ENS Passport V2 and Its Role in Decentralized Identity
The Ethereum Name Service (ENS) Passport V2 represents an evolution in how domain owners manage verifiable credentials linked to their ENS names. Released as a modular protocol layer, Passport V2 allows users to attach off-chain attestations, such as KYC status, community membership, or professional certifications, directly to an ENS domain. This new version shifts from a static record model to a dynamic, issuer-agnostic framework. For beginners, understanding its architecture is essential before integrating it into existing workflows. The system leverages Ethereum Attestation Service (EAS) schemas, meaning any third party can issue verifiable credentials that resolve through the ENS registry without central gatekeeping. This contrasts with earlier iterations that required direct on-chain storage for each data point, which proved costly and difficult to update. Passport V2 instead stores only a hash reference pointing to off-chain attestations, reducing transaction fees and enabling larger datasets. As of early 2025, the protocol supports multiple verification sources, including social identity, asset holdings, and reputation scores from decentralized platforms.
ENS domain owners benefit from this system because it decouples identity verification from any single provider. For instance, a user can hold a KYC attestation from one issuer and a GitHub contribution badge from another, all aggregated under one ENS name. The passport is interoperable across applications that support the ENS and EAS standards, from decentralized finance (DeFi) platforms to governance systems. This standardization reduces fragmentation in identity management. Developers building on ENS can now use the same subname manager to create subdomains with distinct passport configurations, enabling granular control over which attestations each subname exposes. The following sections outline the core components, setup process, and practical considerations for newcomers.
Core Components of ENS Passport V2
ENS Passport V2 consists of three primary components: a resolver contract, attestation records, and a display interface. The resolver contract is an update to the standard ENS resolver that includes functions for reading and writing attestation identifiers. It does not store attestation data itself but maps each ENS name to a list of attestation UIDs (unique identifiers). These UIDs correspond to assertions stored on the EAS network or other compatible attestation layers. Beginners should note that the resolver must be set explicitly for each ENS name; default resolvers do not include Passport V2 support unless manually upgraded. The upgrade process is handled through the ENS app's domain management page, where settings for records and resolvers are configured.
Attestation records in Passport V2 use a schema-based approach. Each attestation includes fields such as issuer address, recipient address, expiration timestamp, and a payload of data. The payload can be any JSON structure, limited in size only by gas costs. The V1 system relied on flat key-value pairs; V2 allows nested data and references to external documents, greatly expanding use cases. For example, a university could issue a degree attestation with the recipient's ENS name, degree type, graduation year, and a link to a verifying institution. The attestation remains valid until the issuer revokes it or it expires. The system uses revocable attestations as a default, though issuers may choose irrevocable options for permanent claims.
The display interface layer is the frontend component that reads attestations from the resolver and renders them in a human-readable format. Several community-built tools and wallets already support ENS Passport V2 display. These interfaces check each attestation UID against EAS contracts and format the response. Some implementations also aggregate trust scores by counting attestations from well-known issuers. This component is not part of the core ENS stack but is critical for adoption. Users should verify that the tool they use for viewing passports supports the V2 spec, as V1 interfaces may not decode the new data structures correctly.
How to Set Up and Manage Passport V2
To start using ENS Passport V2, a user must first hold an ENS domain or subdomain. The domain must be configured to use a compatible resolver. The ENS team provides a recommended resolver that supports V2, which can be set through the official ENS manager interface. Users navigate to the 'Records' tab of their domain, select 'Update Resolver,' and choose the listed "Passport V2 Compatible Resolver." This step is straightforward but incurs a one-time gas transaction of roughly 50,000 to 80,000 gas on Ethereum mainnet, subject to network conditions. Layer 2 alternatives, such as Arbitrum or Optimism, also support this resolver, though attestation data must originate from the same chain as the domain's resolver.
Once the resolver is set, users can request attestations from third-party issuers. For example, a decentralized identity service like Verida or Gateway can issue a KYC attestation after an off-chain verification process. The issuer submits the attestation to EAS, specifying the recipient's ENS name and chosen schema. The user then sees the attestation appear in their Passport V2 display. To manage or revoke attestations, users need to interact with the EAS contracts directly, typically through the issuer's portal or a general EAS dashboard. This represents a shift from V1, where users needed to manage records manually via the ENS domain manager. In V2, the user's domain acts as the passive container; issuers hold control over their attestations until revocation. Beginners should therefore vet issuers for reliability and revocation policies.
Subdomains inherit the parent domain's resolver settings by default, but domain owners can override this for each subname. Creating a subdomain with its own Passport V2 resolver allows custom attestation profiles. This feature is useful for organizations that want employee subdomains to have separate work-related attestations while the corporate parent holds its own credentials. The subdomain manager feature built into the ENS protocol facilitates this setup, and many third-party tools now integrate with the same EAS schemas for cross-platform consistency. Overall, setting up Passport V2 requires moderate technical familiarity but is well-documented on the ENS developer portal.
Key Changes from V1 and New Capabilities
ENS Passport V2 introduces several fundamental changes over its predecessor. The most significant is the shift from on-chain storage of records to off-chain attestation references. V1 required users to store all data, such as avatar URLs, social links, or text records, directly in the resolver's storage slot. Each record addition cost around 20,000 gas, so costs accumulated quickly across multiple entries. V2 stores only the attestation UID, which costs a single storage update per attestation regardless of payload size. This makes V2 cost-effective for rich data sets, including encrypted data or large document hashes. For example, storing a full educational transcript as an attestation would cost the same as a simple name badge, because the blockchain holds only a 32-byte reference.
Another major upgrade is the support for programmatic verification. V2 attestations can include conditions, such as a time lock or multisignature requirement, before they are considered valid. V1 records were static and could not expire or depend on external states. With V2, a decentralized exchange can issue a "trading permit" attestation that expires every 90 days, forcing users to re-verify. The exchange can also revoke the attestation at any time if the user violates terms. This dynamic nature makes Passport V2 suitable for regulated environments like token offerings or compliance-required platforms. Furthermore, V2 is chain-agnostic in the sense that attestations can reference data from other blockchains via cross-chain oracles, though the attestation itself must be created on the same chain as the ENS resolver.
Interoperability has improved as well. The V1 spec was tightly coupled to ENS core, making it difficult for other name systems to adopt. V2 uses the EAS standard, which is already implemented across Ethereum, Polygon, and Arbitrum. This allows a user to hold an ENS V2 passport and use the same attestation data on a non-ENS domain system, provided the resolver supports the same interface. This interoperability reduces vendor lock-in and increases the utility of digital identities. Developers can build applications that rely solely on the EAS schema without assuming ENS, but ENS domains remain the most common anchoring point due to their human-readable names and widespread resolver adoption.
Security and Privacy Considerations
While Passport V2 improves flexibility, it introduces new security and privacy trade-offs. The off-chain attestation model means that personal data is not stored on the public ledger, but the attestation UID and the fact that an attestation exists are on-chain. This reveals that a relationship exists between a user and an issuer, potentially leaking metadata about the user's affiliations. For example, if a known medical credential issuer creates an attestation for an ENS name, onlookers can infer the holder's medical history. Privacy-conscious users should consider using proxy issuers or disposable subdomains to separate attestations from their primary ENS identity.
Revocation management also presents risk. V2 attestations are revocable by default, but the mechanism for checking revocation is not automatic. Applications must query the EAS contract to see if an attestation has been flagged. Some applications may cache attestation data and not perform real-time checks, leading to outdated or invalid credentials being accepted. Users should rely on applications that implement fresh checks and confirm issuer contracts are audited. Additionally, the resolver contract must be trustworthy; using unverified or community-built resolvers can expose users to misrouting or loss of attestation mapping. The ENS team maintains a reference resolver which is recommended for most use cases.
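The stale-cache failure described above, as an added example (not code from ENS, EAS or this page): one verifier reuses a cached attestation for a day and keeps accepting it after the issuer revokes, while one that re-reads on every check rejects it. `lookup` is a hypothetical stand-in for a live read from the EAS contract, and all addresses, UIDs and timestamps are constructed.

```javascript
// Added example. Field names follow the EAS Attestation struct, where 0 means
// "no expiration" / "not revoked". Addresses, UIDs and times are constructed.
const DAY = 86400;

// Decide whether one attestation may be accepted for `recipient` at time `now`.
function checkAttestation(att, { recipient, trustedIssuers, now }) {
  if (!att) return "not-found";
  if (!trustedIssuers.has(att.attester.toLowerCase())) return "untrusted-issuer";
  if (att.recipient.toLowerCase() !== recipient.toLowerCase()) return "wrong-recipient";
  if (att.revocationTime !== 0 && att.revocationTime <= now) return "revoked";
  if (att.expirationTime !== 0 && att.expirationTime <= now) return "expired";
  return "valid";
}

// `lookup(uid)` is a hypothetical stand-in for reading the attestation from the
// EAS contract. maxAge = 0 forces a live read on every verification.
function makeVerifier(lookup, maxAge) {
  const cache = new Map(); // uid -> { att, fetchedAt }
  return (uid, policy) => {
    let hit = cache.get(uid);
    if (!hit || policy.now - hit.fetchedAt >= maxAge) {
      hit = { att: lookup(uid), fetchedAt: policy.now };
      cache.set(uid, hit);
    }
    return checkAttestation(hit.att, policy);
  };
}

function demo() {
  const T0 = 1700000000;
  const ISSUER = "0x" + "aa".repeat(20);
  const HOLDER = "0x" + "bb".repeat(20);
  const UID = "0x" + "01".repeat(32);
  // Constructed "chain state": a 90-day permit, not yet revoked.
  const chain = new Map([[UID, { attester: ISSUER, recipient: HOLDER,
    expirationTime: T0 + 90 * DAY, revocationTime: 0 }]]);
  const lookup = (uid) => (chain.has(uid) ? { ...chain.get(uid) } : null);
  const policy = (now) => ({ recipient: HOLDER, trustedIssuers: new Set([ISSUER]), now });

  const cached = makeVerifier(lookup, DAY); // trusts its copy for 24 hours
  const fresh = makeVerifier(lookup, 0);    // re-reads every time
  const before = { cached: cached(UID, policy(T0)), fresh: fresh(UID, policy(T0)) };
  chain.get(UID).revocationTime = T0 + 600; // issuer revokes ten minutes later
  const later = policy(T0 + 3600);
  const after = { cached: cached(UID, later), fresh: fresh(UID, later) };
  return { before, after };
}
```

An hour after the revocation, `demo()` reports the cached verifier still returning `valid` and the fresh one returning `revoked`.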
Finally, gas costs on mainnet remain non-trivial for setting up the resolver and writing the initial UID entries. On layer 2 networks, fees are negligible, but attestation availability depends on the stability of the chosen L2. Beginners should start with a testnet ENS domain on Sepolia or Görli to practice setup without financial risk. Several testnet EAS instances operate in parallel, allowing users to simulate the full workflow. Once comfortable, they can migrate to a mainnet domain or a supported L2. The ENS community also offers grants for developers building privacy-enhanced passport tools, reflecting ongoing efforts to address these issues. As V2 matures, further improvements in zero-knowledge proofs may allow selective disclosure of attestation details, further protecting privacy while maintaining verifiability.
For domain managers and developers, understanding these trade-offs is crucial before deploying Passport V2 in production. The system is robust for many use cases but not suited for every identity need. Organizations requiring regulatory compliance should consult legal experts about the jurisdictional validity of attestations. Nonetheless, Passport V2 is a meaningful step forward in decentralized identity by providing a standard, cost-effective, and interoperable framework. It lowers barriers for individuals and businesses to manage credentials without centralized authorities, aligning with the broader ethos of web3. By focusing on attestation references rather than raw data, V2 paves the way for a more scalable identity layer that can grow with the Ethereum ecosystem.