By NHI Mgmt Group Editorial Team | Published 2023-10-04 | Domain: Governance & Risk | Source: 1Kosmos

TL;DR: Portugal’s eID programme shows how validated digital identity, biometric access, and user-controlled data sharing can support public services and private-sector access while reducing reliance on passwords, according to 1Kosmos. The real test is whether identity architectures can deliver privacy, usability, and phishing resistance without recreating centralized credential risk.


At a glance

What this is: Portugal’s digital identity programme combines national eID, biometric-enabled access, and user-controlled sharing to reduce password dependence and central data storage risk.

Why it matters: The same design pressures now shape IAM, NHI governance, and identity lifecycle decisions wherever organisations are trying to reduce credential theft and improve assurance.

By the numbers:

👉 Read 1Kosmos's analysis of Portugal's digital identity model and passwordless access


Context

Portugal’s digital identity programme is a useful case study in how governments move beyond password-based access toward stronger assurance and more user-centric identity control. The security question is not whether digital identity is needed, but whether the architecture avoids centralizing the very data attackers most want.

For IAM practitioners, the article sits at the intersection of human identity, credential assurance, and privacy-preserving design. It also points to a broader programme design issue: identity becomes safer when trust is distributed, but governance still has to prove that usability, verification, and recovery are all working together.

The article’s starting point is typical of modern identity modernisation efforts, not unusual: the challenge is to improve assurance without making authentication or data storage more brittle.


Key questions

Q: How should organisations reduce identity fraud without storing too much personal data centrally?

A: Design identity systems so verification, disclosure, and storage are separated as much as possible. Use selective disclosure, minimise retained attributes, and avoid making a single database the primary trust anchor. Centralization is convenient, but it turns identity into a high-value breach target and makes every downstream service inherit the same exposure.

Q: Why do passwordless and biometric login programmes still need strong lifecycle controls?

A: Because the primary login path is only part of the access model. Recovery channels, alternate factors, and exception handling can reintroduce weak credentials or unsafe trust decisions. If lifecycle and exception governance are loose, attackers will target the easiest route back into the account rather than the strongest authentication path.

Q: What do security teams get wrong about self-sovereign identity?

A: They sometimes assume SSI is automatically safer because data is more distributed. In reality, the trust chain still depends on strong issuance, verification, revocation, and relying-party controls. If those are weak, the architecture changes where data lives but not whether identity can be abused.

Q: How can IAM teams tell whether phishing-resistant identity controls are actually working?

A: Look for falling rates of credential replay, credential stuffing success, and recovery-based account takeover, not just higher login success rates. If the programme only improves user convenience while fraud and fallback abuse remain stable, the control is not changing the threat landscape in a meaningful way.


Technical breakdown

National eID, digital wallets, and federated assurance

Portugal’s model combines a government-issued identity foundation with digital authentication that can be used across public and private services. The core design idea is that identity proofing happens once, then the user can present validated attributes through a digital channel rather than re-entering passwords across every service. That reduces password sprawl and lowers the value of stolen login material. The architectural trade-off is that federation only works when verification is strong enough to prevent account takeover and when recovery paths do not silently reintroduce weak credentials.

Practical implication: align assurance levels to service risk and keep recovery flows from becoming the weakest authentication path.

Self-sovereign identity and central storage risk

Self-sovereign identity, or SSI, aims to let individuals control which identity attributes are shared, for what purpose, and for how long. In practice, that means fewer copies of sensitive identity data sitting on centralized servers that can be breached, ransomed, or misused. The model is attractive because it shifts from repository-centric identity to user-centric disclosure. But SSI only changes the risk model if the issuing, verification, and revocation processes are trustworthy and if relying parties can validate claims without creating a new hidden dependency layer.

Practical implication: treat decentralisation as a governance change, not a guarantee, and verify the trust chain end to end.
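To make the selective-disclosure trust chain concrete, here is an added example (not code from 1Kosmos or from Portugal's eID programme) of the salted-hash pattern: the issuer signs only attribute digests, the holder reveals just the attributes a service asks for, and the relying party checks the issuer signature, each disclosed digest, and a revocation list. The issuer key, attribute values and HMAC-as-signature are constructed stand-ins for a real signing key and signature scheme.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed stand-in for the issuer's signing key (assumption: a real deployment
# would use an asymmetric signature the relying party verifies with a public key).
ISSUER_KEY = b"constructed-issuer-key"


def _digest(salt: str, name: str, value) -> str:
    # Salt per attribute so a verifier cannot guess undisclosed values by brute force.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def _sign(payload: dict) -> str:
    return hmac.new(ISSUER_KEY, json.dumps(payload, sort_keys=True).encode(), "sha256").hexdigest()


def issue(attributes: dict):
    """Issuer: salt and hash every attribute, sign only the digest list (no plaintext)."""
    salts = {name: secrets.token_hex(16) for name in attributes}
    body = {"id": secrets.token_hex(8),
            "digests": sorted(_digest(salts[n], n, v) for n, v in attributes.items())}
    credential = {**body, "sig": _sign(body)}
    holder_material = {n: (salts[n], attributes[n]) for n in attributes}  # kept by the holder only
    return credential, holder_material


def present(credential: dict, holder_material: dict, requested: set) -> dict:
    """Holder: reveal only the requested attributes together with their salts."""
    return {"credential": credential,
            "disclosed": {n: holder_material[n] for n in requested if n in holder_material}}


def verify(presentation: dict, required: set, revoked: frozenset = frozenset()) -> Optional[dict]:
    """Relying party: accept only if signature, revocation status and every digest check out."""
    cred = presentation["credential"]
    body = {"id": cred["id"], "digests": cred["digests"]}
    if not hmac.compare_digest(_sign(body), cred["sig"]):
        return None                      # issuer signature invalid or digest list tampered
    if cred["id"] in revoked:
        return None                      # revocation is part of the trust chain, not optional
    disclosed = presentation["disclosed"]
    if not required <= set(disclosed):
        return None                      # service did not receive the attributes it needs
    known = set(cred["digests"])
    if any(_digest(salt, n, v) not in known for n, (salt, v) in disclosed.items()):
        return None                      # a disclosed value does not match what the issuer signed
    return {n: v for n, (_, v) in disclosed.items()}
```

The relying party ends up with the attributes it asked for and nothing else, so a breach of its own store exposes only what the transaction required.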

Biometrics, liveness, and passwordless access

The article points to biometric-enabled identity and liveness testing as a way to reduce spoofing and unauthorized access. Biometrics do not replace identity governance. They improve proof at the point of access, while the programme still has to manage assurance, device binding, fallback authentication, and account recovery. Passwordless designs can reduce phishing exposure, but only if the surrounding lifecycle controls prevent weak fallback channels, duplicated identity records, and excessive access persistence.

Practical implication: pair passwordless methods with strict recovery governance so the fallback path does not recreate the attack surface you removed.


Threat narrative

Attacker objective: The attacker aims to turn stolen identity into trusted access that can be monetized through fraud, exfiltration, or impersonation.

  1. Entry occurs when attackers obtain credentials through phishing, spyware, or access-as-a-service marketplaces and then reuse those logins against digital identity systems.
  2. Escalation happens through credential stuffing and account takeover, where automated attacks test large numbers of username and password combinations until a valid session is found.
  3. Impact follows when stolen identity is used to impersonate the account owner, drain funds, steal data, or submit fraudulent transactions under trusted identity.
  4. The attacker objective is to convert identity assurance into a monetizable access path that enables fraud, data theft, or unauthorized government and banking activity.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Distributed identity reduces credential concentration, but it does not remove identity risk. The article correctly pushes the programme away from storing personal identity data on centralized servers where compromise becomes catastrophic. That shift matters because the risk moves from one high-value repository to verification, recovery, and trust orchestration across multiple parties. Practitioners should read this as a governance redesign problem, not just a technology upgrade.

Passwordless access only works when fallback identity paths are controlled as tightly as the primary path. Biometrics and liveness checks can reduce spoofing, but every recovery flow, alternate factor, and exception path becomes part of the real attack surface. The programme succeeds or fails on the weakest route back into the account, not on the strongest normal-path authentication.

Identity assurance must now be measured by resistance to reuse, replay, and monetization. The article’s threat picture is not theoretical credential theft, but industrialized access resale and high-volume account abuse. That means the relevant question for the field is whether identity controls can stop compromised credentials from becoming tradable access in the first place. Practitioners should think in terms of exploitability, not just authentication strength.

Portugal’s model is a credible example of privacy-preserving identity architecture, but it is not a finished governance model. The value lies in reducing overcollection and enabling selective disclosure, which aligns with modern identity minimization principles. The implication for the market is clear: future identity programmes will be judged as much by data containment as by login success rates. Practitioners should design for both assurance and restraint.

Identity modernisation is converging across human, machine, and autonomous use cases. The same design question appears in NHI and agentic AI programmes: how to prove identity without creating persistent stores of secrets that expand breach impact. That convergence makes this article relevant beyond consumer login design. Practitioners should use it to pressure-test whether their identity fabric reduces exposure or simply relocates it.

From our research:

  • More than 80% of the population uses the eID, making nearly 13 million authentications per year, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • As identity programmes expand into both human and non-human access, the NHI Lifecycle Management Guide shows why issuance, rotation, and offboarding must be governed together.

What this signals

Selective disclosure is becoming the practical standard for identity programmes that want both assurance and privacy. The more identity data you centralize, the more you inherit a breach problem that scales faster than authentication itself. IAM leaders should treat data minimisation as an access-control design choice, not a privacy-only concern.

Portugal’s model also reinforces a broader programme signal: passwordless success is measured by reduced abuse, not just reduced password use. If recovery, exception handling, and identity proofing remain fragmented, attackers will simply move to the weakest path. The control stack has to be built around the full lifecycle, not the login screen.

For teams managing human, machine, and emerging autonomous identities, the lesson is consistent. Identity architectures that reduce persistent secrets and narrow data retention are easier to govern over time, especially when paired with lifecycle discipline from the NHI Lifecycle Management Guide and assurance patterns aligned to CISA cyber threat advisories.


For practitioners

  • Limit central identity storage: Keep personal identity data out of broadly exposed centralized repositories where possible, and separate issuance, verification, and disclosure functions so a single compromise does not expose the whole identity set.
  • Harden recovery and fallback paths: Review every alternate login, account recovery, and exception workflow with the same rigor as primary authentication, because attackers routinely target the weakest route back into trust.
  • Use selective disclosure by design: Adopt architectures that let users share only the minimum identity attributes required for the transaction, reducing unnecessary data retention and limiting the blast radius of later compromise.
  • Treat biometrics as one control, not the control: Pair biometric verification with device binding, liveness detection, step-up checks, and fraud monitoring so identity assurance does not depend on a single signal.

Key takeaways

  • Portugal’s digital identity approach shows how stronger assurance can coexist with lower data concentration risk when identity is designed for selective disclosure and distributed trust.
  • The scale of credential abuse remains the central warning sign, with more than 24 billion credentials and identity files compromised and 775 million logins circulating in access-as-a-service markets.
  • Practitioners should judge identity modernisation by how well it reduces replay, recovery abuse, and centralized exposure, not by how quickly it replaces passwords.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST SP 800-63 | | The article centers on digital identity assurance and authentication strength.
NIST CSF 2.0 | PR.AA-01 | Identity assurance and access decisions are the core security outcome here.
NIST Zero Trust (SP 800-207) | PR.AC-1 | Selective disclosure and minimized trust align with zero-trust access principles.

Map identity proofing and authentication controls to PR.AA-01 and verify they fit service risk.


Key terms

  • Selective Disclosure: Selective disclosure is an identity pattern where only the minimum necessary attributes are shared for a transaction. It reduces unnecessary data exposure while preserving trust, but it still depends on strong issuance, verification, and revocation behind the scenes.
  • Self-Sovereign Identity: Self-sovereign identity is a model in which the user retains greater control over identity attributes and how they are shared. It aims to reduce central storage of personal data, but it still requires trustworthy issuers, verifiers, and recovery processes.
  • Biometric Liveness Testing: Biometric liveness testing checks whether the person presenting biometric data is physically present and not using a replay, mask, or synthetic artefact. In practice, it strengthens authentication assurance, but it must be combined with recovery governance and device controls.
  • Identity Assurance: Identity assurance is the degree of confidence that an identity claim is genuine at the point of access. It is determined by proofing, authentication strength, and the resilience of fallback paths, not by a single technology or login method.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by 1Kosmos: Portugal's digital identity and self-sovereign identity analysis. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2023-10-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org