Decentralized Identifiers (DIDs)
A W3C standard for globally unique, self-sovereign identifiers that are controlled by the subject rather than a central authority, enabling verifiable identity without depending on any single provider.
Decentralized Identifiers (DIDs) are a W3C standard (DID Core 1.0) for creating identifiers that are fully controlled by the identity owner, not by any centralized registry. A DID looks like did:ethr:0x1234...5678 or did:web:example.com. Each DID resolves to a DID Document containing public keys, authentication methods, and service endpoints. The identity owner controls the private keys and can update or deactivate the DID without permission from any authority. DIDs enable Verifiable Credentials -- cryptographically signed attestations (degree, employment, age) that can be presented and verified without contacting the issuer. This is the foundation of self-sovereign identity (SSI).
Security Model
DID security is based on public-key cryptography. The DID controller holds private keys that correspond to verification methods in the DID Document. Security depends on key management practices, the security of the DID method's underlying infrastructure (blockchain, web hosting), and proper implementation of DID resolution and verification. Key rotation and recovery mechanisms vary by DID method. The decentralized nature means there's no central authority to reset credentials.
Implementation
high complexityUser Experience
DIDs are currently invisible to most end users -- they interact with wallets and credentials, not raw DIDs. The ideal UX presents DIDs as human-readable names (ENS, domain-based) rather than cryptographic strings. Credential presentation should be as simple as showing an ID card: select the credential, approve sharing, done. Current reality: wallet UX is still confusing, key backup is scary, and credential ecosystems are fragmented.
Platform Examples
Microsoft ION
DID method anchored on Bitcoin using the Sidetree protocol. Microsoft uses DIDs for Entra Verified ID, enabling verifiable credentials for employee badges and educational credentials.
Spruce
Develops DID and VC infrastructure. Created the SIWE standard and SpruceID toolkit. Uses did:key and did:pkh for wallet-based identity.
Civic
Identity verification platform using DIDs and VCs. Users complete KYC once and reuse the verifiable credential across multiple services.
cheqd
DID and VC infrastructure on Cosmos blockchain. Enables payment for credential verification, creating an economic model for identity.
Tradeoffs
Strengths
- Self-sovereign -- no dependency on any single authority or platform
- Globally unique and resolvable across systems
- Enables verifiable credentials with selective disclosure for privacy
- Interoperable standard (W3C) with growing ecosystem support
- Persistent -- identifiers survive platform shutdowns
- Censorship-resistant (for blockchain-based methods)
Weaknesses
- Key management complexity places a heavy burden on users
- Ecosystem fragmentation -- many competing DID methods
- Limited mainstream adoption and tooling maturity
- Regulatory compliance uncertainty (GDPR right to erasure vs immutable DIDs)
- Key loss means permanent identity loss without recovery mechanisms
- Resolution performance varies dramatically by DID method
Likely Follow-Up Questions
- How do Decentralized Identifiers differ from traditional federated identity (OIDC/SAML)?
- What are the trade-offs between different DID methods (did:web vs did:ethr vs did:key)?
- How do Verifiable Credentials enable privacy-preserving identity verification?
- What are the key management challenges for DIDs and how would you solve them?
- How would you design a system that bridges DID-based identity with traditional authentication?
- What regulatory challenges do DIDs face and how might they be addressed?
Related Auth Methods
Source: editorial — Decentralized Identifiers deep dive covering W3C standards, DID methods, verifiable credentials, and self-sovereign identity for interview preparation.