Identity standards, explained
The protocols that hold identity together, in plain language: what each one is, how it works, where it stands, and the pitfalls to avoid. For the at-a-glance status table, see the research tracker.
OAuth 2.0 is the delegated authorization framework that lets an app obtain scoped access to resources on a user's behalf. It is about access, not identity.
OAuth 2.1 is a consolidation of OAuth 2.0 plus a decade of security best practice into a single, safer-by-default specification.
OpenID Connect is the identity layer on top of OAuth 2.0. It is what you use to log a user in and learn who they are.
SAML 2.0 is the XML-based standard behind enterprise single sign-on. It is older than OIDC but remains the lingua franca of enterprise federation.
WebAuthn and FIDO2 are the standards behind passkeys and security keys: public-key authentication that is resistant to phishing by design.
FAPI is a hardened OAuth and OIDC security profile for high-risk APIs such as open banking, where a standard OAuth setup is not strong enough.
SCIM is the standard for automatically provisioning and deprovisioning user accounts across applications. It is how identity flows between systems.
Verifiable Credentials are tamper-evident digital credentials a user holds in a wallet and presents without contacting the issuer. They underpin decentralized identity and the EU wallet.
Decentralized Identifiers are identifiers a subject controls without a central registry, resolving to a document of public keys and endpoints. They anchor the trust in decentralized identity.
eIDAS 2.0 mandates a digital identity wallet for every EU citizen and is the largest real-world driver of decentralized identity, verifiable credentials, and the OpenID4VC protocols.
ISO/IEC 18013-5 is the standard for driver's licenses issued to a phone wallet, with selective disclosure in person and, via 18013-7, online. It is the fastest-moving government credential format.
OpenID4VC is the OpenID Foundation family that issues and presents verifiable credentials over OAuth 2.0. It is the transport layer turning decentralized identity standards into working wallets.