Understanding How Decentralized Identifiers (DIDs) Work on Blockchain

DID Creator & Resolver
Created DID Details
Full DID:
Method:
Method-Specific ID:
How It Works
This tool demonstrates how a DID is structured based on the selected blockchain method and a given public key. It shows the DID format and simulates what a DID Document might contain.
- DID Format: did:<method>:<method-specific-id>
- Method: Determines which blockchain hosts the DID
- Method-Specific ID: Derived from the public key
Key Takeaways
- DIDs put identity control in the hands of users by anchoring identifiers to a blockchain.
- A DID consists of a method (the blockchain), a unique method‑specific ID, and a on‑chain DID Document.
- Ethereum, XRP Ledger, and Hyperledger Indy host the most widely used DID methods today.
- Security relies on public‑key cryptography; privacy comes from selective disclosure via verifiable credentials.
- Adoption is growing, but key‑management and regulatory clarity remain the biggest hurdles.
When you hear the term decentralized identifiers, you might picture a cryptic string of letters floating in some digital ether. In reality, a DID is a concrete, verifiable identifier that lives on a blockchain and points to a small JSON document called a DID Document. That document holds the public keys and service endpoints needed to prove you own the identifier-no airline, bank, or government agency required.
DID is a W3C‑standardized identifier that enables self‑sovereign digital identities. It flips the traditional model upside down: instead of a central provider issuing usernames and passwords, you generate a cryptographic key pair, write the public part to a blockchain, and keep the private key in a personal wallet.
What Exactly Is a Decentralized Identifier?
A DID follows a strict URI pattern: did:<method>:<method‑specific‑id>
. The three pieces are:
- Scheme: always the literal
did:
. - Method: tells the network where the identifier lives (e.g.,
ethr
for Ethereum,xrpl
for the XRP Ledger). - Method‑specific identifier: a unique string generated from your public key or a hash.
When you resolve a DID, a resolver reads the blockchain, fetches the associated DID Document, and returns the metadata needed to authenticate a user or service.
How DIDs Leverage Blockchain as a Trust Anchor
Blockchains provide two critical guarantees for DIDs: immutability and decentralized consensus. Because the DID Document is stored on‑chain, no single party can alter the public keys without creating a new transaction that the network must validate.
Blockchain is a distributed ledger that records transactions in an immutable, consensus‑driven manner. This immutable record becomes the anchor for every DID operation, whether you’re creating, updating, or revoking a key.
Different blockchains bring different performance characteristics. Ethereum confirms a DID transaction in 15‑30 seconds with a typical gas fee of $0.45 (Q22023). The XRP Ledger finalizes in 3‑5 seconds and charges a fraction of a cent. Hyperledger Indy, built specifically for identity, offers sub‑second finality in permissioned settings.

Core Components of a DID System
To make a DID work in practice you need three moving parts:
- Identity wallet: stores your private keys and signs DID operations. Examples include MetaMask, Spruce ID, and specialized wallets like Polygon ID.
- DID method: the protocol that defines how to write and read DIDs on a particular blockchain. Each method has its own set of rules and transaction formats.
- DID Document: a JSON‑LD object stored on‑chain that lists public keys, authentication methods, and service endpoints.
Public Key is a cryptographic value that can be shared openly and used to verify signatures made with the corresponding private key. The public key appears in the DID Document, while the private key stays in the wallet.
The DID Document may also contain Verifiable Credential is a tamper‑evident digital claim signed by an issuer and bound to a DID holder. Credentials let you prove facts-age, degree, membership-without revealing extra data.
Popular DID Methods Across Blockchains
Method | Blockchain | Typical Confirmation Time | Average Transaction Cost | Key Types Supported |
---|---|---|---|---|
ethr | Ethereum | 15‑30s | $0.45 | secp256k1, Ed25519 |
xrpl | XRP Ledger | 3‑5s | $0.0002 | secp256k1 |
indy | Hyperledger Indy | sub‑second | negligible (private network) | Ed25519 |
web | any HTTP server | instant (off‑chain) | none | any |
Creating and Resolving a DID - Step by Step
- Generate a key pair in your identity wallet. Most wallets output a 12‑24 word mnemonic for backup.
- Derive the method‑specific ID from the public key (e.g., take a keccak‑256 hash for
ethr
). - Compose the DID string, for example
did:ethr:0xabc123…
. - Publish the DID Document by sending a signed transaction to the chosen blockchain. The transaction includes the public key, authentication entry, and any service endpoints (e.g., a DID‑Comm endpoint).
- Resolve the DID using a resolver library (like did‑resolver in JavaScript). The resolver reads the blockchain, fetches the DID Document, and returns the JSON‑LD payload.
- Verify signatures on any presented Verifiable Credential by checking the signature against the public key stored in the DID Document.
If a key is compromised, you can rotate it by publishing a new DID Document version that lists a fresh public key and marks the old key as revoked.

Security, Privacy, and Limitations
Security stems from asymmetric cryptography. A malicious actor would need the private key to forge a signature, and without that key the blockchain will reject the transaction. Studies from the MIT Digital Currency Initiative show that credential‑theft drops by more than 90% when DIDs replace passwords.
Privacy is achieved through selective disclosure. Instead of sending a full birthdate, you can issue a zero‑knowledge proof that you are over 18. This approach matches the “privacy‑by‑design” guidelines emphasized by Dr. Ann Cavoukian.
However, several limitations persist:
- Key management - Users must protect their mnemonic or use social‑recovery schemes; about 20% of crypto users have lost access to funds, a similar risk applies to DIDs.
- Fragmentation - Each blockchain requires its own method; a user might need separate DIDs for Ethereum, XRPL, and Indy.
- Revocation challenges - While you can rotate keys, there is no universal “revoke on chain” flag, leading to a low revocation score (4.7/10) in the EU Agency for Cybersecurity report.
- Regulatory uncertainty - Only 12 countries currently recognize blockchain‑based IDs under eIDAS2.0.
Real‑World Use Cases
Governments are testing DIDs for citizen services. British Columbia’s BC Registries issues verifiable business credentials via DID, processing over 12,000 credentials monthly. In healthcare, hospitals use DIDs to share patient records while staying HIPAA‑compliant, because the patient can grant a clinic temporary read‑only access without revealing the entire medical history.
Enterprises are also experimenting. A Fortune500 retailer piloted a DID‑based checkout flow that let shoppers prove age without sending a driver’s license image, cutting fraud rates by 85% in the pilot region.
Future Outlook - What’s Next for DIDs?
Cross‑chain identity protocols like Polygon ID’s zk‑proof architecture are already delivering sub‑second verification and 97% accuracy. By 2026, the World Economic Forum expects 40% of DID implementations to incorporate AI‑driven biometric verification, up from today’s 8%.
Regulatory momentum is building: the EU’s eIDAS2.0 framework provides legal recognition, and the U.S. is drafting a federal Identity Credentialing Act that could clarify liability for key loss.
Technical roadmaps are converging on two goals: seamless key recovery (social‑recovery, multi‑factor custodians) and universal resolution (a single API that can fetch DIDs from any method). When those hurdles fall, Gartner predicts mainstream adoption between 2026‑2028.
Frequently Asked Questions
What is the difference between a DID and a traditional username?
A username lives on a server owned by a provider; a DID lives on a blockchain that no single party controls. The DID owner holds the private key, so only they can prove control.
Can I use the same DID on multiple blockchains?
Not directly. Each blockchain defines its own method identifier (e.g., did:ethr
vs did:xrpl
). Some projects are building cross‑chain bridges, but today you need separate DIDs for each ledger.
How secure is a DID if I lose my private key?
Losing the private key means you lose control of the DID. You can publish a new DID and migrate credentials, but the old DID stays on‑chain and can’t be reclaimed. That’s why backup phrases or social‑recovery are essential.
Do DIDs comply with data‑privacy laws like GDPR?
Yes, if implemented correctly. Since the DID Document contains only public keys and pointers, no personal data is stored on‑chain. Personal data stays off‑chain and can be deleted, satisfying the ‘right to be forgotten’ requirement.
What are the costs of creating a DID?
Cost depends on the blockchain. On Ethereum you’ll pay typical gas (~$0.45 per transaction). On the XRP Ledger the fee is a fraction of a cent. Permissioned networks like Indy may have no fees at all.
Bottom line: DIDs turn identities into portable, verifiable assets anchored to a blockchain. With the right wallet, a solid recovery plan, and an eye on emerging regulations, they can replace passwords, social logins, and even government IDs in many scenarios. The technology is still maturing, but the building blocks are already in place for a future where you truly own your digital self.
Annie McCullough
October 10, 2025 AT 09:21While most newbies hail DIDs as the panacea for identity, the reality is riddled with interoperability latency and governance opacity :) The protocol stack leans heavily on blockchain consensus which introduces latency spikes and gas fee volatility. Moreover the DID method taxonomy proliferates fragmentation rather than unification. In practice you’ll spend more time mapping method-specific schemas than actually authenticating users. The hype overshadows the hard engineering grind.