As verifiable credentials are adopted at scale in ecosystems around the world, addressing security and privacy challenges is becoming increasingly important. In this talk, I will discuss some of the most pressing issues around protocols and credential formats and how they can — or cannot — be addressed. Using the OpenID and IETF specifications as examples, I will discuss the challenges of establishing trust, mitigating replay and phishing attacks, avoiding linkability and tracking, securing cross-device flows, addressing confidentiality and (non-)repudiation, and more. While some of these issues are well known in identity protocols, others only arise in the context of verifiable credentials. As an editor of the OAuth Security Best Current Practice draft, the Cross-Device Flow Best Current Practice draft, the SD-JWT and SD-JWT VC specifications, and a contributor to many other specifications in this area, I will share my experiences and insights from moving from the world of OAuth and OpenID to the world of verifiable credentials.