Digital identity is the foundation for government digital services. Citizens who can't prove who they are can't access benefits, conduct transactions, or engage with government online. Yet digital identity is complex—balancing security with accessibility, privacy with functionality, and consistency with agency autonomy.
This guide provides a framework for citizen digital identity, addressing identity proofing, authentication, federation, and inclusive design.
The Digital Identity Challenge
Why Identity Matters
Digital identity enables:
Service access: Proving eligibility for benefits and services.
Transaction security: Ensuring the right person conducts the transaction.
Privacy protection: Releasing information only to the person authorized to see it.
Fraud prevention: Protecting against identity fraud.
Digital transformation: Foundation for online government.
Current Challenges
Fragmented identity: Different credentials for different agencies.
Verification difficulty: Proving identity remotely is hard.
Equity gaps: Not everyone has documentation or technology access.
Security threats: Identity fraud and credential compromise.
Legacy systems: Outdated identity infrastructure.
The Trust Framework
Identity confidence varies by scenario, and this guide uses a four-tier ladder:
Low assurance: Self-asserted attributes; minimal or no verification.
Medium assurance: Remote proofing against identity evidence; some verification.
High assurance: In-person (or supervised remote) proofing; strong evidence verification.
Very high assurance: Biometric comparison against the evidence plus multiple independent verification methods.
NIST SP 800-63-3 formalizes this as three separate ladders with three levels each: Identity Assurance Level (IAL1-3) for proofing, Authenticator Assurance Level (AAL1-3) for authentication, and Federation Assurance Level (FAL1-3) for assertions passed between systems. Pick each independently and match it to transaction risk: looking up office hours and filing a benefits claim should not require the same proofing.
Digital Identity Framework
Component 1: Identity Proofing
Establishing identity initially:
Proofing methods:
- Document verification (ID documents, physical or digital)
- Knowledge-based verification (security questions; weak, because answers are often public or in breach data, and NIST SP 800-63A restricts its use to a supplementary role)
- Biometric verification (facial recognition, fingerprint)
- In-person proofing (physical presence verification)
- Trusted referee (someone vouching for identity)
Remote proofing challenges:
- Document fraud detection
- Liveness detection (preventing photo/video spoofing)
- Identity record matching
- Equity (not everyone has required documents)
Standards alignment:
- NIST SP 800-63A (Enrollment and Identity Proofing)
- Identity Assurance Level (IAL1-3) requirements for each transaction
- Evidence strength, validation and verification requirements by IAL
Component 2: Authentication
Proving identity for transactions:
Authentication factors:
- Knowledge (passwords, PINs)
- Possession (devices, tokens)
- Inherence (biometrics)
- Multi-factor combinations
Authentication methods:
- Passwords (weak; still common)
- SMS/email codes (phishable and exposed to SIM swap and number porting; NIST SP 800-63B treats phone-delivered OTP as a restricted authenticator)
- Authenticator apps (TOTP/HOTP; stronger than SMS but still phishable, since the code can be relayed within its validity window)
- FIDO2/WebAuthn (strong, modern standard; the only widely deployed phishing-resistant option for the public)
- Biometrics (convenient as an unlock for a device-bound credential, but a biometric is not a secret and cannot be revoked, so it is not a standalone factor)
Phishing resistance:
- FIDO2/WebAuthn resists phishing because the browser signs the site's origin into the assertion; a credential created for one origin cannot be exercised from another
- Critical for high-value government transactions, where credential theft means benefits fraud
- Direction of federal requirements: OMB M-22-09 mandates phishing-resistant MFA for agency staff and requires agencies to offer a phishing-resistant option to the public
Component 3: Federation and Interoperability
Sharing identity across agencies:
Federation benefits:
- Single credential for multiple agencies
- Reduced credential management burden
- Consistent identity experience
Federation approaches:
- Centralized identity provider
- Federated identity network
- Commercial identity providers
Login.gov model:
- Federal shared services platform
- Available to federal and state agencies
- Standards-based integration (OpenID Connect and SAML), so agencies consume assertions rather than credentials
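In a federated model the agency never sees the credential; it sees an assertion, and its security rests on validating that assertion correctly. The example below is added here and is not Login.gov's or any vendor's code. It shows the checks a relying party must make on an OpenID Connect ID token (pinned algorithm, signature, issuer, audience, expiry, nonce) and then gates the transaction on the asserted identity assurance level, which ties the federation step back to the assurance mapping earlier in this guide. The issuer URL, client_id, shared key and transaction names are constructed for the demo; the acr strings follow the style Login.gov documents, but treat the exact values as an assumption. HS256 is used so the file runs with the standard library only, whereas real providers sign with asymmetric keys (RS256/ES256) published in their JWKS.

```python
# Added example (not from the original page or Login.gov): ID-token validation
# plus an assurance-level gate. All identifiers below are constructed.
import base64, hashlib, hmac, json, time

ISSUER = "https://idp.example.gov"                       # assumed
CLIENT_ID = "urn:gov:agency:benefits-portal"             # assumed
KEY = b"shared-secret-for-demo-only"                     # assumed; real IdPs use JWKS keys
ACR_IAL1 = "http://idmanagement.gov/ns/assurance/ial/1"  # acr style as assumption
ACR_IAL2 = "http://idmanagement.gov/ns/assurance/ial/2"
# Deny by default: a transaction not listed here gets no assurance level at all.
REQUIRED_ACR = {"view-office-hours": {ACR_IAL1, ACR_IAL2},
                "file-benefits-claim": {ACR_IAL2}}

def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims, key=KEY, alg="HS256"):
    # Simulated IdP. Only HS256 is actually signed; `alg` is a parameter so the
    # demo can show the relying party rejecting a header it did not expect.
    header = _b64u(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{_b64u(sig)}"

def validate_id_token(token, expected_nonce, transaction, now=None, key=KEY):
    """Returns (claims, None) on success or (None, reason). The signature is
    verified before any claim is acted on, and the algorithm is pinned rather
    than read from the token (this blocks alg=none and key-confusion attacks)."""
    now = now or int(time.time())
    try:
        h, b, s = token.split(".")
        header = json.loads(_unb64u(h))
    except ValueError:
        return None, "malformed token"
    if header.get("alg") != "HS256":
        return None, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(s)):
        return None, "bad signature"
    claims = json.loads(_unb64u(b))
    if claims.get("iss") != ISSUER: return None, "wrong issuer"
    aud = claims.get("aud"); aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud: return None, "token not intended for this client"
    if claims.get("exp", 0) <= now: return None, "expired"
    if claims.get("iat", 0) > now + 60: return None, "issued in the future"
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        return None, "nonce mismatch (replay or login CSRF)"
    if claims.get("acr") not in REQUIRED_ACR.get(transaction, set()):
        return None, f"assurance {claims.get('acr')!r} insufficient for {transaction}"
    return claims, None

def demo(now=1_700_000_000):
    nonce = "n-7f3a"  # per-login random value stored in the session; constructed here
    base = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-0001",
            "iat": now, "exp": now + 300, "nonce": nonce}
    ial1 = issue_token({**base, "acr": ACR_IAL1})
    ial2 = issue_token({**base, "acr": ACR_IAL2})
    h, _, s = ial2.split(".")
    tampered = f"{h}.{_b64u(json.dumps({**base, 'acr': ACR_IAL2, 'aud': 'other'}).encode())}.{s}"
    check = lambda tok, nn, tx, t=now: validate_id_token(tok, nn, tx, t)[1]
    return {
        "ial1_office_hours": check(ial1, nonce, "view-office-hours"),
        "ial1_claim": check(ial1, nonce, "file-benefits-claim"),
        "ial2_claim": check(ial2, nonce, "file-benefits-claim"),
        "alg_none": check(issue_token({**base, "acr": ACR_IAL2}, alg="none"), nonce, "file-benefits-claim"),
        "tampered": check(tampered, nonce, "file-benefits-claim"),
        "replayed_nonce": check(ial2, "n-other", "file-benefits-claim"),
        "expired": check(ial2, nonce, "file-benefits-claim", now + 600),
        "unknown_transaction": check(ial2, nonce, "delete-everything"),
    }
```

demo() returns None for the two cases that should pass and a reason string for each rejection. The assurance gate is the part agencies most often omit: an IdP will happily issue an IAL1 token to a user who never proofed, and if the relying party does not check acr against what the transaction needs, the federation has silently lowered the assurance the agency thought it was getting.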
Component 4: Credential Management
Managing identity lifecycle:
Credential operations:
- Credential issuance
- Credential renewal
- Credential revocation
- Password/credential reset
Recovery challenges:
- Account recovery when credentials lost
- Identity re-proofing for recovery
- Preventing social engineering of help-desk and recovery channels, which become the weakest link once primary authentication is strong; recovery should require the same assurance as the original proofing
Component 5: Equity and Accessibility
Inclusive identity systems:
Equity considerations:
- Not everyone has ID documents
- Not everyone has smartphones
- Digital literacy varies
- Disabilities affect technology use
Inclusive design:
- Multiple proofing pathways
- Alternative authentication methods
- Accessibility compliance
- Offline options
Implementation Approach
Strategy Development
Planning digital identity:
Use case inventory: What transactions require identity?
Assurance mapping: What assurance level for each?
Current state assessment: What identity infrastructure exists?
Gap analysis: What's missing?
Architecture Design
Designing the solution:
Shared services vs. agency: Centralized or federated model?
Technology selection: Platforms and standards.
Integration approach: How agencies connect.
Privacy architecture: Minimizing data collection; protecting data.
Implementation Phases
Building identity capability:
Foundation: Core infrastructure and initial use cases.
Expansion: Broader agency adoption; more use cases.
Optimization: Enhanced features; improved experience.
Organizational and Policy Considerations
Governance
Managing identity program:
Cross-agency governance: Coordination across agencies.
Policy framework: Rules for identity use.
Privacy governance: Protecting citizen data.
Vendor management: Managing identity service providers.
Privacy
Citizen data protection:
Data minimization: Collect only what's needed.
Purpose limitation: Use data only for stated purpose.
Transparency: Clear privacy communication.
Control: Citizen access to their data.
Key Takeaways
- Identity enables digital government: Without identity, digital services can't work.
- Balance security and accessibility: High security that excludes citizens fails.
- Federation reduces friction: Shared identity reduces citizen and agency burden.
- Equity must be designed in: Ensure all citizens can access identity services.
- Standards compliance is essential: Align with NIST SP 800-63 and federal guidance.
Frequently Asked Questions
Should we use Login.gov or build our own? Shared services like Login.gov offer efficiency; evaluate fit for your use cases and governance needs.
How do we handle citizens without ID documents? Alternative proofing pathways: trusted referees, in-person with alternative evidence, staged credential building.
What about biometrics and privacy? Biometrics offer convenience but raise privacy concerns. Implement with strong privacy protections, explicit consent, and alternatives; prefer matching on the citizen's device, store templates rather than raw images, and remember that a compromised biometric cannot be reissued.
How do we achieve phishing-resistant authentication? FIDO2/WebAuthn provides phishing resistance. OMB M-22-09 requires it for federal staff and requires agencies to offer it to the public, so plan for implementation, including an enrollment path for citizens who have no security key or platform authenticator.
What about mobile driver's licenses (mDL)? ISO/IEC 18013-5 defines the mDL data model and in-person presentation, and states are beginning to issue them. They have potential for stronger identity proofing, but verify that the issuer, the presentation channel, and the assurance level you need are actually covered before relying on them; watch the adoption trajectory.
How do we ensure accessibility? WCAG compliance, alternative methods, assistive technology support, and testing with diverse users.