One thing that is severely lacking in the digital world today is trust. How can you tell if a message, email, website or app can be trusted? Most people rely on familiarity, hoping that things that worked previously will continue to be ok. That’s a pretty weak basis for trust. When a message is fraudulent or an email account has been taken over, it can be very difficult to tell. It should not be this way. We’ve had the technology to ensure the authenticity and integrity of digital messages for over 30 years – namely cryptographic digital signatures where the secret keys are protected in secure hardware like a smart card or the secure element of the phone. With this technology, you can tie the message to a specific hardware device that is in the possession of a particular person. This makes it much more difficult for fraudsters to pretend to be someone they are not. Unfortunately, the incentives have not aligned to enable the integration and adoption of this technology.
But things are changing.
Regulatory pressure is gradually forcing device manufacturers to open up access to the secure elements in their devices. This technology is critical to securing the digital wallets that will contain those secret keys that we can use to interact and transact digitally in the future. In 2024 we saw two concessions made by Apple, and I’m sure this is not the end of it.
Wallets will become ever more important in our digital interactions. Today, some payment credentials are hosted in wallets; tomorrow, cryptocurrencies, CBDCs, asset tokenization, and digital identity will all need secure wallets to hold those all-important secret keys.
What will be needed to deliver the wallets that meet the needs of ordinary people?
In the cryptocurrency space, there have been vivid examples of how things can go wrong. One approach to wallets is to put the onus on the individual to manage their own. As James Howells of Newport in Wales discovered, when his partner mistakenly threw out the hard drive containing the keys to his Bitcoin stash, this can easily go wrong.
The self-sovereign identity community pursued the idea that individuals have total control over their data including being able to choose where to store their identity data. The problem is that this can place too much responsibility on the user – most people will not be able to make such a choice.
The alternative is for an organisation to manage the wallet for the individual – in other words, custodial wallets. Unfortunately, some early entrants – like Mt. Gox and more recently Ronin – were not very good custodians, suffering breaches and exposing their customers to losses. That doesn’t mean the custodial approach is wrong. But it does show the need for standards and regulations to ensure that custodial services deliver the assurances that end-users need.
Commercials have been a challenge in wallet payments, with some wallet providers taking a slice of every transaction. The question here is simply whether or not the slice taken is reasonable. The commercials for non-payment use cases (such as digital identity) are more complex. Placing a value on the data being exchanged can be difficult as can determining the proportion of any value that should be given to the distribution channel, i.e. the wallet. Public sector initiatives such as eIDAS in the EU and Mobile Driving Licences in the US may be able to side-step these issues as long as the public sector sees creating trust in the digital world as a societal good. You would hope they would take this view, given that the economic upside could be enormous.
Adoption of wallets will depend on wallet users being happy that they are protected, secure, and have recourse when things go wrong. In the card payments world, those assurances are provided by the card issuer, not the wallet provider. That might be ok for someone with a wallet that contains one or two cards. What happens when the wallet contains multiple payment instruments, digital identity documents, digital assets, and more? Who is going to help the customer then? It would be reasonable to expect the custodial wallet provider to play a role, and perhaps provide some insurance against losses.
Too often the digital trust conversation has been reduced to ‘can a business trust its customer’. That only addresses half of the problem – customers need to trust businesses too. This one-sided approach leaves the digital world open to criminals, who can pretend to be businesses to take over or fake transactions. A holistic approach to digital trust is what we desperately need. Transactions should be wallet to wallet – with verification of credentials being performed by both parties. Mutual authentication. Great progress is being made but there is a long way still to go.
This editorial piece was originally published in The Paypers' Global Payments and Fintech Trends Report 2025. The report compiles insights and expertise from leaders representing companies across the financial services spectrum, and it delves into the latest innovations and trends in payments and fintech across key markets worldwide.
Steve Pannifer is Managing Director at Consult Hyperion. He has worked with card schemes, banks, mobile operators, and others developing innovative products and services exploiting new technology. Steve is a well-known expert in digital identity having worked on numerous digital identity initiatives around the world.
Consult Hyperion is an independent strategic advisory and technical consultancy specialising in secure electronic transactions. For the last 30 years, we’ve helped our clients explore the opportunities created by advances in technology, regulation, and consumer behaviour. With global knowledge and practical experience, we’ve helped organisations across the globe define and deliver their payment and identity strategies.
Consult Hyperion is part of Fime, a global leader in consulting, testing, and certification services.