present them to apps. The OpenID Foundation provides the two key protocols for this.

  • Issuance: OpenID for Verifiable Credential Issuance (OID4VCI) defines an OAuth-protected API for getting credentials from issuers (like a government agency or a KYC provider) into a user's digital wallet. It’s designed to be flexible, supporting multiple credential formats.
  • Presentation: OpenID for Verifiable Presentations (OID4VP) standardizes how your application makes a "proof request" and how a user's wallet responds to it. This can happen over classic OAuth redirects or through modern browser APIs.

When building, you’ll encounter a few key credential formats designed for different ecosystems and use cases:

  • W3C VC with Data Integrity Suites (JSON-LD): Often paired with BBS+ cryptography to enable powerful selective disclosure.
  • VC-JOSE-COSE and SD-JWT VC (IETF): These formats are built for JWT and CBOR-based ecosystems, also featuring strong selective disclosure capabilities.

Fortunately, interoperability is improving rapidly. Profiles like OpenID4VC High Assurance are helping to narrow the technical options, making cross-vendor integrations much saner for developers.


DID Methods: Picking the Right Address Scheme

A DID is just an identifier; a "DID method" specifies how it's anchored to a root of trust. You’ll want to support a couple of common ones.

  • did:web: This method backs a DID with a domain you control. It’s incredibly easy to deploy and is a fantastic choice for enterprises, issuers, and organizations who want to leverage their existing web infrastructure as a trust anchor.
  • did:pkh: This method derives a DID directly from a blockchain address (e.g., an Ethereum address). This is highly useful when your user base already has crypto wallets and you want to link their identity to on-chain assets.

Rule of thumb: Support at least two methods—did:web for organizations and did:pkh for individual users. Use a standard DID resolver library to handle the lookup, and consult official registries to evaluate the security, persistence, and governance of any new method you consider adding.


Useful Building Blocks You Can Plug In

Beyond the core standards, several tools can enhance your identity stack.

  • ENS (Ethereum Name Service): Provides human-readable names (yourname.eth) that can map to blockchain addresses and DIDs. This is an invaluable tool for improving user experience, reducing errors, and providing a simple profile layer.
  • Attestations: These are flexible, verifiable "facts about anything" that can be recorded on-chain or off-chain. The Ethereum Attestation Service (EAS), for example, provides a robust substrate for building reputation and trust graphs without ever storing PII on a public ledger.

Compliance Tailwinds You Should Track

Regulation is often seen as a hurdle, but in this space, it’s a massive accelerator. The EU Digital Identity Framework (eIDAS 2.0), officially adopted as Regulation EU 2024/1183 on May 20, 2024, is the most significant development. It mandates that all EU Member States offer citizens a free EU Digital Identity Wallet (EUDI). With implementing regulations published on May 7, 2025, this is a powerful signal for the adoption of wallet-based credentials across both public and private services in Europe.

Even if you don't operate in the EU, expect the EUDI Wallet and its underlying protocols to shape user expectations and drive wallet adoption globally.


Design Patterns That Work in Production (2025)

  • Passwordless First, Wallets Optional: Default to passkeys for sign-in. It's secure, simple, and familiar. Only introduce SIWE when users need to perform a crypto-linked action like minting an NFT or receiving a payout.
  • Ask for Proofs, Not Documents: Replace clunky document uploads with a crisp VC proof request using OID4VP. Instead of asking for a driver's license, ask for a proof of "age over 18" or "country of residence is X." Accept credentials that support selective disclosure, like those using BBS+ or SD-JWT.
  • Keep PII Off Your Servers: When a user proves something, record an attestation or a short-lived verification result, not the raw credential itself. On-chain attestations are a powerful way to create an auditable record—"User Y passed KYC with Issuer Z on date D"—without storing any personal data.
  • Let Orgs Be Issuers with did:web: Businesses, universities, and other organizations already control their domains. Let them sign credentials as issuers using did:web, allowing them to manage their cryptographic keys under their existing web governance models.
  • Use ENS for Names, Not Identity: Treat ENS as a user-friendly handle and profile pointer. It's great for UX, but keep the authoritative identity claims within credentials and attestations.

A Starter Architecture

Here’s a blueprint for a modern, credential-based identity system:

  • Authentication
    • Default Login: Passkeys (FIDO/WebAuthn).
    • Crypto-Linked Sessions: Sign-In with Ethereum (SIWE) for wallet-based actions.
  • Credentials
    • Issuance: Integrate with OID4VCI endpoints from your chosen issuers (e.g., a KYC provider, a university).
    • Presentation: Trigger OID4VP proof requests from your web or native app. Be prepared to accept both W3C VCs (with BBS+) and SD-JWT VCs.
  • Resolution & Trust
    • DID Resolver: Use a library that supports at least did:web and did:pkh. Maintain an allowlist of trusted issuer DIDs to prevent spoofing.
  • Attestations & Reputation
    • Durable Records: When you need an auditable signal of a verification, mint an attestation containing a hash, the issuer's DID, and a timestamp, rather than storing the claim itself.
  • Storage & Privacy
    • Minimalism: Drastically minimize the PII you store server-side. Encrypt everything at rest and set strict time-to-live (TTL) policies. Prefer ephemeral proofs and lean heavily on zero-knowledge or selective disclosure.

UX Lessons Learned

  • Start Invisible: For most users, the best wallet is the one they don’t have to think about. Use passkeys to handle sign-in seamlessly and only surface wallet interactions contextually when they are absolutely necessary.
  • Progressive Disclosure: Don't ask for everything at once. Request the smallest possible proof that unblocks the user's immediate goal. With selective disclosure, you don't need their full document to verify one fact.
  • Key Recovery Matters: A credential bound to a single device key is a liability. Plan for re-issuance and cross-device portability from day one. This is a key reason modern profiles are adopting formats like SD-JWT VC and claims-based holder binding.
  • Human-Readable Handles Help: An ENS name is far less intimidating than a long hexadecimal address. It reduces user error and adds a layer of recognizable context, even if the true authority lives in the underlying credentials.

What to Ship Next Quarter: A Pragmatic Roadmap

  • Weeks 1–2:
    • Add passkeys for your primary sign-in flow.
    • Gate all crypto-native actions behind a SIWE check.
  • Weeks 3–6:
    • Pilot a simple age or region gate using an OID4VP request.
    • Accept VC 2.0 credentials with selective disclosure (BBS+ or SD-JWT VC).
    • Start creating attestations for "verification passed" events instead of logging PII.
  • Weeks 7–10:
    • Onboard a partner issuer (e.g., your KYC provider) using did:web and implement a DID allowlist.
    • Offer ENS name linking in user profiles to improve address UX.
  • Weeks 11–12:
    • Threat-model your presentation and revocation flows. Add telemetry for common failure modes (expired credential, untrusted issuer).
    • Publish a clear privacy posture explaining exactly what you ask for, why, how long you retain it, and how users can audit it.

What’s Changing Fast (Keep an Eye on This)

  • EU EUDI Wallet Rollouts: The implementation and conformance testing of these wallets will massively shape capabilities and verification UX across the globe.
  • OpenID4VC Profiles: Interoperability between issuers, wallets, and verifiers is constantly improving thanks to new profiles and test suites.
  • Selective Disclosure Cryptosuites: Libraries and developer guidance for both BBS+ and SD-JWT VC are rapidly maturing, making them easier to implement.

Principles to Build By

  • Prove, Don’t Store: Default to verifying claims over storing raw PII.
  • Interoperate by Default: Support multiple credential formats and DID methods from day one to future-proof your stack.
  • Minimize & Disclose: Ask for the smallest possible claim. Be transparent with users about what you are checking and why.
  • Make Recovery Boring: Plan for device loss and issuer rotation. Avoid brittle key-binding that strands users.

If you’re building fintech, social, or creator platforms, credential-first identity isn’t a future bet anymore—it’s the shortest path to lower risk, smoother onboarding, and global interoperability.

From Game Loot to Product Passports: What NFTs Are Actually Good For in 2025

· 11 min read
Dora Noda
Software Engineer

In 2021, NFTs were mostly about flexing JPEGs. In 2025, the most interesting work is quieter: game studios using NFTs for player-owned items, luxury houses stitching them into digital product passports, and brands folding tokens into loyalty and access. Even mainstream explainers now frame NFTs as infrastructure for ownership and provenance—not just collectibles (Encyclopedia Britannica).

Below is a field guide to the use cases that have real traction (and a few that learned hard lessons), plus a practical checklist if you’re building.


Gaming: Where “I Own This” Actually Matters

Gaming is a natural fit for NFTs because players already understand the value of scarce digital items. Instead of being trapped in one game's silo, NFTs add portable ownership and create opportunities for secondary liquidity.

  • Production chains built for games: The infrastructure has matured significantly. Immutable launched a Polygon-powered zkEVM in 2024, designed to make asset creation, trading, and on-chain logic feel native to the game loop. By the end of that year, the ecosystem had signed hundreds of titles, and its flagship game Guild of Guardians crossed one million downloads (The Block, immutable.com, PR Newswire).

  • At-scale player economies: We now have proof that mainstream players will engage with NFT economies when the game is fun first. Mythical Games reports over $650 million in transactions across more than seven million registered players. Its FIFA Rivals mobile game hit one million downloads within about six weeks of launch, showing that the technology can be seamlessly integrated into familiar experiences (NFT Plazas, PlayToEarn, The Defiant).

  • Major publishers are still experimenting: The industry's giants are actively involved. Ubisoft’s Champions Tactics: Grimoria Chronicles, built on the Oasys blockchain with NFT-native elements, rolled out in late 2024 and has seen continuous updates into 2025, signaling a long-term commitment to exploring the model (GAM3S.GG, Champions Tactics™ Grimoria Chronicles, Ubisoft).

Why this works: When thoughtfully integrated, NFTs enhance the existing player experience without breaking the fiction of the game world.


Luxury & Authenticity: Digital Product Passports Go Mainstream

For luxury brands, provenance is paramount. NFTs are becoming the backbone for verifying authenticity and tracking an item's history, moving from a niche concept to a core business tool.

  • A shared backbone for provenance: The Aura Blockchain Consortium—founded by LVMH, Prada Group, Cartier (Richemont), and others—offers industry-grade tooling so that new luxury goods ship with verifiable, transferable “digital twins” (Aura Blockchain Consortium). This creates a common standard for authenticity.

  • Regulatory pull, not just brand push: This trend is being accelerated by regulation. Europe’s Ecodesign for Sustainable Products Regulation (ESPR) will require digital product passports across many categories by 2030, making supply-chain transparency a legal requirement. Luxury groups are building the infrastructure to comply now (Vogue Business).

  • Real deployments: This is already happening in production. Consortium members like OTB (Maison Margiela, Marni) emphasize blockchain-backed traceability and Digital Product Passports (DPPs) as a core part of their growth and sustainability strategy. Aura has highlighted active use cases at houses such as Loro Piana and others (Vogue Business, Aura Blockchain Consortium).

Why this works: Anti-counterfeiting is a fundamental need in luxury. NFTs make authenticity checks self-serve for the consumer and create a durable record of ownership that persists across resale channels.


Ticketing & Live Events: Collectibles and Access

Events are about status, community, and memories. NFTs provide a way to bind those intangible values to a verifiable digital token that can unlock new experiences.

  • Token-gated perks at scale: Ticketmaster has rolled out features that let artists and organizers grant special access to NFT holders. A ticket stub is no longer just a piece of paper; it's a programmable membership card that can grant access to exclusive merchandise, content, or future events (Blockworks).

  • On-chain souvenirs: Ticketmaster’s “digital collectibles” program gives fans proof that they attended an event, creating a new kind of digital memorabilia. These tokens can also be used to unlock future benefits or discounts, deepening the relationship between artists and fans (ticketmastercollectibles.com).

  • Cautionary tale: Early experiments highlighted the risks of centralization. Coachella’s 2022 NFTs, which were tied to the now-defunct exchange FTX, infamously went dark, leaving holders with nothing. The festival has since resumed its NFT experiments with other partners in 2024, but the lesson is clear: build to avoid single points of failure (IQ Magazine, Blockworks).

Why this works: NFTs transform a one-time event into a lasting, verifiable relationship with ongoing potential for engagement.


Loyalty & Memberships: When Tokens Replace Tiers

Brands are exploring how tokens can make loyalty programs more flexible and engaging, moving beyond simple points systems to create portable status.

  • Airlines as on-ramps: Lufthansa’s Uptrip program turns flights into digital trading cards that can be redeemed for perks like lounge access or upgrades. The cards can optionally be converted to NFTs in a self-custodial wallet, offering a gamified loyalty experience first and making the crypto aspect entirely optional (uptrip.app, Lufthansa).

  • Legacy programs on blockchain rails: Some programs have been using this technology for years. Singapore Airlines’ KrisPay has used a blockchain-backed wallet since 2018 to make airline miles spendable at partner merchants—an early blueprint for interoperable rewards (Singapore Airlines).

  • Consumer brands token-gate in familiar storefronts: Retailers can now use Shopify’s built-in token-gating features to reward NFT holders with exclusive product drops and community access. Adidas’ ALTS program is a prime example, using dynamic NFT traits and tokenproof verification to tie digital ownership to real-world commerce and events (Shopify, NFT Plazas, NFT Evening).

  • Not everything sticks: It’s a useful reminder that loyalty is a behavior loop first and a technology second. Starbucks shuttered its Odyssey NFT beta program in March 2024, demonstrating that even a massive brand can't force a new model if it doesn't offer clear, everyday value to the user (Nation’s Restaurant News).

Why this works: The winning pattern is clear: start with utility that non-crypto users already want, then make the "NFT" aspect optional and invisible.


Identity & Credentials: Readable Names, Non-Transferable Proofs

NFTs are also being adapted for identity, where the goal is not to trade but to prove. This creates a foundation for user-controlled reputation and credentials.

  • Human-readable identities: The Ethereum Name Service (ENS) replaces long, complex wallet addresses with human-readable names (e.g., yourname.eth). With the recent addition of L2 Primary Names, a single ENS name can now resolve cleanly across multiple networks like Arbitrum, Base, and OP Mainnet, creating a more unified digital identity (ens.domains, messari.io).

  • Non-transferable credentials (SBTs): The “soulbound” token concept—tokens you can earn but cannot trade—has matured into a practical tool for issuing diplomas, professional licenses, and membership proofs. Expect to see more pilots in education and certification where provenance is key (SSRN, Webopedia).

  • Beware biometric trade-offs: While "proof-of-personhood" systems are evolving quickly, they come with significant privacy risks. High-profile projects in this space have drawn scrutiny from core crypto leaders for their data collection practices, highlighting the need for careful implementation (TechCrunch).

Why this works: Identity and reputation shouldn’t be tradable. NFT variants like SBTs provide a way to build a composable, user-owned identity layer without relying on central gatekeepers.


Creator Economy & Media: New Revenue Paths (Plus Reality Checks)

For creators, NFTs offer a way to create scarcity, control access, and build direct financial relationships with their communities.

  • Direct-to-fan music collectibles: Platforms like Sound are creating new economic models for musicians. By offering guaranteed mint rewards to artists—even on free drops—the platform reports generating revenues for artists comparable to what they would earn from billions of streams. It’s a modern reframing of the “1,000 true fans” concept for on-chain music (help.sound.xyz, sound.mirror.xyz).

  • Shared IP rights—if licensed explicitly: Some NFT collections grant holders commercial rights to their art (e.g., the Bored Ape Yacht Club license), enabling a decentralized ecosystem of merchandise and media projects. The importance of legal clarity here is paramount, as reflected in recent case law and the emergence of formal licensing programs (boredapeyachtclub.com, 9th Circuit Court of Appeals).

  • Not all experiments pay back: Early royalty-sharing drops, such as those facilitated by marketplaces like Royal, showed promise but delivered mixed returns. This serves as a reminder for teams to model cash flows conservatively and not rely on speculative hype (Center for a Digital Future).

Why this works: NFTs allow creators to bypass traditional intermediaries, offering new ways to monetize their work through paid mints, token-gated content, and real-world tie-ins.


Finance: Using NFTs as Collateral (and the 2025 Cooldown)

NFTs can also function as financial assets, primarily as collateral for loans in a growing DeFi niche.

  • The mechanism: Protocols such as NFTfi allow users to borrow against their NFTs via escrowed peer-to-peer loans. The cumulative volume on these platforms has exceeded hundreds of millions of dollars, proving the model's viability (nftfi.com).

  • 2025 reality check: This market is highly cyclical. After peaking around January 2024, NFT lending volumes fell by approximately 95–97% by May 2025 as the value of collateral dropped and risk appetite evaporated. Leadership in the space has also shifted from established players like Blend to newer ones. This indicates that NFT-backed lending is a useful financial tool, but it remains a niche and volatile market (The Defiant, DappRadar).

Why this works (when it does): High-value NFTs, like digital art or rare in-game assets, can be transformed into productive capital—but only if sufficient liquidity exists and risk is managed carefully.


Philanthropy & Public Goods: Transparent Fundraising

On-chain fundraising offers a powerful model for transparency and rapid mobilization, making it a compelling tool for charitable causes.

  • UkraineDAO’s flag NFT raised roughly $6.75 million in early 2022, showcasing how quickly and transparently a global community could mobilize for a cause. Crypto donations to Ukraine more broadly crossed tens of millions of dollars within days (Decrypt, TIME).

  • Quadratic funding at scale: Gitcoin continues to iterate on its model for community-matched funding rounds that support open-source software and other public goods. It represents a durable, effective pattern for resource allocation that has long outlasted the NFT hype cycles (gitcoin.co).

Why this works: On-chain rails shorten the path from philanthropic intent to real-world impact, with public ledgers providing a built-in layer of accountability.


Patterns That Win (and Pitfalls to Avoid)

  • Start with the user story, not the token. If status, access, or provenance isn’t core to your product, an NFT won’t fix it. Starbucks Odyssey’s sunset is a potent reminder to ground loyalty programs in tangible, everyday value (Nation’s Restaurant News).
  • Minimize single points of failure. Don’t architect your system around a single custodian or vendor. Coachella’s FTX fiasco shows why this is critical. Use portable standards and plan migration paths from day one (IQ Magazine).
  • Design for chain-agnostic UX. Users want simple logins and consistent benefits, regardless of the underlying blockchain. ENS’s L2 identity support and Shopify's cross-chain token-gated commerce show that the future is interoperable (messari.io, Shopify).
  • Use dynamic metadata when states change. Assets should be able to evolve. Dynamic NFTs (dNFTs) and standards like EIP-4906 allow metadata to change (e.g., character levels, item repairs), ensuring marketplaces and applications stay in sync (Chainlink, Ethereum Improvement Proposals).
  • License IP explicitly. If your holders can commercialize the art associated with their NFTs, say so—clearly. BAYC’s terms and formal licensing program are instructive models (boredapeyachtclub.com).

A Builder’s Checklist for NFT Utility in 2025

  • Define the job to be done. What does the token unlock that a simple database row can’t (e.g., composability, secondary markets, user custody)?
  • Make crypto optional. Let users start with an email or an in-app wallet. Allow them to opt into self-custody later.
  • Choose the right chain + standard. Optimize for transaction fees, user experience, and ecosystem support (e.g., ERC-721/1155 with EIP-4906 for dynamic states).
  • Plan for interoperability. Support token-gated commerce and identity solutions that work across existing web2 platforms (e.g., Shopify, ENS).
  • Avoid lock-in. Prefer open standards. Architect metadata portability and migration paths from day one.
  • Embrace off-chain + on-chain. Blend efficient server-side logic with verifiable on-chain proofs. Always keep personally identifiable information (PII) off-chain.
  • Model economics conservatively. Don’t build a business model that relies on secondary market royalties. Test for cyclical demand, especially in financial applications.
  • Design for regulation. If you’re in apparel or physical goods, start tracking Digital Product Passport and sustainability disclosure requirements now, not in 2029.
  • Write the license. Spell out commercial rights, derivatives, and trademark usage in plain, unambiguous language.
  • Measure what matters. Focus on retained users, repeat redemptions, and secondary market health—not just the revenue from the initial mint.

Bottom Line

The hype cycle burned off. What’s left is useful: NFTs as building blocks for ownership, access, and provenance that normal people can actually touch—especially when teams hide the blockchain and foreground the benefit.