How do relying parties authenticate users with eIDAS 2.0 wallets?

Person presenting a digital ID on a smartphone at a modern bank reception desk while a staff member reviews credentials nearby.

Relying parties authenticate users with eIDAS 2.0 wallets by sending a presentation request to the user’s EUDI Wallet, receiving a cryptographically signed response containing verified identity attributes, and validating that response against the EU trust framework. The entire process is standardized across Member States, which means a single integration approach works for users across the EU. The sections below break down each part of the flow, from the first request to the final verification check.

What happens during a wallet-based authentication flow?

During a wallet-based authentication flow under eIDAS 2.0, the relying party sends a presentation request to the user’s EUDI Wallet, the user reviews and approves what data is shared, and the wallet returns a cryptographically signed response that the relying party verifies. The user stays in control throughout, and no data is shared without explicit consent.

In practice, the flow typically looks like this:

  1. The relying party generates a presentation request specifying which identity attributes it needs, such as name, date of birth, or nationality.
  2. The request is delivered to the user’s wallet, either via a QR code, a deep link, or a redirect, depending on the channel.
  3. The user sees exactly what is being requested and actively chooses to approve or decline the sharing of each attribute.
  4. The wallet returns a signed presentation containing only the approved attributes.
  5. The relying party validates the cryptographic signatures and checks the issuer’s credentials against the trust framework before granting access.

This flow is designed to be fast, privacy-respecting, and highly reliable. Because the wallet holds pre-verified credentials issued by trusted authorities such as governments or qualified trust service providers, the relying party does not need to re-verify the underlying data itself. The heavy lifting of identity proofing has already been done upstream.

What credentials does a relying party request from the wallet?

A relying party requests specific identity attributes from the wallet, not the entire identity document. The most common starting point is the Person Identification Data (PID), which includes core attributes such as full name, date of birth, place of birth, and nationality. Depending on the use case, relying parties can also request Electronic Attestations of Attributes (EAAs).

EAAs extend the wallet beyond basic identity. They can include a wide range of verified credentials, such as professional qualifications, driving licenses, health insurance details, or educational certificates. Relying parties in regulated sectors often need a combination of PID and one or more EAAs to meet their compliance requirements.

A key principle built into the eIDAS 2.0 framework is data minimization. Relying parties are expected to request only the attributes they genuinely need for a specific transaction. For example, an age verification check only requires confirmation that the user is above a certain threshold, not their exact date of birth. This approach protects user privacy and reduces the risk of over-collection of personal data.

How does a relying party verify the authenticity of wallet credentials?

A relying party verifies the authenticity of wallet credentials by checking the cryptographic signatures attached to the presentation against the public keys of the issuing authority, which are published on trusted registries within the EU trust framework. If the signature is valid and the issuer is recognized, the credential can be trusted.

Each credential in the EUDI Wallet is digitally signed by its issuer at the point of issuance. When the wallet presents a credential to a relying party, that credential carries a signature that proves it has not been altered and that it came from a specific, registered issuer. The relying party’s verification software checks this signature automatically.

Beyond signature validation, relying parties also check whether a credential has been revoked. Issuers maintain revocation registries, and relying parties query these registries as part of the verification process. This ensures that credentials that have expired or been withdrawn are not accepted.

The technical standards underpinning this process are defined in the Architecture and Reference Framework (ARF) developed by the eIDAS Expert Group. These standards specify the credential formats, signature algorithms, and communication protocols that all EUDI Wallet implementations must follow, ensuring interoperability across borders and systems.

What is the role of the trust framework in relying party authentication?

The trust framework is the backbone of relying party authentication under eIDAS 2.0. It defines which wallet providers, credential issuers, and relying parties are recognized as trustworthy actors within the ecosystem. Without a functioning trust framework, relying parties would have no reliable way to distinguish genuine wallet credentials from fraudulent ones.

At its core, the trust framework consists of:

  • Trusted lists: Official registries maintained by Member States that list certified wallet providers, qualified trust service providers, and recognized credential issuers.
  • Certification requirements: Wallet solutions must be certified against defined security and interoperability standards before they can be listed.
  • Relying party registration: Organizations wishing to accept EUDI Wallet credentials must register as relying parties, which establishes their legitimacy within the ecosystem.
  • Cross-border recognition: Because the framework is harmonized across the EU, a relying party in one Member State can trust credentials issued by authorities in another.

This framework transforms wallet authentication from a bilateral trust problem into a federated, scalable system. Relying parties do not need individual agreements with every credential issuer. Instead, they trust the framework, and the framework vouches for the issuers. This is what makes cross-border digital identity practical at scale.

What are the technical requirements for becoming a relying party?

To become a relying party under eIDAS 2.0, an organization must register with the relevant national authority, implement the technical interfaces defined in the Architecture and Reference Framework, and ensure its systems can send valid presentation requests and process signed credential responses. Registration is a formal requirement, not just a technical one.

On the technical side, relying parties need to implement support for the protocols and interfaces specified in the ARF. This includes the OpenID for Verifiable Presentations (OID4VP) protocol, which governs how presentation requests are sent and how wallet responses are received and processed. The relying party’s backend must be capable of validating the cryptographic signatures on incoming credentials and querying revocation registries in real time.

Relying parties also need to manage their own signing keys, which are used to sign the presentation requests they send to wallets. Users and wallets can verify these keys against the relying party’s registered entry in the trusted list, which confirms that the request is coming from a legitimate, registered service.

For organizations in financial services or government services, additional sector-specific requirements may apply on top of the baseline eIDAS 2.0 technical obligations. The good news is that the core integration pattern is consistent, which means the investment in building wallet-compatible infrastructure has broad reuse value across different services and use cases.

How does eIDAS 2.0 wallet authentication differ from existing login methods?

eIDAS 2.0 wallet authentication differs from existing login methods primarily in where trust originates. With passwords or social logins, the relying party must verify the user’s identity itself or trust a third-party platform. With EUDI Wallet authentication, the user presents credentials that were already verified and issued by a trusted authority, shifting the trust anchor upstream.

Compared to username and password combinations, wallet authentication eliminates the risks of credential stuffing, phishing, and password reuse. There is no shared secret that can be stolen from a database, because the authentication is based on cryptographic proof rather than a memorized string.

Compared to existing eID-based logins, such as national electronic identity schemes, the EUDI Wallet adds portability and selective disclosure. A user can share only the specific attributes needed for a transaction, rather than presenting a full identity document. This is a meaningful privacy improvement, especially for services that only need to confirm a single attribute.

Compared to federated logins through commercial identity providers, wallet authentication gives users direct control over their data. There is no intermediary platform that logs the authentication event or builds a profile based on where the user logs in. The interaction is between the user, their wallet, and the relying party, with no third-party observer in the middle.

For organizations that currently rely on knowledge-based authentication or document uploads for identity verification, the transition to wallet-based identity solutions also reduces operational costs. Pre-verified credentials mean less manual review, fewer friction points in onboarding, and a more consistent user experience across services.

How TrustTech helps you connect with EUDI Wallet authentication

Implementing relying party authentication for eIDAS 2.0 wallets involves navigating registration requirements, technical integrations, trust framework compliance, and sector-specific rules all at once. That is a significant undertaking, especially for organizations that are still building their understanding of how the EUDI Wallet ecosystem works in practice.

TrustTech supports organizations through every step of this process. Whether you are just starting to assess your readiness or already working toward a concrete implementation timeline, TrustTech brings the technical depth and regulatory expertise to move you forward with confidence. Specifically, TrustTech helps with:

  • Relying party registration and navigating the requirements set by national authorities
  • Technical integration of OID4VP and wallet-compatible credential verification into your existing systems
  • Trust framework alignment, ensuring your infrastructure connects correctly to EU trusted lists and revocation services
  • Reusable identity infrastructure that works across onboarding, authentication, and qualified signatures in a single platform
  • Sector-specific guidance for regulated industries such as healthcare, finance, and government

TrustTech’s platform is built on European digital identity standards and designed to be eIDAS 2.0 ready by design, so you are not retrofitting compliance into a system that was never built for it. If you want to understand what it takes to become a relying party and how to make wallet authentication work for your organization, get in touch with TrustTech and let’s talk through your specific situation.