Indicio SSI Network and Anonyome Labs

by Nick Clark | Published April 25, 2026

Indicio runs one of the largest commercial self-sovereign identity networks on the planet, built on Hyperledger Aries and W3C Verifiable Credentials. The cryptographic plumbing is real and the customer base is real — but the underlying assumption that every participant must hold, rotate, and protect long-lived private keys is exactly the assumption that keyless identity removes.


Vendor and Product Reality

Indicio operates the Indicio Network, a public utility ledger for decentralized identifiers, plus a managed stack of Aries-based agents, mediators, and verification services sold to enterprise customers. The technology lineage is Hyperledger Indy and Hyperledger Aries, with active contributions to the Aries Framework JavaScript and Aries Cloud Agent Python codebases, and conformance with the W3C Decentralized Identifier and Verifiable Credentials specifications. Customer deployments span travel credentials, workforce identity, financial onboarding, and government pilots.

The architecture is canonical SSI. Each holder runs an agent that owns a wallet of cryptographic keys; issuers sign verifiable credentials against schemas anchored on the Indicio Network; verifiers request presentations and check signatures against the resolved DID documents. Indicio's commercial value-add is the operational layer: hosted mediators that buffer messages for mobile holders, a managed verifier service, schema and credential-definition management, and the network governance that makes the ledger usable in regulated industries. The Anonyome Labs partnership extends this stack into consumer-facing identity wallets.

The pain point in production is not signature math; it is key custody. Every holder agent has to generate, store, back up, and rotate private keys. Mobile devices get lost, bricked, and replaced. Enterprise endpoints get re-imaged. Hardware security modules cost real money and complicate deployment. Recovery flows — seed phrases, custodial escrow, social recovery — reintroduce exactly the kind of credential-handling friction that SSI was supposed to abolish. The result is that even excellent SSI deployments spend a disproportionate share of their engineering budget on key lifecycle, not on identity semantics.

The Architectural Gap

The W3C VC and DID specifications assume a key-bearing subject. A holder is identified by control of a private key bound to a DID, and every authentication or presentation event is, at bottom, a signature produced by that key. This is mathematically clean and operationally expensive. It also creates a quiet but persistent quantum exposure: the long-lived public keys anchored on the ledger today are the verification targets that a future cryptanalytically relevant quantum computer would attack. Post-quantum migration in an SSI ecosystem is not a flag flip; it is a coordinated re-anchoring of every issuer, every schema, and every holder.
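The key-bearing flow described above, and the device-replacement failure from the key-custody paragraph, as an added sketch that is not Indicio or Aries code. The in-memory `ledger`, the `did:example:*` identifiers, the nonces and all function names are constructed for illustration; real agents use DIDComm, proper canonicalization and full DID documents.

```javascript
// Added illustration: toy in-memory ledger and constructed DIDs, not Indicio or Aries code.
const nodeCrypto = require('node:crypto');
const ledger = new Map(); // DID -> current public key (stand-in for a resolved DID document)
const canon = (obj) => Buffer.from(JSON.stringify(obj)); // assumes a stable key order

function anchor(did) {
  // Publish the public half on the ledger; the private half stays in the wallet.
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  ledger.set(did, publicKey);
  return privateKey;
}

function issue(issuerDid, issuerKey, holderDid, claims) {
  const credential = { issuer: issuerDid, subject: holderDid, claims };
  const proof = nodeCrypto.sign(null, canon(credential), issuerKey).toString('base64');
  return { credential, proof };
}

function present(vc, holderKey, challenge) {
  // The holder signs the verifier's fresh challenge together with the credential.
  const sig = nodeCrypto.sign(null, canon({ challenge, vc }), holderKey);
  return { vc, challenge, proof: sig.toString('base64') };
}

function verify(p, expectedChallenge) {
  if (p.challenge !== expectedChallenge) return 'stale-challenge';
  const issuerPub = ledger.get(p.vc.credential.issuer);
  const holderPub = ledger.get(p.vc.credential.subject);
  if (!issuerPub || !holderPub) return 'unresolvable-did';
  const issuerSig = Buffer.from(p.vc.proof, 'base64');
  if (!nodeCrypto.verify(null, canon(p.vc.credential), issuerPub, issuerSig)) return 'bad-issuer-signature';
  const holderSig = Buffer.from(p.proof, 'base64');
  const signed = canon({ challenge: p.challenge, vc: p.vc });
  return nodeCrypto.verify(null, signed, holderPub, holderSig) ? 'ok' : 'bad-holder-signature';
}

function demo() {
  const issuerKey = anchor('did:example:issuer');
  const walletKey = anchor('did:example:holder');
  const vc = issue('did:example:issuer', issuerKey, 'did:example:holder', { role: 'employee' });
  const r = { normal: verify(present(vc, walletKey, 'nonce-1'), 'nonce-1') };
  r.replay = verify(present(vc, walletKey, 'nonce-1'), 'nonce-2');
  // Device replaced: the new wallet holds a fresh key the ledger does not know yet.
  const newKey = nodeCrypto.generateKeyPairSync('ed25519').privateKey;
  r.afterLoss = verify(present(vc, newKey, 'nonce-3'), 'nonce-3');
  ledger.set('did:example:holder', nodeCrypto.createPublicKey(newKey)); // rotation transaction
  r.afterRotation = verify(present(vc, newKey, 'nonce-4'), 'nonce-4');
  return r;
}
console.log(demo());
```

The credential itself never changes across the four checks; only the holder key binding does, which is why device loss becomes a ledger rotation event in this model.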

The gap, then, is not in Indicio's implementation. It is in the credential model itself. There is no first-class concept of a device-pseudonymous, stateless authentication that does not depend on a stored secret. Wallet-as-key is treated as a primitive rather than as one possible binding among several. As soon as a deployment moves into device-rich environments — IoT fleets, point-of-sale terminals, kiosks, ephemeral browser sessions — the wallet abstraction starts to fight the deployment rather than support it.

The biometric fallback that often gets bolted on does not solve the problem; it relocates it. A stored biometric template is a stored secret, with worse recovery properties than a private key. A recoverable wallet is a custodial wallet by another name. The architecture needs a way to authenticate a device or a session without storing anything secret on it, and without requiring the user to produce a memorable or biometric input on every interaction.

What the AQ Primitive Provides

Keyless identity is, precisely, an authentication primitive in which the device holds no key, no certificate, and no biometric template, yet the verifier obtains cryptographic-strength assurance that it is talking to the same device it talked to before. The construction relies on a dynamic device hash derived at authentication time from a structured, non-secret device fingerprint and a freshly bound challenge. Nothing persistent on the device is sensitive; nothing on the verifier needs to be a long-lived public key.

Stateless device pseudonymity is the operative property. The verifier learns a stable, device-scoped pseudonym across sessions without ever learning a globally identifying key, and without the device having to remember anything between sessions other than non-secret configuration. Loss of the device is not a credential-loss event; the user simply enrolls a new device, because there was no secret to lose. Re-imaging an endpoint is not a key-rotation event for the same reason.

Post-quantum-by-construction follows from the absence of the long-lived asymmetric public key as a verification anchor. The keyless construction does not present a public-key target for Shor's algorithm to attack, because the authentication path does not route through a stable asymmetric key pair. The cryptographic primitives in the dynamic hash and challenge-binding are chosen from the symmetric and hash-based families that remain secure under known quantum attacks. Migration is therefore not a coordinated re-anchoring; it is a property of the architecture from day one. For an SSI network, that means the verifiable-credential layer can sit on top of an authentication substrate that does not inherit the ledger's quantum exposure.

Composition Pathway

Indicio does not have to abandon Aries to adopt keyless identity. The natural composition is to keep the credential layer — schemas, credential definitions, presentations, governance — exactly as it is, and to swap the holder-authentication binding underneath. Where the stack today binds a credential to a wallet-controlled DID, the composed stack binds it to a keyless device pseudonym for the device-scoped portion of the trust chain, and reserves the wallet-controlled DID for genuinely user-scoped credentials that need cross-device portability.

The first integration target is the mediator and the mobile holder agent. A keyless authentication on the device-to-mediator hop removes the most operationally painful key in the system — the long-lived mobile wallet key — and replaces it with a device-pseudonymous channel that survives reinstallation, OS upgrades, and device replacement without recovery flows. The credential wallet itself can move to a hosted, keyless-authenticated store, eliminating the seed-phrase user experience entirely for the large class of credentials that do not need offline holder custody.

The second composition step is the verifier side. Verifiers that today consume Aries presentations can additionally consume keyless device attestations as a binding factor, strengthening fraud signals without adding a second credential format. The Anonyome consumer wallets become materially simpler, because the device side of the trust chain stops being a key-management product.

Commercial and Licensing Implication

Indicio's commercial trajectory is gated on the operational cost of running SSI at consumer scale. Every dollar spent on key recovery, every support ticket about a lost wallet, and every regulated-industry conversation about post-quantum readiness is a tax on the deployment model. Keyless identity removes the largest line items on that tax bill: the device-side key lifecycle disappears, and the post-quantum conversation becomes an architectural fact rather than a roadmap commitment.

The primitive is non-obvious and is claimed as a coherent construction — stateless device pseudonymity, dynamic device-hash authentication, no stored keys or certificates or biometrics, post-quantum-by-construction. An in-house reimplementation would land inside that claim surface. The economically rational path for Indicio is to license the primitive as the device-authentication substrate beneath the existing Aries stack, preserving the entire credential and governance investment while removing the operational ceiling that key custody currently imposes. The result is an SSI offering that is genuinely deployable at consumer device scale and that does not need a post-quantum migration project to remain credible into the next decade.

Invented by Nick Clark. Founding Investors: Anonymous, Devin Wilkie