TL;DR: Portugal’s eID programme shows how validated digital identity, biometric access, and user-controlled data sharing can support public services and private-sector access while reducing reliance on passwords, according to 1Kosmos. The real test is whether identity architectures can deliver privacy, usability, and phishing resistance without recreating centralized credential risk.
NHIMG editorial — based on content published by 1Kosmos: Portugal's digital identity and self-sovereign identity analysis
By the numbers:
- 80% of the population uses the eID, making nearly 13 million authentications per year.
- One recent study found 775 million logins available through underworld access-as-a-service offerings on the dark web.
- Digital identity and proofing are central because more than 24 billion login credentials and personal identity files have been compromised in recent years.
Questions worth separating out
Q: How should organisations reduce identity fraud without storing too much personal data centrally?
A: Design identity systems so verification, disclosure, and storage are separated as much as possible.
Q: Why do passwordless and biometric login programmes still need strong lifecycle controls?
A: Because the primary login path is only part of the access model.
Q: What do security teams get wrong about self-sovereign identity?
A: They sometimes assume SSI is automatically safer because data is more distributed.
Practitioner guidance
- Limit central identity storage: keep personal identity data out of broadly exposed centralized repositories where possible, and separate issuance, verification, and disclosure functions so a single compromise does not expose the whole identity set.
- Harden recovery and fallback paths: review every alternate login, account recovery, and exception workflow with the same rigor as primary authentication, because attackers routinely target the weakest route back into trust.
- Use selective disclosure by design: adopt architectures that let users share only the minimum identity attributes required for the transaction, reducing unnecessary data retention and limiting the blast radius of later compromise.
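The first and third guidance points above (separating issuance, disclosure and verification; disclosing only the attributes a transaction needs) can be shown with a small salted-digest credential. This is an added illustration, not code from 1Kosmos, ID.Gov.PT or the page: the issuer key and the citizen record are constructed, and HMAC stands in for the asymmetric signature a real issuer would use, so the verifier here shares the issuer key only for the sake of a stand-alone script. The issuer signs only per-attribute digests and never takes part in later disclosures; the holder picks which attributes to reveal; the verifier checks the signature and the revealed attributes without any lookup against a central identity store.

```python
"""Selective-disclosure credential: issue, disclose, verify as separate steps.

Added example, not 1Kosmos or ID.Gov.PT code. ISSUER_KEY is a constructed
stand-in and HMAC stands in for a real digital signature (a production
issuer would sign asymmetrically so that verifiers hold no secret).
"""
import hashlib
import hmac
import json
import secrets

# Constructed issuer key (assumption for the demo, not a real credential-authority key).
ISSUER_KEY = b"constructed-issuer-key-for-demo-only"


def _digest(name, value, salt):
    # Per-attribute commitment; the random salt stops a verifier guessing
    # low-entropy values (e.g. birth years) from undisclosed digests.
    payload = json.dumps([salt, name, value], separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def issue(attributes):
    """Issuer step: commit to each attribute and sign only the digest list.

    Returns (credential, salts). The credential carries no plaintext
    attributes, so a store of issued credentials exposes nothing by itself."""
    salts = {name: secrets.token_hex(16) for name in attributes}
    # Sorted so the digest order does not leak which attribute is which.
    digests = sorted(_digest(n, v, salts[n]) for n, v in attributes.items())
    signed = json.dumps(digests, separators=(",", ":")).encode()
    signature = hmac.new(ISSUER_KEY, signed, hashlib.sha256).hexdigest()
    return {"digests": digests, "signature": signature}, salts


def disclose(credential, attributes, salts, reveal):
    """Holder step: present the signed digests plus only the chosen
    attributes with their salts. Undisclosed attributes never leave the holder."""
    return {
        "credential": credential,
        "disclosed": {n: {"value": attributes[n], "salt": salts[n]} for n in reveal},
    }


def verify(presentation):
    """Verifier step: check the issuer signature over the digests, then check
    that each disclosed attribute recomputes to a signed digest.

    Returns the verified attributes, or None if the signature or any
    disclosed value fails to check out."""
    cred = presentation["credential"]
    signed = json.dumps(cred["digests"], separators=(",", ":")).encode()
    expected = hmac.new(ISSUER_KEY, signed, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["signature"]):
        return None
    verified = {}
    for name, item in presentation["disclosed"].items():
        if _digest(name, item["value"], item["salt"]) not in cred["digests"]:
            return None  # value or salt altered after issuance
        verified[name] = item["value"]
    return verified


def demo():
    """Constructed citizen record; only birth_year is disclosed for an age check."""
    attributes = {"name": "Example Citizen", "birth_year": "1980", "tax_id": "CONSTRUCTED-000"}
    credential, salts = issue(attributes)
    presentation = disclose(credential, attributes, salts, ["birth_year"])
    return verify(presentation)


if __name__ == "__main__":
    print(demo())  # the verifier learns only {'birth_year': '1980'}
```

The point to take from the layout is that the three parties hold different things: the issuer keeps a signing key and nothing about later transactions, the holder keeps the salts and plaintext, and the verifier ends up with only the attributes it was shown. A leaked presentation therefore exposes one transaction's disclosed fields rather than a whole identity record.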
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- How Portugal's national eID and ID.Gov.PT app are used across elections, health insurance, social security, and taxes
- The legal and architectural constraints that prevent identity data from being stored on centralized servers
- The role of NIST, FIDO2, and iBeta biometrics-based standards in practical digital identity rollout
- How the source positions passwordless authentication and biometric verification for real-world adoption
Read 1Kosmos's analysis of Portugal's digital identity model and passwordless access