Posted by Rohey Livne – Group Product Manager
In today’s interconnected world, managing digital identity is essential. Android aims to support open standards that ensure seamless interoperability with various identity providers and services. As part of this goal, we are excited to announce that Android, via Credential Manager’s DigitalCredential API, now natively supports OpenID4VP and OpenID4VCI for digital credential presentation and issuance respectively.
What are digital credentials?
Digital credentials are cryptographically verifiable documents. The most common emerging use case for digital credentials is identity documents such as driver’s licenses, passports, or national ID cards. In the coming years, it is anticipated that Android developers will develop innovative applications of this technology for a wider range of personal credentials that users will need to present digitally, including education certifications, insurance policies, memberships, permits, and more.
Digital credentials can be provided by any installed Android app. These apps are known as “credential holders”; typically digital wallet apps such as Google Wallet or Samsung Wallet.
Other apps not necessarily thought of as “wallets” may also have a use for exposing a digital credential. For example an airline app might want to offer their users’ air miles reward program membership as a digital credential to be presented to other apps or websites.
Digital credentials can be presented by the user to any other app or website on the same device, and Android also supports securely presenting Digital Credentials between devices using the same industry standard protocols used by passkeys (CTAP), by establishing encrypted communication tunnels.
Users can store multiple credentials across multiple apps on their device. By leveraging OpenID4VP requests from websites using the W3C Digital Credential API, or from native apps using Android Credential Manager API, a user can select what credential to present from across all available credentials across all installed digital wallet apps.
How digital credentials work
Presentation
To present the credential, the verifier sends an OpenID4VP request to the Digital Credential API, which then prompts the user to select a credential across all the credentials that can satisfy this request. Note that the user is selecting a credential, not a digital wallet app:

Once the user chooses a credential to proceed with, Android platform redirects the original OpenID4VP request to the digital wallet app that holds the chosen credential to complete the presentation back to the verifier. When the digital wallet app receives the OpenID4VP request from Android, it can also perform any additional due-diligence steps it needs to perform prior to releasing the credential to the verifier.
Issuance
Android also allows developers to issue their own Digital Credentials to a user’s digital wallet app. This process can be done using an OpenID4VCI request, which prompts the user to choose the digital wallet app that they want to store the credential in. Alternatively, the issuance could be done directly from within the digital wallet app (some apps might not even have an explicit user facing issuance step if they store credentials based on their association to a signed-in user account).

Over time, the user can repeat this process to issue multiple credentials across multiple digital wallet apps:

Note: To ensure that at presentation time Android can appropriately list all the credentials that digital wallet apps hold, digital wallets must register their credentials’ metadata with Credential Manager. Credential Manager uses this metadata to match credentials across available digital wallet apps to the verifier’s request, so that it can only present a list of valid credentials that can satisfy the request for the user to select from.
Early adopters
As Google Wallet announced yesterday, soon users will be able to use digital credentials to recover Amazon accounts, access online health services with CVS and MyChart by Epic, and verify profiles or identity on platforms like Uber and Bumble.
These use cases will take advantage of users’ digital credentials stored in any digital wallet app users have on their Android device. To that end, we’re also happy to share that both Samsung Wallet and 1Password will hold users’ digital credentials as digital wallets and support OpenID standards via Android’s Credential Manager API.
Learn more
Credential Manager API lets every Android app implement credential verification or provide credentials on the Android platform.
Check out our new digital credential documentation on how to become a credential verifier, taking advantage of users’ existing digital credentials using Jetpack Credential Manager, or to become a digital wallet app holding your own credentials for other apps or websites to verify.
 
                                                                             
