Data Wallet

The core identity anchor for a data wallet. A DID is a globally unique, cryptographically verifiable identifier that is not issued by a central authority (like an email address). It is typically stored on a blockchain or decentralized network and is controlled by the user's private keys. This enables self-sovereign identity, where users own and control their identity without depending on any single organization.

The primary data format for claims and attestations. A Verifiable Credential is a tamper-evident digital credential (like a diploma or driver's license) issued by an authority. It contains cryptographically signed claims and metadata. The wallet stores these VCs and can generate Verifiable Presentations—selective proofs derived from credentials—to share with verifiers without revealing the underlying credential data.

The secure cryptographic engine of the wallet. This feature manages the user's private keys, which are used to:

• Sign transactions and verifiable presentations.
• Authenticate the user to services using their DID.
• Decrypt encrypted data sent to the wallet. Management can range from simple local storage to advanced custodial or non-custodial models, with some wallets integrating hardware security modules (HSMs) or secure enclaves for enterprise-grade protection.

A privacy-preserving mechanism that allows users to share minimal, necessary proof. Instead of showing an entire credential, the wallet can use zero-knowledge proofs (ZKPs) or hash comparisons to prove specific attributes (e.g., "I am over 21") without revealing the underlying data (the exact birth date or document number). This is fundamental for data minimization and compliance with regulations like GDPR.

Standardized workflows for secure interactions. Data wallets implement open protocols to ensure interoperability. Key protocols include:

• DIDComm for secure, encrypted peer-to-peer messaging.
• OpenID Connect (OIDC) or SIOPv2 for federated login using DIDs.
• W3C Verifiable Credentials Data Model for the structure of credentials.
• Aries RFCs for specific issuance and presentation flows. These protocols govern how wallets discover, request, issue, present, and verify credentials.

The ability to function across different ecosystems. A core principle of data wallets is that identity and credentials should not be locked into a single vendor or platform. This is achieved through adherence to open standards (like those from W3C and DIF), support for multiple blockchain networks for DID anchoring, and the ability to export/backup wallet data in standard formats. This ensures user sovereignty and reduces vendor lock-in.

Data wallets serve as the primary interface for managing Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs). They allow users to:

• Create and store their self-sovereign identity.
• Receive and present cryptographically signed credentials (e.g., proof of age, KYC status).
• Control which dApps or services can access specific identity attributes, enabling selective disclosure without revealing the entire identity document.

Data wallets replace traditional username/password logins for Web3 applications. They provide secure cryptographic authentication through methods like sign-in with Ethereum (SIWE). Key functions include:

• Generating and signing login messages to prove ownership of a blockchain address.
• Managing active sessions and permissions for connected dApps.
• Serving as a universal login mechanism across the decentralized web, eliminating the need for separate accounts on each platform.

Beyond identity, data wallets are the primary tool for interacting with blockchain-based assets. They enable users to:

• Securely store private keys and seed phrases for multiple blockchain accounts.
• View balances of tokens and NFTs across different networks.
• Initiate, sign, and broadcast transactions (e.g., token transfers, smart contract interactions).
• Connect to decentralized exchanges (DEXs) and DeFi protocols to manage financial activities.

A core promise of data wallets is breaking down data silos. They act as a portable data layer, allowing users to:

• Aggregate data and reputation from multiple platforms into a single, user-controlled profile.
• Transport their social graph, achievements, or transaction history between compatible applications.
• Facilitate data monetization models where users can grant temporary, paid access to their data streams for analytics or advertising, with the wallet managing consent and payments.

Data wallets implement granular consent mechanisms, governed by technical standards. They allow users to:

• Set precise permissions for what data is shared, with whom, and for how long.
• Interact with Data Unions or Data DAOs to pool and license anonymized data sets.
• Leverage zero-knowledge proofs (ZKPs) to prove a claim (e.g., "I am over 18") without revealing the underlying data (their birth date). This enables privacy-preserving verification.

Prominent data wallet implementations demonstrate their varied use cases:

• MetaMask: Primarily an EVM asset wallet, now expanding into identity with Snaps.
• Argent: A smart contract wallet with social recovery and integrated DeFi/identity features.
• SpruceID: Focuses on decentralized identity, supporting Sign-in with Ethereum and credential management.
• Brave Wallet: Integrated into the Brave browser, combining privacy-focused browsing with crypto and NFT management.

The foundational identity layer for data wallets. A DID is a globally unique, cryptographically verifiable identifier that is not issued by a central authority.

• Self-Sovereignty: Created and controlled entirely by the user, independent of any organization.
• Verifiable: Linked to a DID Document containing public keys and service endpoints for authentication.
• Portable: The identity is not locked to a specific platform or provider, enabling true user-centric data control.

The standard for issuing, holding, and verifying tamper-proof digital claims. VCs are the primary data type stored in a data wallet.

• Cryptographic Proof: Credentials are digitally signed by the issuer, allowing anyone to cryptographically verify their authenticity and integrity.
• Selective Disclosure: Users can present only specific attributes from a credential (e.g., prove they are over 21 without revealing their exact birthdate).
• Zero-Knowledge Proofs (ZKPs): Advanced wallets use ZKPs to generate proofs about credential attributes without revealing the underlying data.

The security of a data wallet hinges on the secure generation, storage, and use of private keys.

• On-Device Storage: Keys are typically generated and stored locally on the user's device (e.g., in a secure enclave), never transmitted to a server.
• Recovery Mechanisms: Use of social recovery (trusted contacts), biometric authentication, or hardware security modules (HSMs) to prevent permanent loss.
• Key Separation: Different keys are often used for signing credentials, authenticating to services, and encrypting data, limiting the blast radius of a compromise.

A core privacy principle enforced by the data wallet architecture, ensuring users share only the data necessary for a transaction.

• Attribute-Based Presentation: Instead of showing a full driver's license, the wallet can generate a proof that the user is licensed and over 18.
• No Correlation: Well-designed systems prevent verifiers from linking different presentations back to the same user or wallet, reducing tracking.
• User Consent: Every data-sharing request requires explicit, informed user approval, with clear details on what is being shared and with whom.

How sensitive data is protected at rest and in transit within the wallet ecosystem.

• Local-First Storage: Credentials and personal data are encrypted and stored primarily on the user's device, not in a centralized cloud.

• End-to-End Encryption (E2EE): When data must be synced or backed up, it is encrypted with user-controlled keys before leaving the device.

• Secure Communication: All interactions with issuers and verifiers use authenticated, encrypted channels (e.g., DIDComm, OIDC SIOPv2).

Understanding the security landscape is critical for evaluating data wallet implementations.

• Phishing & Social Engineering: Attackers may trick users into signing malicious authentication requests or revealing recovery phrases.
• Device Compromise: Malware on a user's phone could attempt to exfiltrate private keys or stored credentials.
• Issuer Trust: The system's security depends on the trustworthiness of credential issuers; a compromised issuer can issue false credentials.
• Protocol Vulnerabilities: Flaws in the underlying W3C Verifiable Credentials or decentralized identity protocols could undermine the entire system.

A Zero-Knowledge Proof (ZKP) is a cryptographic method that allows one party to prove to another that a statement is true without revealing any information beyond the validity of the statement. Advanced data wallets use ZKPs for enhanced privacy.

• Application in Wallets: Used to create ZK-VCs (Zero-Knowledge Verifiable Credentials).
• Example: Proving you are over 18 from a birthdate credential without revealing your actual age or birthdate.
• Technology: Enables selective disclosure at a cryptographic level, minimizing data exposure.