FIDO4VC

A "Wallet-less" decentralized identity protocol — FIDO-authenticated Verifiable Credentials with cloud-held custody and on-device signing authority.

📖 Documentation: https://fido4vc.github.io

📝 Paper: FIDO4VC: A User-Friendly, Wallet-Less Framework for Decentralized Identity Using FIDO and OpenID4VC Protocols — to be presented as a short paper at the Open Identity Summit 2026 (HTW Dresden, May 21–22, 2026).

Demo

FIDO4VC end-to-end demo

Walk-through of the full DID-creation → issuance → presentation flow against the Docker-Compose stack in fido4vc/demo.


What is FIDO4VC?

Self-Sovereign Identity has promised user-controlled digital credentials for over a decade — and adoption has stayed in single digits, even where mandated. The hypothesis behind FIDO4VC is that this isn't a UX problem — it's a structural one: on-device wallet apps are the wrong primitive.

FIDO4VC moves the wallet off-device and removes user-side key custody. A wallet still exists; it just lives in a cloud service, cryptographically inert without a live FIDO assertion from the user. The user installs nothing. Recovery comes free from OS Passkey sync. The cloud custodian cannot present a credential without the user — and that property is enforced by the cryptosuite, not by trust.

The defensible architectural claim: a cloud wallet operator with full access to credential storage cannot present a credential. Only the user's live FIDO assertion can.


Repositories

The FIDO4VC project is split across separate repositories, one per component.

Core components

  • fido-vc-cryptosuite-ts — TypeScript reference implementation of the fido4vc-jcs-2026 W3C VC Data Integrity cryptosuite. The canonical implementation; all other components depend on it.
  • fido-vc-middleware — Express middleware bridging FIDO/WebAuthn (browser) and the walt.id Wallet API. Orchestrates registration, issuance, and presentation flows; computes WebAuthn challenges from canonicalized VPs.
  • fido-vc-verifier-sidecar — Thin Express service exposing fido-vc-cryptosuite-ts verification over HTTP. Lets non-Node verifier stacks (notably walt.id JVM) validate fido4vc-jcs-2026 signatures without porting the cryptosuite.
  • fido-vc-wallet-ui — Next.js 16 / React 19 user-facing wallet UI. Drives the three flows (register, receive, present) and talks to fido-vc-middleware and the walt.id Wallet API.

Upstream fork

  • fido4vc/waltid-identity — Fork of walt.id with the FIDO4VC integration applied. Adds the signature_ld-vp policy, ldp_vp support in issuer / verifier APIs, and the external-signature exchange flow in the Wallet API.

Documentation


How it fits together

fido-vc-wallet-ui (Next.js, browser-side WebAuthn invocation)
        │
        ├── HTTP ─► fido-vc-middleware
        │              │   ──── signer side ────
        │              │   cryptosuite.canonicalize(unsignedVP)
        │              │   → derive WebAuthn challenge
        │              │   → wrap the resulting WebAuthn assertion as a
        │              │     DataIntegrityProof on the VP
        │              │
        │              └── uses ──►  fido-vc-cryptosuite-ts
        │
        └── HTTP ─► waltid-identity  (walt.id Wallet / Issuer / Verifier APIs)
                       │
                       └── HTTP policy ──►  fido-vc-verifier-sidecar
                                               │   ──── verifier side ────
                                               │   cryptosuite.verify(signedVP)
                                               │   → recompute challenge
                                               │   → validate FIDO assertion
                                               │     against did:jwk pubkey
                                               │
                                               └── uses ──►  fido-vc-cryptosuite-ts

The cryptosuite is a single library used at both ends of the protocol:

  • Signer side: fido-vc-middleware calls cryptosuite.canonicalize() to compute the WebAuthn challenge over a JCS-canonicalized VP. The middleware never signs anything itself; the FIDO authenticator does, and the middleware wraps the resulting assertion as a DataIntegrityProof with cryptosuite="fido4vc-jcs-2026".
  • Verifier side: fido-vc-verifier-sidecar calls cryptosuite.verify() to validate a signed VP: recomputes the expected challenge, confirms it matches clientData.challenge, and verifies the FIDO signature against the public key resolved from the proof's did:jwk.

The Wallet UI itself never sees the cryptosuite — it uses @simplewebauthn/browser only to invoke WebAuthn in the browser.
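The signer-side and verifier-side steps above, as an added Node.js example that is not code from the FIDO4VC repositories and does not use the fido-vc-cryptosuite-ts API. It assumes the challenge is base64url(SHA-256) of the JCS-canonicalized VP without its proof and a hypothetical proof.assertion layout; the key pair, origin, RP ID and credential ids are constructed, and a software P-256 key stands in for the FIDO authenticator.

```javascript
// Added example, not FIDO4VC project code. Assumptions are marked ASSUMPTION.
const crypto = require('node:crypto');
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();
const b64u = (b) => Buffer.from(b).toString('base64url');

// JCS (RFC 8785) for plain JSON values: sorted keys, no whitespace.
function jcs(v) {
  if (Array.isArray(v)) return '[' + v.map(jcs).join(',') + ']';
  if (v && typeof v === 'object')
    return '{' + Object.keys(v).sort().map((k) => JSON.stringify(k) + ':' + jcs(v[k])).join(',') + '}';
  return JSON.stringify(v);
}
// ASSUMPTION: challenge = base64url(SHA-256(JCS(VP without proof))).
const deriveChallenge = (unsignedVP) => b64u(sha256(jcs(unsignedVP)));

// Stand-in for the FIDO authenticator: signs authData || SHA-256(clientDataJSON) (WebAuthn, ES256).
function authenticatorSign(privateKey, challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]); // rpIdHash|flags UP+UV|signCount
  const signature = crypto.sign('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON: b64u(clientDataJSON), authData: b64u(authData), signature: b64u(signature) };
}

// Verifier: recompute challenge, compare with clientData.challenge, check signature against did:jwk key.
function verifyVP(signedVP, expected) {
  const { proof, ...unsignedVP } = signedVP;
  if (proof.cryptosuite !== 'fido4vc-jcs-2026') return 'unknown-cryptosuite';
  const cdj = Buffer.from(proof.assertion.clientDataJSON, 'base64url'); // ASSUMPTION: proof.assertion layout
  const authData = Buffer.from(proof.assertion.authData, 'base64url');
  const clientData = JSON.parse(cdj.toString());
  if (clientData.type !== 'webauthn.get') return 'bad-type';
  if (clientData.challenge !== deriveChallenge(unsignedVP)) return 'challenge-mismatch';
  if (clientData.origin !== expected.origin) return 'bad-origin';
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'bad-rp-id';
  if ((authData[32] & 0x01) === 0) return 'user-not-present';
  const jwk = JSON.parse(Buffer.from(proof.verificationMethod.slice(8).split('#')[0], 'base64url').toString());
  const ok = crypto.verify('sha256', Buffer.concat([authData, sha256(cdj)]),
    crypto.createPublicKey({ key: jwk, format: 'jwk' }), Buffer.from(proof.assertion.signature, 'base64url'));
  return ok ? 'ok' : 'bad-signature';
}

function demo() { // constructed sample data throughout
  const expected = { origin: 'https://wallet.example', rpId: 'wallet.example' };
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const did = 'did:jwk:' + b64u(JSON.stringify(publicKey.export({ format: 'jwk' })));
  const vp = { type: ['VerifiablePresentation'], holder: did, verifiableCredential: [{ id: 'urn:example:vc-1' }] };
  const assertion = authenticatorSign(privateKey, deriveChallenge(vp), expected.origin, expected.rpId);
  const signed = { ...vp, proof: { type: 'DataIntegrityProof', cryptosuite: 'fido4vc-jcs-2026', verificationMethod: did + '#0', assertion } };
  const swapped = { ...signed, verifiableCredential: [{ id: 'urn:example:vc-2' }] }; // VP altered after signing
  return { genuine: verifyVP(signed, expected), swapped: verifyVP(swapped, expected) };
}
```

demo() verifies the untouched VP and rejects the altered one at the challenge comparison, before the signature is even checked: an assertion is bound to the exact canonical bytes of the VP it was requested for.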


Running locally

End-to-end orchestration lives in fido4vc/demo. It pulls all six prebuilt images from ghcr.io/fido4vc/* — no host JDK, Node toolchain, or Gradle build required.

git clone https://github.com/fido4vc/demo
cd demo
docker compose up -d

Then open the Wallet UI at http://localhost:3000, register, and walk through DID creation, credential receive, and present in the UI (curl payloads for issuance and presentation are in the demo README).

To hack on a component, see Build from source in the demo README, which clones the sibling repos and builds locally instead of pulling images.


Team

Created by:

Supervised by:

This research was partially sponsored by Deutsche Telekom MMS, as part of their decentralized digital identity initiatives and the SEMECO (Secure medical microsystems and communications) project.


License

All FIDO4VC component repositories are licensed under the Apache License 2.0. The walt.id fork inherits Apache-2.0 from upstream.
