A Digital ID for the Deepfake Decade: why Britain must act now
AI deepfakes are eroding trust—Britain must build a secure, passkey-enabled digital ID to cut fraud, boost confidence, and lower costs.
Why it matters
Fraud already drains more than £1.17 billion a year from the UK economy. At the same time, generative AI is producing synthetic voices, faces and documents at industrial scale, leaving citizens, businesses and government with no reliable way to tell who is real. Without a stronger identity layer, everything from banking to voting risks becoming vulnerable to impersonation.
The trust crisis: AI’s gift to fraudsters
The NCSC warns that AI-generated content is eroding confidence in video, audio and written records. Deepfakes are no longer just political curiosities: they are being weaponised in fraud, from bogus CEO voice calls to forged identity documents.
Alongside this, UK Finance reports that criminals made off with £722 million in unauthorised fraud in 2024, with over 3.1 million cases logged—a 14 % rise on the previous year. The attack surface is widening, and today’s piecemeal identity checks are buckling under the strain.
ID, done properly
A modern digital ID isn’t about a centralised database or a plastic card. It is about verifiable credentials—cryptographically signed proofs of identity stored in a secure wallet on your device. These can be presented selectively (prove I’m over 18, prove I’m entitled to work) without disclosing more than is strictly necessary.
Europe has already set the direction: under eIDAS 2.0, every EU state must provide a Digital Identity Wallet by 2026, interoperable across borders. Estonia’s state-backed e-ID saves the country the equivalent of 2 % of GDP annually by streamlining administration, while Sweden’s bank-backed BankID now serves more than 8 million users across thousands of services.
The UK is catching up: the Data (Use and Access) Act 2025 gives statutory weight to the UK Digital Identity & Attributes Trust Framework, while the GOV.UK Wallet will soon hold driving licences and other official credentials.
Why passkeys matter
Digital ID must not live in isolation. To succeed, it needs to plug directly into the passwordless authentication ecosystem that is already gaining traction across the private sector. Passkeys—based on FIDO2/WebAuthn standards—replace passwords with cryptographic keys bound to a user’s device and biometrics. Apple, Google and Microsoft are rolling them out at scale.
If UK digital ID is natively compatible with passkeys, businesses can verify customers directly against a government-backed credential without building bespoke infrastructure. Instead of every retailer, insurer, or bank investing in costly ID-proofing technology, they can use the same secure channel already built into smartphones, browsers and operating systems.
This model delivers three wins:
Security: tying a government-issued credential to device biometrics and passkeys makes deepfake impersonation exponentially harder.
Cost savings: SMEs avoid reinventing the wheel; they plug into the state-backed identity layer instead.
User experience: citizens log in once with a familiar gesture (fingerprint, Face ID, Windows Hello), not a maze of passwords and duplicative checks.
Privacy vs security: the bargain we must strike
Biometrics and government-linked digital ID are sensitive by definition. Under UK GDPR, they qualify as special category data, requiring strict necessity and safeguards. Public trust will evaporate if the system is seen as surveillance infrastructure.
The settlement must therefore be:
Guardrails: no central biometric mega-database; credentials must be stored on devices, with checks that a real person is actually there (not just a photo or video) and proof of who you are without having to share your actual personal details.
Choice: digital-first but not digital-only—offline alternatives must remain, but with tangible incentives for the public to choose to go digital.
Transparency: open standards, independent audits, and an independent regulator with teeth.
Shared benefits: if privacy risks are centralised, then savings must flow back—lower council tax, reduced costs for SMEs, faster service delivery.
Security must be future-proof
AI is not the only trust shock. Quantum computing will eventually break today’s widely used public-key cryptography. The NCSC’s post-quantum migration timelines call for organisations to prepare now and complete transition by the early-to-mid 2030s. Any UK digital ID scheme that ships today must be crypto-agile and on a roadmap to post-quantum algorithms.
Provenance also helps. Government, media and critical sectors should embed Content Credentials (C2PA) so that official communications and high-risk media carry verifiable origins—reducing the blast radius of deepfake attacks.
Evidence from abroad: what “good” looks like
Estonia: mandatory e-ID underpins nearly all public services and digital signatures alone are credited with saving roughly 2% of GDP annually.
Sweden’s BankID: a private-sector, bank-backed scheme with 8.4m users and more than 6000 web services supported, shows that market-led identity at national scale is possible when incentives and trust align.
These models differ (state-led vs market-led) but share traits: strong standards, clear liability, ruthless focus on usability, and relentless privacy/security engineering.
Mandates and markets, together
Relying on voluntary take-up risks leaving gaps that bad actors will exploit; relying solely on mandates risks backlash and exclusion.
The evidence from Estonia and Sweden is simple: the most effective identity policies blend market forces with clear legal obligations—a trust framework that businesses want to join, combined with targeted mandates where public risk is highest.
The UK should follow suit:
Mandate digital ID use for government services, financial identity verification, and critical infrastructure access.
Incentivise private adoption with reduced compliance burdens and preferential procurement treatment.
Enforce interoperability with passkeys, ensuring businesses of all sizes can participate without prohibitive investment.
But nothing new is without risk. Innovation means managing risk, not eliminating it.
Four actions for the UK now
Legislate strong guardrails: prohibit central biometric databases; mandate selective disclosure; define liability and redress clearly.
Roll out GOV.UK Wallet rapidly: issue high-demand credentials (licences, passports, qualifications) and certify private wallets under the Trust Framework.
Tie digital ID to passkeys: embed FIDO2/WebAuthn compatibility so that businesses can adopt government-backed verification with minimal cost.
Plan for the future: ensure crypto-agility, including post-quantum migration, and adopt content credentials for official media to counter synthetic forgeries.
The Final Word: A national trust layer
The UK doesn’t need an Orwellian ID card scheme. It does need a secure, passkey-compatible digital identity ecosystem that makes impersonation uneconomic, reduces fraud, and lowers costs for citizens and business alike. If designed with discipline and transparency, digital ID could become not just a defence against deepfakes—but a foundation for a safer, more efficient digital economy.




