Smartphone displaying a U.S. digital ID connected to digital verification and trust signals.

U.S. Digital ID Readiness Report

Digital IDs promise faster travel, safer onboarding and less oversharing.

Your iPhone may be ready for your digital ID. Most Americans are not.

Not because the technology is science fiction. In pieces, it is already here. A growing list of states lets residents add a mobile driver’s license or state ID to Apple, Google or Samsung wallets, or to state-issued apps. TSA accepts digital IDs at more than 250 airports. Some states are also testing mobile driver’s licenses, or mDLs, for age verification.

On the technology side, the American Association of Motor Vehicle Administrators (AAMVA) launched its Mobile Driver License Digital Trust Service in April 2024. It gives relying parties a backend framework to use digital IDs and verify that they are legitimate.

Meanwhile, the National Institute of Standards and Technology, part of the U.S. Department of Commerce, is working with the banking industry on guidance for how financial institutions can securely accept and verify mDLs for customer identification. It released draft guidance in March 2026 seeking industry input on architecture, implementation details, regulatory mapping and a threat model for the financial sector. Comments closed last month, with no final publication date.

Digital IDs: A no-brainer?

The promise of less friction and card-free digital identities — en masse — sounds almost utopian to some. However, the reality is we still need to carry a physical ID, because most bars, banks, doctor’s offices, police departments and rental services — you name it — either don’t or can’t accept a phone-based credential yet.

And there lies one of the problems.

The practical value of an mDL for most consumers is thin, so adoption is weak. Digital IDs stored on mobile devices are still a hard sell for most people, save for niche use cases such as breezing through airport security.

An IAM user base of 300M+

Why do digital IDs even matter?

NIST says mDLs can help secure digital transactions and protect businesses and consumers against fraud, identity theft and unauthorized access to personal data. The potential savings are significant. McKinsey has estimated (PDF) that broad adoption of digital IDs could generate $27 billion in reduced identity-related fraud in the United States by 2030.

And that is where digital IDs become a cybersecurity issue, and one of the biggest new challenges for the identity security and management industry. The trust layer that lets a relying party check where a credential came from and whether it has been altered is what turns mDLs, digital identities and e-wallets that hold an ID from a convenience feature into an identity management story.

The next question is, can it be built and can it be managed?

“Critical infrastructure needs maintenance — roads, bridges, power grids, water systems,” said Olaf Jonkers, head of risk and compliance at Belgian digital identity provider itsme, during the European Identity and Cloud Conference in Berlin. “They all must have continuous operational investments to sustain the trustworthiness of those infrastructures. It’s the same with identity.”

AAMVA is one part of the management solution. Its Digital Trust Service gives relying parties in the U.S. a way to verify that a mobile credential was cryptographically signed by a legitimate issuing authority, rather than trusting a screenshot, a plastic card or a user-submitted image.

“What needs to be built is an ecosystem, not an application,” said Gabriel Pene and Arjen van Veen of SPRIND, Germany’s Federal Agency for Breakthrough Innovation. Speaking at EIC, they said they have built a near-production environment for relying parties to stress-test wallet integrations before going live.

IAM lessons from abroad

Earlier this month at the European Identity and Cloud Conference, experts gathered to discuss Europe’s faster-moving wallet rollout of digital IDs. They were joined by U.S. counterparts to discuss the real-world challenges of deploying digital IDs to more than 400 million citizens of the European Union.

The EU’s digital identity framework requires all 27 member states to make at least one digital identity wallet available by the end of 2026 for more than 400 million citizens. The project is still in rollout mode, with legal rules in force, certification work underway and large-scale pilots testing wallets across payments, travel, education and government services.

The challenge is not simply putting an ID in e-wallets. It is making that wallet trusted across borders, useful across public and private services, resistant to new forms of identity fraud and private enough that people are not forced to overshare, said Anja Lehmann, a cryptography professor at the Hasso Plattner Institute at the University of Potsdam.

The U.S. problem, like Europe’s, is less about whether iPhones are ready and more about whether the identity ecosystem is.

Fraud savings replace new security costs?

For Lehmann and others, the biggest impediment to digital IDs’ promising future is fraud.

“Practical solutions for building these systems have existed for 25 years now,” Lehmann said.

The warning is not that digital IDs are insecure. It is that criminals follow value, adoption and scale. The same thing that makes an e-wallet or digital ID useful for citizens, banks and governments also makes it useful to criminals.

“The fraud problem moves,” Jonkers said. Once a system covers a whole population, fraud “scales with that adoption.” His company, itsme, has been supporting eight million Belgian digital IDs for nine years.

The risks do not require breaking the cryptography, he said. They come from ordinary behavior: lost phones, shared devices, PIN sharing, social engineering, remote-control scams, accessibility exceptions and account-recovery failures.

NIST’s Ryan Galluzzo and other co-authors of the agency’s mDL guidance treat the fraud issue as an ecosystem risk problem. Digital IDs may reduce some fraud, but they also shift security responsibility to phones, wallet apps, issuers, verifiers and the relying-party systems that act on the credential.

That is why digital ID security cannot stop at device binding or one-time certification. Fraud prevention also depends on shared, real-time signals — device intelligence, velocity, behavior and known-bad patterns — especially as cheaper wallet checks push identity fraud from rare onboarding attacks into more frequent transaction-level abuse, said Jonkers.

Privacy upgrade or surveillance layer?

The challenge is that the same signals that help detect fraud can also create new privacy concerns. A digital ID system built to prove who someone is, where a credential came from and whether a transaction looks suspicious can also generate sensitive records about when, where and how people are asked to identify themselves.

The ACLU’s Jay Stanley has been especially blunt about “phone home” systems that notify an issuer or government authority whenever a credential is used. “Creating a system through which the government can track us any time we use our driver’s license is an Orwellian nightmare,” said Stanley, an ACLU policy analyst.

He worries that the more often people use digital IDs, the more chances there are for businesses, platforms and agencies to ask for verified personal information they may not actually need.

“Don’t ask for a credit card or a passport” when all a service needs to know is whether someone is over 21, said Ian Glazer, head of continuous identity product strategy at CrowdStrike.

The privacy dream is a system that supports proving the answer, not the whole identity.

That is the “proofing creep” problem, said Glazer. He warned that convenient digital proofing with digital IDs can normalize overcollection of PII because it is so easy to do.

That does not make digital IDs inherently anti-privacy, Lehmann said. It makes the rules around them decisive. The privacy outcome depends on who can ask for what, what the wallet reveals, what the verifier stores, how long data is kept and whether anyone audits abuse.

And the problem gets harder once digital identity moves beyond proving facts about a person and starts proving who, or what, is allowed to act for them.

One privacy answer is anonymous credentials backed by zero-knowledge proofs. In plain English, the wallet can prove a fact — for example, that a person is over 21 — without revealing the person’s name, address, license number or full date of birth.

Lehmann said practical ways to build those systems have existed for years. The harder part is deployment: phones, wallet standards and real-world use cases do not all move at the same speed. Banks may still need full identity for account opening, but age checks are exactly where selective disclosure could matter most.
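To make two of the mechanisms in this article concrete, the relying-party check that a credential was signed by a trusted issuer (the role the Digital Trust Service plays above) and the release of a single fact such as "over 21" rather than the whole record, here is an added worked example. It is not code from AAMVA, NIST or any wallet vendor. It follows the selective-disclosure pattern used by ISO/IEC 18013-5 mDLs today, in which the issuer signs a list of salted digests and the holder reveals only the requested elements with their salts, rather than a zero-knowledge proof. The issuer ID, key, claims and trust list are constructed for the example, and the issuer's public-key signature is replaced by HMAC-SHA256 so the code runs on the Python standard library alone; a real deployment signs the digest list with the issuer's certificate.

```python
"""Selective disclosure with an issuer-authenticated digest list (added example).

Issuer: salt and hash each data element, authenticate the digest list.
Holder: release only the elements the verifier asked for.
Verifier: check the issuer against a trust list, check the digest list
came from that issuer, check each released element against its digest.
Assumption: HMAC-SHA256 stands in for the issuer's public-key signature.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample data; issuer ID and key are invented for this example.
ISSUER_ID = "us-xx-dmv"
ISSUER_KEY = secrets.token_bytes(32)          # held by the issuer

# Verifier's trust list: stand-in for what a trust service such as AAMVA's
# Digital Trust Service distributes (issuer -> key used to verify it).
TRUSTED_ISSUERS = {ISSUER_ID: ISSUER_KEY}


def _digest(name: str, salt: str, value) -> str:
    """Salted digest of one element. The per-element salt stops a verifier
    from guessing undisclosed low-entropy values such as birth dates."""
    return hashlib.sha256(json.dumps([name, salt, value]).encode()).hexdigest()


def _canonical(mso: dict) -> bytes:
    """Deterministic encoding of the digest list so both sides hash the same bytes."""
    return json.dumps(mso, sort_keys=True, separators=(",", ":")).encode()


def issue(issuer_id: str, issuer_key: bytes, claims: dict) -> dict:
    """Issuer side: build salted elements and an authenticated digest list."""
    elements, digests = {}, {}
    for name, value in claims.items():
        salt = secrets.token_hex(16)
        elements[name] = {"salt": salt, "value": value}
        digests[name] = _digest(name, salt, value)
    mso = {"issuer": issuer_id, "digests": digests}   # the signed "security object"
    tag = hmac.new(issuer_key, _canonical(mso), hashlib.sha256).hexdigest()
    return {"mso": mso, "tag": tag, "elements": elements}


def present(credential: dict, requested: list) -> dict:
    """Holder side: release only the requested elements. The digest list and
    its tag travel unchanged; undisclosed elements are never sent."""
    return {
        "mso": credential["mso"],
        "tag": credential["tag"],
        "elements": {n: dict(credential["elements"][n]) for n in requested},
    }


def verify(presentation: dict, trusted: dict = TRUSTED_ISSUERS):
    """Verifier side. Returns the verified claims, or None if any check fails.
    Works offline against the trust list: nothing is reported to the issuer."""
    mso = presentation["mso"]
    key = trusted.get(mso.get("issuer"))
    if key is None:
        return None                                   # issuer not on the trust list
    expected = hmac.new(key, _canonical(mso), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation.get("tag", "")):
        return None                                   # digest list not from that issuer
    verified = {}
    for name, el in presentation["elements"].items():
        if mso["digests"].get(name) != _digest(name, el["salt"], el["value"]):
            return None                               # element altered or never issued
        verified[name] = el["value"]
    return verified


if __name__ == "__main__":
    cred = issue(ISSUER_ID, ISSUER_KEY,
                 {"family_name": "Doe", "birth_date": "1990-05-01", "age_over_21": True})
    bar = present(cred, ["age_over_21"])    # the bar never receives name or birth date
    print(verify(bar))                       # {'age_over_21': True}
```

Three failure modes from the article fall out of the verifier: a presentation from an issuer not on the trust list is rejected, a value edited in transit (flipping `age_over_21` from false to true) no longer matches its signed digest, and a screenshot or re-typed record with no tag fails the issuer check. What the example does not show is device binding, the separate check that the presentation was made by the device the credential was issued to; without it, a copied credential file would still verify, which is why the article treats binding and recovery flows as part of the security story.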

May the best wallet win

Europe’s digital ID rollout offers a preview of the problems the U.S. may face, even if America is taking a very different path.

The European Digital Identity Wallet effort requires every EU member state to offer at least one wallet by the end of 2026. That creates one kind of fragmentation: 27 countries, national issuers, certified wallets and relying parties that all have to trust each other across borders.

The U.S. has a different version of the same problem. There is no single federal wallet and no national mandate. Instead, mobile IDs are emerging through state DMVs, Apple, Google and Samsung wallets, state apps, TSA checkpoints, AAMVA trust infrastructure, NIST bank guidance and a long tail of future relying parties that may include banks, retailers, schools, health care providers, employers and online services.

That means the weak point may not be the cryptography. It may be the state with poor recovery controls, the verifier that asks for too much, the vendor that validates a credential incorrectly, or the support scam that talks a victim into approving a request on a real phone with a real wallet.

That is the “weakest wallet wins” problem. Fraudsters do not need to beat the best implementation. They only need to find the weakest credential, wallet, verifier or recovery flow that the rest of the ecosystem is still willing to trust.

The upside remains real. Done well, digital IDs can make forged plastic harder to use, make static license images less useful and let a verifier ask for “over 21” instead of collecting a full identity record. A bank could validate a credential rather than trust an uploaded image of a license. A traveler could prove identity at a TSA checkpoint without digging for a physical card.

But perfect deployment is not the world security teams live in.

The better lesson from Europe is not that the U.S. needs a single national wallet. It is that adoption is not the finish line. Scale creates its own security problems. Fraud follows value. Privacy requires defaults, not promises. And the expensive part of digital identity may not be issuing the credential. It may be defending the ecosystem after the credential becomes useful.

For consumers, the promise is simple: prove less, faster. For businesses, the opportunity is cheaper trust. For security leaders, the warning is just as clear: trust gets dangerous when everyone wants to consume it and nobody clearly owns what happens when it fails.

Digital IDs may not stall because the cryptography is weak. They may stall because the value is too thin, the politics too hot and the ecosystem asking Americans to trust it has not yet earned that trust.

Author

  • Tom Spring

    Tom Spring is the founder of Security Point Break and is based in Boston, MA. For over two decades he has held leadership roles at national publications, including senior editorial director of SC Media, publisher at Threatpost, executive news editor at PCWorld/Macworld and technical editor at CRN. He is a seasoned cybersecurity reporter, editor and storyteller who always aims for truth and clarity.
