FIDO4VC

Self-Sovereign Identity without the wallet app. Your Passkey is the signing power; the cloud holds only the receipts.

Self-Sovereign Identity has promised user-controlled digital credentials for over a decade. Adoption remains in single digits even where mandated. The hypothesis behind FIDO4VC is that this isn’t a UX problem — it’s a structural one. On-device wallet apps are the wrong primitive.

FIDO4VC moves the wallet off-device and removes user-side key custody. A wallet still exists; it just lives in a cloud service, cryptographically inert without a live FIDO assertion from the user. The user installs nothing. Recovery comes free from OS Passkey sync. The cloud custodian cannot present a credential without the user — that property is enforced by the cryptosuite, not by trust.

Zero install

Works on any browser with WebAuthn. No wallet app to download. No extension. Users never install software to participate.

OS-level recovery

Signing capability follows the user’s iCloud / Google / Microsoft account across every device. No seed phrase. No vendor-specific backup. Credentials survive device-generation changes.

Cloud-inert credentials

Credentials at rest are meaningless without a fresh FIDO signature: even with full database access, an attacker cannot present a VP. No prior SSI design has this property.

Familiar UX

Face ID / Touch ID / security key. The exact prompt users see dozens of times a day. Zero training cost.

FIDO4VC high-level architecture

The wallet’s two roles — where credentials live and what signs presentations — are decoupled. Credentials live in a cloud wallet service. Signing authority lives in the user’s FIDO authenticator. Issuance and presentation flows orchestrate the two via standard OpenID4VCI and OpenID4VP, with a new W3C Data Integrity cryptosuite (fido4vc-jcs-2026) gluing the FIDO assertion into the VP proof.

FIDO4VC isn’t a replacement — it slots into the existing identity stack:

  • W3C Verifiable Credentials — credentials are standard VCs, signed by issuers as today
  • W3C VC Data Integrity — proofs use the standard DataIntegrityProof shape, with a new cryptosuite
  • OpenID4VCI — issuance happens via the standard Pre-Authorized Code flow
  • OpenID4VP — presentation uses the ldp_vp proof type with cross-device or same-device flows
  • FIDO2 / WebAuthn — signing uses standard WebAuthn assertions, no custom extensions

Verifiers only need to support one new thing: the fido4vc-jcs-2026 cryptosuite. Everything else is off-the-shelf.