By Matt Cooper.
DIGITAL IDENTITY WALLETS ARE SOLVING THE WRONG PROBLEM
Government-backed identity doesn’t stop account takeover
For years we’ve talked about digital identity as though it’s both an ID panacea and the final piece of the identity jigsaw. The European Digital Identity (EUDI) Wallet and the UK’s own digital identity ambitions certainly move us much closer to a credential nirvana; governments will issue trusted credentials, citizens will be able to prove who they are without repeatedly uploading passports or utility bills, and organisations will finally have a higher level of confidence that the person they’re dealing with is genuine. That’s all good news. But amid all the excitement, there’s one question that hardly anyone seems to be asking. What protects the wallet itself?
The assumption seems to be that because the identity has been issued by a government, it’s somehow immune from the threats that affect every other digital account. It isn’t. Once that credential has been issued, it lives inside an application on your smartphone of choice. The government isn’t managing that phone. It isn’t monitoring the device. It isn’t protecting the authentication journey every time the wallet is opened. From a criminal’s perspective, it’s simply another high-value account waiting to be taken over.
The credential may be secure. The journey around it may not be.
We’ve seen this pattern countless times before; criminals rarely attack the strongest part of a system. They attack whatever sits around it. Banks spend millions securing payment platforms, yet fraudsters manipulate customers into authorising payments themselves. Multi-factor authentication was supposed to solve account security, yet phishing kits now proxy authentication sessions in real time. The same will happen with digital identity wallets. Rather than trying to forge hardened government credentials, criminals will simply focus on taking control of the legitimate owner’s device, their mobile number or the recovery journey.
That’s what makes account takeover such an important part of the conversation. Once someone has successfully taken control of a digital identity wallet, they’re no longer impersonating a victim. For many services, they effectively become them. A wallet that can prove your identity to a bank, government department, healthcare provider or employer becomes enormously valuable. It isn’t difficult to imagine organised crime adapting its playbook accordingly. Why spend time creating synthetic identities when you can hijack a genuine government-backed one?
Identity assurance and identity protection are different problems
The uncomfortable reality is that governments are solving identity assurance, not identity protection. Those are two very different challenges.
Issuing a cryptographically secure credential is one thing. Continuously establishing that it’s still being used by its rightful owner is something else entirely. The responsibility for that doesn’t disappear simply because the identity originated from a government.
We think that raises an interesting policy question. If governments are encouraging citizens to rely on digital identity for increasingly sensitive interactions, should they also define the minimum protections around the wallet itself? At the moment, much of that responsibility falls to individual service providers. Banks, insurers and government agencies will each decide how much additional assurance they require before trusting the wallet. That risks creating inconsistent levels of protection across the ecosystem, even though they’re all relying on the same identity.
Mobile network intelligence can protect the wallet
This is where mobile network intelligence becomes incredibly interesting because it addresses risks that neither the wallet nor the operating system can always see. Before trusting a digital identity, organisations should also understand what’s happening around the mobile number and the device. Has the SIM recently been replaced? Is the number genuinely associated with the handset making the request? Have calls been diverted elsewhere? These aren’t abstract technical signals. They’re some of the strongest indicators that an account takeover may already be underway.
Number Verify, SIM Swap and Call Forwarding APIs provide exactly that additional layer of confidence. Number Verify establishes that the mobile number genuinely belongs to the device making the request without relying on vulnerable SMS codes. SIM Swap identifies whether control of the number has recently changed, one of the clearest warning signs for identity fraud. Call Forwarding helps identify attempts to redirect voice calls that might otherwise be used during recovery or verification processes. None of these replace a government-issued identity. They protect it.
That’s an important distinction because digital identity wallets don’t remove the need for layered security. In many ways, they actually increase it. The more valuable an identity becomes, the more attractive it becomes to criminals. If a wallet ultimately becomes the key to banking, healthcare, taxation, property and government services, then compromising that wallet delivers far greater rewards than compromising any individual account ever could.
Government-backed digital identities solve the problem of proving who you are. The internet’s remaining challenge is proving it’s still you every single time that identity is used. They’re related problems, but they’re not the same.
Digital identity is rapidly becoming a national infrastructure. We should absolutely celebrate that. But infrastructure also needs protection. The next phase of digital identity shouldn’t focus solely on issuing trusted credentials. It should focus just as much on protecting them against the account takeover attacks we already know criminals excel at. Otherwise, we’ll have built an incredibly secure front door while leaving the keys sitting under the mat.