The internet was built to connect machines, not people. Its basic architecture maps servers to domain names and uses cryptographic certificates to prove websites are authentic. Yet it lacks a built-in way to bridge the gap between our offline identities — citizen, taxpayer, patient, employee, student — and the digital systems on which we increasingly rely to conduct our economic, civic, and personal lives.
Thanks to the internet’s missing identity layer, online life has become a painful, repetitive hassle of lost passwords, security code texts, and cumbersome, invasive sign-ups. We cobble together credit records, blurry photos of driver’s licenses, awkward selfies, and security questions about our childhood pets. The experience is just awful, but it also doesn’t work — and it’s costing us.
Americans lost $47 billion to identity fraud and scams in 2024 alone. Organized criminal networks siphoned off billions in pandemic relief. Fraud in public benefits, student aid, and small business lending has become endemic. At the same time, generative AI threatens to make all these problems much worse. The physical documents we upload to prove things about ourselves are now trivial to fake, while the astonishing quality of deepfake audio and video means that our own faces and voices can no longer reliably prove that it’s really us on the other end of a phone line or Zoom call.
That’s why digital identity needs to be treated as critical infrastructure, like the financial system, the electrical grid, and the internet itself. Lawmakers, regulators, and industry leaders have talked about digital identity as a matter of critical infrastructure for years, but the need has never been clearer or more urgent. It’s time to act and create a federal digital identity framework—not to centralize identity (Americans neither want nor need a national ID), but to standardize and govern the federated architecture of online trust.
Without it, we’ll keep layering brittle workarounds on top of an internet that was never built to handle identity and risk the security and performance of all the critical infrastructure into which the internet is increasingly tightly woven.
We know what to do
The good news is that we know what to do. Digital identity technology, built on the same encryption methods we use to verify the authenticity of your bank’s website, can go a long way toward closing the chasm between online and offline identity. Cryptographically secured digital identity has long seemed like a merely theoretical solution, but that’s rapidly changing. We’ve very recently reached a technical tipping point. We no longer have a tooling problem.
Today, at least 20 U.S. states have moved to launch mobile driver’s licenses and state IDs (mDLs) that can be held in a digital wallet, offering a glimpse of how digital credentials can work in practice. Unlike physical driver’s licenses, mDLs, which are cryptographically signed by the issuing state, can’t be faked. They support “selective disclosure,” which makes it possible to share only the information needed for a specific transaction, like proving you’re old enough to buy beer without also revealing your weight and home address. It’s a rare technology that enhances security and privacy at the same time.
That said, mDLs aren’t currently very useful because they’ve been limited to in-person use cases. You can use them to prove your identity at some airport security lines or tap a point-of-sale system at a handful of venues to prove that you’re old enough to buy an adult beverage. That’s cool and holding an mDL on your phone will swiftly become more practical and convenient as readers get integrated into more systems.
However, to be really useful, digital credentials need to be sharable online. Right now, if you want to open a bank account, start driving for DoorDash, or sell macrame owls on Etsy, you’re required to upload a photo of your driver’s license. This is a clumsy, invasive process prone to all sorts of fraud. But over the past few months, new technical standards for sharing and verifying mDLs online, and for requesting and receiving credentials through browsers and mobile operating systems, have finally rolled out. So, instead of launching yet another picture of your entire driver’s license into the ether, you’ll soon be able to securely share an mDL — or just the information required for the specific transaction — straight from your phone or browser wallet.
The future of digital credentials doesn’t begin and end with driver’s licenses. The same basic technology will make it possible to issue and share digital birth certificates, marriage licenses, student IDs, occupational licenses, diplomas — you name it. If it can be issued on paper or plastic, it can be issued as a secure, cryptographically signed digital credential.
We have the technology, but it won’t automatically add up to the kind of digital identity infrastructure we need — or want. Successfully fixing the problem will require broad coordination between the government agencies that issue our identity credentials, the organizations that set technical standards, the software companies and device manufacturers that build secure digital wallets, and citizens rightly jealous of their privacy and sensitive personal information who don’t feel pressured to share their mobile driver’s license every time they order a pizza.
We could easily get stuck with a patchwork
Without federal leadership, we’re likely to get stuck with what we already have: a patchwork of DMV-led identity programs, closed-system vendor contracts, and siloed solutions that don’t scale or interoperate. To get this right, we need a federal digital identity strategy that establishes the rules, standards, and safeguards for how identity works in the 21st century.
That strategy should do four things:
- Establish shared technical and policy standards for how digital identity credentials are issued, verified, and used. That includes privacy-by-design, selective disclosure, cryptographic integrity, and high-assurance verification.
- Ensure interoperability across states, agencies, platforms, and sectors. Whether someone’s credential is issued by a state, a federal agency, or a private entity, it should work wherever identity is needed—just like passports, but for digital life.
- Build public trust. That means legal guardrails, transparency, and oversight. Identity infrastructure should be open, auditable, and protected from abuse by both state and corporate actors. There need to be clear rules limiting when sensitive digital credentials can be requested, and regulating how our personal information is collected, stored, and shared. The issuers of digital credentials should not know when or where you’ve presented them. If digital IDs can be used to track us, we won’t use them.
- Promote inclusion and resilience. Not everyone has a smartphone. Not everyone drives. Not everyone wants to use the same platform. A national framework should support public options—such as offering identity verification and digital credential issuance at local post offices—and mandate device and platform neutrality.
The government has taken some small steps in the right direction. The text of the GENIUS Act, which creates a legal structure around stablecoins, directs the Department of the Treasury to explore digital identity technology as a tool for combating illicit finance. Likewise, a recent report from the White House Working Group on Digital Asset Markets notes that digital identity is critical for securing cryptocurrency networks against fraud and financial crime in a privacy-preserving way.
That’s great, but in an increasingly online world, problems of identity and trust pervade nearly every service and system, not just crypto networks. Infrastructure-level problems demand infrastructure-level solutions. That begins with a federal framework for digital identity.
Again, this isn’t about issuing a national ID card. Nor is it about replacing paper and plastic credentials with digital ones. There should always be physical credentials and the option to use them. It’s about creating a public trust layer — an identity architecture that enables secure, privacy-preserving, human-centered participation in the digital systems that have come to shape our lives.
This won’t work without trust
None of this will work if people don’t trust it. There’s a reason many Americans get nervous when they hear “digital ID.” And they’re not wrong. Identity systems — especially ones controlled by centralized authorities or tied to proprietary platforms — can become powerful tools of surveillance. Without safeguards, they risk enabling the very abuse they’re meant to prevent.
That’s why privacy isn’t an optional feature. It’s the cornerstone of any legitimate identity infrastructure.
A well-designed digital identity system doesn’t just verify that you are who you say you are. It also protects your ability to limit what you reveal — to disclose that you’re over 18 without handing over your birthday, to prove eligibility for benefits without exposing your entire financial history. We have the tools for this. The question is whether we’ll use them.
A digital identity system without democratic governance or legal guardrails doesn’t enhance freedom — it conditions it. It turns participation into permission. And when identity becomes a proprietary product, the terms of recognition shift from public legitimacy to private control.
We built the internet without an identity layer. We can fix that. But it will take public coordination, political will, and a commitment to openness, privacy, and the common good.
So let’s get started. Let’s get it right.
The opinions expressed in Fortune.com commentary pieces are solely the views of their authors and do not necessarily reflect the opinions and beliefs of Fortune.
