Publications

Passwordless Login with EUDI Wallets: Leveraging Verifiable Credentials for Secure, User-Centric Authentication, a paper by iGrant.io

Eliminate signing in with passwords using OpenID4VP and Keycloak with the iGrant.io Organisation Wallet Suite. Introducing EUDI Wallet-based authentication.

Event Details

12 Mar 2026

Description

Traditional password-based authentication remains the dominant method for accessing online services despite well-documented security weaknesses, including credential reuse, susceptibility to phishing, password fatigue, and the operational burden of password reset flows. The European Digital Identity (EUDI) Wallet ecosystem, mandated by eIDAS 2.0 (Regulation (EU) 2024/1183), presents a compelling opportunity to replace passwords entirely by leveraging cryptographically verifiable credentials stored in users’ secure, government-backed digital wallets. Download the paper to explore a practical architecture and reference implementation for passwordless login using EUDI Wallets.

This paper presents a standards-based approach demonstrated using the iGrant.io Organisation Wallet Suite integrated with Keycloak as the identity and access management (IAM) platform. By bridging the EUDI Wallet ecosystem with established IAM infrastructure through the OpenID Connect protocol, organisations can offer a “Sign in with EUDI Wallet” capability supporting three credential types: Person Identification Data (PID), Photo ID, and a dedicated Strong Customer Authentication (SCA) Authenticator as specified in TS12 of the EU Architecture and Reference Framework (ARF).

The architecture establishes a foundational authentication layer with broad applicability. In particular, it provides the high-assurance identity verification required before any form of delegated authority can be issued, whether to human representatives or autonomous software agents. The cryptographic trust chain, from government-issued wallet credentials through verified presentation to an authenticated session, creates the assurance guarantees needed for sensitive domains, including financial services, healthcare, and government services.

Beyond authentication, the paper explores how this architecture extends to delegated authority and AI agent credentials, where passwordless wallet-based login provides the trust anchor required for issuing scoped, time-bound, revocable credentials to AI agents and human representatives acting on behalf of verified users and organisations.