Identity & Authentication
VDX bridges the gap between digital wallets and enterprise identity systems. When a user presents credentials from their wallet, the platform handles verification, privacy-preserving identity matching, optional identity proofing, and user resolution, then returns standard OIDC claims to your existing authorization infrastructure.
Instant Recognition, Privacy Preserved
The first time a wallet appears, VDX links it to an internal identity through privacy-preserving HMAC fingerprinting. Raw public keys are never stored; what is stored is HMAC-SHA-256(tenant_pepper, canonical_key_bytes), which serves as a blind index entry. Because the pepper is secret, a copy of the index on its own does not let anyone test whether a public key they already know is enrolled, and because peppers are isolated per tenant, the same wallet yields unrelated fingerprints in different tenants and cannot be correlated across them.
For returning users, recognition is instant: fingerprint the presented key, look it up in the blind index, decrypt the cached attributes, issue a token. No external calls, no user interaction, no delay.
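To make the fingerprinting concrete, here is an added example in Go (not VDX's own code) of a per-tenant blind index: the wallet key is canonicalised as an RFC 7638 thumbprint input, fingerprinted with HMAC-SHA-256 under the tenant's pepper, and either resolved to a new internal identity on first sight or looked up on return. The tenant names, pepper values, the `idn_` identifier format and the sample key coordinates are all constructed for the example, and it assumes the presentation's proof of possession has already been verified before `Resolve` is called.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// canonicalECKey builds the RFC 7638 thumbprint input for an EC JWK: required
// members only, lexicographic order, no whitespace. Fingerprinting this rather
// than whatever bytes the wallet sent keeps one key from becoming two identities.
func canonicalECKey(crv, x, y string) []byte {
	return []byte(fmt.Sprintf(`{"crv":%q,"kty":"EC","x":%q,"y":%q}`, crv, x, y))
}

// Tenant holds one tenant's secret pepper and its blind index. In a real
// deployment the pepper lives in a KMS and the index in a database column;
// neither ever holds a raw public key.
type Tenant struct {
	pepper []byte
	index  map[string]string // fingerprint -> internal identity id
	minted int
}

func NewTenant(pepper []byte) *Tenant {
	return &Tenant{pepper: pepper, index: map[string]string{}}
}

// Fingerprint is HMAC-SHA-256(tenant_pepper, canonical_key_bytes). Because the
// pepper is secret, someone holding a copy of the index cannot test whether a
// public key they know is enrolled, and two tenants' indexes cannot be joined.
func (t *Tenant) Fingerprint(canonicalKey []byte) string {
	mac := hmac.New(sha256.New, t.pepper)
	mac.Write(canonicalKey)
	return hex.EncodeToString(mac.Sum(nil))
}

// Resolve maps a presented key to an internal identity, minting one on first
// sight; known reports whether the wallet had been seen before. The caller
// must already have verified the presentation's proof of possession, so the
// key being fingerprinted is one the wallet actually controls.
func (t *Tenant) Resolve(canonicalKey []byte) (id string, known bool) {
	fp := t.Fingerprint(canonicalKey)
	if id, ok := t.index[fp]; ok {
		return id, true
	}
	t.minted++
	id = fmt.Sprintf("idn_%04d", t.minted) // sequential only for readability; use random ids in practice
	t.index[fp] = id
	return id, false
}

func main() {
	// Constructed sample key; the coordinates are not a real wallet's.
	key := canonicalECKey("P-256", "x-coordinate-base64url", "y-coordinate-base64url")
	a := NewTenant([]byte("tenant-a-pepper"))
	b := NewTenant([]byte("tenant-b-pepper"))
	id, known := a.Resolve(key)
	fmt.Println("first visit: ", id, known)
	id, known = a.Resolve(key)
	fmt.Println("return visit:", id, known)
	fmt.Println("same wallet, tenant A:", a.Fingerprint(key)[:16]+"...")
	fmt.Println("same wallet, tenant B:", b.Fingerprint(key)[:16]+"...")
}
```

The index maps fingerprints to identity ids only; the canonical key bytes are consumed by the HMAC and discarded, and rotating a pepper means re-fingerprinting every enrolled key under the new one.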
For new users, the reconciliation engine evaluates configurable rules and decides: run identity verification, accept the wallet claims directly, or reject. The decision depends on the credential type, the issuer, the tenant's policies, and the available claims.
Composable Verification
When identity proofing is required, VDX orchestrates configurable verification pipelines that combine multiple methods:
| Method | Examples |
|---|---|
| OIDC | SURFconext, DigiD, FranceConnect, Azure AD |
| Document | Passport NFC, ID card OCR via ReadID, Onfido, Jumio |
| Biometric | Face liveness via iProov, Onfido, Jumio |
| OTP | Email, SMS, authenticator app |
| Wallet | EUDIW PID, mDL credential |
| Registry | Chamber of commerce, civil registry, REST API |
Methods compose in four modes: ALL (every method must pass), ANY (the user chooses one, and it must pass), THRESHOLD(n) (at least n of the methods must pass), and SEQUENCE (ordered, with the claims established by each step flowing into the next).
Each method produces identifiers, claims, an assurance level (eIDAS LoA; on the NIST SP 800-63 scale, IAL for proofing methods and AAL for authentication methods), the authentication methods used (RFC 8176 AMR values), and an evidence strength, so that downstream systems can make assurance-based access decisions.
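The four composition modes, as an added Go example (not VDX's own orchestrator): a small pipeline runner implementing ALL, ANY, THRESHOLD(n) and SEQUENCE, where only SEQUENCE passes earlier claims to later steps. The stand-in methods (PassportNFC, EmailOTP, FaceLiveness, RegistryLookup), their fixed outcomes, the numeric LoA scale, and the rule that the merged result reports the highest LoA and the union of AMR values are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Result is what one verification method reports back to the orchestrator.
type Result struct {
	Passed bool
	Claims map[string]string // claims this method vouches for
	LoA    int               // eIDAS: 1 low, 2 substantial, 3 high
	AMR    []string          // RFC 8176 values, e.g. "otp", "face"
}

// A Method receives the claims established by earlier steps (only SEQUENCE
// feeds them in; the other modes pass nil) and returns its own Result.
type Method func(known map[string]string) Result

type Mode int

const (
	All       Mode = iota // every method must pass
	Any                   // first passing method wins; the rest never run
	Threshold             // at least N must pass
	Sequence              // ordered; claims flow from step to step
)

type Pipeline struct {
	Mode    Mode
	N       int // Threshold only
	Methods []Method
}

var ErrNotVerified = errors.New("verification pipeline did not pass")

// Run executes the pipeline and merges the passing results: union of claims,
// highest LoA reached, sorted union of AMR values. Reporting the maximum LoA
// is this example's choice; the page does not fix a merge rule.
func (p Pipeline) Run() (Result, error) {
	merged := Result{Claims: map[string]string{}}
	amr := map[string]bool{}
	passed := 0
	for _, m := range p.Methods {
		var known map[string]string // nil map: reads yield "", nothing flows
		if p.Mode == Sequence { known = merged.Claims }
		r := m(known)
		if !r.Passed {
			if p.Mode == All || p.Mode == Sequence {
				return Result{}, ErrNotVerified // one failure is fatal here
			}
			continue
		}
		passed++
		for k, v := range r.Claims { merged.Claims[k] = v }
		if r.LoA > merged.LoA { merged.LoA = r.LoA }
		for _, a := range r.AMR { amr[a] = true }
		if p.Mode == Any { break } // the user's chosen method passed; stop
	}
	need := len(p.Methods)
	if p.Mode == Any { need = 1 } else if p.Mode == Threshold { need = p.N }
	if passed < need { return Result{}, ErrNotVerified }
	for a := range amr { merged.AMR = append(merged.AMR, a) }
	sort.Strings(merged.AMR)
	merged.Passed = true
	return merged, nil
}

// Constructed stand-ins for real providers, each with a fixed outcome.
func PassportNFC(map[string]string) Result {
	return Result{Passed: true, LoA: 3, Claims: map[string]string{"given_name": "Anna", "family_name": "Jansen"}}
}
func EmailOTP(map[string]string) Result {
	return Result{Passed: true, LoA: 1, AMR: []string{"otp"}, Claims: map[string]string{"email": "anna@example.org"}}
}
func FaceLiveness(map[string]string) Result { return Result{Passed: true, LoA: 2, AMR: []string{"face"}} }

// RegistryLookup needs a verified name from an earlier step; without one it
// fails, which is what separates SEQUENCE from ALL in main below.
func RegistryLookup(known map[string]string) Result {
	if known["family_name"] != "Jansen" { return Result{} }
	return Result{Passed: true, LoA: 2, Claims: map[string]string{"kvk": "12345678"}}
}

func main() {
	r, err := Pipeline{Mode: Sequence, Methods: []Method{PassportNFC, RegistryLookup}}.Run()
	fmt.Printf("SEQUENCE: loa=%d claims=%v err=%v\n", r.LoA, r.Claims, err)
	_, err = Pipeline{Mode: All, Methods: []Method{PassportNFC, RegistryLookup}}.Run()
	fmt.Printf("ALL: err=%v (registry never received the name)\n", err)
}
```

The same two methods pass under SEQUENCE and fail under ALL, because ALL runs them independently and the registry step never sees the name the passport step verified; that difference is the reason the mode is part of the policy rather than a detail of the implementation.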
Assurance Grows Over Time
A person can be verified through multiple channels over time (wallet PID, institutional OIDC, email OTP, document scan), each contributing its own assurance level. VDX computes the derived assurance dynamically: the highest LoA across all bindings, with bindings degrading once they are older than a configurable age.
Step-up authentication triggers automatically when an operation requires higher assurance than the current session provides. A user browsing a catalog might need only low assurance, while signing a contract requires high; VDX challenges the user to re-authenticate through a stronger method, and the application never has to reason about assurance levels or implement the challenge itself.
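Derived assurance and step-up together, as an added Go example (not VDX's code). It assumes a numeric eIDAS scale (1 low, 2 substantial, 3 high), that a binding older than the tenant's MaxAge counts one level lower, and that a step-up decision lists the bound channels whose effective level would satisfy the operation, so an empty list means fresh proofing is needed; the sample bindings are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Binding records one channel through which the person was verified.
type Binding struct {
	Channel    string // "wallet_pid", "oidc", "email_otp", "document"
	LoA        int    // eIDAS: 1 low, 2 substantial, 3 high
	VerifiedAt time.Time
}

// Policy is the tenant's staleness setting. The page says stale bindings
// degrade but not by how much; this example drops a stale binding one level.
type Policy struct {
	MaxAge time.Duration
}

// EffectiveLoA is the binding's level after staleness degradation.
func (p Policy) EffectiveLoA(b Binding, now time.Time) int {
	if now.Sub(b.VerifiedAt) > p.MaxAge && b.LoA > 0 {
		return b.LoA - 1
	}
	return b.LoA
}

// DerivedLoA is the highest effective level across all of the identity's bindings.
func (p Policy) DerivedLoA(bs []Binding, now time.Time) int {
	best := 0
	for _, b := range bs {
		if l := p.EffectiveLoA(b, now); l > best {
			best = l
		}
	}
	return best
}

// Session carries the assurance of the method the user actually authenticated with.
type Session struct {
	LoA int
}

type Decision struct {
	Allow      bool
	StepUpTo   int      // level the operation requires, when Allow is false
	Candidates []string // bound channels whose effective LoA meets it; empty means new proofing
}

// Authorize is the step-up check: the operation is measured against the
// session's level, not the identity's derived level.
func (p Policy) Authorize(s Session, required int, bs []Binding, now time.Time) Decision {
	if s.LoA >= required {
		return Decision{Allow: true}
	}
	d := Decision{StepUpTo: required}
	for _, b := range bs {
		if p.EffectiveLoA(b, now) >= required {
			d.Candidates = append(d.Candidates, b.Channel)
		}
	}
	return d
}

// SampleBindings is constructed data: a PID presentation from 400 days ago,
// an institutional OIDC login last month, and an email OTP two hours ago.
func SampleBindings(now time.Time) []Binding {
	day := 24 * time.Hour
	return []Binding{
		{"wallet_pid", 3, now.Add(-400 * day)},
		{"oidc", 2, now.Add(-30 * day)},
		{"email_otp", 1, now.Add(-2 * time.Hour)},
	}
}

func main() {
	now := time.Now()
	p := Policy{MaxAge: 365 * 24 * time.Hour}
	bs := SampleBindings(now)
	fmt.Println("derived LoA:", p.DerivedLoA(bs, now)) // 2: the PID binding is stale
	sess := Session{LoA: 1}                              // this session was opened with the OTP
	fmt.Printf("browse catalog (needs 1): %+v\n", p.Authorize(sess, 1, bs, now))
	fmt.Printf("sign contract (needs 3):  %+v\n", p.Authorize(sess, 3, bs, now))
}
```

With these bindings the contract signature gets a step-up with no candidates: the only high-assurance binding is stale, so the user must present the wallet PID again, which also refreshes that binding for next time.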
Enterprise IAM Integration
VDX integrates with your existing identity infrastructure rather than replacing it:
| Integration | What it does |
|---|---|
| Identity Broker | Connects to upstream OIDC providers (Keycloak, Azure AD, SURFconext) while preserving issuer_state for OID4VCI correlation |
| Token Exchange | RFC 8693 token exchange; normalizes tokens from any source into uniform STS tokens with standardized claims, ACR/AMR, and verified_claims |
| Claims Mapping | Translates between credential formats (SD-JWT, mdoc, JSON) and OIDC claims, with provenance tracking per claim |
| Impersonation & Delegation | A service acts AS the user or ON BEHALF OF the user, with nested act claims (RFC 8693) recording the full delegation chain for audit |
Enterprise applications keep using standard OIDC tokens. They don't need to know that behind the scenes, a wallet presentation was verified, an identity was matched, and claims were projected from encrypted canonical bindings.
Per-Identity Encryption
Sensitive identity data is encrypted at rest under a two-layer key hierarchy. An Identity Access Key (IAK; one per identity, a random 256-bit symmetric key) wraps the per-document Document Encryption Keys (DEKs), and each DEK encrypts its document with AES-256-GCM. The IAK is stored only in wrapped form, under the grants below.
Access is controlled through grants:
| Grant type | How it works |
|---|---|
| Org Grant | IAK wrapped by the KMS/HSM org root key, so the organization can decrypt |
| Wallet Grant | IAK sealed to the wallet's public key (HPKE), so the holder can decrypt |
| Knowledge Grant | IAK wrapped by a key derived from the user's passphrase with Argon2id, so the user can decrypt with a PIN or password |
| Sharing Grant | The DEK of one document re-wrapped for a specific recipient, for controlled data sharing |
GDPR compliance is cryptographic: destroying the IAK makes every document for that identity irrecoverable in O(1), a crypto-shredding erasure that needs no data migration. It is complete only if every wrapped copy of the IAK (every grant) is destroyed, and a DEK already handed to a recipient under a Sharing Grant stays usable by that recipient for the one document it covers. Data portability is an export command. Consent is modeled as grants with a purpose, a validity period, and instant revocation.
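The key hierarchy and the crypto-shredding erasure, as an added Go example using the standard library's AES-GCM (not VDX's implementation). It models only the Org Grant: the org root key is a process-local random key standing in for a KMS/HSM, the IAK is stored solely wrapped under it, each document's DEK is wrapped under the IAK, and erasure deletes the wrapped IAK and nothing else. The identifier names, the `iak:`/`dek:`/`doc:` associated-data labels and the sample document are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrShredded = errors.New("identity access key has been destroyed")

func newKey() []byte {
	k := make([]byte, 32) // 256-bit symmetric key
	if _, err := rand.Read(k); err != nil { panic(err) }
	return k
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil { panic(err) }
	g, err := cipher.NewGCM(block)
	if err != nil { panic(err) }
	return g
}

// seal is AES-256-GCM with a fresh random nonce prepended. The aad ties each
// ciphertext to its slot, so a wrapped key cannot be moved between records.
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return g.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(sealed) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Document keeps its body under a per-document DEK and that DEK under the IAK.
type Document struct{ wrappedDEK, body []byte }

type Identity struct {
	wrappedIAK []byte // Org Grant: IAK wrapped by the org root key; nil once shredded
	docs       map[string]Document
}

// Store stands in for the service; orgRoot would be a KMS/HSM-held key.
type Store struct {
	orgRoot    []byte
	identities map[string]*Identity
}

func NewStore() *Store { return &Store{orgRoot: newKey(), identities: map[string]*Identity{}} }

func (s *Store) CreateIdentity(id string) {
	iak := newKey() // random; exists in the clear only inside this call
	s.identities[id] = &Identity{wrappedIAK: seal(s.orgRoot, iak, []byte("iak:"+id)), docs: map[string]Document{}}
}

// iak unwraps the identity's IAK through the Org Grant.
func (s *Store) iak(id string) ([]byte, error) {
	ident, ok := s.identities[id]
	if !ok || ident.wrappedIAK == nil { return nil, ErrShredded }
	return open(s.orgRoot, ident.wrappedIAK, []byte("iak:"+id))
}

func (s *Store) Put(id, name string, plaintext []byte) error {
	iak, err := s.iak(id)
	if err != nil { return err }
	dek, slot := newKey(), id+"/"+name
	s.identities[id].docs[name] = Document{seal(iak, dek, []byte("dek:"+slot)), seal(dek, plaintext, []byte("doc:"+slot))}
	return nil
}

func (s *Store) Get(id, name string) ([]byte, error) {
	iak, err := s.iak(id)
	if err != nil { return nil, err }
	d, slot := s.identities[id].docs[name], id+"/"+name
	dek, err := open(iak, d.wrappedDEK, []byte("dek:"+slot))
	if err != nil { return nil, err }
	return open(dek, d.body, []byte("doc:"+slot))
}

// Shred is the crypto-shredding erasure: drop the wrapped IAK. Document blobs
// stay exactly as they were, but no DEK can ever be unwrapped again.
func (s *Store) Shred(id string) { s.identities[id].wrappedIAK = nil }

func main() {
	s := NewStore()
	s.CreateIdentity("idn_0001")
	s.Put("idn_0001", "passport", []byte(`{"given_name":"Anna"}`)) // constructed sample document
	pt, err := s.Get("idn_0001", "passport")
	fmt.Printf("before shred: %s err=%v\n", pt, err)
	s.Shred("idn_0001")
	_, err = s.Get("idn_0001", "passport")
	fmt.Printf("after shred:  err=%v, blob still %d bytes\n", err, len(s.identities["idn_0001"].docs["passport"].body))
}
```

The associated data is what stops a wrapped DEK from being transplanted between document slots; the Wallet, Knowledge and Sharing grants are further wraps of the same IAK (or, for sharing, of one DEK) under a different key, and in this model they would sit beside wrappedIAK and have to be deleted with it for the shred to be complete.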