A Trusted Foundation for the EUDI Wallet in Research and Education: Why eduGAIN and OpenID Federation Matter
Authors: Paul den Hertog (Strategic advisor, SURF), Niels van Dijk (Trust & Security specialist, SURF), Klaas Wierenga (Chief Information & Technology Officer, GÉANT)
Date: July 2025
This paper was written within the framework of the DC4EU Large Scale Pilot. The DC4EU project is co-funded by the European Union’s Digital Europe Programme under Grant Agreement no. 101102611.
As the European Digital Identity (EUDI) Wallet initiative advances, trust becomes a foundational requirement across sectors, for example in research and education, where digital collaboration routinely crosses national borders.
This paper makes the case for using OpenID Federation to connect the EUDI Wallet with existing academic infrastructures, particularly eduGAIN. We argue that trust in the EUDI Wallet must be grounded in both character and competence, combining ethical design with robust technical implementation and transparent governance.
EduGAIN, as a mature global identity federation, provides the infrastructure, governance and scale to support secure, interoperable digital identity in research and education. Its decentralised, community-driven model safeguards institutional autonomy and academic independence and aligns with core European values such as transparency and self-governance. These values are increasingly seen as enabling conditions for digital sovereignty in Europe. Many digital identity use cases in education and research that are already supported by eduGAIN do not require a high Level of Assurance (LoA), allowing for differentiated trust models that support innovation within appropriate safeguards.
Integrating eduGAIN into the EUDI Wallet using OpenID Federation offers a trusted, decentralised, privacy-preserving and scalable solution. This approach allows Europe to build on what already works, accelerate adoption and reinforce digital sovereignty in the research and education sector.
Keywords: Trust, OpenID Federation, European Digital Identity (EUDI) Wallet, Digital Identity, eduGAIN, Education, Research, Digital Sovereignty
As European higher education institutions increasingly depend on cross-border digital infrastructure to support mobility and collaboration, trust becomes a fundamental condition. To meet authentication and authorisation needs at scale, the research and education sector has developed a global trust infrastructure, rooted in national federations and interconnected via eduGAIN (GÉANT, 2025).
The European Digital Identity (EUDI) Wallet initiative, launched by the European Commission (2021), aims to enable EU citizens to use a secure and standardised digital identity framework based on national identities, with full control over their personal data. As the initiative evolves, it intersects with existing identity frameworks in research and education, prompting a key question: how can trust be preserved and extended in this rapidly changing landscape?
Rachel Botsman (2017) describes trust as “a confident relationship with the unknown”, a definition that captures the core challenge of digital transformation in many domains, including research and education.
OpenID Federation provides a robust, privacy-preserving model for identity verification and access management, well-suited to educational use cases within the EUDI Wallet. In this paper, we argue that integrating OpenID Federation with eduGAIN, a trusted, large-scale identity federation, enables education and research institutions to issue and verify Electronic Attestations of Attributes (EAAs) across all EU member states and beyond. These verified credentials can then be securely stored in the EUDI Wallet, ensuring interoperability, institutional autonomy, user privacy, and ultimately trust.
Botsman’s perspective on trust emphasises the dynamic and evolving nature of trust, especially as we navigate unknowns in digital interaction. Trust, in this sense, is not so much about static security features or specific technological implementations, but rather about the confidence users place in systems based on perceived familiarity, transparency, and reliability.
Stephen M.R. Covey (2006) complements this view by articulating that trust is a function of both character and competence. In digital systems like the EUDI Wallet, this translates into the ethical intentions behind the system’s design (character) and its technical efficacy and security (competence). Covey also introduces the concept of "Smart Trust" –a balanced approach that combines high trust with sound judgment. He argues that in a world of growing scepticism and rapid change, leaders and organisations that actively extend trust –rather than withholding it by default– foster greater innovation, collaboration, and performance. Ultimately, Smart Trust shows how to create a high-trust culture while still minimising risk in high-stakes environments.
Botsman, in turn, builds on this by showing how trust is shifting from traditional institutions such as governments to distributed systems like eduGAIN, where trust is primarily built through competence and transparency rather than long-standing authority. Together, their work suggests that leaders must not only demonstrate trustworthy behaviour, but also design systems –both human and technological– that enable users and organisations to evaluate and extend trust reliably. In practical terms, this means combining integrity and credibility (Covey, 2006) with mechanisms such as distributed systems, verified identities and transparent governance (Botsman, 2017) to build trust in both physical and digital interactions, in academia and beyond.
Fortunately, the principles articulated by Botsman and Covey are well aligned with the European Commission’s ambitions for the EUDI Wallet.
The insights expressed by Botsman and Covey are not abstract: they are already reflected in the digital identity practices of the research and education sector, most notably through eduGAIN.
EduGAIN is the global service that interconnects academic identity federations worldwide, simplifying access to content, services, and resources for the international research and education community (GÉANT, 2025). It brings together over 75 federation operators across Europe and beyond, with more than 6,000 connected identity providers. This enables over 27 million European students, staff and researchers to access services seamlessly across borders. The federation processes billions of transactions annually, demonstrating its established and indispensable role in supporting European research and education.
In essence, eduGAIN supports two use cases: access to services for institutions, and access to services for collaborations. In the former, the federation allows institutions to easily and securely connect to services from many vendors, public and commercial, national and international, to be used by students, staff and researchers. These services are the backbone of day-to-day work at European research and education institutions. The collaboration use case emerges when students or researchers engage in cross-border activities. Today, international student mobility is already fundamentally supported through eduGAIN, as it is the core enabler for authentication in the pan-European Erasmus Without Paper (EWP) programme. Increasingly, European University Alliances also establish trust relations between institutions across borders using eduGAIN. The research sector, just like education, has become a primary user of the international trust fabric that eduGAIN provides. Renowned research facilities like CERN and LIGO –like most other pan-European research facilities– have chosen eduGAIN as their core trust infrastructure for authentication and authorisation. Even the European Open Science Cloud (EOSC) is building on top of it.
When evaluating these use cases from a trust perspective, institutions remain autonomous and in control. Federation members define whom they trust and with whom they are willing to connect and exchange information. Typically, the national identity federation provides the trust framework that institutions rely on. In international use cases, eduGAIN connects the national federations through an interfederation. The partners themselves, however, remain in the lead and retain control when it comes to defining their trust relationships. This results in a robust, highly distributed and decentralised trust infrastructure.
The proposed integration of federated academic identities with the EUDI Wallet represents a strategic response to broader concerns about digital sovereignty and technological dependence. As outlined by De Rosa (2025), Europe's move towards more autonomous and cooperative digital infrastructures –particularly in identity management– reflects a broader geopolitical imperative to reduce reliance on Big Tech. In this light, eduGAIN exemplifies a sector-specific embodiment of strategic digital autonomy: a trust infrastructure developed, governed, and maintained by the research and education community itself, closely aligned with European values such as openness, privacy, and democratic accountability.
The EUDI Wallet, with its promise of a user-centric, privacy-preserving digital identity, has the potential to revolutionise how both students and educators authenticate themselves and gain access to educational services across borders. Integrating the eduGAIN federation with the EUDI Wallet using OpenID Federation (OpenID Foundation, 2025) would enhance interoperability and reduce the administrative burden on educational institutions, while also empowering users with greater control over their data.
However, this potential can only be realised if trust in the EUDI Wallet ecosystem is widely established and reliably maintained, and if interoperability is safeguarded using open standards and systems. These requirements directly relate to Covey’s definitions of character and competence, and reflect Botsman’s emphasis on transparency and cognizance as conditions for trust in distributed systems. By embedding the EUDI Wallet in a known and trusted ecosystem governed by the research and education community itself, the integration with eduGAIN supports both technical reliability and relational trust.
Europe has taken a value-driven giant leap with the introduction of the revised eIDAS regulation and must now move forward by joining efforts already underway in the European research and education sector.
While Botsman and Covey provide foundational insights into the relational and ethical dimensions of trust, it is equally important to examine how digital infrastructures reconfigure trust through their technical and institutional architectures. Becker and Bodó (2021) argue that blockchain-based systems do not eliminate the need for trust but rather redistribute it –from centralised institutions to decentralised mechanisms such as cryptographic protocols, consensus algorithms, and in particular the actors who design and maintain them. This reconceptualization of trust is particularly salient when comparing the European Blockchain Services Infrastructure (EBSI) and eduGAIN. EBSI, governed by national authorities, embodies a state-centric trust model in which trust is primarily derived from governmental oversight (European Blockchain Services Infrastructure, 2024). In contrast, eduGAIN is managed by and for the research and education community, reflecting a distributed governance model rooted in academic autonomy and peer accountability.
This divergence is not merely technical but also normative. In democratic societies, the independence of academic institutions from political authorities is a cornerstone of intellectual freedom and scholarly collaboration. Entrusting the governance of digital identity infrastructures to the academic sector, as in the case of eduGAIN, upholds this democratic principle by ensuring that control over authentication and access remains with the academic community rather than with centralised state actors. OpenID Federation (OpenID Foundation, 2025), when implemented within this context, reinforces a decentralised trust architecture that aligns with both the operational requirements and ethical commitments of the education and research sector. Trust, therefore, is not only embedded in technological protocols, but is also sustained through institutional autonomy, transparency, and shared sectoral governance.
OpenID Federation offers a decentralised and scalable approach to trust management that aligns closely with the needs and values of the academic community. Unlike centralised models, which can become bottlenecks or single points of failure, federated identity systems distribute trust among multiple entities. OpenID Federation presents a compelling model for European research and educational institutions by supporting both their strategic values and day-to-day operations. It respects academic autonomy by allowing institutions to maintain control over their identity providers while integrating into a broader, collaborative academic trust framework. Designed with privacy in mind, it minimises data disclosure in compliance with GDPR and the EUDI Wallet Architecture and Reference Framework (ARF), enabling secure authentication without exposing unnecessary personal information. OpenID Federation offers a decentralised and scalable trust model, designed to support a wide range of identity providers and enable smooth cross-border collaboration. By building on the widely adopted OpenID Connect protocol, it leverages proven technology, reduces implementation risks and allows institutions to capitalise on existing investments. It is already being implemented in several National Wallets, including in Italy (De Marco, 2024), the Netherlands and Sweden, and in a pilot as part of the German SPRIND initiative. It has also been selected by the Digital Credentials Consortium for issuer registry implementation (Schwartz, 2025).
Beyond trust architecture and governance, it is also essential to consider how digital infrastructures enable innovation itself. One influential perspective comes from Adam Thierer (2016), who introduced the concept of permissionless innovation. This approach promotes a regulatory environment in which experimentation and entrepreneurial activity can flourish without requiring prior approval, except in cases where clear risks are evident. This approach aligns with digital systems that differentiate Levels of Assurance (LoA), where greater oversight or verification is applied only when the potential for harm –such as fraud, data breaches, or system misuse– is significant. In contexts such as cross-border collaboration or educational credentialing, this layered model allows most innovations to proceed with minimal friction while reserving stricter controls for high-assurance scenarios. In doing so, it preserves the core principle of openness without sacrificing security or trust. For example, the issuance of a degree clearly requires a high LoA, while many other use cases in research and education do not. Thierer does not advocate for a regulatory vacuum; instead, he supports a dynamic approach in which the freedom to innovate is balanced by mechanisms for accountability. This balance strongly resonates with Covey’s concept of Smart Trust –sensibly covering middle ground between blind trust and distrust.
Building on the previously outlined use cases, we can now assess how they align with Thierer’s concept of permissionless innovation and Covey’s Smart Trust. In many cases, the risks are comparatively low and trust can be effectively managed by federated institutional identity providers, eliminating the need for a high Level of Assurance (LoA). Access-oriented scenarios include entry to licensed academic resources such as digital libraries and journal platforms, which rely on institutional affiliation rather than legally verified identity (e.g. JSTOR or Elsevier). Similarly, access to campus-based services like labs, Wi-Fi, or libraries is typically managed by the institution and involves minimal risk, thereby not requiring state-level identity proof. Another illustrative case is the Erasmus Without Paper (EWP) initiative, where cross-border student mobility already relies on eduGAIN to authenticate students without mandating a high LoA, as institutional trust relationships suffice.
Collaboration-oriented use cases further underscore the appropriateness of lower assurance levels in research and education. Virtual collaboration tools support synchronous and asynchronous educational interaction based on institutional accounts. Authentication is essential for security and accountability, but does not require verification beyond the issuing institution. Similarly, research collaboration platforms, including document repositories and code-sharing systems, typically operate based on federated identity and role-based access. In both categories, reliance on institutional credentialing within federated systems such as eduGAIN enables secure, scalable, and privacy-respecting digital interactions, while avoiding the burdens associated with high LoA requirements.
Applied to the context of the deployment of the EUDI Wallet in the research and education sector, the combination of permissionless innovation and Smart Trust suggests that innovation should be encouraged within a framework that empowers stakeholders to develop and deploy new technologies, while embedding safeguards such as standards for data protection and interoperability. In this way, Covey’s Smart Trust gives practical form to a balanced version of Thierer’s permissionless innovation –one that accelerates progress without sacrificing oversight or public confidence. This interpretation acknowledges that even within a permissionless innovation framework, appropriate safeguards and proportional oversight remain essential. Permissionless innovation has nurtured the open architecture of the Internet by allowing developers to rapidly build and share applications without requiring prior approval from central authorities. This freedom enabled the fast-paced evolution of web applications, services, and protocols –from hypertext to email and DNS– without being constrained by heavy-handed regulation. Without such an environment, many foundational technologies of the Internet would likely have been delayed, restricted, or never developed at all.
Despite its compelling advantages, the adoption of OpenID Federation within the EUDI Wallet ecosystem is not without challenges and objections. One concern relates to the initial complexity of implementation and governance coordination. OpenID Federation relies on distributed trust management, requiring institutions to take an active role in defining and maintaining trust relationships. This places greater responsibility on individual organisations, which may lack the technical capacity or human resources to manage such complexity, particularly in countries or institutions with less-developed digital infrastructure.
Another challenge is the heterogeneity of federation maturity across Europe. While some National Research and Education Networks (NRENs) and their identity federations have well-developed governance models and high levels of interoperability, such as SURFconext in the Netherlands or SWAMID in Sweden, others are still evolving. This unevenness may hinder consistent implementation, leading to fragmentation and disparities in user experience and access. Without deliberate support and investment in less mature regions, the benefits may be unevenly distributed across the European Education Area.
A further counterargument concerns the perceived difficulty of auditing and monitoring decentralised systems. Critics may argue that centralised identity models, such as those governed directly by state authorities or large identity providers, offer greater auditability, uniform compliance enforcement, and potentially faster policy implementation. However, this argument overlooks the significant risks associated with centralised control, particularly in academic contexts where sovereignty, agility, and protection from political interference are vital. Centralisation can introduce single points of failure and increase the risk of top-down control or mission creep, potentially undermining the autonomy of research and education institutions.
Additionally, some policymakers may express concern that federated models like eduGAIN and OpenID Federation lack the formal legal accountability structures that underpin state-issued digital identities. From a regulatory standpoint, questions of liability in cases of identity fraud or data breaches may seem less clear-cut in a federated model where trust is shared among multiple autonomous actors. Yet this critique underestimates the extensive governance mechanisms already in place within eduGAIN and its member federations. These include adherence to open standards and protocols, service provider agreements, audits, data protection impact assessments and well-established incident response procedures. In practice, federated academic infrastructures often demonstrate a high degree of operational transparency and agility –qualities that large centralised systems may lack.
Finally, some argue that integrating federated academic identities with national wallets could dilute the user-centric and privacy-preserving vision of the EUDI Wallet by introducing non-government trust frameworks. However, this concern can be mitigated through careful architectural alignment, strong privacy-by-design principles and the inevitable coexistence of multiple interoperable trust frameworks in the ecosystem. Rather than undermining the EUDI Wallet, a well-integrated academic federation model extends its utility into research and education, fostering trust among millions of users already operating within decentralised academic ecosystems.
In sum, while these counterarguments warrant careful consideration, they do not disqualify OpenID Federation as a viable approach. Instead, they highlight areas where proactive governance, capacity building and alignment of coexisting trust frameworks are needed to ensure successful adoption across the European research and education landscape.
The integration of the EUDI Wallet into the research and education sector represents a pivotal opportunity to align technical innovation with the longstanding values of academic autonomy, transparency, and institutional trust. As argued throughout this paper, trust in digital identity systems should not be understood merely as a product of technological robustness, but as the outcome of ethical governance and distributed institutional competence (Botsman, 2017; Covey, 2006).
OpenID Federation, implemented through eduGAIN, provides a decentralised, scalable, and privacy-preserving trust framework that matches the operational and normative needs of the research and education sector. Its governance structures, based on peer accountability and institutional autonomy, provide a resilient alternative to centralised, state-controlled identity models, which may pose risks to democratic principles and academic freedom (Becker & Bodó, 2021).
While technical coordination and uneven federation maturity present real challenges, they are outweighed by the systemic benefits of autonomy, distributed trust and interoperability. Moreover, many core use cases in education –such as access to digital resources, collaborative tools, and institutional services– do not require high Levels of Assurance, further justifying a federated approach.
To ensure the EUDI Wallet’s success in research and education, its design and governance must reflect academic values such as transparency, autonomy and trust, build on existing federated infrastructures and incorporate open standards. This will not only support technical interoperability, but also reinforce institutional legitimacy and public confidence in Europe’s evolving digital identity landscape.
In an increasingly digital world, trust is not just about securing systems; it is something we consciously design to instigate confidence. The EUDI Wallet, when thoughtfully integrated with eduGAIN through OpenID Federation, embodies Botsman’s “confident relationship with the unknown”, and offers a credible, value-driven future for trustworthy verifiable credentials in European research and education.
Becker, M., & Bodó, B. (2021). Trust in blockchain-based systems. Internet Policy Review, 10(2). https://doi.org/10.14763/2021.2.1555
Botsman, R. (2017). Who can you trust? How technology brought us together and why it might drive us apart. Portfolio Penguin.
Covey, S. M. R. (2006). The speed of trust: The one thing that changes everything. Free Press.
De Marco, G. (2024, September). Discover the Italian Digital Identity Wallet [Conference presentation]. W3C TPAC 2024 Breakout Sessions. Retrieved from https://www.w3.org/2024/Talks/TPAC/breakouts/italian-wallet.pdf
De Rosa, P. (2025, May 1). Digital cooperation: The strategic response to technological dependence. CyberVerso. Retrieved from https://www.cyberverso.net/digital-cooperation-the-strategic-response-to-technological-dependence/
European Blockchain Services Infrastructure. (2024, August 16). Design your trust chain. EBSI Hub. Retrieved from https://hub.ebsi.eu/get-started/design/trust-chain
European Commission. (2021). Proposal for a regulation on a European digital identity (COM(2021) 281 final). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52021PC0281
GÉANT. (2025). eduGAIN: Connecting identity federations. Retrieved from https://edugain.org/about-edugain/what-is-edugain/
OpenID Foundation. (2025). OpenID Connect and federation specifications. Retrieved from https://openid.net/specs/openid-federation-1_0.html
Schwartz, R. X. (2025, January 7). Selecting the OpenID Federation specification for the DCC and Credential Engine Issuer Registry Project. Digital Credentials Consortium. Retrieved from https://blog.dcconsortium.org/selecting-the-openid-federation-specification-for-the-dcc-and-credential-engine-issuer-registry-f9079f620472
Thierer, A. (2016). Permissionless innovation: The continuing case for comprehensive technological freedom (Revised and expanded ed.). Mercatus Center at George Mason University.