COMPILATION ANALYSIS

Federated Identity Standards in APAC: Interoperability, Adoption, and Government Mandates

FIDO2, W3C Verifiable Credentials, and ISO/IEC 18013-5 (mobile Driver's Licence) are converging on federated identity as the APAC standard for cross-border authentication and credential verification. Singapore, Australia, and India are mandating adop

Z-M Editorial·Director·10 min read·Insight & Analysis

Introduction

Digital identity verification is fragmenting across APAC, but several jurisdictions are converging on federated identity standards that enable cross-border interoperability without centralised identity providers. Three technical standards dominate the emerging landscape:

1. FIDO2: Passwordless authentication using public-key cryptography and biometric verification (WebAuthn).
2. W3C Verifiable Credentials (VC): Cryptographically verifiable digital credentials (educational certificates, professional licenses, identity proofs) issued by trusted authorities.
3. ISO/IEC 18013-5 (mDL): Mobile Driver's Licence standard enabling digital credential transfer via NFC for contactless identity verification.

These standards are complementary, not competing. FIDO2 handles authentication (proving who you are in real-time); W3C VC handles credential issuance and verification (proving you hold a verifiable document); mDL handles credential portability (carrying credentials on a mobile device).

APAC governments are mandating or piloting adoption for digital government services, creating procurement vectors for multinational identity platforms. This analysis maps the standards landscape, adoption timelines, and compliance requirements across Australia, Singapore, India, and ASEAN.

FIDO2 and WebAuthn: Passwordless Authentication Standard

The FIDO2 Alliance (co-chaired by Google, Microsoft, Apple, Amazon, and major tech vendors) published the FIDO2 Level 1 Compliance Specification in 2019, with ongoing updates through 2025. FIDO2 enables passwordless authentication by replacing shared secrets (passwords) with asymmetric cryptography (public-private key pairs).

How FIDO2 works:

1. User registers a biometric (fingerprint, face) or hardware security key (e.g., YubiKey) with an online service (government portal, bank, enterprise).
2. The service stores the user's public key; the user's device (phone, security key) holds the private key.
3. At login, the service challenges the user with a nonce (random number).
4. The user's device verifies the user's biometric or PIN, then signs the nonce with the private key.
5. The service verifies the signature using the public key; if valid, authentication succeeds.

FIDO2 eliminates password compromise vectors: there is no shared secret to phish, no database to breach, no password to crack. [Source: FIDO2 Alliance WebAuthn Specification Level 1, FIDO2 Alliance, 2019–2025]
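The five steps above, seen from the service's side, as an added example (not code from the FIDO specifications or any vendor): a simulated authenticator plus the relying-party checks, using the WebAuthn signing input authenticatorData || SHA-256(clientDataJSON). The relying party portal.example, the key pair and all function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const RP_ID = 'portal.example';                 // hypothetical relying party ID
const ORIGIN = 'https://portal.example';
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();

// Registration: the authenticator keeps the private key, the service stores only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const stored = { publicKey, signCount: 0 };
const pending = new Set();                      // challenges issued and not yet consumed

function issueChallenge() {
  const c = crypto.randomBytes(32).toString('base64url');
  pending.add(c);
  return c;
}

// Simulated authenticator: signs authenticatorData || SHA-256(clientDataJSON).
function authenticatorSign(challenge, origin, signCount) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const authData = Buffer.alloc(37);
  sha256(RP_ID).copy(authData, 0);              // bytes 0-31: rpIdHash
  authData[32] = 0x05;                          // flags: user present (0x01) + user verified (0x04)
  authData.writeUInt32BE(signCount, 33);        // bytes 33-36: signature counter
  const signature = crypto.sign('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authData, signature };
}

// Relying-party checks; returns 'ok' or the reason for rejection.
function verifyAssertion({ clientDataJSON, authData, signature }) {
  const cd = JSON.parse(clientDataJSON.toString());
  if (cd.type !== 'webauthn.get') return 'wrong type';
  if (!pending.delete(cd.challenge)) return 'unknown or replayed challenge'; // single use
  if (cd.origin !== ORIGIN) return 'origin mismatch';                         // phishing resistance
  if (!authData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpId mismatch';
  if ((authData[32] & 0x04) === 0) return 'user not verified';
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  if (!crypto.verify('sha256', signed, stored.publicKey, signature)) return 'bad signature';
  const count = authData.readUInt32BE(33);
  if (count <= stored.signCount) return 'signature counter did not advance';  // possible cloned key
  stored.signCount = count;
  return 'ok';
}
```

The signature covers the origin the browser observed, so an assertion produced on any other origin fails the check even though the key and signature are genuine.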

Adoption and deployment:
  • Web browsers: Chrome, Firefox, Safari, Edge support FIDO2 WebAuthn natively.
  • Operating systems: Windows 10/11, macOS, iOS, Android support FIDO2 biometric or hardware key authentication.
  • Mobile banking and government: Singapore, Australia, and India are piloting FIDO2 for government-issued digital wallets and banking apps. [Source: Singapore Smart Nation 2.0 Strategic Plan, Government Technology Agency Singapore, 2022–2025; Australia Digital Identity Roadmap, Department of Home Affairs, 2024]

The FIDO2 Alliance does not mandate specific implementation; vendors may choose platform FIDO2 (using the device's built-in biometric, e.g., Windows Hello, Face ID) or cross-platform FIDO2 (using hardware security keys compatible with multiple devices). This flexibility enables diverse deployment models but creates interoperability fragmentation: a FIDO2 credential registered on iPhone may not work on Android, depending on implementation choices.

W3C Verifiable Credentials: Decentralised Credential Issuance and Verification

The World Wide Web Consortium (W3C) published the Verifiable Credentials Data Model 1.0 specification in 2019, with 2.0 updates ongoing through 2025. W3C VC enables issuers (governments, universities, employers) to issue cryptographically verifiable digital credentials that users can present to verifiers without intermediary platforms.

How W3C VC works:

1. Issuer (e.g., Australian Bureau of Statistics) creates a credential (e.g., "certified data scientist") and digitally signs it using a private key.
2. Holder (the individual) stores the credential in a digital wallet (mobile app or hardware device).
3. Verifier (e.g., an employer) requests the credential; the holder presents it.
4. Verifier cryptographically verifies the issuer's signature using the issuer's public key. If valid, the credential is authentic. [Source: W3C Verifiable Credentials Data Model 1.0, World Wide Web Consortium, 2019; updates 2025]

Critical benefit: the issuer does not need to be online during verification. The verifier only needs access to the issuer's public key (published on a trusted registry). This enables credential verification in offline environments and reduces operational dependency on centralised infrastructure.

Adoption in APAC:
  • Singapore: The Government Technology Agency (GovTech) Singapore piloted W3C VC issuance for educational credentials in 2023–2024, enabling Singaporean universities to issue digital degrees verified by employers without intermediary credential platforms. [Source: Singapore Smart Nation 2.0 Strategic Plan, 2023–2025]
  • Australia: The Department of Education piloted W3C VC for higher-education credentials in 2024; rollout to all Australian universities is planned for 2025–2026. [Source: Australia Digital Identity Roadmap, Department of Home Affairs, 2024]
  • India: NITI Aayog (India's policy think tank) published the National Digital Identity Vision in 2024, recommending W3C VC adoption for credential issuance across education, professional licensing, and government services. Pilot programs are underway with AICTE (education) and NASSCOM (tech industry). [Source: NITI Aayog National Digital Identity Vision, 2024]

Key challenge: the W3C VC ecosystem requires trusted issuer registries. Verifiers must be able to look up the issuer's public key to verify signatures. This creates a new dependency: registry governance and key revocation procedures. If an issuer's private key is compromised, the registry must immediately revoke the issuer's public key, invalidating all credentials signed with that key.

APAC governments are establishing national trusted issuer registries:

  • Australia: Department of Home Affairs maintains the Australian Trusted Issuers Registry (ATIR), published 2024.
  • Singapore: GovTech Singapore maintains the Singapore Trusted Digital Identity Registry (STDIR).
  • ASEAN: The ASEAN Regional Forum is developing the ASEAN Trusted Issuers Registry (ATSIR), with finalisation expected Q4 2026.
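
The issue, present, verify flow and the registry revocation behaviour described above, as an added example (not code from W3C or from any of the registries named here). It signs sorted-key JSON with Ed25519 as a stand-in for a real VC proof format; the in-memory registry, the did:example identifiers and all function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Deterministic serialisation so issuer and verifier sign and verify identical bytes.
function canonical(v) {
  if (Array.isArray(v)) return '[' + v.map(canonical).join(',') + ']';
  if (v && typeof v === 'object')
    return '{' + Object.keys(v).sort().map((k) => JSON.stringify(k) + ':' + canonical(v[k])).join(',') + '}';
  return JSON.stringify(v);
}

// Hypothetical trusted issuer registry: issuer id -> key id -> { publicKey, revoked }.
const registry = new Map();
function registerIssuer(issuer, keyId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  if (!registry.has(issuer)) registry.set(issuer, new Map());
  registry.get(issuer).set(keyId, { publicKey, revoked: false });
  return privateKey;                            // stays with the issuer
}
function revokeKey(issuer, keyId) { registry.get(issuer).get(keyId).revoked = true; }

function issue(privateKey, issuer, keyId, subject, claims) {
  const credential = { issuer, keyId, credentialSubject: { id: subject, ...claims } };
  const proof = crypto.sign(null, Buffer.from(canonical(credential)), privateKey).toString('base64');
  return { credential, proof };
}

// Verifier: needs only a registry lookup, never a call to the issuer.
function verify({ credential, proof }) {
  const entry = registry.get(credential.issuer)?.get(credential.keyId);
  if (!entry) return 'issuer key not in registry';
  if (entry.revoked) return 'issuer key revoked';   // rejects every credential under this key
  const ok = crypto.verify(null, Buffer.from(canonical(credential)), entry.publicKey,
                           Buffer.from(proof, 'base64'));
  return ok ? 'valid' : 'signature invalid';
}

// Constructed sample: one issuer, one credential.
const uniKey = registerIssuer('did:example:university', 'key-1');
const degree = issue(uniKey, 'did:example:university', 'key-1', 'did:example:alice', { degree: 'BSc' });
```

Checking the revocation flag before the signature means a credential signed with a revoked key is rejected even though its signature still verifies mathematically.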

ISO/IEC 18013-5: Mobile Driver's Licence (mDL) Standard

The International Organization for Standardization (ISO) published ISO/IEC 18013-5 (Identity and Travel Documents — Mobile Driver's Licence) in 2021, with implementations and extensions ongoing through 2026. ISO/IEC 18013-5 enables issuance and presentation of digitally signed driver's licences on mobile devices.

How mDL works:

1. Issuer (government transport department) issues a digital driver's licence containing name, driving class, date of birth, and photograph, digitally signed with the issuer's private key.
2. Holder (the driver) stores the mDL on their mobile device, typically using secure enclave storage (Apple Secure Enclave, Android KeyStore).
3. Verifier (police officer, rental car company, border official) scans a QR code or activates NFC on the holder's device.
4. Holder's device validates the verifier's authentication request and presents the mDL; the verifier cryptographically validates the issuer's signature.

Critical feature: selective disclosure. The mDL can present only the fields requested by the verifier (e.g., "age >18" without revealing the actual date of birth). This protects privacy by minimising data sharing. [Source: ISO/IEC 18013-5 Mobile Driver's Licence Standard, International Organization for Standardization, 2021–2026]
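
How selective disclosure can work under a single issuer signature, as an added example (not code from the standard or any mDL issuer): the issuer signs salted digests of each data element, and the holder releases only the requested items. JSON and Ed25519 stand in for the standard's CBOR/COSE encoding; the sample licence values and function names are constructed.

```javascript
const crypto = require('node:crypto');

const digest = (item) => crypto.createHash('sha256').update(JSON.stringify(item)).digest('hex');

// Issuer: one salted item per data element; only the list of digests is signed.
// The per-item random salt stops a verifier guessing undisclosed values from their digests.
function issueMdl(issuerPrivateKey, elements) {
  const items = Object.entries(elements).map(([elementIdentifier, elementValue], digestID) => ({
    digestID, random: crypto.randomBytes(16).toString('hex'), elementIdentifier, elementValue,
  }));
  const mso = JSON.stringify({ docType: 'org.iso.18013.5.1.mDL', valueDigests: items.map(digest) });
  const signature = crypto.sign(null, Buffer.from(mso), issuerPrivateKey);
  return { items, mso, signature };             // stored on the holder's device
}

// Holder: release the signed digest list plus only the requested items.
function present(mdl, requested) {
  return {
    mso: mdl.mso,
    signature: mdl.signature,
    items: mdl.items.filter((i) => requested.includes(i.elementIdentifier)),
  };
}

// Verifier: check the issuer signature, then match each disclosed item to its signed digest.
// Returns the disclosed elements, or null if anything fails.
function verifyPresentation(p, issuerPublicKey) {
  if (!crypto.verify(null, Buffer.from(p.mso), issuerPublicKey, p.signature)) return null;
  const { valueDigests } = JSON.parse(p.mso);
  const disclosed = {};
  for (const item of p.items) {
    if (valueDigests[item.digestID] !== digest(item)) return null; // altered or foreign item
    disclosed[item.elementIdentifier] = item.elementValue;
  }
  return disclosed;
}

// Constructed sample licence.
const issuerKeys = crypto.generateKeyPairSync('ed25519');
const mdl = issueMdl(issuerKeys.privateKey, {
  family_name: 'Tan', birth_date: '1990-04-12', age_over_18: true, driving_privileges: 'B',
});
```

Presenting only age_over_18 gives the verifier an issuer-backed boolean while the birth date never leaves the device.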

APAC adoption:
  • Australia: State Service Department issued the first mDL to Australian drivers in November 2023. Rollout to all Australian states is underway; all states expect full mDL support by end of 2025. [Source: State Service Department mDL Program, Department of Communities & Justice NSW, 2023–2025]
  • Singapore: Land Transport Authority (LTA) piloted mDL issuance in 2024; full rollout planned for 2025. [Source: LTA Digital Licence Program, Land Transport Authority Singapore, 2024–2025]
  • India: Ministry of Road Transport & Highways launched the Digital Driving Licence pilot in 2024, enabled by mDL standards. Full rollout across all states planned for 2026. [Source: Ministry of Road Transport & Highways Digital Driving Licence Initiative, Government of India, 2024–2026]

Key implementation challenge: mDL requires secure storage of the issuer's private signing key. If the issuer's key is compromised, all issued mDLs become cryptographically invalid. APAC governments are implementing Hardware Security Modules (HSMs) in compliance with international standards (FIPS 140-2 Level 3 minimum) to protect mDL signing keys.

Interoperability: FIDO2 + W3C VC + mDL

The three standards are complementary:

  • FIDO2: Used by the verifier (police officer, border official) to authenticate, showing that the request is legitimate before mDL or VC presentation.
  • W3C VC: Used by credential issuers (governments, universities) to issue cryptographically verifiable credentials.
  • mDL: Used by credential holders (drivers) to carry and present identity credentials on mobile devices.

An integrated workflow:

1. Government registers credential issuer in the national Trusted Issuers Registry, publishing its public key for signature verification.
2. Government issues mDL to a citizen, digitally signed with the government's private key.
3. Police officer initiates a FIDO2 authentication challenge to confirm the officer's identity.
4. Citizen presents the mDL via NFC; the police officer's device cryptographically verifies the government's signature using the public key from the registry.
5. mDL selectively discloses only the age-check result (>18, <65) without revealing the actual date of birth.

This workflow requires interoperability between FIDO2 (authentication), W3C VC (credential format), mDL (transport), and Trusted Issuers Registry (key management). APAC governments are implementing these as interdependent systems.

Government Mandates and Procurement Frameworks

Australia Digital Identity Roadmap (2024–2026):

The Department of Home Affairs mandates that all federal government service providers (Centrelink, ATO, DVA, immigration services) implement FIDO2 authentication by 30 June 2026. Support for W3C VC credential verification is required by 31 December 2026. Service providers that fail to comply face withholding of federal funding. [Source: Australia Digital Identity Roadmap, Department of Home Affairs, 2024]

Singapore Digital Identity Framework (2024–2025):

GovTech Singapore mandates that all government agencies implement FIDO2 for citizen authentication and support W3C VC for credential issuance and verification by end of 2025. Procurement contracts with private-sector technology vendors must include FIDO2 and W3C VC compliance clauses. [Source: Singapore Smart Nation 2.0 Strategic Plan, Government Technology Agency Singapore, 2024–2025]

India National Digital Identity Vision (2024–2026):

NITI Aayog recommends (non-binding but influential) that government agencies adopt FIDO2 and W3C VC by 2026. State governments are being offered grants to implement federated identity infrastructure aligned with FIDO2/W3C VC standards. [Source: NITI Aayog National Digital Identity Vision, 2024]

ASEAN Regional Framework (2024–2026):

The ASEAN Regional Forum Cybersecurity Working Group is developing ASEAN Digital Identity Standards aligned with FIDO2 and W3C VC, with finalisation expected in Q4 2026. Adoption is recommended for ASEAN member states' cross-border services (e.g., ASEAN travel documents, intra-ASEAN credential recognition). [Source: ASEAN Regional Forum Digital Identity Working Group, 2024–2025]

Compliance Landscape and Vendor Requirements

For multinational identity platforms operating in APAC, compliance requirements are:

| Jurisdiction | FIDO2 Mandate | W3C VC Support | mDL Support | Trusted Issuer Registry | Timeline | Penalties |
|---|---|---|---|---|---|---|
| Australia | Yes; government services required | Yes; educational credentials | Yes; all states | ATIR (Department of Home Affairs) | FIDO2: 30 June 2026 | Funding withholding; contract termination |
| Singapore | Yes; all government agencies | Yes; government credential issuance | Yes; LTA driver's licences | STDIR (GovTech Singapore) | End of 2025 | Procurement exclusion |
| India | Recommended (NITI Aayog, non-binding) | Recommended; pilot programs | Yes; digital driving licence | NITI Aayog recommends; no registry yet | 2026 (recommended) | None; incentives via grants |
| ASEAN (cross-border) | Recommended; regional standard | Recommended; credential recognition | Recommended; travel documents | ATSIR (under development) | Q4 2026 (target) | None; interoperability requirement |

Vendor Lock-In and Interoperability Risks

FIDO2 proprietary implementations: Major tech vendors (Apple, Microsoft, Google) implement FIDO2 in platform-specific ways. An Apple Face ID FIDO2 credential may not be transferable to Android Face ID or Windows Hello. Users are locked into platform-specific authentication, limiting credential portability.

Mitigation: The FIDO2 Alliance recommends cross-platform FIDO2 keys (hardware security keys like YubiKey) for critical government and financial services. However, hardware key adoption in APAC consumer markets remains <5%.

W3C VC Registry Dependency: W3C VC verification depends on trusted issuer registries. If an APAC government's registry goes offline or is compromised, credential verification fails at scale. This creates single points of failure for critical identity services.

Mitigation: APAC governments are implementing distributed registries (blockchain-based or geographically replicated) to reduce single-point failure risk. Australia and Singapore are piloting distributed registry models using Verifiable Data Registries (VDRs) as defined by W3C.

mDL Private Key Compromise: If a government's mDL signing key is compromised, all issued mDLs become cryptographically invalid. Recovery requires credential re-issuance to millions of citizens.

Mitigation: APAC governments are implementing hardware security modules (FIPS 140-2 Level 3 minimum) and strict key rotation procedures (annual key rotation, with 6-month grace period for verifier key updates).

Strategic Implications for APAC Identity Platforms

Federated identity standards are now the regulatory baseline for government digital services. Organisations operating identity platforms in APAC must:

1. Implement FIDO2 WebAuthn support by 30 June 2026 (Australia deadline) or end of 2025 (Singapore deadline). This includes platform FIDO2 (biometric) and cross-platform FIDO2 (hardware keys) support.

2. Support W3C VC issuance and verification by 31 December 2026 (Australia) or end of 2025 (Singapore). This includes integration with national Trusted Issuers Registries and key revocation procedures.

3. Implement mDL support for jurisdictions where government has issued mDLs (Australia, Singapore, India) or plans to issue (ASEAN member states). This includes NFC protocol support and selective disclosure capabilities.

4. Integrate with national registries: Australia (ATIR), Singapore (STDIR), and emerging ASEAN registry (ATSIR). This requires real-time registry lookups for issuer key verification.

5. Plan for interoperability across platforms: FIDO2 credentials issued on iOS must be presentable on Android; W3C VCs issued by one jurisdiction must be verifiable by verifiers in other jurisdictions; mDL tokens must work across borders (travel, cross-border transactions).

The federated identity landscape is converging toward FIDO2 + W3C VC + mDL as the APAC standard. Organisations that delay adoption will face procurement exclusion from government services, the largest digital identity market in the region.

