identity

ID Technology Trends in March 2026

Nat 2026-03-31 No Comments
559 VIEWS
Pinterest LinkedIn LINE

March 2026 was an extremely busy month for me, with standards-related meetings such as JTC 1/SC44, SC27, and IETF just among my acquaintances.

ISO/IEC JTC 1

There are many things related to ISO that shouldn't be written about, so this will be a very brief overview.

SC27 (Information Security, Cybersecurity and Privacy) International Conference

  • a) General Assembly: March 16th/17th, 2026 b) Working Group Meeting: March 9th/13th, 2026
  • Location: Nuremberg, Germany

SC27 is a professional committee that creates and maintains standards that form the foundation of modern IT, including ISMS, cryptography, common criteria, cybersecurity, identity and privacy, and biometric authentication.

Regarding digital identity,

  • The ISO/IEC 29115 Entity Authentication Assurance Framework is currently under review. This framework outlines threats and countermeasures related to human and non-human identities.
  • ISO/IEC 27566-1 Age Assurance Systems Part 1: Framework is available free of charge.
  • Systematic review of ISO/IEC 29184 Online privacy notices and consent

These are some of the things being considered. Incidentally, SC 27/WG 5, which deals with digital identity, currently has as many as 53 standards/work items.

SC44 (Consumer Protection – Privacy by Design in Consumer Products and Services) International Conference

  • Dates: March 4th/5th, 2026
  • Location: Virtual

SC 44 is based on the already published "ISO/IEC 31700-1 (High-Level Requirements)" and "ISO/TR 31700-2 (Use Cases)," and currently, there are about four work items that are specific to particular fields. However, the details cannot be made public yet... We may be able to release more information in September.

OpenID Foundation

Progress in specifications and standardization

  • Public review of OpenID Connect Advanced Syntax for Claims (ASC) 1.0 began on March 16th.
  • Voting begins on March 22nd for the International Government Assurance (iGov) Profile for OAuth 2.0 implementer's draft.
  • 3/26 OpenID Connect Relying Party Metadata Choices 1.0 Final Specification Approved

Other Information

  • On March 11, the AIIM Threat Modeling Subgroup provided information to NIST's RFI on AI agent security.
  • On March 18th, TrustID Solutions announced the first wave of OpenID Conformance testing providers: BixeLab, FIDO Alliance, Inc., Fime, and Raidiam.

Open Wallet Foundation

While recent OWF activities have become less transparent due to the lack of public disclosure, the following can be observed from the outside:

EUDIPLO

EUDIPLO is open-source middleware for connecting existing business systems and backends with the EUDI Wallet (EU Digital Identity Wallet).

  • Version 4.0.0 was released on March 23rd. This update includes features such as the `/api` prefix for management APIs, separation of management and protocol systems in OpenAPI, an AWS KMS adapter, persistent session logs, and an integrated key and certificate management model.

identity-credential / Multipaz

  • 3/19 Version 0.98.0 released. Added translation infrastructure and support for 21 languages.

Credo

  • Added "Credo 0.5.x to 0.6.x" to the Migration Guide on March 12th. GDC information for September 1st-3rd.
  • 3/26 DIDComm ext repo transferred to OWF

IETF 125

  • Date: 2026-03-14/20
  • Location: Shenzhen, China

I couldn't attend this time because it clashed with SC27, but it seems there were a lot of proposals related to AI agents. However, many of them were just ideas and were shot down with the question, "So, are there any other implementations trying to do the same thing?"

The main points of the WG that interest me are roughly as follows:

  • OAuth WG — Authorization extensions for AI agents are surging. Several drafts have been proposed, including Multi-AI Agent Collaboration, A2A Profile for OAuth Transaction Tokens, and Agent Operation Authorization. OAuth 2.1 continues to be updated up to v15.
  • JOSE WG — The focus was on the transition to post-quantum cryptography (PQC). PQ/T Hybrid Composite Signatures, PQ KEMs, and HPKE's JWE integration were discussed, and a progress report on JSON Web Proof (JWP) was also given. Discussions on the deprecation of the "none" algorithm and RSA1_5 are also ongoing.
  • WIMSE WG — After two years since its establishment, it has entered the specification completion phase. The introduction of the WIMSE-Audience header in HTTP Signatures, the definition of the wimse:// URI scheme, and the WGLC for Workload Identity Practices are underway.
  • The WebBotAuth WG had no sessions at IETF 125. At IETF 124, there was active discussion about the negative impacts of mandatory bot authentication on the ecosystem (hindrance to anonymous browsing, risk of favoring large businesses), suggesting a reconsideration of the direction.
  • CFRG — 2 sessions were held. Discussions included proposals for reforming the cryptographic standardization process using the "Two-Lane Publication Model," progress on Longfellow ZK (PQ-secure zero-knowledge proofs), the possibility of FHE standardization at the IETF, and progress on ARKG.

Summary of Digital Identity-related trends and news for March 2026

In the field of Digital Identity as of March 2026, new challenges in identity management emerged due to the progress of legal frameworks and pilot projects in various countries, the widespread adoption of passkeys, and the rise of AI agents. The main trends are summarized below by sector.

1. Progress in digital ID policies and legal frameworks in various countries

  • Progress of eIDAS 2.0 and EUDI wallets in Europe (EU)
    • Interoperability tests among member states were conducted in Romania on March 17-18, ahead of the December 2026 deadline for the full implementation of the EUDI (European Digital Identity) wallet. [1]
    • For financial institutions and fintech companies, the question of whether or not EUDI wallets will be implemented has shifted from "will they be implemented?" to "are we ready?" [1]
  • US Developments: Utah Passes Nation's First "Digital Identity Bill of Rights" Bill
    • The Utah Legislature passed a bill (SB 275) relating to a state-approved digital identity program (scheduled to take effect on May 6, 2026)[2].
    • This bill is groundbreaking in that it requires participating companies to obtain explicit consent from users, provide only the minimum necessary attribute information (selective disclosure), and limit the purposes for which data is retained and shared. [2]
  • Update to the UK's Digital Identity Trust Framework
    • The UK government has released a pre-release version 1.0 of the UK digital verification services trust framework and has launched a public consultation on a national digital identity scheme. [3]
    • This resulted in updated certification standards for digital verification service (DVS) providers, including the introduction of a new trust mark and additional rules for orchestration service providers. [3]
  • Spain's "MiDNI" app is now fully operational.
    • Spain has announced that the "MiDNI" app, a mobile version of its national digital ID, will be fully operational from April 2, 2026. [4]
    • This means that a digital DNI (identity card) on a smartphone has the same legal effect as a physical ID and can be used for hotel check-in, age verification, and other purposes. [4]

2. Trends within Japan: My Number and Verifiable Credentials

  • The Financial Services Agency has published the results of its pilot project using Verifiable Credentials (VC) for identity verification.
    • The Financial Services Agency has published the results of a pilot project in which financial institutions utilize verifiable credentials for Know Your Customer (KYC) verification. [5]
    • The possibility of issuing a VC (Virtual Certificate) to a user based on the results of an initial identity verification and allowing it to be reused at another financial institution was explored, indicating a new direction for identity verification in the digital age. [5]
    • The Bank of Japan also published a report that same month on the overview of VC and trends in standard development, discussing the potential application of VC, which has tamper-proof and selective disclosure functions, to financial practices. [6]
  • Expansion of identity verification using My Number Card (eKYC)
    • LINE Yahoo has introduced a system that uses the "Digital Authentication App" provided by the Digital Agency to verify the identity of My Number Cards when recovering Yahoo! JAPAN ID accounts, etc. [7]
    • In private services such as PayPay, the use of the Japan Public Key Infrastructure (JPKI) for identity verification using My Number cards is rapidly becoming widespread. [8]

3. The spread of passwords and the acceleration of passwordless authentication

  • Microsoft's automatic passkey activation
    • Microsoft will begin automatically enabling passkey profiles for all Microsoft Entra ID tenants starting in March 2026. [9]
    • This forced millions of enterprise users to switch to passwordless authentication, marking a major tipping point in the adoption of passkeys. [9]
  • Reddit's use of passkeys as "Proof of Humanity"
    • Reddit announced it will implement a system to protect against bots by using passkeys (biometric authentication such as Face ID and Touch ID) to verify that users are "real people" [9].
    • This is attracting attention as a new use case for passkeys that proves a person's presence without identifying them (while maintaining anonymity) [9].

4. AI Agents and Non-Human Identity (NHI) Management

  • Challenges in Identity Management for Agentic AI (Autonomous AI Agents)
    • With the increasing prevalence of "Agentic AI," where AI autonomously performs tasks, identity management and access control (IAM) for AI agents have become an urgent necessity. [10]
    • A study by the Cloud Security Alliance (CSA) found that many organizations are unable to clearly distinguish between the behavior of AI agents and human behavior.[11]
    • Security companies such as Ping Identity and Saviynt have been announcing a number of new products for managing and monitoring the identities of AI agents.[12]

5. Age verification and protection of privacy

  • The spread and challenges of online age verification tools
    • As age verification laws aimed at ensuring children's online safety are increasingly being introduced in countries such as the United States and the United Kingdom, the use of biometric authentication and AI-based age estimation technologies is expanding. [13]
    • On the other hand, experts have raised strong concerns that these technologies could infringe on the privacy of adults and lead to a surveillance society. [13]

References

[1] Zyphe. “eIDAS 2.0 & EU Digital Identity Wallet: KYC Guide 2026”. https://www.zyphe.com/resources/blog/eidas-2-eu-digital-identity-wallet-kyc-compliance-guide

[2] Byte Back. “Utah SB 275's “Digital Identity Bill of Rights”: What It Could Mean for Businesses”. https://www.bytebacklaw.com/2026/03/utah-sb-275s-digital-identity-bill-of-rights-what-it-could-mean-for-businesses/

[3] Bird & Bird. “UK Digital IDs Early Updates for 2026”. https://www.twobirds.com/en/insights/2026/uk/uk-digital-ids-early-updates-for-2026

[4] Biometric Update. “Spain's national digital ID going live with full legal status”. https://www.biometricupdate.com/202603/spains-national-digital-id-going-live-with-full-legal-status

[5] VESS Labs. "Financial Services Agency publishes results of pilot experiment using Verifiable Credentials for identity verification". https://note.com/vesslabs/n/n0fd0ff625e97

[6] Bank of Japan. "Overview of Verifiable Credentials and Trends in Standards Development Supporting Identity Verification in the Digital Society". https://www.boj.or.jp/research/wps_rev/rev_2026/rev26j02.htm

[7] Nikkei. "LINE and Yahoo to use My Number Card 'digital authentication app' for identity verification". https://www.nikkei.com/article/DGXZQOUC108FL0Q6A310C2000000/

[8] PayPay. "PayPay surpasses 4000 million users with verified identity (eKYC)!" https://about.paypay.ne.jp/pr/20260318/02/

[9] Security Boulevard. “Passkeys Hit Critical Mass: Microsoft Auto-Enables for Millions, 87% of Companies Deploy as Passwords Near End-of-Life”. https://securityboulevard.com/2026/03/passkeys-hit-critical-mass-microsoft-auto-enables-for-millions-87-of-companies-deploy-as-passwords-near-end-of-life/

[10] Security Boulevard. “Agentic AI Governance: How to Approach It”. https://securityboulevard.com/2026/04/agentic-ai-governance-how-to-approach-it/

[11] Cloud Security Alliance. “More Than Two-Thirds of Organizations Cannot Clearly Distinguish AI Agent from Human Actions”. https://cloudsecurityalliance.org/press-releases/2026/03/24/more-than-two-thirds-of-organizations-cannot-clearly-distinguish-ai-agent-from-human-actions

[12] THINK Digital Partners. “Digital Identity: Global Roundup”. https://www.thinkdigitalpartners.com/news/2026/03/30/digital-identity-global-roundup-261/

[13] CNBC. “Online age-verification tools for child safety are surveilling adults”. https://www.cnbc.com/2026/03/08/social-media-child-safety-internet-ai-surveillance.html

Leave a comment

This site uses Akismet to reduce spam.For details of how to process comment data, please click here.