The European Union will introduce the EUDI Wallet by late 2026. It lets users hold digital credentials (i.e., digital representations of physical official identity documents) on their devices and disclose identity attributes to websites securely and privately. Although such a system has many benefits, it also introduces risks caused by poor credential disclosure decisions. In this paper, we (i) conduct a large-scale survey on credential disclosure with users and experts and (ii) evaluate the effectiveness and feasibility of our Credential Assistant, which displays expert recommendations and user opinions at the moment of disclosure. Our results show that users are likely to overshare (e.g., ~20% of users disclosed their official ID to news websites). This indicates that users struggle to protect their privacy, which will impact the usability of the EUDI Wallet and lead to privacy violations, identity theft, and other abuses of leaked credentials. Finally, we show that our Credential Assistant significantly reduces users' credential disclosure mistakes, from ~15% to ~7%. However, it does not fully eliminate poor credential disclosure decisions, indicating that stronger interventions may be necessary, especially for sensitive attributes.