AWS Public Sector Blog

How Thales issues verifiable credentials at scale for governments using AWS managed services

Digital identities foster trust in the billions of interactions that take place online every day. For governments, this trust forms the foundation of modern public service delivery. As the UK House of Commons notes, “digital identity systems can offer efficiency, fraud reduction, and privacy protection.” The technical foundation for this transformation rests on evolving international standards. For example, ISO/IEC 18013-5:2021 establishes interface specifications for mobile driving license applications and sets the foundations for a variety of digital credentials. Similarly, OpenID for Verifiable Credentials (OpenID4VC) defines an API and OAuth-based authorization mechanisms for credential issuance across additional use cases—both technologies will be important in the implementation of digital credentials from national identity documents and professional certifications to educational credentials and health records.

These standards enable governments to deliver faster, more convenient services while achieving organizational efficiencies. However, implementing them at scale presents significant technical challenges: handling unpredictable demand patterns, maintaining stringent cryptographic security, achieving high availability, and complying with evolving regulatory requirements while controlling costs and operational complexity.

As it supports government authorities with their digital identity programs, Thales recognized that Amazon Web Services (AWS) managed services can help address these challenges. The company built a production-grade verifiable credentials issuance platform on AWS that serves government customers worldwide, supporting over 300 national identity programs. Thales has been recognized for 3 years in a row by KuppingerCole as market leader in verifiable and reusable digital identity, and they achieved the milestone of being the world’s first digital identity wallet certified to ISO 18013-5.

The challenge: Balancing security, scale, and flexibility

Issuing verifiable credentials for government agencies presents unique challenges across multiple standards and use cases. Diverse use cases and unpredictable demand patterns necessitate standards-based interoperability and flexible security requirements.

Government agencies increasingly adopt international standards for interoperability and to future-proof their investments. These standards establish common protocols for secure data exchange, cryptographic verification, and cross-jurisdictional recognition.

Government credential issuance spans multiple use cases such as national identity documents, professional licenses, educational certificates, and healthcare credentials—each with distinct technical requirements. Platforms must support various validation methods while maintaining consistent security standards across all credential types. This diversity creates architectural complexity, requiring flexibility without compromising rigorous security controls.

Credential requests can surge during specific periods or events. Traditional approaches using a dedicated but finite number of hardware security modules (HSMs) and monolithic server architectures struggle with this balance. Over-provisioning results in underutilized resources during normal operations, whereas under-provisioning risks service degradation when demand spikes.

Government agencies require flexibility in their cryptographic key management approach. Some prioritize fully managed services such as AWS Key Management Service (AWS KMS), which abstracts operational complexity while providing FIPS 140-3 Level 3 validated security. Others require dedicated cloud-based HSMs through AWS CloudHSM for exclusive control over cryptographic operations. Still others prefer to maintain physical HSMs in their own data centers, retaining complete operational control. The platform must accommodate this full spectrum—from fully managed to customer managed infrastructure—without requiring application-level changes.

The solution: A cloud-based architecture on AWS

To address these challenges, Thales used the AWS Cloud to design its cloud-based platform that balances security, scalability, and operational efficiency. The platform needed to support diverse credential types—from mobile driver’s licenses to national identity documents—while meeting stringent government security requirements and handling unpredictable demand patterns.

Thales built the solution using AWS managed services to eliminate the operational complexity of maintaining dedicated infrastructure while achieving government-grade security. The architecture abstracts cryptographic operations, enables elastic scaling for variable workloads, and maintains high availability across multiple AWS Regions.

The platform integrates AWS managed services across four key areas:

  • For cryptographic key management – Thales uses AWS KMS with AWS CloudHSM as a custom key store, combining the operational simplicity of AWS KMS with the security assurance of dedicated FIPS 140-2 Level 3 validated HSMs. This approach provides government customers with exclusive control over their cryptographic keys stored in dedicated HSM infrastructure, using the managed AWS KMS interface for key operations, rotation, and access logging.
  • For request orchestration – The platform employs Amazon MQ for asynchronous message queuing, decoupling workload spikes from service performance and enabling controlled parallelism across cryptographic signing operations.
  • For data storage – Amazon Aurora provides high-performance, highly available storage with automatic six-way replication across three Availability Zones, along with automated backups, patching, and crash recovery.
  • For platform management – Amazon Elastic Kubernetes Service (Amazon EKS) manages container orchestration, handling cluster provisioning, upgrades, and patching, and Parameter Store, a capability of AWS Systems Manager, securely manages secrets and configuration.
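The two design points above that matter most to an implementer are the key-store abstraction (a platform that can sit on AWS KMS, a CloudHSM custom key store or an on-premises HSM "without requiring application-level changes") and the queue-fed, bounded parallelism of signing operations. The following Go program is an added example written for this article; it is not Thales's or AWS's code. It programs the issuance path against Go's standard `crypto.Signer` interface, so only a SHA-256 digest ever crosses the key-store boundary, and it uses a constructed in-process ECDSA P-256 key as a stand-in for a KMS- or HSM-backed signer so that it runs offline. The credential layout is a constructed, simplified claim set, not an ISO 18013-5 mdoc or OpenID4VC credential format.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"sync"
	"time"
)

// IssuerSigner is the only cryptographic interface the issuance code sees.
// Changing the key store (managed KMS, CloudHSM custom key store, on-prem HSM)
// means supplying another implementation; IssueCredential does not change.
type IssuerSigner interface {
	crypto.Signer
	KeyID() string
}

// localSigner is a constructed stand-in for a KMS/HSM-backed signer.
// A real backend would forward the digest to the key service and never
// hold the private key in process memory.
type localSigner struct {
	id  string
	key *ecdsa.PrivateKey
}

func NewLocalSigner(id string) (*localSigner, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &localSigner{id: id, key: key}, nil
}

func (s *localSigner) Public() crypto.PublicKey { return &s.key.PublicKey }
func (s *localSigner) KeyID() string            { return s.id }
func (s *localSigner) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return ecdsa.SignASN1(r, s.key, digest) // sign the digest only, never the payload
}

// Credential is a constructed, simplified claim set (hypothetical format).
type Credential struct {
	Subject  string            `json:"sub"`
	Claims   map[string]string `json:"claims"`
	IssuedAt int64             `json:"iat"`
	Expiry   int64             `json:"exp"`
}

// SignedCredential binds the serialized claims to the issuer signature and
// the identifier of the key that produced it.
type SignedCredential struct {
	KeyID     string
	Payload   []byte
	Signature []byte
}

// IssueCredential serializes the claims, hashes them, and asks the signer for
// a signature over the digest. This is the code path that stays the same
// whichever key store is configured.
func IssueCredential(s IssuerSigner, c Credential) (SignedCredential, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := s.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{KeyID: s.KeyID(), Payload: payload, Signature: sig}, nil
}

// VerifyCredential is the relying-party side: check the issuer signature
// before trusting any claim, then enforce the validity period.
func VerifyCredential(pub *ecdsa.PublicKey, sc SignedCredential, now time.Time) (Credential, error) {
	digest := sha256.Sum256(sc.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], sc.Signature) {
		return Credential{}, errors.New("issuer signature invalid")
	}
	var c Credential
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return Credential{}, err
	}
	if now.Unix() >= c.Expiry {
		return Credential{}, errors.New("credential expired")
	}
	return c, nil
}

// IssueBatch models the queue-fed worker pool: however large the backlog,
// at most `workers` signing operations are in flight against the key store.
func IssueBatch(s IssuerSigner, creds []Credential, workers int) ([]SignedCredential, error) {
	out := make([]SignedCredential, len(creds))
	errs := make([]error, len(creds))
	jobs := make(chan int)
	var wg sync.WaitGroup
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for i := range jobs {
				out[i], errs[i] = IssueCredential(s, creds[i])
			}
		}()
	}
	for i := range creds {
		jobs <- i
	}
	close(jobs)
	wg.Wait()
	for _, err := range errs {
		if err != nil {
			return nil, err
		}
	}
	return out, nil
}

func main() {
	signer, _ := NewLocalSigner("issuer-key-example") // constructed key id
	now := time.Now()
	sc, _ := IssueCredential(signer, Credential{Subject: "citizen-0001",
		Claims: map[string]string{"doc": "mDL"}, IssuedAt: now.Unix(), Expiry: now.Add(24 * time.Hour).Unix()})
	_, err := VerifyCredential(signer.Public().(*ecdsa.PublicKey), sc, now)
	fmt.Println("verified:", err == nil)
}
```

The worker count in `IssueBatch` is the knob that maps onto the queue consumer concurrency described for Amazon MQ: it caps the signing rate the HSM sees while the queue absorbs the burst. Because `IssueCredential` only ever passes a digest to `Sign`, a KMS- or HSM-backed `IssuerSigner` can be dropped in without the claim data leaving the application tier.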

The following diagram shows the solution architecture.

Figure 1: Thales cloud-based verifiable credentials issuance architecture on AWS

Results: Trusted by governments worldwide

Thales digital identity solutions are trusted by governments globally and already used by millions of citizens, supporting over 300 national identity programs. These deployments span multiple credential types—from national identity cards to mobile driver’s licenses.

Thales achieved a significant milestone as the world’s first digital identity wallet certified to ISO 18013-5 by UL Solutions. This certification demonstrates that Thales applications meet the ISO/IEC 18013-5 standard for data security, presentation, verification, and interoperability. Drawing on extensive feedback from pilot projects and cocreation sessions with customers and end users, Thales has crafted a citizen-centric solution which achieved a 94% satisfaction rate.

The AWS-based architecture delivers measurable benefits. Integration with AWS KMS and CloudHSM secures cryptographic operations while meeting government security requirements. The platform achieves FIPS 140-2 Level 3 certification, providing a high level of assurance. The asynchronous architecture and container-based deployment scale to meet demand during peak periods, then scale down during normal operations to optimize costs. Because managed services reduce operational overhead significantly, Thales can focus on application features and customer requirements rather than infrastructure maintenance.

Looking forward

As governments worldwide modernize identity systems, the convergence of international standards creates new possibilities for secure, scalable credential issuance. AWS managed services provide the foundation for these systems, offering government-grade security with the operational efficiency and cost-effectiveness that public sector organizations require.

For government agencies considering digital credential programs—whether for national identity cards, driver’s licenses, professional certifications, or educational credentials—the path forward combines proven international standards, production-tested platforms, and cloud infrastructure designed for security and scale. The result is a foundation for modern identity systems that serve citizens efficiently while maintaining the trust and security that government services demand.

Learn more about how AWS supports government digital transformation at AWS in the Public Sector.

Visit the AWS Public Sector Blog to learn about the latest in AWS tools, solutions, and innovations from the public sector, or contact us.

Nizar Kheir

Nizar is a senior solutions architect at AWS with more than 15 years of experience spanning various industry segments. He currently works with public sector customers in France and across EMEA to help them modernize their IT infrastructure and foster innovation by harnessing the power of the AWS Cloud.

Hugo Bruna

Hugo is a software solution engineer at THALES with a strong focus on Digital Identity topics. He currently works on THALES solutions to issue and manage digital identity documents.

Thomas Schalldach

Thomas is the head of the Cloud Excellence Center at Thales Identity and Biometric Solutions and has worked with the AWS Cloud for more than 8 years. As a member of the IBS Technical Directorate, he is responsible for the cloud strategy and leads the transformation of Thales public sector customers to the AWS Cloud.