TL;DR: Identity fraud is slowing digital government by enabling synthetic and stolen identities at enrollment and account takeover through phishing and social engineering, according to 1Kosmos. The governance lesson is that resident identity proofing, phishing-resistant authentication, and account recovery must be treated as one control chain, not separate projects.
NHIMG editorial — based on content published by 1Kosmos: Demands by residents for contactless services and the need for digital government identity protections
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should government teams reduce resident account takeover without adding too much login friction?
A: Use phishing-resistant authentication for higher-risk services, but pair it with strong proofing, secure recovery, and device-aware policies.
Q: Why do identity proofing failures create downstream access risk?
A: If a synthetic or stolen identity gets through enrolment, every later login confirms the wrong person instead of the right one.
Q: What do teams get wrong about reusable digital credentials?
A: They often focus on convenience and ignore lifecycle governance.
Practitioner guidance
- Strengthen enrolment assurance: Require identity proofing controls that bind a resident to government-issued evidence and biometric verification before issuing reusable credentials.
- Protect account recovery as a high-risk path: Treat password resets, device changes, and help-desk recovery as high-risk events that require equivalent or stronger verification than first login.
- Use phishing-resistant authentication for sensitive services: Adopt device-bound or biometric authenticators for resident services that carry fraud, benefits, tax, or benefits-adjacent risk.
What's in the full article
1Kosmos' full article covers the operational detail this post intentionally leaves for the source:
- How the Credential Service Provider model is applied during enrolment and each access attempt.
- Details on identity proofing using biometrics, government-issued IDs, and verifiable data registries.
- How the managed service supports self-service identity verification and authentication across devices.
- The digital wallet approach for reusable credentials and persona management.