OpenID4VP Reaches Final Status

Why Your Digital Identity Stack Needs to Pay Attention

Digital identity verification is about to get a lot more standardised. OpenID for Verifiable Presentations (OpenID4VP) achieved Final specification status in July 2025. Within recent years, it has transformed from a technical protocol into a regulatory requirement affecting, for example, 450 million EU citizens. If you're working with digital identity, customer verification, or regulatory compliance, this shift impacts your technology roadmap whether you realise it or not. At Vidos, it's one of the core standards used for credentials we verify.

What exactly is OpenID4VP?

Think of OpenID4VP as the universal language for sharing digital credentials. Just as HTTPS standardised secure web communications, OpenID4VP standardises how digital wallets present credentials to verifiers.

When you apply for a mortgage, you might need to prove your identity, employment status, income, and residency. Traditionally, this means gathering documents from multiple sources: passport from government, employment letter from HR, bank statements from your bank, utility bills for address proof. OpenID4VP revolutionises this by enabling you to present multiple credentials from different issuers in a single, cryptographically verified transaction.

The protocol builds on OAuth 2.0, the same foundation that powers "Sign in with Google" buttons across the web. We're looking at an evolution of battle-tested standards that already handle billions of authentication events daily.

Why Final specification status matters

Version 1.0 reaching Final status in July 2025 fundamentally changes the risk calculation for organisations. A Final specification means:

• No more breaking changes: The protocol is frozen. Systems built today won't need rebuilding when someone decides to "improve" the standard
• Legal protection: Implementers receive intellectual property protections, reducing litigation risk
• Regulatory confidence: Governments can mandate the standard knowing it won't shift beneath them

This stability aligns with an avalanche of adoption. The EU made OpenID4VP legally mandatory for all digital identity wallets by December 2026. Switzerland, Japan, Germany, and the UK have all committed to implementations. When regulations reference a technical standard by name, that standard has crossed from "interesting technology" to "business requirement."

The regulatory landscape: From Brussels to Silicon Valley

The European Union embedded OpenID4VP directly into law through eIDAS 2.0. By December 2026, every EU member state must provide citizens with digital identity wallets that speak OpenID4VP. This represents a legal obligation with enforcement mechanisms.

The ripple effects extend far beyond Europe:

• United States: California's DMV wallet with 1.5 million participants uses OpenID4VP for mobile driving licenses
• United Kingdom: The GOV.UK Wallet launch is underway and will make all government credentials digitally available by 2027, including a UK digital ID
• Japan: Universities issue student credentials via OpenID4VP for transit discount verification
• Switzerland: Federal Electronic Wallet entered public beta earlier this year with OpenID4VP at its core with the rollout planned for 2026

Perhaps most significantly, Google built native OpenID4VP support directly into Android as of April 2025. When a protocol gets integrated into an operating system, it's past the experimental phase.

Real-world impact: Complex verification made simple

A Netherlands-Canada Digital Travel Credential pilot shows what's possible when standards align. Border crossing times dropped from minutes to 10-14 seconds, with the fastest recorded at 6 seconds. Speed tells only part of the story. Travellers presented both their digital passport and visa credentials together, border systems verified both simultaneously against different government issuers, and the combined verification completed instantly.

Financial services demonstrate even more sophisticated scenarios. Consider opening a business account, which typically requires:

• Identity verification: Government-issued ID confirming who you are
• Company registration: Proof your business legally exists
• Authorisation: Evidence you're authorised to act for the company
• Tax status: Confirmation of tax registration
• Address verification: Proof of business premises

In future, with OpenID4VP, a business owner can present all five credentials from different issuers - government, companies registry, tax authority - in one transaction. The bank's verification system confirms each credential's authenticity, checks they haven't been revoked, and validates the relationships between them (ensuring the person presenting the ID is the same person authorised by the company).

Healthcare providers leverage this for complex eligibility verification. A patient seeking specialist treatment might need to prove:

• Their identity (government credential)
• Insurance coverage (insurance company credential)
• Referral from primary care (healthcare provider credential)
• Vaccination status (health department credential)

Rather than faxing documents between offices or carrying paper folders, patients present all required credentials digitally. The receiving system verifies each credential independently while understanding their relationships.

Why standards-based verification matters for your organisation

Modern verification requires understanding complex relationships between multiple credentials from various sources. Here's where professional verification services prove their value.

A standards-compliant verification service like Vidos handles this orchestration through several key capabilities:

The Vidos Verifier: Technical verification at scale

The Verifier checks the cryptographic validity of each credential - ensuring they haven't been forged, confirming the digital signatures, validating they're from legitimate issuers. When someone presents three credentials from different countries' governments, the Verifier handles the varying signature algorithms, credential formats (W3C Verifiable Credentials, ISO mDocs, SD-JWT VCs), and revocation mechanisms each might use.

The Vidos Validator: Business logic and compliance

Technical validity alone won't suffice. The Validator applies your organisation's specific rules:

• Are all required credentials present?
• Do the credentials meet regulatory requirements for your jurisdiction?
• Are the issuers on your approved list?
• Do the credentials satisfy your risk policies?

For instance, a German bank might require that business registration credentials come from an EU member state's official registry, be less than 30 days old, and include specific company type information. The Validator enforces these rules consistently across millions of verifications.

The Vidos Authorizer: Orchestrating complex requests

Real-world verification often involves choices. An age verification request might accept either a driving licence or passport. Employment verification might accept either a recent payslip or an employer-issued credential. The Authorizer manages these presentation rules, telling wallets exactly what combinations of credentials will satisfy the request.

This flexibility matters enormously for user experience. Instead of rejection because they lack one specific credential, users see alternatives they can provide.

An interoperability reality check

The OpenID Foundation's July 2025 interoperability event achieved an 87% success rate across different implementations. That's remarkable for a new standard, while highlighting why professional verification services matter.

Consider a university verifying international student applications. Students might present:

• Secondary school credentials from 150+ countries
• Language proficiency certificates from various testing organisations
• Identity documents in dozens of formats
• Financial capability proofs from banks worldwide

Each credential type might use different standards, signature methods, and validity periods. Some might include selective disclosure (showing grades for specific subjects without revealing others), while others present all-or-nothing. A standards-based verifier abstracts this complexity, providing consistent results regardless of credential origin.

Preparing for the standards-based future

The transition to OpenID4VP is happening now. Under EU mandates, by the end of 2027, companies must support it by law. Financial institutions need it for streamlined KYC. Healthcare providers require it for privacy-compliant patient verification. Even social media platforms are adopting it for age assurance ahead of the UK's Online Safety Act enforcement in 2026.

OpenID4VP rarely deploys in isolation. Real implementations combine:

• Multiple protocols: OpenID4VP for remote verification, ISO 18013-5 for proximity scenarios
• Various credential formats: Government mDocs, education badges, professional certifications
• Different trust frameworks: National identity schemes, industry consortiums, bilateral agreements

This complexity makes building verification in-house prohibitively expensive. By the time you've implemented OpenID4VP, added format support, built revocation checking, created policy engines, and maintained issuer trust lists, you've essentially rebuilt what specialised verification services already provide.

Beyond simple verification: The ecosystem advantage

What gets us excited is that standards-based verification enables entirely new business models. Consider a car rental company that accepts:

• Digital driving licenses from any country
• Insurance credentials from any provider
• Payment credentials from any bank
• Age verification from any government source

Instead of building integrations with each potential source, they implement OpenID4VP once and immediately support thousands of credential issuers worldwide. Their competitive advantage shifts from "we accept these three types of ID" to "we accept any standards-compliant credential."

This universality extends to sector-specific scenarios:

• Education: Universities accept transcripts from any institution using verifiable credentials
• Employment: Employers verify qualifications from any accredited body
• Travel: Airlines verify health credentials from any recognised health authority
• Finance: Banks accept income verification from any registered employer

Looking ahead

There are 4 key take aways:

1. OpenID4VP represents the foundation for a fundamental shift in how organisations handle identity and verification. Organisations become capability verifiers rather than document processors. They verify cryptographic proofs instead of storing sensitive data. They implement standards-based protocols instead of building brittle integrations. It scales beautifully.
2. The standard's rapid progression from technical specification to regulatory mandate signals its maturity. With major platforms, governments, and enterprises aligned around OpenID4VP, we've reached a potential tipping point where non-adoption soon becomes competitively disadvantageous.
3. For organisations evaluating their verification and fraud mitigation strategy, the message is clear: implement comprehensive, standards-based verification that handles OpenID4VP alongside the full complexity of real-world credential ecosystems. This means supporting multiple credentials, various formats, complex presentation rules, and sophisticated validation logic.
4. The companies investing in robust verification capabilities today - whether through internal development or professional verification services - will be the ones at the forefront of tomorrow's digital economy. Those waiting risk scrambling to meet regulatory deadlines while their competitors have already moved on to building differentiated services on top of standardised verification infrastructure.

Exciting times lie ahead! If you're looking to explore digital credential verification for your organisation, get in touch to discover how Vidos can help you implement OpenID4VP and build sophisticated verification flows