September 12, 2025 • 9:00 am ET
Trustworthy digital identities can set the standards for secure benefits provision in the US
Introduction
The proliferation of public and private services online has necessitated the creation of verifiable and usable digital IDs globally. These electronic, reusable, and portable representations of identity can not only improve convenience for those accessing services but also reduce cost, waste, and fraud, especially when applied in the provision of benefits by federal and state authorities. Importantly, if designed with intention, they can improve access and enhance the inclusion of those with limited or no access to traditional and analog identities. Digital IDs can also be imbued with technological capabilities that reduce both the burdens on government providers and citizens and the privacy harms, especially to personal data, while enhancing the security of our data ecosystem.
Digital identity is often fraught with controversy, however, due to its implications for the privacy of individuals, both in the United States and elsewhere. It can spur new risks of state surveillance and cyberattacks, and lead to the exclusion of social groups. These harms are indeed serious and require clear governance standards for the responsible deployment of digital identity, strong provisions to protect consumer rights, and mechanisms to redress violations.
To that end, our paper is divided into three sections. In part 1, we begin with the stakeholders responsible for identity use and credentialing in the United States, followed by an overview of the landscape of benefits provision and its pain points, leading to an overarching assessment of the United States and its use of digital ID in benefits provision currently. In part 2, we look at Japan and the European Union (EU), which are slightly ahead in both their deployment of digital identities and governance frameworks that aim to ultimately impact global standards for digital identity. Given the lessons for the rollout of digital identity in Japan, the EU, and our initial US assessment, in part 3, we provide four key policy recommendations for the responsible development of digital identities for benefits provision in the United States.
Part 1: Identity in the United States
Citizens in the United States usually have multiple identity documents, issued by both state and federal authorities for various purposes such as access to public services, tax identification, and travel. In 2005, Congress passed the REAL ID Act, requiring state-issued identity cards like driver’s licenses to adhere to a similar format and convey the same information. Under this act, the Department of Homeland Security (DHS) was given federal authority to implement and enforce REAL IDs. In recent years, the DHS Transportation Security Administration (TSA), in partnership with states, has also introduced mobile driver’s licenses, which are verifiable at limited airports throughout the country. Other forms of verifiable credentials, such as ID.me, can link multiple federal and state agencies, such as the Internal Revenue Service (IRS) and the Social Security Administration (SSA), with private companies (such as those that provide health insurance) through one form of identity. In parallel, Login.gov is another secure single sign-on service, developed by the General Services Administration (GSA), that allows users to access multiple government services using a single account.
Further analysis of seventy-two unique programs and services delivered by thirty-five High Impact Service Providers (HISPs) shows a multitude of additional login options in use. Most notably, thirty programs and services require an applicant to call or email the agency as the only option available to access benefits. These findings highlight the outstanding challenges to adopting digital identity and the increased citizen burden associated with navigating a fragmented landscape of technology options.
US benefits provision and improper payments
Benefits to individuals are the largest federal expenditure for the US government. By category, they amounted to the following in 2024: Social Security ($1,454 billion), Medicare ($1,031 billion), Medicaid/Children’s Health Insurance Program/Other Medical Care ($810 billion), Veterans benefits ($319 billion), and other benefits ($634 billion) (for Temporary Assistance for Needy Families, or TANF; Supplementary Security Income, or SSI; housing assistance; child tax credit, etc.). The SSA administers Social Security and SSI as well as Medicare enrollment. The Centers for Medicare and Medicaid Services (under the Department of Health and Human Services) oversees Medicare and Medicaid reimbursements. HHS also distributes TANF block grants. The US Department of Agriculture (USDA) funds the Supplemental Nutrition Assistance Plan (SNAP) and free/reduced lunch; the Department of Housing and Urban Development (HUD) provides funding for housing assistance; and the Department of Labor is responsible for unemployment insurance (UI), workforce development programs, and employment-related benefits.
In 2022, one in three Americans were enrolled in at least one public assistance program. Social Security and Medicare each cover 20 percent of Americans, and Medicare is the largest benefits program by enrollment, followed by SNAP (11.7 percent), and free and reduced lunch (8.8 percent). Beneficiaries of Medicare, Social Security, and the Department of Veterans Affairs benefits program interface directly with the federal government in benefits disbursal and access, but other forms of public benefits are mostly administered at the state level. All agencies are required to utilize direct deposits to transmit federal funds. However, there is some limited use of checks across benefits disbursal. Payment Processing Centers calculate benefits and process payments, but actual disbursal is conducted by Treasury payment systems.
In July 2024, the Office of the Inspector General of the Social Security Administration released a report citing $71.8 billion in improper payments between Fiscal Year 2015 and FY 2022. This figure is less than 1 percent of all the benefits payments made by the SSA. More broadly, a study by the Government Accountability Office (GAO) estimated losses of $162 billion in improper payments across sixty-eight programs in 2024. This has come down from pandemic-period highs of $281 billion. Of the $162 billion in 2024, $85 billion were improper payments in Medicare and Medicaid. While this reflects self-reported improper payments, the GAO also estimates that the government loses between $233 billion and $521 billion annually to fraud and improper payments. While recommendations from the GAO have primarily included enhancing existing reporting, data sharing, and analytics to prevent fraud and improper payments, we explore the status of digital identities in benefits provision in the United States below; later in the paper, we explore lessons learned in other jurisdictions.
Box 1: How the US government verifies digital identities
The National Institute of Standards and Technology developed the Identity Assurance Level (IAL) framework as part of its Digital Identity Guidelines to establish standardized requirements for verifying digital identities across federal agencies. IAL2, the intermediate level in this three-tier system, requires either remote or in-person identity proofing using evidence such as a state-issued photo ID, Social Security number verification, and additional authentication factors like phone numbers.
At its core, IAL2 ensures that there is sufficient evidence to support the existence of a claimed identity and to confirm that the “applicant” is its true owner. To achieve this, identity providers collect three types of data from the applicant: first, personal information (such as name, date of birth, and address); second, identity evidence (such as a photo ID); and third, a biometric factor (such as a fingerprint or live photo). The provider then validates that this information is consistent, authenticates the identity evidence, and verifies that the applicant is correctly associated with the claimed identity.
This standard was developed in response to the growing need for consistent and secure identity verification as government services moved online—particularly in the wake of high-profile data breaches and fraud incidents that exposed the vulnerabilities of ad hoc verification systems. The previous version of this guidance, NIST Special Publication 800-63-3, was withdrawn on August 1, 2025. The new and current guidance, SP 800-63-4, serves as a critical benchmark for digital identity credibility in the United States and as the minimum standard for accessing sensitive government benefits and services. However, as this paper highlights, significant implementation challenges persist. For instance, the IRS has declined to adopt Login.gov due to concerns about IAL2 noncompliance, and twelve of twenty-one federal agencies have expressed similar concerns about the platform’s ability to meet these standards.
Sources: NIST, Digital Identity Guidelines, Special Publication 800‑63‑3, NIST, March 2, 2020, Withdrawn August 1, 2025, https://csrc.nist.gov/pubs/sp/800/63/3/upd2/final; ID.me Marketing Team, “What Is NIST IAL2 Identity Verification?,” ID.me Network, February 19, 2021, https://network.id.me/article/what-is-nist-ial2-identity-verification/; “Identity Verification,” in A Playbook for Improving Unemployment Insurance Delivery, New America, accessed July 24, 2025, https://improveunemployment.com/identity_verification/; and Treasury Inspector General for Tax Administration (TIGTA), Key Events of the IRS’s Planning Efforts to Implement Login.gov for Identity Verification, Report No. 20232S070fr, TIGTA, October 27, 2023, https://www.tigta.gov/sites/default/files/reports/2023-10/20232S070fr.pdf.
Using digital IDs for benefits in the United States
Login.gov (under the General Services Administration’s purview) is a government-provided ID-verification service that allows approval of credentials across websites from various partner federal agencies. As of September 2024 (i.e., the end of FY 2024), Login.gov reported seventy-two million active users and 3.3 million accounts identity-verified at Identity Assurance Level 2 (IAL2), the second of three levels. Login.gov is used by over fifty agencies, most notably the VA and SSA. Enabling verification methods on a Login.gov account requires a state-issued ID, a Social Security number (SSN), and a phone number. ID.me is a market-provided ID-verification service that is also used across various federal agencies in a similar capacity. In April 2025, ID.me had 145 million users, including seventy million IAL2‑verified individuals.
NIST provides the IAL as a guiding framework for digital identities in the United States. Both Login.gov and ID.me are considered to meet the criteria for IAL2. The SSA accepts both Login.gov and ID.me as credentials for creating a mySocial Security account. Through a mySocial Security account, individuals can apply for benefits and manage their payments. While funded federally, Medicaid, TANF, SNAP, and housing assistance (among others) are administered at the state level, and thus verification processes can differ substantially. ID.me’s single sign-on (SSO) service is used by Arizona as a means of accessing a beneficiary’s AHCCCS (Arizona’s Medicaid provider) account. Similarly, various states allow the use of the ID.me-provided SSO to access unemployment insurance. This was a result of a boom in applicants during the COVID-19 pandemic. Use of the SSO service outside of housing benefits is very limited at the state level. Several states, such as Illinois, Colorado, and California, have centralized benefits under a common web portal.
Login.gov was widely implemented as a response to a 2017 federal mandate requiring agencies to implement an SSO platform for accessing an agency’s websites. While it has been widely adopted by federal agencies, there have been complaints and concerns about the service. While the IRS allows taxpayers to use ID.me to access services, it has not implemented Login.gov for services, citing Login.gov’s failure to meet the IAL2 standard. The IRS uses the service at the IAL1 level, but recent data breaches continue to raise questions about the service’s security and reliability.
In a GAO investigation, nine of twenty-one participating agencies cited issues with Login.gov’s lack of fraud controls and visibility into authentications. Another twelve reported concerns over IAL2 noncompliance. The current director of GSA’s Technology Transformation Services has previously thrown his support behind Login.gov and hopes to “accelerate Login’s roadmap.”
The above sections on benefits provision; related fraud, waste, and abuse; and the rollout of digitization lead to the following overarching assessment of the US model:
- The federal government is an important player in the identity issuance, credentialing, verification, and data-management system. However, it does so in partnership with private players, and both sectors face similar vulnerabilities and risks, especially related to personal data transfer, storage, and use.
- The identity landscape in the United States is highly fragmented across individual holders, issuers, and those that accept verifiable credentials. Multiple standards, both technological and regulatory, exist across states, agencies, and private issuers and verifiers of identities.
- A related lack of interoperability, and the failure to recognize that individuals often interact with different layers of the identity ecosystem, leave individuals the least able to bear and use their own identity.
- The costs of transition from analog to digital forms of identity are large but surmountable. They often do not include the frictions and delays associated with adoption by identity users and providers.
- Improper payments are the biggest challenge for benefits service providers in the United States. Therefore, ID improvements in the provision of benefits need to be designed with the purpose of reducing improper payments and substantively impacting waste, fraud, and abuse.
- The refinement of technology, including blockchain and privacy-enhancing technology (PET), presents new opportunities to create IDs that can be used across various functions and be linked to multiple verifiers. On the other hand, use of technology can also heighten the risk environment for identity holders and issuers and should be an important consideration when developing digital IDs.
The next section of this paper puts these assessments in context with the developments in the EU and Japan on digital identity.
Box 2: PETs vary in degrees of complexity, privacy protection
New forms of payments need to balance privacy concerns with both anti-money laundering and combating the financing of terrorism (AML/CFT) protocols and transaction efficiency in order to become a successful technology. Due to this, discussions of what to do with the data collected from digital ID processes can benefit significantly from an evaluation of privacy-enhancing technologies (PETs). Zero-knowledge proofs (ZKPs) are a computationally lightweight method of using a mathematical proof to confirm that a transaction is valid and compliant with regulations without revealing any specific information about the content of the transaction (e.g., it is true that the user paid the full amount, but the amount is unspecified). Differential privacy (DP) is a method of obscuring individual activities by inserting noise into a dataset that includes information about the individual, such that the dataset still produces valid macro-level information. Multiparty computation (MPC) allows providers to jointly process personal information without a single party having complete information about an individual. DP and MPC are logistically complex methods, and each of the three promises a different extent of privacy.
Sources: “Zero-Knowledge Proof,” National Institute of Standards and Technology Computer Security Resource Center, https://csrc.nist.gov/projects/pec/zkproof; National Institute of Standards and Technology, “Guidelines for Evaluating Differential Privacy Guarantees,” NIST Special Publication 800-226, March 2025, https://csrc.nist.gov/pubs/sp/800/226/final; and “Multi-Party Computation (MPC) and Threshold Schemes,” National Institute of Standards and Technology Computer Security Resource Center, https://csrc.nist.gov/Projects/pec/threshold.
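To make two of the PETs in Box 2 concrete, the sketch below is an added example, not code from the paper or from any agency system. It shows MPC as additive secret sharing (three agencies compute the total paid to one beneficiary without revealing their own amounts) and DP as Laplace noise on a count of flagged claims. The function names, agency labels, and sample data are assumptions constructed for illustration, and the MPC part assumes semi-honest parties with private channels between them.

```python
"""Toy versions of two PETs: additive-secret-sharing MPC and Laplace-noise DP."""
import random
import secrets

PRIME = 2**61 - 1  # field modulus; every share is an integer mod PRIME


def share(value, n_parties):
    """Split value into n additive shares; any n-1 of them look uniformly random."""
    shares = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares


def mpc_sum(private_inputs):
    """Sum the parties' inputs without any party seeing another's input.

    Assumes semi-honest parties and private pairwise channels (not modelled).
    """
    n = len(private_inputs)
    # dealt[i][j] is the share of party i's input that is sent to party j.
    dealt = [share(v, n) for v in private_inputs]
    # Party j adds the shares it received and publishes only that partial sum.
    partials = [sum(dealt[i][j] for i in range(n)) % PRIME for j in range(n)]
    return sum(partials) % PRIME


def laplace_noise(scale, rng):
    """Laplace(0, scale) sample: the difference of two exponential samples."""
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)


def dp_count(records, predicate, epsilon, rng):
    """Release a count with epsilon-DP; a counting query has sensitivity 1.

    Toy float arithmetic: a production release should use a vetted DP library.
    """
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1 / epsilon, rng)


# Constructed sample data (not from the paper).
AGENCY_PAYMENTS = {"agency_a": 1200, "agency_b": 450, "agency_c": 0}
CLAIMS = [{"id": i, "flagged_improper": i % 10 == 0} for i in range(200)]

if __name__ == "__main__":
    total = mpc_sum(list(AGENCY_PAYMENTS.values()))
    print("joint total paid to one beneficiary:", total)
    rng = random.Random()
    noisy = dp_count(CLAIMS, lambda c: c["flagged_improper"], epsilon=0.5, rng=rng)
    print("noisy count of flagged claims:", round(noisy, 2))
```

A smaller epsilon adds more noise to each released count, which is the privacy-versus-accuracy trade-off behind the "different extent of privacy" noted in the box.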
Part 2: Existing digital IDs in Japan and the EU
Japan launched its digital identity platform, the My Number Card (MINC), in 2016. The MINC features an integrated circuit chip that stores personal information and simplifies interactions with government and financial institutions, supporting services like social insurance applications, tax filings, job assistance, and bank-account setup. Since its launch, around a hundred million cards have been issued. The Digital Agency, established in 2021, also oversees the implementation and regulation of digital transformation initiatives, including digital ID systems. The cards themselves are issued by the Japan Agency for Local Authority Information Systems (which is jointly organized at the municipal and prefecture level).
The European Digital Identity (EUDI) Wallet is a digital ID solution designed to enable EU citizens, residents, and businesses to securely identify themselves and verify personal information both online and offline. It builds on the foundation of the eIDAS (Electronic Identification, Authentication, and Trust Services) regulation. Developed by the European Commission, its main functions are cross-border recognition and harmonization. The European Commission is investing in four large-scale pilot projects to test and develop the wallet’s functionality. These pilots involve approximately 360 entities, including private companies and public authorities from twenty-six member states and Norway, Iceland, and Ukraine.
Digital ID governance and implementation framework
Digital ID creation in both the EU and Japan follows a layer-based framework that consists of a highly centralized governance and implementation effort led by the federal authorities within the respective jurisdictions. The first layer is ID issuance by a government agency. The second layer is ID creation, governance, and implementation and comprises trust and verification intermediaries, such as providers of the personal ID, qualified electronic attestation of attributes, electronic seals, and other authentic sources. The third layer is entirely implementation based, consisting of “relying,” or ID-accepting, institutions, which are the private and public institutions that enable ID use. The fourth layer is made up of software and hardware. The final layer is made up of participants: In both cases below, these are individuals or small and medium enterprises holding digital IDs.
Outside this layer-based framework are the European Commission or Japan’s Digital Agency, respectively, along with supervisory and regulatory authorities, and various schemes for the governance of the trust layer.
Standards creation and gaps
The EU’s eID framework is part of a larger packet of regulatory standard-setting action on data sovereignty and privacy. Japan is similarly aligned with its G7 presidency action plan for the free flow of data with trust and a wider push for digitalization of services. Regulatory actions have emphasized privacy protection, data management and flow decisions, and ID harmonization/mobility/interoperability. Generally, across both jurisdictions, there is an emphasis on governance and assessment frameworks over technical standards on verification, privacy, and cybersecurity.
Additionally, the EU and Japan have established an MoU with each other for collaboration in exploring use cases and mutual recognition.
Identity theft-based benefits
Across the EU, identity-theft-specific benefits fraud statistics are limited, but individual member states have published figures that provide useful context. In Finland, the Social Insurance Institution (Kela) reported 1,104 suspected benefit fraud cases in 2024 totaling €7.15 million—about 0.43% of all benefits paid, down from 0.45% in 2023 and 0.79% in 2020. While these figures cover all detected benefit fraud rather than identity-theft cases alone, Kela attributes part of the reduction to stronger digital verification, such as the national Incomes Register, which enables real-time income checks. Estonia, often cited as Europe’s digital identity pioneer, maintains low fraud rates through integrated verification across multiple government services. Although EU-wide identity-theft-specific data is not available, evidence from countries further along in the digital identity pathway, like Finland and Estonia, suggests that robust, integrated systems can help drive overall fraud down. The upcoming European Digital Identity (EUDI) wallet, set for implementation by 2026, could further standardize and strengthen verification measures across member states.
In Japan, fraudulent public assistance cases—including all forms from undeclared income to misrepresentation—account for less than 0.5% of total payouts. No public data isolates identity-theft-driven cases, and Japan’s reporting on fraud statistics is generally limited. While the My Number digital identity system is fully deployed, there is no evidence to confirm a measurable decline in identity-theft-specific benefits fraud. Digital identity systems can contribute to benefits fraud reduction, but effectiveness depends heavily on implementation quality, system integration, and supportive legal frameworks.
Use and expansion
The EU is still in the pilot phase. Meanwhile, 75 percent of the Japanese population (93.08 million citizens as of September 2024) has a My Number ID card. This uptake is in line with the growth of other digital services provided by the Japan Agency and with growth in favorable attitudes toward digitalization in Japan. This agency conducts annual assessments and evaluations of the system, and communicates expansion plans along with new use cases (e.g., entertainment, most recently) and community management.
Policy goals
Both jurisdictions are attempting two tiers of policy goals. On the ID user and holder level, the policy goals are associated with reducing administrative burden and time, enabling efficiency and reducing cost. The second tier of goals has to do with national digitalization priorities, built on actions to realize economic benefits from better use and management of private data and public services. In addition to this, the EU has a goal of ID harmonization and portability across its member states, in line with its long-term policy goal of integration.
Putting these learnings from the EU and Japan in context with the overarching assessments in Part 1 of the paper, the next section provides policy-oriented recommendations for the development of digital IDs for benefits provision in the United States.
Part 3: Policy recommendations for the United States
Given the lessons from the rollout of digital identity in the EU and Japan (Part 2), and with the context of the current use of digital identities in benefits provision in the United States (Part 1), we conclude this paper with appropriate policy recommendations to responsibly prompt the next generation of digital IDs in the United States. These recommendations, calibrated with appropriate regulations to protect the personal data of US citizens and residents, can effectively resolve existing friction in the use of digital identities in the United States, and enable the creation of an innovative ecosystem of financial products, ultimately positively impacting the financial health of the public sector, corporations, and individuals.
Policy goal 1: Incentivize private sector in the identity governance and implementation framework by creating a technology sandbox
There is an important aspect of incentivization in digital identity that drives its uptake among users and holders and broader deployment across a range of functions. Jurisdictions like the EU and Japan, and emerging markets like India, have each given a central role in this to the public sector, making access to public services the main incentive to drive ID use. The US private-sector-driven innovation model and strong foundations of individual privacy offer an alternative governance model, which can now be provided through the maturation of privacy-enhancing technologies. A governance framework should build on strong foundations for privacy and data management, as well as reciprocity and portability in digital ID for holders. Importantly, we recommend the creation of a public-private sandbox that can incentivize private-sector participants to test out new technologies and create models that address existing gaps and new risks in the cyber domain. The purpose of this sandbox should be to inform future technological and governance standards needs, reduce pain points of improper payments, and maximize digital ID deployment in the United States.
Policy goal 2: Create innovative, federated technological models that combine benefits delivery and digital identity
What is clear in our assessment of the EU and Japan is their global standards-setting ambition, largely seen in governance frameworks. Moreover, through regulatory actions they have been able to mandate interoperability requirements and have embraced verifiable-credentials-based digital identity technologies to address coordination challenges. To help further the state of the art, the United States has an opportunity to develop models for a federated technology stack for benefits delivery that integrates digital identity and novel payment solutions for use by the government and the private sector alike. This requires investment in research and development, especially incorporating new technologies for decentralization in pilot projects. Emerging regulatory clarity in digital assets can also inform these pilot projects and explore the feasibility of using self-hosted wallets and payment stablecoins.
Policy goal 3: Minimize ID-based threat vectors in benefits disbursement
Part 1 of this paper puts into perspective the role of improper payments in benefits disbursal in the US, as well as the highly fragmented verification process used by US agencies and their private sector partners. This enables scaling of phishing attacks and other scams, with innovation by fraudsters outpacing security in our public infrastructure and private sector services. Quantifying the problem is difficult due to a lack of transparency about fraud attack data, which undermines public trust in both government and private sector services. Put in context with the lessons from the EU area digital ID roll-outs, we see a clear need for a robust and integrated system of verifications, used across agencies, for a variety of end purposes. These should be aimed at reducing the duplication of efforts, beginning at the verification stage, as well as the costs associated with detection. Furthermore, law enforcement agencies and public benefit service providers should engage periodically to assess the continuously evolving threat landscape and create information sharing strategies that can help provide early indicators to inform mitigation options.
About the author
Ananya Kumar is the deputy director, Future of Money, at the GeoEconomics Center.
The author would like to thank Alisha Chhangani for her research and support on this paper.
This work was supported by the MITRE Independent Research & Development Program.