Why Verifiable Credentials Aren’t Widely Adopted & Why Trinsic Pivoted

Riley Hughes
15 min readOct 15, 2024

--

A presentation I gave at IIW38, in April 2024.

At the Internet Identity Workshop 38, I announced my talk with a description something like this:

Five years ago at this conference, Trinsic’s first product (our self-sovereign identity wallet app) was launched. Today, I’m hosting a session called “SSI didn’t work. Trinsic is pivoting.”

I knew it was a provocative title — and I fully considered that apostatizing this publicly could result in a mob of opposition. But I was not prepared for what actually happened.

  1. Right after my announcement (and brief, surprised gasp from the crowd of ~350 people) one IIW veteran popped off his chair and clapped his way across the room to embrace me.
  2. Right before my session, the CEOs of two separate identity companies asked to broadcast the talk online (one via livestream, another via live Tweet).
  3. Right after my session during the closing circle (where the original crowd of ~350 reconvened), the cofounder of the conference wept as she thanked me. Another longtime identity veteran stood immediately after and claimed it was the most important session held at the event in the last 5 years.
  4. The next morning, a startup CEO called for memorializing a “Riley Session” as a new staple of the conference twice each year. More than a dozen people asked me to reprise my session.

I say this all descriptively, not boastfully. Far from feeling proud, I actually felt humbled to have had the opportunity to contribute something evidently valuable to a community which has given me so much. (It was at an IIW in 2018 that I realized I wanted to build a career in this industry.) That is the context for this post — to share apparently-useful insights that hopefully will result in getting the world closer to using better digital ID technologies.

The spoiler for this article: I’m no longer betting on verifiable credentials taking off. I mean this literally — 99% of my net worth is Trinsic stock, so the strategy I bet my company on is an objective revelation of my strongest convictions. While once central to Trinsic’s existence, our latest pivot demonstrates that I believe interoperable digital credentials won’t succeed in market anytime soon.

Specifically, my prognostication is that digital identities will continue to be deployed and adopted, but that fragmentation, incompatibility, and bespoke implementations will continue to dominate the market.

Now, I’ve been working on this problem for 7 years. Explaining how I landed on this conclusion requires expounding on years of the business equivalent of trench warfare. This post is a deep dive, not a summary. If you want a summary, I suggest dropping this post into your LLM of choice (I won’t be offended). I’ll do my best to be concise, but I also intend on being thorough. The structure of this post is as follows:

Assumptions

Brief History

Impossible Problems

Bull Case

End

Assumptions

Assumption #0: I’ve drunk the Kool-aid

As you read this post, your walls might go up. Especially if your salary depends on me being wrong. Just be aware of your biases and know that I am still Kool-aid drunk on the philosophy of self-sovereign identity. I want that future as much as anybody. But in my sincere pursuit to discover reality, I’ve learned some things that I hope others can benefit from.

Assumption #1: Terminology

I will use “verifiable credential” or “VC” in this post quite a bit. I’ll also use “self-sovereign identity” or “SSI” or “IDtech”. “Decentralized identity” or “DI” could be subbed in too for all I care. Fundamentally, I’m trying to communicate: A standard way to exchange trustworthy data in a user-centric/user-controlled way. But I’m intentionally avoiding being too pedantic, so don’t get overly caught up in semantics.

Assumption #2: The world is huge

The world is inconceivably big.

Consulting in SSI is a good way to make a living. But hand-to-hand combat is insufficient to get VCs adopted. The only way to scale something on the magnitude needed for SSI to work is a product with product/market fit. That, or regulatory obligation.

Imagine if companies needed Accenture to adopt artificial intelligence. Now consider how that differs from a world where any developer can pick up an API key from OpenAI and implement GPT4 in an afternoon. LLMs have product/market fit, SSI does not.

Assumption #3: The market is reality

Here’s how I think about startups & new product development. The market is unknowable in its entirety. If it was known how to build a successful product (in our case, a widely-adopted SSI wallet or an adoptable VC format), it would have been done by now. To make progress at the cutting edge, you must do something desirable and different. Andy Radcliff calls this being “non-consensus and right”.

Chamath describes a startup as an exercise in mentally modeling the “market” and building a product to fit that model. If your product is rejected, your model of the world is wrong and you need to iterate its form. If your product is adopted, your model of the world is right.

All this is to say, the market is the objective reality. It decides winners and losers. As I’ve sought to get product/market fit in this space, I seek to discover reality as impartially as I can. When I see evidence of something working, I pay attention; when I see evidence that something isn’t working, I try to absorb those data points too.

Assumption #4: The best technology gets adopted

The worth of software is its impact on humans. The most elegant, idealistic, best software is therefore worthless unless it’s adopted. Actually, if it’s not adopted, it’s not elegant, idealistic, or best — no consolation prizes. The market is the judge and if your product isn’t making an impact on people’s lives, it’s no better than a refrigerator on the moon.

Adoption isn’t just the most important thing, it’s the only thing. Thus, this is actually a tautology: by definition, what gets adopted is best.

Assumption #5: Don’t waste your time

I’ve thought a lot about the optimal point between discouraging and cautioning. Yes, I’ve tried a lot of things but it’s important to state that markets change. Maybe something is different now than when I tried it. I surely can’t turn over every stone. Running new or differentiated experiments in this market is probably fruitful–I don’t want to discourage innovation. But I do want it to shine a light on the graveyard that exists in this space and hopefully prevent people from doing things that are doomed to fail.

Brief history

I started my journey in identity in 2017 when I interviewed for a job at Sovrin Foundation. I started Trinsic with two cofounders in 2019 because of the relatively low adoption of Sovrin’s network. I thought if we made the technology dramatically easier to use, more companies would adopt SSI.

Me plus Tomislav & Michael, my cofounders, launching our product at IIW in 2019.

We built something good. Hundreds of developers were signing up every month and issuing verifiable credentials. One of those developers was Wayne Chang who, before cofounding Spruce, gave me the feedback that Trinsic was the best execution of any SSI product in the market. He asked something like:

“With a product like this (where a developer can get value for free) you are probably either using this as lead gen for $250k consulting deals, or you’re just really betting on verifiable credentials blowing up.”

I told him we were betting on VCs blowing up.

Our aim was to build a product that would accelerate VC adoption. In our view, if a customer needed consulting to succeed, it was a signal the product wasn’t good enough. (We did consult customers on how to succeed — but we treated this time as product discovery time, and incorporated the results immediately into the product roadmap.)

What happened is we acquired dozens of paying customers, but not enough were successful enough. We had roughly 1 breakaway customer story per 500 companies that signed up. The rest were either startups that failed to get traction or large enterprise R&D departments that never went to production.

In the meantime, the market shaped out in an undeniable way. Dozens of companies obtained product/market fit in the reusable identity space, none of which use the VC standard. Either none of the successful companies chose to use VCs, or none of companies that chose VCs succeeded (two statements of identical outcome but different presumed causation).

A slide I made in 5 mins immediately before my IIW38 presentation to make this point!

In fact one such company, which raised over $75m from top-tier venture capitalists to fuel its meteoric growth, said to me (paraphrasing):

“The SSI people had a good idea. So we’re applying that idea to get customers while they’re wasting their time in working groups. You can think of us as proprietary SSI.”

It’s been a few years since I was told that. I recently checked back in on them. They’re used by tens of millions of users.

Another reusable ID company used by several million end-users, which has raised 10s of millions, told me (paraphrasing):

“We are building a monopoly. Our goal is to own the identity layer of the internet. It might not work, but if it does, we’re going to make a lot of money.”

Both companies were started after 2019 (the year the VC data model became a W3C recommendation) and chose not to use standards.

This dynamic vexed me for months. Why was the market rewarding companies with inferior identity solutions?

It took me too long to conclude that SSI is the inferior identity solution. The market determines winners and losers, better and worse — and there are important reasons the market is rejecting verifiable credentials in favor of proprietary solutions.

After 4+ years of hypothesizing, experimenting, evaluating, and iterating, I found what I consider to be intractable problems that block adoption of verifiable credentials. I do not know the answers to these problems. If you’re building in the IDtech space, you should take these problems seriously because, in my view, these are the billion-dollar questions you’ll need to crack to have any meaningful success.

Impossible problems

Impossible problem #1: Interoperability is the premise, but doesn’t exist

Standards exist to enable compatibility. If interoperability isn’t important, simple alternatives to verifiable credentials exist (such as signing — or not signing — JSON). The ability to share data with an arbitrary 3rd-party in a standardized way (without bespoke integration or direct connection to issuing source) is the core purpose of VCs. But that doesn’t actually exist right now.

In other words, the reason for the existence of VCs is not present.

This is because interoperability at the application level requires technical interoperability of keys/signatures, public key resolution, exchange protocols, request/response formats, data models, semantics, and a host of underlying elements. (Not to mention nontechnical interoperability elements, like business models and trust frameworks.) Because a myriad of VC variants, exchange protocols, signature suites, etc. have emerged over the years, which must all line up to effectively interoperate, the only practical way to achieve interoperability with others is to use the same software.

Theoretically, if everyone in the industry agreed upon a single standard to use, interoperability would be present, and there would begin to be value to adopting VCs today — but there’s a problem: which standard should be adopted? and what if it’s the wrong one?

Prematurely standardizing is a risky endeavor. But in order to find out what kind of digital credential will have real product/market fit — and thus be adopted — the world needs to experiment, iterate, innovate, over trade-offs to discover what the market will adopt.

Do you see the problem? VCs need innovation, iteration, and experimentation to succeed. But they also need standardization, agreement, buy-in, and stagnation to have value. These two forces are directly opposed. I wrote about this dynamic more in a post several years ago.

An image I made in 2022 for a post I wrote about the tension between interop & innovation.

Standardization is essential for adoption. But adoption is essential for knowing what to standardize (there’s nothing worse than standardizing the wrong thing)! Prematurely standardizing before adoption is a classic “cart before the horse” scenario.

To be clear, none of this means that there is no reason to adopt VCs now — it means every reason to adopt VCs today is in anticipation of future value. Because today, verifiable credentials offer zero marginal value relative to simpler alternatives. To rationally adopt VCs, one must make a bet on the future. Some bold companies will be willing to take that very costly journey (like we did), but most will not.

Impossible problem #2: Initial UX is worse than baseline

Verifiable credentials are always a better UX than existing identity solutions at scale, but always a worse experience initially.

I had a mask-laden conversation with the late Vittorio Bertocci at the Internet Identity Workshop in 2021 where I was working to convince him of the merits of VCs as he advocated for federated approaches.

His point: VCs aren’t necessary to share data outside its original domain. Take, for example, Airbnb wanting to verify a digital driver’s license. Instead of using a VC, DMVs could become an IdP, and Airbnb could add a “verify with X driver’s license button” into their app. The tech exists today.

My point: Yes, but nobody does that today because it doesn’t work in person, doesn’t work offline, doesn’t work when presenting multiple credentials, doesn’t work when privacy needs to be preserved, etc. But most importantly, in this example Airbnb would need to add a “verify with X” button for all 50 states, which is a very bad UX — VCs would enable one universal verification button!

I’ve thought a lot about this interaction. While I like to think I helped nudge Vittorio a bit on the value VCs could provide, you’ll notice my points are basically only relevant at scale.

For a concrete example, take AI agents who need identity wallet capabilities. We ran a whole campaign about this at Trinsic and spoke to dozens of AI agent developers (see this landing page, watch the demo video!). It’s obvious the problem exists in the long-term. As a user, it’s a pain to provision an agent access to all my accounts, info, etc. needed for it to accomplish real tasks for me. But in the near-term, 100% of the AI developers we talked to just chose to use OAuth to connect to sources where users’ data exists already (e.g. Google).

If a user already has a wallet with a bunch of useful credentials in it, obviously sharing those is a better UX than redoing the onboarding process that was required to obtain those credentials. But acquiring the wallet with credentials in the first place will always cause extra friction upfront, which businesses and users are very reluctant toward.

This problem is compounded because businesses don’t just adopt things that are a little bit better than alternatives. In order to switch behaviors or risk their careers on unproven technologies, new solutions need to be better enough to justify that extra investment. And unfortunately for VCs, for every initial use case I’m aware of, the experience is objectively worse.

I shared more insights from Vittorio here.

Impossible problem #3: Heat map is too scattered

When I was raising money for Trinsic as a general-purpose verifiable credential platform, investors would often ask what the most prominent use case for verifiable credentials was — and more specifically, what the most common use case for Trinsic’s customers was. My answer sucked:

Our customers are building use cases in education, employment, financial services, healthcare, insurance, industrials, government, and agriculture. And more!

Once, in pursuit of a better answer to this question, we plotted the industries, geographies, and use cases of 100+ paying customers. The scatter plot was all over the place. Nothing stuck out prominently. It didn’t make sense to double down on a specific industry or use case because none dominated our demand. We didn’t even have geographic consistency — adoption existed from Myanmar to Peru to USA to Romania.

My cofounder Michael continuously sounded the alarm in my ear: in order for VCs to take off, a network effect needs to take hold. No network effect will exist if all adoption is completely scattered.

This problem doesn’t just affect Trinsic, it affects the entire VC space. Until pockets of adoption breed more adoption in a virtuous cycle, the rate of adoption will be capped to a linear value — and adoption to 1+ billion people requires exponential rates.

To drive this point home, I’ll cite an example from a packed room at a previous Internet Identity Workshop, circa 2020. In a room full of decentralized ID vendors, I asked for a raise of hands: “Who has ever heard of a verifiable credential being used for a purpose other than that for which it was issued?” (In other words, who has ever heard of a verifiable credential being used for the reason the VC standard was created.)

No hand went up.

I asked again in 2024. Still crickets.

Verifiable credentials won’t take off until this sort of thing is commonplace. This cross-context data sharing simply won’t happen until both sides of the exchange are interested in similar credentials, or are from a similar industry or geography. In other words, this won’t happen until the heat map of potential use cases lights up in a particular spot. But the current nature of the market is very scattered.

Bull case

This post outlines why I’m not betting on verifiable credentials taking off anytime soon. But if I had to articulate the bull case, there are two arguments here: government mandates and timing/direction of causality.

Governments

Governments represent the silver lining for verifiable credentials. While, in my view, the private sector lacks a viable adoption path for the reasons outlined above, governments have different incentives. Governments build utilities, and there is a good argument that interoperable digital ID is a government utility. Many governments in the West are investing in VCs, most notably eIDAS 2.0. Although even that is far from settled.

Government involvement is not limited to government-issued credentials. Virtually every private sector company in the verifiable credential world (except Trinsic, for what it’s worth) has been subsidized by governments funding their preferred VC standards (DHS funding different standards than the EU, for example). Various technologies through the years have succeeded due to government mandates or subsidies–nothing wrong with it inherently–but it is a telling aspect.

Governments compelling use of interoperable digital credentials represents the most likely success case for VCs I can think of. But that scenario exists in the medium-term, not the short-term.

Timing

The other argument says that verifiable credentials are simply too early. Many of the leading reusable ID ecosystems like IDme, Yoti, CLEAR, etc. were started and initially grew before the VC standard was finalized/stabilized. So one could argue these companies, if started today, could have had the same or greater success using verifiable credentials rather than a proprietary solution.

Unfortunately, recently companies like Incode, Footprint, Plaid, and many others launched “reusable ID” products and chose not to use VCs after extensive research. And have succeeded far beyond most SSI products. Which presents a difficult rebuttal to this argument.

One cannot rule out the possibility that companies can succeed betting on the VC standard. But it’s difficult to point to examples of VCs helping a business solve problems for customers (and thus make money) — and it’s trivial to point to dozens of examples of companies sinking millions of dollars into verifiable credential infrastructure (money which could have been spent acquiring customers). One hypothesis is that tinkerers are attracted to VCs while aggressive operators are less likely to experiment on new technologies or make speculative bets on the future.

End

I referenced Vittorio earlier, and I’ll cite him one last time here. In a blog post about his involvement in the CardSpace project at Microsoft, which is a spiritual ancestor of modern SSI, he said:

“When the user centric identity effort substantially failed to gain traction in actual products, with the identity industry incorporating some important innovations (hello, claims) but generally rejecting many of the key tenets I held so dear, something broke inside me. I became disillusioned with pure principled views, and moved toward a stricter Job to be done, user cases driven stance.”

I’ve not changed my convictions on the future I want to live in. Nor has my resolve wavered in my desire to build that future. But the market has spoken. Prematurely standardizing a pre-product/market fit technology won’t work — no matter how badly zealous advocates of SSI want it to. That is why Trinsic is no longer a general-purpose verifiable credential infrastructure company.

While I don’t expect a universal standard for digital IDs will happen anytime soon, new digital IDs continue to roll out every day. These digital IDs are sometimes built with VCs, other times with mDLs, but usually in proprietary ways. Some are bound with biometrics, others with passkeys. Some are focused on solving a problem in a specific industry, others in a specific geography.

Today, the Trinsic Identity Acceptance Network represents the future of Trinsic. Instead of helping companies create digital IDs (issue verifiable credentials or create wallets for users), we help businesses accept existing digital IDs. Our strategy is a bet on continued fragmentation of the ID landscape — a bet on no single standard winning out.

In fact, I’ve become convinced that Trinsic’s current strategy to help businesses accept digital credentials is actually a necessary stepping stone to a future world powered by interoperable digital credentials. We’re still ushering the world in that direction, just from a different angle.

Of course, I could be wrong, and I hope I am. My ears and eyes are wide open for new information. My only objective is to see reality as clearly as I can. If you have information you believe I’m missing, I’d love to hear from you and have a conversation. Sincerely! You can DM me on LinkedIn or Twitter, or shoot me an email riley@trinsic.id.

Thanks to Kim Hamilton Duffy, Gerald Glickman, Timothy Ruff, Eve Maler, James Monaghan, Dave Grantham, and Zachary Jones for giving feedback on a draft of this post.

--

--