Digital identity is increasingly being touted as a transformative force, promising efficiency and enhanced security in our interconnected world. However, as nations like the UK contemplate its widespread adoption and countries like India navigate its complexities, a critical examination reveals both its compelling benefits and significant risks, particularly concerning our reliance on phone numbers for authentication.

What is Digital Identity?

At its core, digital identity is a distinct electronic representation of an individual that allows them to be sufficiently distinguished when interacting online with services. It functions as a reusable digital profile that, once verified, minimises the need to repeatedly provide physical documents like passports or driver’s licenses to various organisations. This shift aims to create a standardised, secure, and streamlined verification system, reducing manual checks and paperwork, and ultimately reducing the risk of loss, theft, fraud, and identity theft. Digital identity verification employs a range of methods to confirm who a person claims to be online. These can include:

  • Biometric Verification - Fingerprint scanning, facial recognition, iris scanning, and voice recognition.
  • Identity Document Verification - Using passports, driver’s licenses, or national ID cards.
  • Two-Factor Authentication (2FA) - SMS verification, email verification, and authenticator apps.
  • Knowledge-Based Authentication (KBA) - Security questions and personal information.
  • Behavioral Biometrics - Keystroke dynamics, mouse movements, and usage patterns.
  • Mobile Authentication - SIM card verification and mobile ID apps.
  • Digital Identity Platforms - Single Sign-On (SSO) and Identity Providers (IdPs).
  • Blockchain-Based Verification - Decentralised identity and Self-Sovereign Identity (SSI).

These methods are often combined to enhance security and ensure accurate verification. The benefits of digital identity include convenience, location-independence, enhanced security, and faster fraud detection, which can improve user experience and customer acquisition while protecting against fraud. Many countries, such as Belgium, Denmark, Estonia, India, the Netherlands, Nigeria, and Singapore, have already implemented successful digital ID systems. India’s Aadhaar system, for instance, issues a 12-digit number capturing biometric data and serves as proof of identity and address for 1.3 billion people.

Why is Digital Identity Being Scrutinised Right Now?

Despite the touted advantages, the concept of digital identity, particularly mandatory systems, faces considerable scrutiny. In the United Kingdom, for example, the idea of a “BritCard” – a “progressive digital identity for Britain” – has been put forward by the Labour Together think tank and endorsed by dozens of Labour MPs, with No. 10 reportedly interested. Proponents, including former Prime Minister Tony Blair, argue it’s necessary for public health, saving taxpayers’ money, and controlling migration. However, the UK has a historical “lack of appetite for compulsory ID”, with privacy concerns being a major issue.

Critics highlight the poor quality of public discourse surrounding the subject. Polling used to suggest “immense popularity” for digital ID by linking it to tackling illegal immigration is viewed as manipulative, as only 29% actually believed it would deter illegal immigrants, while 40% feared government misuse of data and 23% worried about an increase in the black economy. There are also serious security concerns, with Andrew Orlowski pointing out the terrible track record of existing government systems like One Login, warning that an insecure system could lead to identity theft, impersonation, and easier government fraud. He suggests that a system like BritCard would become a prime target for criminal gangs.

Globally, the discussion around digital identity intersects with concerns about state surveillance. Declassified documents reveal that UK security agencies like GCHQ have historically used Cold War-era statutes to compel telecoms companies to provide access to public communications and even weaken security protocols, often under a veil of secrecy. This practice, dating back decades, raises alarms about the potential for extreme powers to remain largely invisible to the public and Parliament. The recent cyberattack on UK telecom firm Colt, involving alleged stolen customer and employee data and a ransom threat, underscores the vulnerability of critical infrastructure and highlights the potential for wide-ranging implications for millions of people’s security and privacy when sensitive digital systems are compromised.

Phone numbers have become an integral part of digital identity verification. They are widely used for Two-Factor Authentication (2FA), particularly through SMS One-Time Passwords (OTPs), which are often the primary or sole method for securing accounts in India, including banking and government services. Mobile authentication methods also include SIM card verification, which confirms identity using mobile network data. This widespread adoption is partly due to its simplicity and relative affordability to implement, making it accessible even to older generations.

The Dangers of Over-Reliance on Phone Numbers

Despite their convenience, an over-reliance on phone numbers for digital identity verification can be extremely harmful and insecure. One of the most significant threats is the SIM swap scam (also known as port-out scam, SIM splitting, or simjacking). This type of account takeover fraud exploits the mobile number portability feature, typically used for lost phones or switching service. Fraudsters initiate these scams by:

  • Gathering personal details about the victim through phishing emails, buying information from organised criminals, or retrieving it from online data breaches.
  • Socially engineering the mobile phone provider by impersonating the victim and claiming a lost phone, convincing the company to port the victim’s number to the fraudster’s SIM. In some countries like India and Nigeria, victims might even be tricked into approving the SIM swap themselves.
  • Bribing telecom company employees to directly change SIM numbers.

Once the SIM is swapped, the victim’s phone loses network connection, and the fraudster receives all SMS and voice calls, including critical one-time passwords. This grants them access to almost any account tied to the hijacked number, allowing them to transfer funds, extort the owner, or sell accounts for further identity theft. High-profile incidents, such as the hacking of former Twitter CEO Jack Dorsey’s account, and a sharp increase in financial losses (from $12 million between 2018-2020 to $68 million in 2021 alone in the US) highlight the severity of these scams.

In India, the reliance on phone numbers and Aadhaar biometrics has led to specific challenges. While “locking your Aadhaar biometrics for security” is advised for fraud prevention, such as against AEPS scams, it creates a “headache loop” if a SIM card is lost. The process to unlock biometrics requires OTPs sent to the registered number, which is now missing, trapping users in a difficult situation. Obtaining a replacement SIM often requires biometric verification, which is impossible if locked, or an OTP sent to the lost number. Users describe a “LONG process” involving relatives, UIDAI centres, and multiple number changes to resolve this. The mAadhaar app, often suggested for managing biometrics, can be unreliable, frequently logging users out or failing to send OTPs, further complicating the process. This situation has been described as a “broken system”. The “Indian obsession with OTP” via SMS is criticised as one of the least secure methods and most prone to risk, with calls for more modern security measures like email+password+TOTP or passkeys. The heavy reliance on a single phone, especially with the advent of eSIMs, creates a single point of failure: if the phone is lost or dies, access to emails and other online services that use phone-based 2FA becomes extremely difficult.

Other Flaws in the AADHAR System using Phone Numbers

  • SIM Swap Scams: This is a prevalent issue in India, where fraudsters gather personal details through phishing, online data breaches, or social engineering to convince a mobile service provider to port a victim’s phone number to their own SIM card. Once successful, the victim’s phone loses network connection, and the fraudster receives all SMS and voice calls, including one-time passwords (OTPs). This allows them to bypass two-factor authentication for bank accounts and other services, potentially leading to direct transfer of funds, extortion, or identity theft. While in some countries like India, the victim might be asked to approve the SIM swap by pressing ‘1’, employees of telecom companies have also been bribed to facilitate these swaps.
  • Over-reliance on SMS OTPs: India has been noted for its “obsession with OTP” for nearly all digital interactions, despite SMS-based OTPs being considered one of the least secure authentication methods and highly prone to risk. This over-reliance creates a “single point of failure,” meaning if a phone is lost or stolen, the user is cut off from accessing numerous services, including banking apps and credit card transactions, which all require a mobile number for verification.
  • Challenges with Locked Biometrics: Many users in India lock their Aadhaar biometrics for security, but this can create a “complete headache loop” if they lose their SIM card. To get a replacement SIM, biometric verification is often required, but the OTP needed to unlock biometrics goes to the missing number. The mobile app (mAadhaar) designed for managing these locks is often unreliable, leaving users stranded and unable to access critical services or even perform property registrations.
  • Misleading Practices by Service Providers: Some telecom operators in India have been accused of misleading customers by insisting on Aadhaar biometric authentication for SIM replacements, even though alternative identity proofs like a physical Aadhaar card or a PAN card should be accepted. This forces users into a difficult situation, especially if their biometrics are locked or the system is down.
  • Scams involving Account Freezing: There have been incidents where scammers send small amounts of money to accounts, leading banks to freeze them due to suspicious activity. Victims are then asked to contact police, who in some cases, allegedly demand bribes to unfreeze accounts. This highlights a systemic vulnerability that can be exploited for illicit gains.
  • Aadhaar Enabled Payment System (AEPS) fraud: If Aadhaar biometrics are left unlocked, scammers can potentially withdraw money from linked bank accounts using just fingerprints, without any additional authentication.

If a similar system were adopted in the UK, these issues could lead to a “whole lot of trouble” and significantly affect privacy:

  • Exacerbated SIM Swap Scams: The UK has existing concerns about data security and a “terrible track record on data security” with systems like One Login, which links personal identification documents to government and third parties. Introducing a digital ID like “BritCard” that “forcibly enrols you into it” could make individuals highly vulnerable to SIM swap scams, as criminals would have a centralised target for obtaining identity details and then hijacking phone numbers to access financial and other sensitive accounts.
  • Increased Risk with Centralised Data: The proposed “BritCard” aims to consolidate personal information. If this data is stored in a “leaky centralised system,” as critics fear, it creates an attractive target for criminal gangs for identity theft and impersonation. A cyberattack on a telecom giant like Colt Technology Services, which led to the compromise of customer data including financial records and internal emails, demonstrates the real-world risks associated with centralised data in the telecommunications sector.
  • Privacy Erosion: The proposal for digital ID in the UK has already raised “very real concerns about putting huge amounts of personal information into a leaky centralised system”. While proponents argue for convenience and crime deterrence, 40% of the public polled feared that digital ID could be misused by the government. The UK’s history of secret surveillance, where security agencies have compelled telecoms firms to weaken security and access communications data, suggests a potential for mission creep with a mandatory digital ID system. This raises questions about whether such powers can “live up to the expectations of modern, human-rights respecting societies”.
  • Weak Public Trust and Lack of Consent: The discourse around digital ID in the UK has been criticised for its “poor quality” and for using polls as “tools of political persuasion” rather than reflecting genuine public demand or addressing core privacy principles. Forcing adoption of a digital ID system without genuine public consent and robust safeguards against the identified risks from India could further erode trust in government and private entities handling sensitive personal data.
  • Impact on Vulnerable Populations: Just as the Aadhaar system can be difficult for uneducated or elderly people to navigate, a digital ID system in the UK could disproportionately affect those less familiar with technology or those who lose their phones, creating barriers to essential services and putting them at higher risk of exploitation.

In conclusion, while digital identity promises a future of seamless and secure online interactions, its implementation demands meticulous consideration. The current scrutiny highlights the tension between convenience and the fundamental rights to privacy and security. Over-reliance on phone numbers for critical authentication, as demonstrated by the prevalence of SIM swap scams and the difficulties faced by Aadhaar users, exposes significant vulnerabilities. For digital identity systems to truly serve the common good, they must be developed with robust, multi-layered security, transparent public discourse, and genuine consent, ensuring they empower citizens without inadvertently creating new avenues for fraud and surveillance.