🤖 AI Summary
Centralized digital identity systems suffer from single points of failure and control, undermining availability and privacy in high-frequency physical-world scenarios—such as access control, public transit, and cross-border passage. To address this, we propose a distributed digital identity architecture tailored for physical-world transactions, centered on a Personal Identity Agent (PIA) that enables users to autonomously manage their identity attributes without reliance on centralized authorities. We design an end-to-end decentralized protocol integrating biometric sensors, authoritative issuers, and attribute verifiers, and formally verify its security under a realistic threat model. A prototype implementation achieves end-to-end latency of several seconds, demonstrating feasibility while satisfying stringent requirements for security, functional expressiveness, and low-latency interaction. Our solution provides a deployable, decentralized foundation for trustworthy identity authentication in physical spaces.
📝 Abstract
Digital identities are increasingly important for mediating not only digital but also physical service transactions. Managing such identities through centralized providers can cause both availability and privacy concerns: single points of failure and control are ideal targets for global attacks on technical, organizational, or legal fronts. We design, analyze, and build a distributed digital identity architecture for physical world transactions in common scenarios like unlocking doors, public transport, or crossing country borders. This architecture combines (biometric and other) sensors, (established and upcoming) identity authorities, attribute verifiers, and a new core component we call the Personal Identity Agent (PIA) that represents individuals with their identity attributes in the digital domain. All transactions are conducted in a completely decentralized manner, and the components for which we currently assume central coordination are optional and only used for assisting with service discovery and latency reduction. We present a first protocol between these parties and formally verify that it achieves relevant security properties based on a realistic threat model including strong global adversaries. A proof-of-concept implementation demonstrates practical feasibility of both architecture and initial protocol for applications that can tolerate end-to-end latencies in the range of a few seconds.