informa
/
Operations
Commentary

4 Places Where Digital ID Models Falter

Good digital identity must be secure and unique, verified with high assurance, and privacy-preserving, along with individual user control and embedded consent.

The race to upgrade digital identity is on. A new study from Juniper Research reported that spending on digital ID verification will reach $16.7 billion in 2026, projecting 77% growth over five years, and the EU just proposed a new framework for European Digital Identity wallets.

In addition, Apple announced some iPhone users will now be able to store digital driver's licenses or state IDs on their phones and is reportedly working with the Transportation Security Administration to enable support for these digital IDs at airports. And Internet payment processor Stripe began publicizing a new digital product that lets companies verify identities with machine learning by having users submit both a picture of their driver's license and a live selfie.

A lot of this news looks like progress. For example, extending the capabilities of mobile wallets truly is a good thing. And there are plenty of reasons why digital ID technology is making news. Most obviously, as McKinsey has noted, "the design, governance, and use of digital ID is a rapidly evolving area" with the potential to unlock economic value equivalent to 3% to 13% of GDP by 2030.

But good digital identity must be secure and unique, verified with high assurance, and privacy-preserving — with individual user control and embedded consent. Hitting all those notes is nontrivial and no solution at scale today has done so. That's why you probably have around 37 usernames, three email accounts, two phone numbers, 13 good passwords you can't remember, and three bad ones you can. Even though there's only one you, your digital identity is remarkably fractured and hard to maintain.

There are myriad weaknesses pervading our current digital identity infrastructure. It's time to do away with:

Centralization: Personally identifying information (PII) is constantly being collected and perpetually under threat. There are hundreds of companies collecting hordes of personal information about individuals and selling it to thousands of others. These numerous and massive silos of personal data invite crime. How many times have compromised passwords been used in a ransomware attack? How many people have been victimized by identity theft? Why do we still put up with it?

Widespread reliance on centralized data collection and storage is an unacceptable risk to security and privacy.

Independent identity initiatives: Tech behemoths have been known to independently implement identity products (e.g., Login with Facebook, Sign Up with Google), promising convenience. But these have resulted in plenty of inconvenience to users and some well-known cautionary tales.

Good digital identity requires a cooperative network and coordinated efforts, with all participants adhering to collective standards that enshrine user consent, security, and privacy.

Passwords and OTPs: The old paradigm of usernames, passwords, and one-time passcodes (OTPs) has become the bane of everyone's digital existence. None of it serves much benefit in our modern security environment, where breached usernames and passwords can be bought for pennies and simple SIM-swap attacks intercept passcodes. The old paradigm always relies on shared secrets, and anything shared can easily be stolen.

For secure and privacy-preserving digital identity, it's essential to use strong multifactor authentication resolved locally on a user's device (e.g., FIDO). Eliminating shared secrets will make our digital world both more secure and far easier to navigate.

Single-use identification data: The biggest weakness in digital ID models is single-use identification data. Your bank, healthcare provider, insurance company, ride-sharing apps, and countless other services hold enormous amounts of data about you — and a ton of it overlaps.

When you transact online with an application or service, you are required to prove who you are with PII. You do this by filling out forms supplying the same basic information (name, address, phone number, date of birth, credit information, etc.). Then, each of those companies independently validates your data with a third party (like a data broker described under “Centralization” above) and holds your PII on their servers. It's all hopelessly inefficient.

The onus is on the user to go through verification over and over again with each organization. And those organizations still bear huge costs for that process.

Marginal improvements to existing models may weed out some fraud and demonstrate certain compliance requirements but cannot solve the central issue: Why do I as a user have to have a separate “me” established for every digital interaction? If I verified my identity at Company A, why should I have to go through the same annoying process at Company B? Single-use verification is the faulty bedrock of all our digital identity problems. It's not wholly responsible for every ill, but it's a major factor across the board.

The 1-to-1 relationship between a real person and their digital identity needs to be standardized and strengthened, ideally with a combination of cryptography and biometrics, and should be controlled locally by users on their own equipment. And that single strong digital ID needs to be reusable across cyberspace.

Users shouldn’t be forced to repeatedly throw their delicate data around the Web like it's free and harmless. It is neither.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5