Digital Identity Spotlight: The UK
The UK is aiming to join the growing number of nations introducing forms of digital identity that, if done right, could empower citizens to protect their privacy like never before.
In 2023, the British government released a Digital Identity and Attributes Trust Framework (DITF) that provided a set of rules and standards designed to establish trust in any future digital identity-based initiatives in an effort to boost the country’s $150 billion digital economy. The idea: enable smoother, more secure online transactions and align more closely to the secure route taken by much of Europe when it comes to digital identity.
What Exactly Is Digital Identity?
Identity verification and proofing are essential to functioning societies. It enables individuals to prove their identity to take out loans, make purchases, receive entitlements, access services, manage finances, and more. Verifying that identity in digital channels has been tougher, accomplished mainly through usernames, passwords, and rudimentary forms of multifactor authentication. Thanks to never-ending phishing scams and data breaches, the result has been a $10.5 trillion-a-year global cybercrime economy.
New forms of digital identity are generally validated digital attributes and credentials designed primarily, but not exclusively, for the digital world that are verified by cross-referenced government-issued physical world credentials. Birth credentials, driver’s license, passports—those kinds of things. They also increasingly include biometric information, like a fingerprint or face scan.
For national identification purposes, digital identity can be connected to, and even contained in, biometric-enabled ID cards, though a growing number of countries, including Singapore, India, Estonia, Sweden and Spain, are also launching mobile apps and digital wallets for keeping this and other credentials for accessing medical care, educational services, and other information that may be used for interactions and information exchange between government, universities, banks and lenders, employers, and businesses.
Benefits include convenience—citizens don’t need to manage multiple usernames and passwords for different services or transactions. Instead, they grant permission to banks, health care providers, government agencies, and businesses to retrieve personal information to simplify account enrollment and verification. In the UK’s case, it’s estimated that digital identity can generate an additional $800 million to the UK economy every year. But there are more than a few challenges ahead.
Identity Proof Is in the Pudding
According to the 2025 Cyber Security Breaches Survey from the UK’s Department for Science, Innovation, and Technology, 43% of UK businesses experienced a cyberattack or breach in the past year. That’s actually down from recent years, thanks to heightened cybersecurity—but still quite troubling. Phishing played a role in 85% of the successful breaches or attacks. The financial impact of successful breaches is significant—an average of $4.5 million per incident, before any lawsuits or regulatory fines. When personal information is breached, it can take years to rebuild public trust.
Provisions in the Digital Information and Smart Data Bill introduced in 2024 are designed to address data privacy concerns. This includes specially-certified third-party digital identity services that follow strict government guidelines for helping people set up digital identities while “reducing costs, time, and data leakage.” It also includes attribute providers that share attributes—specific elements of an individual’s full identity—with organizations or individuals needing to verify identity, but only with the individual’s consent. The official list of such services was launched on April 16. For the record, it’s also worth pointing out that the government ruled out a mandatory digital identity.
The government has also announced the introduction of a Gov.uk digital wallet. This mobile app gives users the ability to store and manage their identity information, and is expected to drive significant growth in adoption of digital identity among UK residents. Portugal, Singapore, Thailand, India, and other nations are seeing tremendous uptake of digital identity through such apps. And Juniper Research estimates that 6.9 million people will adopt the app this year, climbing to 25.5 million by 2029.
But there are reasons to believe this is overly optimistic. Surveys have shown that more than 40% of people have “little to no trust” in the government managing their personal information through such systems. They trust businesses even less.
What Kind of Digital Identity Makes All the Difference
For digital identity systems to work, individuals must control who has access to their data. These systems must also lower barriers to participation. In the UK, 8% of the population doesn’t have even traditional forms of identification. Voting, driving, working, borrowing, and even commerce can be difficult without an ID.
Digital identity can change that. It can also reduce bias by enabling only pertinent information to be used, so that personal data vulnerable to discrimination doesn’t come into play. These systems can also reduce fraud by cryptographically protecting and locking with specific multifactor authentication methods.
The UK’s digital identity initiative is a significant step in the right direction. But it might also be a sign of the post-Brexit world we live in that, as Forbes points out, the UK is pursuing a different strategy for digital identity than the European Union. And that may matter in a couple of significant ways.
Under EU law, users remain in control of the digital credentials in their wallets to ensure that they can decide what information they share and with whom, and they can use verifiable credentials to prove certain attributes without revealing their personal data at all. A standardized digital identity solution is used via wallets across all member states under the EU’s Electronic Identification, Authentication, and Trust (EIDAS) regulations. Governance oversight is maintained by public sector institutions in each member state.
Under the UK strategy, attribute service providers give users the ability to share just the information they want with specific organizations or individuals needing to verify identity. This includes combining, say, identity information with birthdate information to verify an individual is old enough to enter a bar or example. But approved private sector providers centrally store and govern digital identity information under the DITF guidelines. As a practical matter, the utility of digital identities is also limited because of its lack of interoperability with EU systems.
In other words, citizens must use digital identity managed by a private sector it trusts less than the government and won’t be able to even use it with the organizations with which millions transact and interact each day. But there are steps the UK can take to mitigate these issues.
Building an Infrastructure of Trust: What Should Come Next
Yes, moving toward EIDAS standards could significantly improve the UK’s ability to conduct business with its neighbors in the EU. But either way, following some of the steps the EU is taking in distributed ledger-based identity systems can benefit the utility and adoption of digital identity no matter the framework the UK employs.
Both frameworks make use of digital wallets. And both frameworks grant users a measure of control over with whom their personal information is shared. But several EU countries are ahead of the curve in moving toward far more decentralized forms of identity that give users even more control over personal data—while dramatically reducing the chances of it getting hacked.
With distributed ledger-based systems, users are authenticated without requiring personal data to be stored centrally on servers belonging to public or private organizations such as the UK’s attribute service providers, where it can be hacked, ransomed, or otherwise exploited to commit fraud. Instead, individual users maintain full ownership and control of their digital identities without relying on a third party at all. They control what information they share, for what purpose, and for how long.
Germany, Italy, Estonia, and Poland have pilots in place for this kind of system as part of EIDAS 2, an ambitious update to the original EIDAS framework. There’s no reason the UK couldn’t embrace its own flavor of this kind of “self-sovereign identity.”
Even within its current framework, digital identity wallets should also comply with NIST-, FIDO2-, and ISO/IEC biometrics-based standards that leverage liveness tests capable of defeating virtually any attempt at identity spoofing or unauthorized access to accounts in a process that’s nearly effortless for users. The architecture for this kind of functional, practical digital identity is available today. In fact, it’s baked into the solution we offer at 1Kosmos. In light of distrust in government and business stemming from non-stop threats to personal data and privacy, it’s the kind of digital identity anyone would welcome.
Interested in digital identity-based authentication but aren’t sure where to start? Learn more about 1Kosmos, the only NIST 800-63-3, FIDO2-, and ISO/IEC 30107-1, and ISO/IEC 30107-3 biometrics-certified digital identity platform—and schedule a free demo today.
