Dibran Mulder

A security analysis of the EU Age Verification Wallet reveals a privacy-first design with a critical trust gap that undermines its security guarantees.

We're pleased to announce that all Privacy by Design Foundation issuers now issue SD-JWT Verifiable Credentials alongside traditional Idemix credentials. This marks a significant milestone in Yivi's transition to becoming a fully EUDI-compliant wallet.

We're thrilled to announce that Yivi now supports ID-cards and Dutch Driver Licenses as credentials. This expansion significantly broadens Yivi's international reach and makes the platform more accessible to users worldwide.

According to our mission, we are committed to transparency and accountability. This post-mortem is part of that commitment, detailing the events surrounding the outage of the 7th of January 2026.

Summary of the impact​

We experienced significant degradated user experience on the 7th of January 2026, which affected our services for approximately 4 hours. During this time, users experienced inconsistent success rates in onboarding the Yivi app and or issuing credentials to them. The issue was caused by key rotation of the Yivi scheme and successive issues which arose from rotating the key.

We are announcing the release of the Trusted Verifier on the 24th of September!

Trusted Verifiers marks a crucial step forward in our mission to enhance the security and reliability of digital identity verification within the Yivi ecosystem. It also secures the long term sustainability of the Yivi project.

We are excited to announce the BETA release of Yivi Passport credentials!
This new feature allows users to securely store and manage their digital passports within the Yivi wallet, enhancing convenience and accessibility for travelers. With this release, Yivi expands its reach to a truly international audience.

Our mission is to make Yivi the most privacy and user friendly wallet out there. In line with this mission we developed our crypto agile vision, allowing users to use different cryptographic technologies in a seamless way. As part of this vision, we want to support verifiable credentials, which are becoming increasingly popular in the digital identity space.

According to our mission, we are committed to transparency and accountability. This post-mortem is part of that commitment, detailing the events surrounding the issue with the Yivi app on iOS on June 29th and 30th 2025.

Summary of the impact​

Some iOS users of the Yivi app were unable to open their Yivi app on June 29th and 30th, 2025, due to an issue with the Universal Links feature. This issue was caused by a domain migration of irma.app, resulting traffic to be redirected from irma.app to yivi.app. iOS devices however do not support redirection for Universal Links, which led to the app being unable to open Universal Links. This issue was resolved by changing the irma.app domain back to its original server.

Users that had the Yivi app installed prior to the incident were probably not affected, as the app was still able to open. However, users who installed the app after the domain migration were unable to open it due to the Universal Links issue.

According to our mission, we are committed to transparency and accountability. This post-mortem is part of that commitment, detailing the events surrounding the outage of the 1st of July 2025.

Summary of the impact​

We experienced a significant outage on the 1st of July 2025, which affected our services for approximately 6 hours. During this time, users were unable to validate their pincodes and access their Yivi App, making the Yivi-App unusable. The issue was caused by an outage in the Scaleway data center AMS-1, where our database server is located. Scaleway preemptively shut down several services in the datacenter to prevent further issues such as hardware damage due to abnormal temperatures.

Protecting minors, today and tomorrow​

The European Commission is preparing a temporary age verification app, aimed at protecting minors on platforms where a minimum age is required—think of online pornography, gambling, alcohol sales, and certain social media services. In a digital world, it's legitimate to shield minors from harmful content. The Digital Services Act (DSA) already obligates large platforms to take protective measures, and the Commission is stepping in where compliance is lacking. A technical solution to verify age online is therefore urgently needed.