TL;DR: Identity fraud is slowing digital government by enabling synthetic and stolen identities at enrollment and account takeover through phishing and social engineering, according to 1Kosmos. The governance lesson is that resident identity proofing, phishing-resistant authentication, and account recovery must be treated as one control chain, not separate projects.
NHIMG editorial — based on content published by 1Kosmos: Demands by residents for contactless services and the need for digital government identity protections
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should government teams reduce resident account takeover without adding too much login friction?
A: Use phishing-resistant authentication for higher-risk services, but pair it with strong proofing, secure recovery, and device-aware policies.
Q: Why do identity proofing failures create downstream access risk?
A: If a synthetic or stolen identity gets through enrolment, every later login confirms the wrong person instead of the right one.
Q: What do teams get wrong about reusable digital credentials?
A: They often focus on convenience and ignore lifecycle governance.
Practitioner guidance
- Strengthen enrolment assurance Require identity proofing controls that bind a resident to government-issued evidence and biometric verification before issuing reusable credentials.
- Protect account recovery as a high-risk path Treat password resets, device changes, and help-desk recovery as high-risk events that require equivalent or stronger verification than first login.
- Use phishing-resistant authentication for sensitive services Adopt device-bound or biometric authenticators for resident services that carry fraud, benefits, tax, or benefits-adjacent risk.
What's in the full article
1Kosmos' full article covers the operational detail this post intentionally leaves for the source:
- How the Credential Service Provider model is applied during enrolment and each access attempt.
- Details on identity proofing using biometrics, government-issued IDs, and verifiable data registries.
- How the managed service supports self-service identity verification and authentication across devices.
- The digital wallet approach for reusable credentials and persona management.
👉 Read 1Kosmos' analysis of identity fraud and digital government access →
Identity fraud and resident accounts: what IAM teams need to change?
Explore further
Resident identity fraud is a lifecycle governance problem, not just an authentication problem. The article focuses on proofing and passwordless login, but the underlying issue is that agencies must defend identity from enrolment through account recovery and reuse. Once a synthetic or stolen identity enters the system, later authentication controls simply preserve the original mistake. Practitioners should treat fraud resistance as a joiner, mover, leaver issue for citizens, not as a point-in-time login control.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
A question worth separating out:
Q: Who is accountable when resident identity fraud causes service abuse?
A: Accountability usually sits across identity proofing owners, IAM teams, service owners, and fraud operations, which is exactly why the governance model must be explicit. If no one owns enrolment quality, recovery assurance, and cross-service revocation together, fraud will fall between teams and persist across the resident lifecycle.
👉 Read our full editorial: Digital identity fraud is forcing governments to rethink resident access