8 Fundamental Issues That Will Shape the Future of Digital Identity

Better privacy protection, constituent control over data, enhanced anti-fraud protection and trusted digital credentials are some keys to success.

Solomon Adote, Delaware’s chief security officer, says the state is developing an identity system that will give residents more control over their personal data. (Photo: Government Technology/David Kidd)

In one universe, the future of digital identity might look a lot like a mobile driver’s license on a smartphone — a complex ecosystem in which a state-issued identity document resides in a software company’s wallet secured by biometrics like a face scan. In another, it might be centrally managed by the federal government. In yet another, identity could be completely decentralized, with individuals deciding what information to share with the government and other organizations.

While the end state isn’t clear, digital identity is growing rapidly — even as many of the core issues, including technology, privacy, security and jurisdiction, remain unresolved. The result has been “a patchwork of approaches at federal, state and local government levels as well as in private industry,” says Arthur Mickoleit, a Gartner director analyst. The status quo has led to “friction and confusion.”

But some trends are clearly emerging that allow governments to think about their own identity roadmaps.

“The real question is not what identity is going to look like, but whether we are asking the right questions,” says Morgan Wright, a Center for Digital Government (CDG) senior fellow and internationally recognized expert on cybersecurity. “If we do the right things today, in five years we will be much more comfortable.”

1. The concept of identity is evolving. The migration from physical identity records to digital systems shifts the focus from information to validation. As a result, governments must determine how much information they need to establish identity for different use cases, says Solomon Adote, Delaware’s chief security officer.

“Constituent identity is multifaceted,” Adote says. “There’s a level of identity you need to buy a park pass and another level to request housing assistance. We need to build identity [validation] in different sequences.”

Identity systems need the capability to update a constituent’s information as their life circumstances change, driving different requirements for services such as unemployment insurance or disaster relief. “Digital identities aren’t static — they change over time,” says CDG Senior Fellow Deborah Snyder, former chief information security officer for the state of New York. “Agility and flexibility in processes, and making them more real-time, is going to be increasingly important.”

Digital identity also raises questions about data ownership and who controls information sharing. Russell Castagnaro, former director of digital transformation for the state of Colorado, says decentralized identity technologies are starting to give people more choice over how they share information like health records.

“For the first time, you can share your information directly [with a healthcare provider] without having to go through three different parties,” says Castagnaro, now chief of staff for SporkDAO and an investment steward for Bufficorn Ventures.

In this context, “who owns what is the wrong question,” says Luke Hogg, director of policy outreach at the Foundation for American Innovation, a nonprofit focused on the intersection of innovation, governance and national security. “The better question is who is doing the validating — it’s context-specific. You’re trying to figure out a way to take existing structures built for a world where you can show a physical card at the DMV and update them for a digital world.”

2. The U.S. may lag — or outright buck — international trends. Gartner predicts nearly one-third of national governments worldwide will create mobile identity wallets by the end of this year. Residents in Ukraine and Poland can already “use their smartphone-based identity across the economy in the same way as their plastic ID card for all domestic use cases, like opening a bank account,” Mickoleit says. Canada and the European Union (EU) have made efforts to create common frameworks for government and commercial identity. But the United States has yet to follow suit, with several efforts having stalled in Congress.

But even if a national digital identity standard ultimately emerges, the decentralized nature of U.S. governance means it would probably be applied in different ways across the states. Consider how different states currently require different information for voter ID or age verification for websites, or the complexities already involved in living in one state and doing business or going to school in another.

“Every state has gone in its own direction,” Snyder says. “A focus on federal privacy law would be welcome and helpful.”

3. Privacy is essential to build trust. Digital identities can create trust or demolish it. That’s because in online interactions with government, “identity is an outcome,” Wright says, and the validation of this outcome is at the heart of privacy considerations.

In theory, all information associated with a digital ID could be shared with a government agency during every interaction, whether it is needed or not. Or every transaction could generate new data for governments to collect — for example, a constituent’s location and purchases when a digital ID is used to verify age at a state-run liquor store.

“Too often, governments collect way more information than they need,” Wright says, leading to surveillance concerns. And even when governments don’t collect a lot of data, constituents remain suspicious about their motives. The COVID-19 applications created by many states during the pandemic were widely hailed as an example of limited information sharing. But even these efforts resulted in a backlash, according to a Deloitte Future of Digital Identity report that noted “an increase in negative sentiment about the collection and use of personal data and how privacy is ensured.”

Federal privacy laws remain anchored in the analog world. The last comprehensive privacy law passed by Congress was arguably in 1988, and it focused on videotape rental records. In the absence of federal guidance, states have enacted their own legislation, beginning with the California Consumer Privacy Act in 2018. Now, a dozen states have similarly comprehensive privacy laws of their own, creating a fragmented policy landscape, according to a 2023 report from the International Association of Privacy Professionals.

Privacy will remain “the foundation of trust for government,” says Snyder. “The relationship between digital identities, trust and secure government services must be firmly understood. It’s key to building out essential government services, and we can’t get there without it.”

4. Trust will depend on smart decisions around technology and processes.

As governments work toward building digital identities for constituents, “privacy has to be at the core of design, intentionally and purposefully,” Snyder says. That will involve new technologies and careful process decisions.

Hogg points to the zero-knowledge proof, a cryptographic data-sharing method that verifies information like age or legal status without sharing identifiers such as names or Social Security numbers. “The only record created is a validation — just a yes or no that is not directly linked to the individual,” he says.

Such technology could support what Castagnaro calls “privacy-oriented digital identifications,” which provide the minimum proof necessary to validate a transaction and meet compliance requirements. For example, states with cannabis dispensaries often scan and store images of driver’s licenses to prove they have verified customer identities. A privacy-oriented approach could instead record digital attestations verified by state identity systems without the accompanying personal information.

5. Giving constituents control requires systems simple enough to use.

Privacy conversations often revolve around giving individuals control over their digital identities and associated personal information. Delaware, for example, is developing a portal that will tell residents what information state services have about them and give them the option to delete it, according to Adote.

Making such tools simple enough for residents to use will be key. Castagnaro notes that the mobile driver’s license (mDL) standard published by the International Organization for Standardization (ISO) already includes the concept of pre-approved profiles, which would let individuals choose from preset levels of data sharing. These options could become more powerful as more information, like education records or documented skills, is associated with a digital ID or wallet. “The best solutions are ones that put you in control,” Castagnaro says.

6. Decentralization will depend on centralized identity. Decentralized solutions, such as those stored in an immutable digital ledger like a blockchain, represent one way for residents to control their digital identities. But they won’t be fully trusted without some sort of centralized authority providing an imprimatur, experts argue.

“Before digital identity is accepted, we have to have known, trusted sources issuing digital credentials,” says Castagnaro, who calls an identity from a state DMV or similar agency “a trust anchor.” Until people get used to trusting digital identity, he adds, “nothing else matters.”

“You have to get the established identity issuers on board,” he says.

But don’t dismiss the potential of decentralized systems. Gartner’s Mickoleit sees distributed ledgers — “often blockchain-based although it’s not a must” — being a significant part of the identity ecosystem. He suggests the current approach in areas like the EU will likely lead to hybrid models that, borrowing a page from the financial sector, will be based on a combination of centralized and decentralized identity systems (CeDeID).

“We expect by 2026 to see at least 500 million smartphone users in the world regularly presenting verifiable claims using a digital identity wallet built on distributed ledger technology,” Mickoleit says, pointing to existing pilots for staff in the United Kingdom’s National Health System and a health and social benefits system in Spain’s Basque region. Both were built using open source protocols developed by the World Wide Web Consortium (W3C), which created the standards that power the Web itself.

“Using open source tools that are verifiable — instead of a black box that a state doesn’t want to explain and may not understand itself because it pays companies to [manage] it — allows the public and civil liberty organizations to come in and verify them,” Hogg says.

7. Digital identity is at risk, and protecting privacy is one of the best solutions. The current state of digital identity — an array of differing identities across government and commercial systems — is ripe for synthetic identity theft, where legitimate identity information is supplemented with false or manipulated data to create a fabricated person.

“Since aspects of it change over time, fraudsters have access to fresh data and can create a whole lot of fraud,” says Snyder. Generative AI and its ability to create “deep fakes” — highly credible synthetic likenesses that could trick existing validation systems — represent another threat, according to Mickoleit.

At the same time, Wright predicts AI will become “a force multiplier” to fight fraud. Governments will need to adopt AI and other sophisticated fraud identification techniques developed by financial players such as credit card issuers, according to Snyder. “We need to take lessons from the private sector and apply them,” she says.

Emerging cybersecurity methodologies such as Zero Trust and continuous validation will become even more critical. And in a hybrid ecosystem where state-issued digital identities may be used in non-government systems, governments must also assess the security of external use cases, Adote says. “State governments will want to make sure that anywhere their identity is used is secure so we’re not passing along credentials where they could be used against us.”

Privacy strategies that minimize information sharing and abstract identity for verification purposes may wind up being the best defense of all. Snyder recommends “right-sizing verification” to provide the minimal amount of data required to establish identity based on the use case or service. Hogg stresses private-sector practices that automatically delete data after its use or a statutory recordkeeping period ends. Both approaches help eliminate stored data records that are tempting targets for cybercriminals.

“It’s a very different world with far fewer potential liabilities and honeypots,” Castagnaro says. “Institutions tend to overengineer solutions and overreach on the information required. The solutions that will be the most secure and versatile are the ones that give people agency over their own data and let them protect it themselves.”

8. Digital identity adoption will depend on governments’ ability to develop relevant use cases that don’t reinvent the wheel. “Governments know — and some have learned the hard way — that success of digital identity initiatives is not measured in terms of technology maturity or supply, but in terms of adoption, trust and value creation across society,” Mickoleit says.

Government digital identity ecosystems must be flexible enough to meet changing needs, and they can’t require constituents to start from scratch by reestablishing their identity for every new service. As an example, Castagnaro points to Colorado’s COVID-era digital vaccination records, which were simpler to integrate with the state’s myColorado digital ID than standing up verification systems “from ground zero.”

While the policy environment will eventually come into focus, governments must build identity systems that work in what’s likely to remain a fragmented ecosystem. “The online world is borderless in general,” Hogg says. “Make sure these things are built to be digitally native and operate seamlessly in the digital world.” Systems that lack interoperability and ease of use, he cautions, will drive people to continue to use analog systems.

Wright agrees. “Situations are going to change, laws are going to change, and people are going to change,” he says. “We have to make sure systems are adaptable and able to solve the problems that arise.”