engineering · 9 min read
Designing identity for population scale
Six lessons from rolling out a sovereign identity stack to 25 million people — what we got right, and what we'd do differently.
Population-scale identity is not authentication at scale. It is a covenant: every citizen, every transaction, every service, for decades. The mistakes you make on day one are the ones you live with.
Six lessons from rolling out a sovereign identity stack to twenty-five million people. What we got right, what we did not, and what we would change if we were starting tomorrow.
1. Cryptographic primitives matter more than UX
We spent the first year arguing about onboarding flows. We should have spent it arguing about key derivation, hardware-backed signing, key rotation, and revocation. UX can be iterated after launch; cryptographic choices are baked into every credential you have ever issued and every relying party that verifies them. If your signing keys cannot be rotated without breaking every relying party, you have already lost.
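What "rotation without breaking relying parties" looks like in code, as an added example that is not the authors' stack: a hypothetical credential format that carries a key identifier, an issuer that rotates Ed25519 keys while keeping retired public keys published, and a relying-party check that refuses revoked keys. Ed25519, the key-ID derivation, the Credential/KeySet names and the sample payload are all assumptions for illustration; a real deployment keeps the private halves inside the HSM cluster described in lesson 3.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Credential is a stand-in for a signed token. The format is hypothetical;
// what matters is that the ID of the signing key travels with the signature.
type Credential struct {
	KeyID     string
	Payload   string
	Signature []byte
}

// KeyState is where a signing key sits in its lifecycle.
type KeyState int

const (
	Active  KeyState = iota // signs new credentials, verifies old ones
	Retired                 // verify only: credentials it issued stay valid
	Revoked                 // compromised: everything it signed must fail
)

// KeySet is the issuer's published verification material, keyed by key ID.
type KeySet struct {
	keys   map[string]ed25519.PublicKey
	state  map[string]KeyState
	active string
}

// Issuer holds the private halves. In production these never leave the HSM;
// they sit in memory here for illustration only.
type Issuer struct {
	priv map[string]ed25519.PrivateKey
	Set  *KeySet
}

func NewIssuer() *Issuer {
	return &Issuer{
		priv: map[string]ed25519.PrivateKey{},
		Set:  &KeySet{keys: map[string]ed25519.PublicKey{}, state: map[string]KeyState{}},
	}
}

// keyID derives a stable identifier from the public key itself.
func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Rotate generates a fresh key, makes it the active signer and retires the
// previous one. Relying parties keep verifying older credentials because the
// retired public key stays published.
func (i *Issuer) Rotate() (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	id := keyID(pub)
	if i.Set.active != "" {
		i.Set.state[i.Set.active] = Retired
	}
	i.priv[id] = priv
	i.Set.keys[id] = pub
	i.Set.state[id] = Active
	i.Set.active = id
	return id, nil
}

// Revoke marks a key compromised. Unlike retirement, this invalidates every
// credential the key ever signed.
func (i *Issuer) Revoke(id string) { i.Set.state[id] = Revoked }

// signingInput binds the key ID into the signed bytes, so a signature cannot
// be relabelled as coming from a different (not yet revoked) key.
func signingInput(keyID, payload string) []byte {
	return []byte(keyID + "." + payload)
}

// Sign issues a credential under the currently active key.
func (i *Issuer) Sign(payload string) Credential {
	id := i.Set.active
	return Credential{KeyID: id, Payload: payload,
		Signature: ed25519.Sign(i.priv[id], signingInput(id, payload))}
}

// Verify is the relying-party check against the published key set.
func (ks *KeySet) Verify(c Credential) error {
	pub, ok := ks.keys[c.KeyID]
	if !ok {
		return errors.New("unknown key id")
	}
	if ks.state[c.KeyID] == Revoked {
		return errors.New("key revoked")
	}
	if !ed25519.Verify(pub, signingInput(c.KeyID, c.Payload), c.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	iss := NewIssuer()
	first, _ := iss.Rotate()
	c := iss.Sign(`{"sub":"citizen-42"}`) // constructed sample payload
	iss.Rotate()                          // routine rotation: old key retired
	fmt.Println("after rotation:", iss.Set.Verify(c))
	iss.Revoke(first) // compromise: old key revoked
	fmt.Println("after revocation:", iss.Set.Verify(c))
}
```

The two operations are deliberately separate: rotation is routine and must be invisible to relying parties, revocation is an incident and must fail closed. Binding the key ID into the signed bytes is what stops an attacker from pointing a signature made under a revoked key at a key that is still active.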
2. Privacy is a product surface, not a checkbox
Selective disclosure is not a feature you add at the end. It is the data model. If your tokens cannot represent "prove you are over eighteen without revealing date of birth," you cannot retro-fit privacy. Decide your zero-knowledge story on day one. Pick a verifiable credential format that supports it. Choose primitives that make selective disclosure cheap.
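A minimal salted-digest selective-disclosure scheme, added here to make the "over eighteen without date of birth" point concrete. It is an illustration, not the authors' credential format, and follows the general shape of hashed-disclosure designs such as SD-JWT rather than any specific standard. The Disclosure/Issued/Presentation types, the digest encoding and the sample claims are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Disclosure is one claim plus the random salt that blinds its digest. The salt
// matters: a date of birth has only tens of thousands of plausible values, so
// an unsalted hash would let a verifier brute-force a "hidden" claim.
type Disclosure struct {
	Salt, Name, Value string
}

func digest(d Disclosure) string {
	sum := sha256.Sum256([]byte(d.Salt + "|" + d.Name + "|" + d.Value))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Issued is what the holder receives: a signature over the digests only, plus
// every disclosure. Claim values never enter the signed bytes.
type Issued struct {
	Digests     []string
	Signature   []byte
	Disclosures []Disclosure
}

// Presentation is what a verifier sees: the signed digests and only the
// disclosures the holder chose to reveal.
type Presentation struct {
	Digests   []string
	Signature []byte
	Revealed  []Disclosure
}

func signingInput(digests []string) []byte {
	return []byte(strings.Join(digests, "."))
}

// Issue salts every claim, sorts the digests so their order says nothing about
// which claims exist, and signs the digest list.
func Issue(priv ed25519.PrivateKey, claims map[string]string) (Issued, error) {
	var out Issued
	for name, value := range claims {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Issued{}, err
		}
		d := Disclosure{Salt: base64.RawURLEncoding.EncodeToString(salt), Name: name, Value: value}
		out.Disclosures = append(out.Disclosures, d)
		out.Digests = append(out.Digests, digest(d))
	}
	sort.Strings(out.Digests)
	out.Signature = ed25519.Sign(priv, signingInput(out.Digests))
	return out, nil
}

// Present reveals claims by name; everything else stays an opaque digest.
func Present(cred Issued, reveal ...string) Presentation {
	p := Presentation{Digests: cred.Digests, Signature: cred.Signature}
	for _, d := range cred.Disclosures {
		for _, name := range reveal {
			if d.Name == name {
				p.Revealed = append(p.Revealed, d)
			}
		}
	}
	return p
}

// Verify checks the issuer signature over the digests, then that every revealed
// disclosure hashes to a signed digest. A disclosure outside the signed list
// means the holder altered or invented it, and the whole presentation fails.
func Verify(pub ed25519.PublicKey, p Presentation) (map[string]string, error) {
	if !ed25519.Verify(pub, signingInput(p.Digests), p.Signature) {
		return nil, errors.New("issuer signature invalid")
	}
	signed := map[string]bool{}
	for _, d := range p.Digests {
		signed[d] = true
	}
	claims := map[string]string{}
	for _, d := range p.Revealed {
		if !signed[digest(d)] {
			return nil, fmt.Errorf("claim %q not covered by issuer signature", d.Name)
		}
		claims[d.Name] = d.Value
	}
	return claims, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample claims. age_over_18 is asserted by the issuer as its
	// own claim: a verifier cannot derive it from a date_of_birth it never sees.
	cred, err := Issue(priv, map[string]string{
		"name": "Ada Example", "date_of_birth": "1990-04-01", "age_over_18": "true",
	})
	if err != nil {
		panic(err)
	}
	claims, err := Verify(pub, Present(cred, "age_over_18"))
	fmt.Println(claims, err) // map[age_over_18:true] <nil>
}
```

The data-model point is visible in Issue: the issuer has to decide at issuance time which derived predicates (age_over_18, resident_of_region, and so on) exist as claims of their own, because a verifier can only check what was individually committed to. A format that signs one monolithic blob of attributes cannot be retrofitted to do this without re-issuing every credential.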
3. The boring infrastructure is the hard infrastructure
Most of our hard production lessons came from the parts of the stack that nobody markets. The signing-key HSM cluster. The certificate transparency log. The disaster recovery rehearsal we did at 02:30 every Sunday. The on-call rotation that catches a single five-second outage before it becomes a news story. None of this is in the case study; all of it determines whether the case study exists.
4. The relying-party SDK is the product
Citizens never see your identity service directly. They see a hospital portal that uses it, a government grant application that uses it, a banking app that uses it. The hospital, the agency and the bank are your real customers, and their developers are the ones who ship your SDK. If your SDK is fifty pages of documentation and three different installation paths, you have lost. Spend ten percent of your engineering on the integrator's experience and you will see your active relying parties triple.
5. Standards win, but not the one you started with
We started with a homemade format because the standards in 2023 were not quite right. By 2025 the W3C Verifiable Credentials data model had matured and was the only serious choice. The migration cost us a quarter. The lesson is not simply to bet on standards; it is to make your formats convertible from day one. Keep the data model abstract enough that you can serialise it to whatever wins.
6. The audit log is the trust proposition
Every government we work with eventually asks the same question: "How do we know you are not silently logging in as our citizens?" The honest answer is a tamper-evident, externally-mirrored audit log of every credential issuance, presentation, and revocation. We did not build this in the first version. We had to add it later. If we were starting again, the audit log would ship before the user-facing app.
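A hash-chained log with an externally published checkpoint, added as an example of the tamper-evident, externally mirrored audit log this lesson (and the transparency-log remark in lesson 3) calls for; it is not the authors' implementation. The Event fields, the checkpoint shape and the sample events are assumptions. A production log would use a Merkle tree with inclusion and consistency proofs, as certificate transparency does, rather than this linear chain, but the failure modes it must catch are the same three shown here: an edited record, a rewritten and re-hashed history, and a quietly truncated tail.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Event is one audit record. Its hash covers the previous entry's hash, so
// editing or dropping any record breaks every hash after it.
type Event struct {
	Seq  uint64
	Kind string // "issue", "present" or "revoke"
	Who  string // credential or subject identifier
	Note string
	Prev string // hex hash of the previous entry, "" for the first
	Hash string
}

func entryHash(e Event) string {
	h := sha256.New()
	// Field lengths are hashed too, so content cannot be shifted between fields.
	fmt.Fprintf(h, "%d|%d:%s|%d:%s|%d:%s|%s",
		e.Seq, len(e.Kind), e.Kind, len(e.Who), e.Who, len(e.Note), e.Note, e.Prev)
	return hex.EncodeToString(h.Sum(nil))
}

// Log is the issuer's append-only chain.
type Log struct{ entries []Event }

func (l *Log) Append(kind, who, note string) Event {
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := Event{Seq: uint64(len(l.entries)), Kind: kind, Who: who, Note: note, Prev: prev}
	e.Hash = entryHash(e)
	l.entries = append(l.entries, e)
	return e
}

// Entries returns a copy, as an auditor would receive it.
func (l *Log) Entries() []Event {
	out := make([]Event, len(l.entries))
	copy(out, l.entries)
	return out
}

// Checkpoint is the small value published to an external mirror: how many
// entries existed and the hash at the head. Anyone holding yesterday's
// checkpoint can tell whether today's log is a strict extension of it.
type Checkpoint struct {
	Size uint64
	Head string
}

func (l *Log) Checkpoint() Checkpoint {
	n := len(l.entries)
	if n == 0 {
		return Checkpoint{}
	}
	return Checkpoint{Size: uint64(n), Head: l.entries[n-1].Hash}
}

// Verify recomputes the chain from the first entry, then checks it against an
// externally held checkpoint. The chain check catches an edit that was not
// re-hashed; the checkpoint catches a rewrite that re-hashed everything after
// it, and a truncation that dropped the tail.
func Verify(entries []Event, cp Checkpoint) error {
	prev := ""
	for i, e := range entries {
		if e.Seq != uint64(i) {
			return fmt.Errorf("entry %d: sequence gap", i)
		}
		if e.Prev != prev {
			return fmt.Errorf("entry %d: broken link to previous entry", i)
		}
		if entryHash(e) != e.Hash {
			return fmt.Errorf("entry %d: contents do not match hash", i)
		}
		prev = e.Hash
	}
	if uint64(len(entries)) < cp.Size {
		return fmt.Errorf("log has %d entries, checkpoint expects at least %d", len(entries), cp.Size)
	}
	if cp.Size > 0 && entries[cp.Size-1].Hash != cp.Head {
		return fmt.Errorf("history before checkpoint was rewritten")
	}
	return nil
}

func main() {
	var l Log
	// Constructed sample events.
	l.Append("issue", "cred-7", "issued to subject-7")
	l.Append("present", "cred-7", "presented to hospital-portal")
	cp := l.Checkpoint() // what the external mirror holds
	l.Append("revoke", "cred-7", "holder reported device lost")
	fmt.Println("honest log:", Verify(l.Entries(), cp))
	tampered := l.Entries()
	tampered[1].Note = "never presented"
	fmt.Println("edited record:", Verify(tampered, cp))
}
```

The checkpoint is the part that answers the government's question. A chain that only the operator holds proves nothing, because the operator can re-hash it from any point; a head hash that was handed to an outside party yesterday cannot be made to agree with a history rewritten today.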
Authors
Tewodros Bekele, Chief Technology Officer