It doesn’t help that this discussion mixes aspects of identity, entitlement and authentication. Verified credentials are just attributes of an identity. The verification merely adds provenance to those attributes. It’s not intended to prove your ID or entitlement to use the credentials. Separate to that, there’s a need to authenticate the bearer of the identity. Strictly speaking, the authentication doesn’t prove they are who they say they are, it just proves they are entitled to grant access to their ID and particular attributes of it. For example, in an age verification scenario, you really don’t need to know more about me than I have a trusted ID, and my age is over the threshold. Privacy law says you shouldn’t ask for data beyond what’s needed for the use case. A properly set up ID system should allow me to give consent for you to access the ID attributes you need, and no others - in a similar way to when an app asks to use mic, camera, etc. I’m probably not explaining this well - it’s worth reading someone like David Birch of Consult Hyperion to get the real expert view on this. Suffice to say, it’s not easy but it’s doable The problem is exclusion. We have two classes of users. One class is equipped with powerful devices that can deliver a rich mix of authentication factors: knowledge; possession: and inherence. The other class don’t have smartphones, and we need not to exclude them