By any measure, January was a busy month for digital identity.
Digital Identity trends in 2025.
Age assurance continues to be a hot topic as regulators grapple with the need to protect children online.
In France, the data protection agency CNIL has published its strategic plan for 2025 - 2028. Unsurprisingly it focuses on the privacy and cybersecurity risks presented by AI alongside the protection of children. It recognizes that the key to addressing these risks is the development of privacy-preserving online identity verification and age assurance solutions.
The United Kingdom’s national regulator for communications services, OfCom, has published guidance on age assurance methods that it believes are "capable" of being highly effective for protecting children online. These include facial age estimation, email usage-based age estimation, digital identities and credit card checks.
The use of credit card checks seems a little weak, despite the fact that in the UK you need to be over 18 to obtain a credit card. In the guidance, OfCom states:
"Credit-card based age checks work by asking a user to input their credit card details, after which a payment processor sends a request to check the card is valid by the issuing bank. Approval by the issuing bank can be taken as evidence that the user is over 18".
Checking the card is valid tells you nothing about who entered the cards details. This was presumably not the intent of OfCom but it shows the risk of regulating which specific methods are acceptable. Firstly, you are in danger of stifling innovation but secondly if the method or the way it is defined has a weakness (as this definition clearly does) it becomes more difficult to change. A better approach might have been to define the required measurable outcomes and leave it to the industry to design and adapt solutions accordingly.
Meanwhile, facial age estimation has been the subject of significant testing by the National Institute of Standards and Technology (NIST) in the US. It's "Face Analysis Technology Evaluation (FATE) Age Estimation & Verification" program provides measurable performance of the technology's accuracy and computational efficiency. In a cruel twist of fate, another UK body - this time the Home Office - has deemed that biometric age estimation is not suitable for proving age when purchasing alcohol because "suitable government approved national standards" are not yet in place.
Talking of testing, Australia has taken the very pragmatic approach of commissioning an age assurance technology trial that will run until June. We will have to wait to see how rigorous and empirical the results are. It is probably no coincidence that Australia has also just approved legislation to ban children under 16 from many social media sites from later this year. It is by far the strictest law of its kind to date. If they are going to have any chance of enforcing it they will need solutions that produce clear and measurable outcomes.
A tale of two continents.
There are two main stories in the digital identity world at the moment: the US and the EU. At first, they appear different but actually there are overlaps.
I have been monitoring digital identity developments internationally for some 15 years. For most of that time, very little meaningful progress seemed to be made in the US. That has all changed now that DMVs across the country have started to issue mobile driver's licenses (mDL). Whilst these are not identity documents per se, it seems very likely that they will get used for identity purposes much as physical driver's licenses are. The TSA recently published its final rule allowing the continued use of mobile driver’s licenses for domestic flights. But that is just the first use case. With the development of part 7 of the ISO 18013 mobile driver's license standard, it will be possible to present mDLs online, enabling a plethora of use cases.
The importance of the mDLs was illustrated in January when President Biden issued an Executive Order on Cybersecurity which included providing funding to accelerate the adoption of mDLs. It recognized the important role this digital identity technology can play in making the digital world a safer place. At the time of writing, we are waiting to hear if President Trump’s new administration agrees with this assessment.
The rollout of mDLs in the US is a movement. It started in Louisiana but is spreading across the country. The EU on the other hand has a mandate. The eIDAS regulation requires member states to make digital identity wallets available to all EU citizens by the end of 2026, in which citizens (and businesses) can hold a range of documents with acceptance across a whole range of sectors by the end of 2027. It is very ambitious.
A key part of the EU strategy is funding large scale pilots involving many stakeholders from the public and private sector who work together to test identity wallets and inform the implementation of the eIDAS regulation. The second round of pilots are due to start soon, with one – WE BUILD – breaking cover a few days ago.
Where is the overlap? In December, the European Commission published a number of implementing acts, including one on protocols and interfaces, requiring that EU digital identity wallets to support ISO 18013 - the same standard being used for US mDLs. This means that in both the US and the EU, wallets are being rolled out that can present digital documents aligned with the same ISO standards. That is huge.
Not to be left out the UK government announced in January that it would be launching a wallet later in 2025 including a "digital driving license". The announcement was very thin on detail and seemed to catch many people by surprise. No doubt the progress being made in both the US and the EU, will put pressure on the UK government to up the pace of its digital identity work.
What can we conclude?
I think it is reasonable to assume that 2025 is going to be an important year of progress in digital identity. It is long overdue - we desperately need robust and interoperable digital identity ecosystems designed for the digital world. To get there, legal, business and technical alignment is essential. That means developing frameworks, standards, certification and testing - the very areas where Fime is actively contributing to make digital identity a reality.
