Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Digital identity reuse: can privacy and security actually coexist?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: Digital identity programmes are expanding worldwide, but the article argues that reusable credentials still face unresolved trade-offs between privacy, security, and accessibility, especially as exposed credentials and system vulnerabilities keep surfacing, according to Sumsub. The governing problem is not whether digital ID is useful, but whether identity assurance can remain trustworthy once reuse, leakage, and cross-system dependence scale.

NHIMG editorial — based on content published by Sumsub: ID Future: Reusable, Secure, Real?

Questions worth separating out

Q: How should organisations govern reusable digital identity without weakening assurance?

A: Organisations should treat reusable digital identity as a governed trust chain, not a standalone convenience layer.

Q: Why do leaked credentials matter more in reusable identity systems?

A: Leaked credentials matter more because they can be reused across services or relied on by multiple parties, multiplying the impact of a single compromise.

Q: What breaks when recovery is easier than primary authentication?

A: When recovery is easier than primary authentication, attackers target the reset path instead of the login path.

Practitioner guidance

  • Map the recovery path before scaling reuse Document every password reset, account recovery, and fallback identity verification path, then test whether it is easier to abuse than the primary login flow.
  • Separate reusable attributes from contextual attributes Define which identity claims can travel across services and which must stay bound to a single relying party, jurisdiction, or assurance event.
  • Extend governance to identity proofing and revocation Make sure enrollment evidence, credential issuance, revocation, and recovery are visible in the same governance process as authentication and access review.

What's in the full article

Sumsub's full video podcast covers the operational detail this post intentionally leaves for the source:

  • The speakers’ discussion of how national digital ID systems are being designed and where the current trust model is under pressure.
  • Specific examples of exposed vulnerabilities and leaked credentials mentioned in the episode, including how they affect user trust.
  • The panel’s reasoning on how privacy, security, and accessibility can be balanced without collapsing assurance.
  • The broader podcast context around digital identity, fraud prevention, and compliance media coverage.

👉 Read Sumsub's podcast episode on reusable digital identity and trust →

Digital identity reuse: can privacy and security actually coexist?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Reusable identity should be treated as a trust multiplication problem. The more often an identity assertion is reused, the more valuable the underlying proofing and recovery paths become to attackers. That is true for human identity systems first, but the same logic will later apply to machine and agentic identity ecosystems that inherit the same trust primitives. The practitioner conclusion is that portability must be governed as a blast-radius decision, not a convenience feature.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means identity blind spots remain common even in mature environments.

A question worth separating out:

Q: Who should own digital identity assurance in the enterprise?

A: Digital identity assurance should sit jointly with IAM, fraud, and security governance teams, because it affects authentication, lifecycle controls, and fraud exposure at the same time. If ownership stays fragmented, no one owns the full trust model. The result is inconsistent policy and weak accountability.

👉 Read our full editorial: Digital identity reuse is still struggling to balance trust and privacy



   
ReplyQuote
Share: