Nat Zone (https://nat.sakimura.org), Digital Identity and Privacy

On NIST SP800-63-4 and the Binding Level of Assurance and account hijack possibilities
https://nat.sakimura.org/2025/12/10/on-nist-sp800-63-4-and-the-binding-level-of-assurance-and-account-hijack-possibilities/
Wed, 10 Dec 2025 06:40:39 +0000

Abstract

This paper analyzes the “Binding” provisions within the new digital identity standard, NIST SP800-63-4 (released July 31, 2025). While the standard does not explicitly define a “Binding Level of Assurance,” this paper concentrates on the implicit levels found in SP800-63A-4 and on a critical security flaw in the process for adding subsequent authenticators, as detailed in SP800-63B-4.

The core issue is that the current provision allows a new, higher-level authenticator (e.g., AAL2 or AAL3) to be bound to a subscriber’s account within a low-assurance session (e.g., AAL1). This creates a vulnerability where an attacker, having compromised a lower-level authenticator, could bind their own high-level authenticator to the victim’s account, potentially leading to an account hijack.

To mitigate this risk, the paper proposes three amendments to the binding provision. These amendments aim to ensure that the binding process is either performed at an authentication assurance level (AAL) equal to or greater than the new authenticator’s AAL, that the new authenticator is registered at the AAL of the current session, or that identity proofing is re-executed. This would prevent the binding of a high-assurance authenticator using a low-assurance session, thereby enhancing security and providing a more accurate assessment of assurance to Relying Parties.

1. Introduction

NIST SP800-63-4 is a new digital identity standard that came out on July 31, 2025. It covers vast territory. However, in this paper, we will concentrate on the aspect of “Binding”. 

NIST SP800-63B-4 uses the word “Binding” rather than “Issuance” because users can bring their own authenticators and register them to their account at the CSP, rather than the CSP issuing them. So “binding” is a term that encompasses both registration by the user (subscriber) with the CSP and issuance by the CSP.

There is no explicit mention of a binding level of assurance in NIST SP800-63-4. However, there are some hints of it, mainly in the initial registration phase of the authenticator, which is described in SP800-63A-4 in the list of provisions for each level, referring to NIST SP800-63B-4 for the specific security requirements that are common to all levels.

2. Authenticator Binding 

General provisions

In SP800-63B-4, section 4.1 is dedicated to this binding. 

First, it defines “Authenticator binding” as follows: 

Authenticator binding refers to establishing an association between a specific authenticator and a subscriber account to enable the authenticator to authenticate for that subscriber account, possibly in conjunction with other authenticators. (Source: NIST SP800-63B-4)

Then, the document introduces a group of provisions as follows. 

Authenticators SHALL be bound to subscriber accounts by either:

  1. being issued by the CSP as part of enrollment or
  2. using a subscriber-provided authenticator that is acceptable to the CSP.

When a subsequent authenticator is to be bound to the subscriber account, the CSP

  1. SHALL ensure that the process requires authentication at either the maximum AAL currently available in the subscriber account or the maximum AAL at which the new authenticator will be used, whichever is lower; and
    • EXAMPLE: binding an authenticator that is suitable for use at AAL2 requires authentication at AAL2 unless the subscriber account currently has only AAL1 authentication capabilities.
  2. SHALL notify the subscriber via a mechanism independent of the transaction binding the new authenticator, as described in Sec. 4.6., when an authenticator is added.

Provision 1-3 above is problematic. It will be discussed in section 5.2.

Throughout the lifetime of a digital identity, CSPs

  1. SHALL bind authenticators to subscriber accounts either by
    • issuing them as part of enrollment, or
    • accepting an acceptable subscriber-provided authenticator and registering it as linked to the subscriber account;
  2. SHALL maintain a record of all authenticators that are bound to each subscriber account;
  3. SHALL determine the characteristics of the authenticator being bound (e.g., single-factor versus multi-factor, phishing-resistant or not) so that verifiers can assess compliance with the requirements at each AAL;
  4. (implicit) SHALL communicate the result of that determination to the RP;
  5. MAY determine it based on strong evidence (e.g., authenticator attestation), direct information from having issued the authenticator, or typical characteristics of authenticator implementations (e.g., whether a user verification bit is set by [WebAuthn]);
  6. SHALL also maintain other state information that is required to meet the authenticator verification requirements;
    • EXAMPLE: the throttling of authentication attempts described in Sec. 3.2.2 requires the CSP or verifier to maintain state information on recent failed authentication attempts, except for activation factors verified at the authenticator.
  7. SHALL create records that contain the date and time of significant authenticator lifecycle events (e.g., binding to the subscriber account, renewal, update, expiration);
  8. SHOULD include information about the source of the binding (e.g., IP address, device identifier) of any device associated with the event; and
  9. MAY require additional information about the new authenticator or its associated endpoint to determine whether it is suitable for the requested AAL.

3. Binding at Enrollment 

Binding at the time of enrollment is part of the enrollment process and is discussed in [SP800-63A]. Paraphrasing, the provisions are as follows.

The CSP SHALL

  1. permit the binding of multiple authenticators to a subscriber account;
  2. ensure that the process requires authentication at the lower of either
    • the maximum AAL currently available; or
    • the maximum AAL at which the new authenticator will be used;

      NOTE 1: This means that if the subscriber account is only bound to an AAL1 authenticator, a subsequent AAL2 authenticator is bound to the subscriber account within an AAL1 session. This poses a problem, as the AAL1 session may already have been taken over by an attacker, who may be attempting to bind their own AAL2 authenticator to the victim’s account.
  3. notify the subscriber via a mechanism independent of the transaction binding the new authenticator, as described in Sec. 4.6. (Account Notifications).

      NOTE 2: This partly addresses the problem pointed out in NOTE 1.

Further, if an authenticator is provided on a device other than the one on which the subscriber is currently authenticated, the binding process SHALL occur in the following sequence.

  1. The device on which the subscriber is currently authenticated requests a binding code from the CSP.
  2. The CSP generates and returns a binding code to the device.
  3. The subscriber enters the binding code on the second device with the new authenticator.
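The three-step cross-device sequence above, modelled as an added example that is not code from the paper or from the standard; the CSP class, the five-minute code lifetime, and the recording of the requesting session's AAL on the binding record are assumptions:

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Assumed lifetime of a binding code; SP800-63B-4 does not fix a value here.
CODE_TTL_SECONDS = 300


@dataclass
class BindingCode:
    subscriber: str
    session_aal: int     # AAL of the session on the first device that requested the code
    issued_at: float
    used: bool = False


class CSP:
    """Minimal (constructed) CSP model of the three-step cross-device binding sequence."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock                                   # injectable for testing
        self.codes: Dict[str, BindingCode] = {}
        self.bound: Dict[str, List[Tuple[str, int]]] = {}   # subscriber -> [(authenticator, aal)]

    def issue_binding_code(self, subscriber: str, session_aal: int) -> str:
        """Steps 1-2: the already-authenticated first device requests a code and the
        CSP returns it. The code is high-entropy so it cannot be guessed within its
        lifetime (a deployment that has the subscriber type a short code would need
        attempt throttling instead; that is outside this example)."""
        code = secrets.token_urlsafe(24)
        self.codes[code] = BindingCode(subscriber, session_aal, self.clock())
        return code

    def redeem_binding_code(self, code: str, new_authenticator: str) -> str:
        """Step 3: the second device presents the code together with the new
        authenticator. The code is single-use and expiring, and the binding record
        carries the AAL of the session that requested it, so the new authenticator
        is not credited above the assurance of the session that bound it."""
        rec = self.codes.get(code)
        if rec is None:
            return "unknown_code"
        if rec.used:
            return "code_already_used"
        if self.clock() - rec.issued_at > CODE_TTL_SECONDS:
            del self.codes[code]
            return "code_expired"
        rec.used = True
        self.bound.setdefault(rec.subscriber, []).append((new_authenticator, rec.session_aal))
        return "bound"
```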

4. Binding Provisions 

SP800-63A-4 states the requirements for each IAL. The following are the requirements for IAL 2 and 3. 

4.1 IAL2 Binding Provisions

IAL2 Binding requirements are listed in SP800-63A-4 section 4.2.12 Initial Authenticator Binding. 

Once a unique subscriber account is established for the applicant (now subscriber) in the CSP’s identity system, that is, when a record has been created in the identity register of the CSP, one or more authenticators can be associated with (i.e., bound to) the subscriber’s account.

To minimize the need for account recovery, the CSP

  1. SHOULD encourage subscribers to bind at least two separate means of authentication.
    NOTE: See Sec. 5 for more information about subscriber accounts and Sec. 4.1.2.1 of [SP800-63B] for more information on binding authenticators.
  2. SHALL provide the ability for the applicant to bind an authenticator using one of the following methods:
    1. Remote enrollment of a subscriber-provided authenticator consistent with the requirements for the authenticator type, as defined in Sec. 4.1.3 of [SP800-63B]
    2. Distribution of a physical authenticator to a validated address
    3. Distribution or on-site enrollment of an authenticator
  3. SHALL confirm the presence of the intended subscriber through one of the following methods if authenticators are bound outside of a single protected session with the user:
    1. Return of a continuation code
    2. Comparison against a biometric collected at the time of proofing

4.2 IAL3 Binding Provisions

IAL3 Binding requirements are listed in SP800-63A-4 section 4.3.10 Initial Authenticator Binding. The provisions are as follows: 

The CSP

  1. SHALL distribute or enroll the subscriber’s initial authenticator during an on-site attended interaction with a proofing agent;
  2. SHALL, if it distributes or enrolls the initial authenticator outside of a single authenticated protected session with the subscriber, compare a biometric sample collected from the subscriber to the one collected at the time of proofing prior to registration of the authenticator; and
  3. MAY request that the subscriber bring the identity evidence used during the proofing process to further strengthen the process of binding the authenticator to the subscriber.

5. Problems of the current documentation

There are several issues that can be pointed out in the SP800-63-4 binding processes. 

5.1 Issues around initial binding of the authenticator

Notably, the IAL3 provisions lack a remote registration provision, which could read:

  4. SHALL enroll the subscriber’s initial authenticator during the same protected session in which a proofing agent established the identity to be registered in the identity register.

This could be an oversight, or a reflection of the American local condition, where remote identity proofing at IAL3 is difficult since there is no widespread digital identity document that can be meaningfully used in remote identity proofing.

When other jurisdictions that can utilize digital identity documents (Digital IDs) try to make use of SP800-63-4, it is probably wise to add point 4 above.

5.2 Issues around adding subsequent authenticators

As stated earlier, provision 1-3 is problematic. It states that

  • the CSP SHALL ensure that the process requires authentication at either the maximum AAL currently available in the subscriber account or the maximum AAL at which the new authenticator will be used, whichever is lower.

This means that “AAL2” and “AAL3” authenticators can be bound to the subscriber account within a session created by an “AAL1” authenticator.

This poses a problem: an attacker may have already compromised the victim’s AAL1 authenticator (such as a password), and can then bind their own “AAL2/3” authenticator and use it subsequently.

Provision 1-3 should probably be amended to:

The CSP SHALL

  1. ensure that the process requires authentication at an AAL equal to or greater than that of the authenticator the subscriber is trying to add; or
  2. mark the registered authenticator as being at the AAL of the current session, even if the authenticator is capable of fulfilling a higher AAL; or
  3. redo the identity proofing at the matching IAL to raise the session quality to equal or exceed the AAL of the authenticator being registered.
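The current provision and the three proposed amendments, modelled side by side as an added example that is not code from the paper or from NIST. The CSP, account and attacker scenario are constructed, and the choice between rejecting the binding and downgrading the new authenticator is a hypothetical CSP policy switch:

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class AAL(IntEnum):
    """Authentication Assurance Levels as defined in SP800-63B-4."""
    AAL1 = 1
    AAL2 = 2
    AAL3 = 3


@dataclass
class Authenticator:
    name: str
    capable_aal: AAL                 # highest AAL this authenticator can support
    bound_aal: Optional[AAL] = None  # AAL the CSP actually credits it with once bound


@dataclass
class SubscriberAccount:
    subscriber: str
    authenticators: List[Authenticator] = field(default_factory=list)

    def max_bound_aal(self) -> AAL:
        """Highest AAL currently available in the account; this is what the CSP
        would communicate to an RP (the implicit item 4 in the list above)."""
        return max((a.bound_aal for a in self.authenticators if a.bound_aal is not None),
                   default=AAL.AAL1)


def required_aal_current(account: SubscriberAccount, new_auth: Authenticator) -> AAL:
    """SP800-63B-4 as written: the binding session must be at the lower of
    (max AAL currently in the account) and (max AAL of the new authenticator)."""
    return min(account.max_bound_aal(), new_auth.capable_aal)


def bind_current(account: SubscriberAccount, session_aal: AAL, new_auth: Authenticator) -> bool:
    """Binding under the current provision: the new authenticator is credited at
    its full capability even if the session that bound it was weaker."""
    if session_aal < required_aal_current(account, new_auth):
        return False
    new_auth.bound_aal = new_auth.capable_aal
    account.authenticators.append(new_auth)
    return True


def bind_amended(account: SubscriberAccount, session_aal: AAL, new_auth: Authenticator,
                 downgrade_instead_of_reject: bool = False,
                 reproofed_at_matching_ial: bool = False) -> str:
    """Binding under the proposed amendments (hypothetical CSP policy):
    amendment 3: identity proofing redone at the matching IAL raises the session;
    amendment 1: session AAL >= new authenticator AAL -> bind at full capability;
    amendment 2: otherwise either reject, or bind but mark it at the session AAL."""
    effective_session = new_auth.capable_aal if reproofed_at_matching_ial else session_aal
    if effective_session >= new_auth.capable_aal:
        new_auth.bound_aal = new_auth.capable_aal
        account.authenticators.append(new_auth)
        return "bound_full"
    if downgrade_instead_of_reject:
        new_auth.bound_aal = session_aal
        account.authenticators.append(new_auth)
        return "bound_downgraded"
    return "rejected"


def hijack_scenario(amended: bool) -> AAL:
    """Constructed scenario from the paper: the account holds only a password (AAL1),
    the attacker already has that password and tries to bind their own AAL3 key in
    an AAL1 session. Returns the AAL the CSP would subsequently report to an RP."""
    account = SubscriberAccount("victim", [Authenticator("password", AAL.AAL1, AAL.AAL1)])
    attacker_key = Authenticator("attacker-hardware-key", AAL.AAL3)
    if amended:
        bind_amended(account, AAL.AAL1, attacker_key, downgrade_instead_of_reject=True)
    else:
        bind_current(account, AAL.AAL1, attacker_key)
    return account.max_bound_aal()


if __name__ == "__main__":
    print("current provision, RP sees:", hijack_scenario(amended=False).name)  # AAL3
    print("amended provision, RP sees:", hijack_scenario(amended=True).name)   # AAL1
```

Under the current provision the attacker's key is reported as AAL3; under the amendment it is rejected or credited only at the AAL1 of the session that bound it, which is the "accurate assessment of assurance to RPs" the abstract refers to.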

6. Conclusion

This paper summarizes the “Binding” provisions available in the NIST SP800-63-4 series. It points out that there are implicit notions of a “Binding Level” expressed in SP800-63A-4, and that the method referred to by it (SP800-63B-4) is problematic because it is vulnerable to an attacker adding their own higher-level authenticator to the victim’s account.

To mitigate this, the paper proposes some amendments and additional provisions. With the mitigation, CSPs can provide safer ways to bind an authenticator to an account, and avoid giving the RP a false sense of security.

Trends and Insights from Identiverse 2025
https://nat.sakimura.org/2025/06/18/trends-and-insights-from-identiverse-2025/
Wed, 18 Jun 2025 08:58:52 +0000

Overview of Identiverse 2025

Identiverse 2025, held June 3–6, 2025 at Mandalay Bay in Las Vegas, brought together over 3,000 digital identity and security professionals for four days of keynotes, panels, and workshops [1]. The conference buzzed with a renewed focus on identity as the foundation of modern cybersecurity, emphasising that identity is no longer just a tool for access but “the foundation of modern security and compliance” [2]. Attendees noted a strong sense of community and collaboration, with industry leaders and practitioners sharing real-world challenges, bold ideas, and hallway conversations that often proved as insightful as formal sessions [3]. Across various talks and expert panels, several key themes and emerging trends repeatedly surfaced – from the push for frictionless authentication to the rise of AI-driven identity challenges, the explosion of non-human identities, and the imperative of digital trust in an era of deepfakes. Below is a structured recap of the most prominent trends and insights discussed at Identiverse 2025, along with expert opinions and notable takeaways from speakers and attendees.

Frictionless and Passwordless Authentication

A major theme at Identiverse 2025 was the industry’s drive toward frictionless authentication – making logins seamless without sacrificing security [4]. Identity and Access Management (IAM) providers acknowledged that user experience had been neglected in favour of security, leading to what one report dubbed the “digital equivalent of airport security” for logins [5]. In response, vendors such as Cisco Duo, Radiant Logic, Saviynt, and others unveiled new approaches aimed at eliminating cumbersome login steps (passwords, one-time codes, multiple prompts) and delivering what was likened to a TSA “fast pass” experience for authentication [6]. “You walk into your office, you put your phone on the table, you open your laptop, and you’re logged in”, explained Matt Caulfield, VP of Identity at Cisco’s Duo, describing a new proximity-based login that requires no manual credential entry [7]. He emphasised their goal of an experience where “you don’t need to put in a username, a password…no passwords anywhere”, reflecting a broader industry push toward passwordless authentication [8].

This push is backed by clear trends in adoption. Recent industry research shared at the event showed multi-factor authentication (MFA) usage is at an all-time high – for example, 66% of workforce users now use MFA (91% of admins) according to Okta’s 2024 report, with a growing preference for phishing-resistant methods [9]. Meanwhile, passkeys and passwordless methods are rapidly gaining traction, with one vendor observing a 400% increase in passkey usage in 2024 [10]. The global market for passwordless authentication is projected to quadruple over the next decade (from $19B in 2024 to $82.5B by 2034) [11], underscoring the momentum behind this trend. The consensus at Identiverse was that reducing login friction can actually improve security – by removing incentives for users to find workarounds – and that invisible or low-friction login experiences (e.g. biometric or behavioral authentication running in the background) are becoming an expected feature of modern IAM solutions [12].

Artificial Intelligence in Identity Security

AI’s impact on identity and security was front and centre in many discussions, with participants noting that “AI in IAM is here (and it’s not waiting for you to catch up)” [13]. Every major vendor showcased AI or machine learning-driven features: from behavioural analytics and risk scoring to AI-generated identity governance recommendations [14]. These practical use cases demonstrated real value, such as using machine learning to flag abnormal access patterns or to automate access reviews and approvals (reducing “review fatigue” for administrators) [15]. For example, Radiant Logic’s CEO described using generative AI to analyze identity data and recommend corrective actions via an “AI Data Assistant,” illustrating how AI can help manage complex identity environments [16]. At the same time, experts urged caution: the rise of AI also introduces new risks – adversaries are weaponizing AI through sophisticated phishing (leveraging large language models), deepfake voice or video impersonations, and automated attacks that can mimic legitimate users [17]. “Assume your voice, image, and behavior can be convincingly faked – and plan internal processes accordingly,” one CISO advised, highlighting the need for verification protocols and human oversight in an AI-driven world [18].

A particularly hot topic was “Agentic AI” – autonomous AI agents acting on behalf of users or organisations. In a dedicated panel on Agentic AI and Non-Human Identities (NHIs), speakers noted that AI agents are still identities to be managed (they use credentials and access data), but “they behave differently” than traditional scripts or service accounts [19]. These agents are goal-driven, can operate across multiple systems, and may make decisions without direct human intervention [20]. Experts warned that within five years, many domain-specific AI agents might be running with no humans in the loop, and if identity teams don’t establish strict privilege boundaries and governance now, “post-incident discovery will be futile” [21]. In other words, AI systems could amplify the impact of weak identity controls. The urgent consensus was that the identity community must develop governance frameworks for AI-driven identities as quickly as the technology evolves [22]. This includes requiring every AI agent or bot to be credentialed, enforcing fine-grained authorization for what they can do, and maintaining audit trails – essentially treating them with the same (or greater) scrutiny as human users [23]. As one panellist put it, “We must distinguish [helpful bots], protect them, and ensure they act in our interest”, signalling that managing AI identities will be a key frontier for security professionals [24].

Non-Human Identities (Machine and Service Accounts) in the Spotlight

Hand-in-hand with the AI discussion was a strong focus on Non-Human Identities (NHIs) – a term encompassing machine accounts, service identities, API keys, bots, and other digital identities not tied to a human user. NHIs emerged as one of the most urgent and widely discussed risks at Identiverse 2025 [25]. Multiple sessions highlighted the sheer scale of the issue: in many enterprises, machine and service identities now outnumber human identities by as much as 20:1 [26]. These non-person accounts often live outside traditional governance and IAM programs, creating massive blind spots in security [27]. One speaker likened the NHI landscape to an iceberg – most organisations only see the tip of their machine identities, with limited visibility into how many exist, what they’re used for, or who owns them [28]. “We’ve created digital entities that act without oversight, and most security teams still treat them as side quests,” one expert observed, pointing out that many companies don’t even start managing NHIs until after a breach has occurred [29].

The risks of ignoring NHI governance were made starkly clear. A panel on “How Attackers Compromise NHIs” delivered the simple but chilling message that “Attackers aren’t breaking in, they’re logging in.” [30] In other words, attackers often exploit poorly governed machine credentials rather than hacking in through vulnerabilities. According to Verizon’s Data Breach Investigations Report, 31% of breaches involve stolen credentials [31] – and many of those are things like leaked API tokens, hardcoded secrets in code, or orphaned service account passwords. Conference demos showed how easily such credentials can be harvested (for example, from public Git repositories or CI/CD pipelines) and then used to move laterally within an environment [32]. Because NHIs typically lack the lifecycle management that human accounts have, these breaches can persist unnoticed for long periods [33]. Attendees noted that traditional defences (like endpoint security or MFA prompts) often don’t apply to these accounts, making them an attractive attack surface. The takeaway was loud and clear: organisations must bring NHIs into the fold of identity governance. As one recap put it, “Governance is mandatory” for machine identities – doing nothing is no longer an option [34].

Improving NHI security was a recurring discussion topic, with experts sharing both challenges and best practices. A common refrain was “you can’t protect what you don’t understand,” meaning the first step is to discover and inventory all machine identities in use [35]. Practitioners stressed the need to track each NHI’s purpose, owner, and permissions – many noted that assigning clear ownership and accountability is critical, since “access reviews for machines are theatre unless we trim over-privileges and assign ownership” [36]. Another major recommendation was to eliminate static credentials in favour of short-lived, dynamic ones. In fact, an entire conversation revolved around making CI/CD pipelines “secretless”: replacing embedded passwords and API keys with ephemeral tokens or automated identity assertions [37]. “If you want to secure your production systems, you must secure your CI/CD pipelines…the fastest way to do this is to get rid of the secrets and adopt identities,” reported one blog, noting that “‘Secrets are not identities’ was a phrase heard more than once” at the conference [38]. New tools are emerging in this space to help continuously discover and manage NHIs [39], and some organisations shared success stories. For instance, the security team at Grammarly outlined their strategy to get a handle on machine identities: inventory everything, map context to each identity, enforce least privilege (using scoped roles and short-lived creds), and establish automated remediation workflows – all while ensuring someone in the business “owns” each identity’s maintenance [40]. The overarching insight was that machine identities can no longer be treated as an afterthought. They require the same rigour in governance (if not more) as human identities, including lifecycle management, monitoring, and integration into Zero Trust security models.

Identity as Critical Infrastructure (Resilience and Recovery)

Another key insight from Identiverse 2025 was the idea that identity has become “Tier 0” infrastructure for organisations – as critical to protect and keep running as networks, databases, or cloud services [41]. Several talks and panels emphasised identity resilience and incident recovery, reflecting lessons from recent security incidents. The question posed was: if your Identity Provider (IdP) or IAM system went down or was compromised, how quickly could your organisation recover? [42] Breaches and outages are no longer hypothetical, and identity systems can themselves be targets. As one speaker noted, if you can’t restore your identity layer quickly, your entire business may grind to a halt [43]. This marks a shift from viewing IAM purely in terms of prevention (keeping bad guys out) to also ensuring continuity (keeping the business running securely even when something goes wrong) [44]. “Identity resilience” – the ability to roll back or restore IAM functions after compromise – was front and centre this year [45]. In fact, identity backup and recovery capabilities were discussed as a board-level concern now, not just a technical detail [46]. One CISO speaker quipped that if your IdP goes down, so does your business, urging peers to treat the identity platform with the same investment in redundancy and disaster recovery as any mission-critical system [47].

This trend goes hand in hand with treating identity as core infrastructure. The consensus among vendors and analysts was that IAM is no longer just a security checkbox or login gateway – it’s foundational to business operations, agility, and even compliance [48]. As such, outages in IAM effectively mean outages in business operations [49]. Attendees repeatedly underscored the need for “immutable identity backups, testable failover plans, and controls that work under pressure – not just under audit” [50]. In practical terms, this means investing in capabilities like read-only backup directories, secondary authentication servers, or cloud-redundant IdPs that can take over if the primary fails. It also means regularly simulating identity-centric incidents (e.g. what if an admin account is breached, or thousands of user credentials are reset) to ensure the organisation can respond and recover. One takeaway was that identity governance and administration (IGA) programs should incorporate resilience metrics – for example, how long would it take to lock down all credentials in a crisis, or to re-issue trusted identity tokens after an incident? Such questions are now being asked in boardrooms. In summary, the message was to treat IAM like the core infrastructure it is: invest in its reliability and recovery, just as you would for your cloud platforms or databases [51]. As a blogger summed up, “identity isn’t just an IT function or a security project – it’s the connective tissue of digital business”, and ensuring its resilience is now a strategic priority [52].

Digital Trust and Verified Identity

Figure: Ping Identity CEO Andre Durand delivering a keynote on the importance of “Verified Trust” amid rising threats like deepfakes at Identiverse 2025 [53].

Establishing and maintaining digital trust was a recurring high-level theme, powerfully articulated in the opening keynote by Ping Identity’s CEO, Andre Durand. He characterized the current landscape as one where “trust is being tested like never before” – misinformation, deepfakes, and digital impersonations are eroding the assumption of authenticity online [54]. “The real attack surface isn’t our infrastructure – it’s our assumptions,” Durand warned, meaning that attackers increasingly prey on the implicit trust we grant to what we see and who we think we’re interacting with [55]. From business email compromise to SIM swapping to supply chain attacks, criminals target our fundamental trust. In response, the keynote introduced the concept of “Verified Trust” as a new imperative for the industry [56]. “We must verify before we trust,” Durand urged, advocating for a shift to authentication and identity systems that are continuous, contextual, and invisible to the user by default [57]. This isn’t just about adding more MFA prompts or stronger passwords – it’s about using multiple signals (device posture, location, user behaviour, risk scoring) and verifiable credentials in the background to ensure every interaction is authentic [58]. The goal is to achieve high assurance with low friction, so users hardly notice the constant verification taking place.

Key tools enabling this “trust but continuously verify” model include behavioral biometrics, real-time risk analytics, and decentralized identity credentials that can be cryptographically proven [59]. For instance, an authenticated digital credential might attest to a user’s identity or attributes, which can be checked automatically before a transaction is allowed. Done right, these measures can make digital interactions “always verified by default” without turning the user experience into an interrogation [60]. The backdrop for this push is a world in which even our senses can’t be trusted – “today, we can’t even trust our eyes and ears – seeing is no longer believing,” as the keynote noted, referencing the rise of AI-generated fake content [61]. This has led to predictions that soon we’ll see “deepfake-resistant IDs” become legally required for certain online activities [62]. Durand even envisioned a future split between a “Verified” internet (with a trusted identity layer) and an unverified “wild west”, where anonymity might become a premium service people pay for [63]. These provocative ideas underscored a broad agreement at Identiverse: the industry must double down on verifying authenticity – of users, devices, and even data – to preserve digital trust. The rallying cry “We Are the Guardians of Authenticity” was shared as a call to arms for identity professionals [64]. In practical terms, this means building security solutions that can instantly detect imposters (e.g. spotting subtle signs of deepfakes or stolen tokens) and that make trust portable and transparent for users. Several demonstrations at the conference indeed showcased technologies like verified credentials and decentralized identity in action, which allow users to prove things about themselves (or their devices) without exposing raw personal data [65]. All of this feeds into the larger mission proclaimed at Identiverse 2025: to restore and enhance trust in the digital world by ensuring every access decision and transaction is backed by verification, not assumption.

Compliance Pressures and Identity Security Posture

Emerging cybersecurity regulations and standards also loomed large in the conversations, with many noting that compliance requirements are now a major driver of identity security upgrades. Frameworks such as the EU’s DORA and NIS2, the proposed U.S. Cybersecurity Resilience Act, and other guidelines are putting identity in the spotlight, effectively mandating practices like least-privilege access, strong authentication, and auditability of identity systems [66]. Internal auditors and regulators alike are asking organisations to prove that only the right people (or machines) have the right access at the right time [67]. The sentiment shared was that compliance is no longer a checkbox – it’s a forcing function for modernisation in IAM [68]. In other words, even organisations that might have been slow to adopt things like comprehensive identity governance or advanced authentication are being pressed into action by regulatory deadlines and fear of penalties. Speakers gave examples of companies scrambling to implement tighter entitlements review processes and automated access recertification to satisfy auditors [69]. The challenge, discussed in hallway chats, is to meet these compliance obligations without slowing down business operations – hence the interest in solutions that automate identity controls and continuously monitor for policy violations [70].

One notable trend in this area is the rise of Identity Security Posture Management (ISPM) as a concept. Much like cloud security posture tools, ISPM tools aim to provide continuous assessment of an organisation’s identity configurations and policies across all systems [71]. Rather than point-in-time audits, they bridge the gap between security context and governance workflows, alerting teams to toxic combinations of privileges, inactive accounts, or policy drift in real time [72]. At Identiverse 2025, ISPM was highlighted as a “must-have” emerging capability for large enterprises, given the complexity of hybrid cloud environments and the speed at which access changes occur [73]. For example, if a highly privileged service account suddenly gains even broader access due to a misconfiguration, an ISPM solution could flag that immediately. Unlike traditional IGA (Identity Governance & Administration) tools that focus mainly on provisioning or certification campaigns, ISPM is about continuous enforcement of least privilege and adherence to security policy. This trend aligns with the broader push for real-time, event-driven access management: instead of reviewing access quarterly or reacting after an incident, companies want to adjust and revoke access in the moment, based on triggers like role changes, detected anomalies, or compliance rules [74]. The conference conveyed a sense of urgency here: staying compliant and secure will require more automation and intelligence in identity systems, and vendors in the IAM space are rapidly integrating these capabilities.

Inclusive Digital Identity and “Identity for All”

While much of Identiverse 2025 focused on cutting-edge technology and enterprise security, there was also attention on the human side of identity – specifically, making sure digital identity systems are inclusive and accessible to all. One notable session titled “Identity for All: Unlocking Economic Empowerment Through Inclusive ID” highlighted the sobering fact that over one billion people worldwide face barriers to establishing and verifying a digital identity [75]. Speaker Kay Chopard (Executive Director of the Kantara Initiative) discussed the far-reaching consequences of this identity gap: individuals without reliable IDs are often locked out of basic services like banking, e-commerce, and even the exercise of digital rights [76]. The session underscored that digital identity exclusion isn’t just a developing world problem – it affects vulnerable populations globally, from those lacking government IDs to those unable to navigate current identity verification processes. The economic repercussions are significant: without verifiable identity, people struggle to access jobs, education, healthcare, and financial services, perpetuating cycles of poverty and marginalization [77].

Chopard and other experts called on businesses to build “inclusion by design” into identity products [78]. This means creating identity verification methods that account for people who may not have credit histories, smartphone access, or traditional identity documents. For example, solutions might leverage alternative attributes or community attestations to establish trust. The audience was reminded that expanding their customer base can go hand-in-hand with social impact: by designing services that welcome those currently excluded, companies can both “expand their reach” and empower new user segments [79]. Organizations like Women in Identity are working to address bias and accessibility in digital ID systems, ensuring that identity technologies serve diverse populations [80]. The takeaway is that inclusivity is an emerging pillar of digital identity discussions. Whether through government programs for national digital IDs or private-sector initiatives for age verification and accessibility, Identiverse made clear that “identity for all” is part of the future. After all, the effectiveness of digital identity solutions will ultimately be measured by how universally they can be adopted – and that means overcoming barriers of literacy, accessibility, and trust in underserved communities.

Cultural and Organisational Challenges

Finally, a candid undercurrent throughout Identiverse 2025 was the recognition that the hardest identity challenges are often not technical, but organisational. Experts repeatedly noted that deploying cutting-edge identity tech is only half the battle; “as experts it’s easy to focus on the technological solutions, but organisations are made up of people and departments,” one recap observed [81]. A recurring topic was internal friction and misalignment that can slow or even derail identity initiatives. Identity projects frequently span IT, security, HR, compliance, and beyond – and each stakeholder may have different priorities. It was noted that many IAM deployments struggle due to poor communication and change management, rather than flaws in the technology itself [82]. One speaker dryly remarked that in big companies, “multiple people are accountable, which means no one really is,” describing how lack of clear ownership can doom an Identity Governance and Administration (IGA) program [83]. This was illustrated by a case study of a fast-growing SaaS firm: despite obvious risks and a capable security team, their IGA efforts failed until a regulatory audit forced action – and even then, the initiative was treated like “incident response” rather than a sustainable program [84]. The lesson was that strong leadership support and defined responsibilities are critical for identity program success.

Another common insight was that new identity technologies will only succeed if they minimise disruption for end-users and IT teams [85]. If adopting a security measure creates excessive inconvenience or requires massive process changes, it will face internal resistance. Therefore, many speakers advised focusing on “quick wins” and incremental progress: for example, rolling out passwordless authentication to a pilot group, or automating a few high-risk access reviews first, to demonstrate value. One panel summed it up: identity solutions must solve real-world problems and fit into existing business processes, otherwise they won’t gain traction [86]. This pragmatic view was echoed by practitioners sharing hard-earned lessons. In essence, technology is only part of the equation – getting the humans (leadership, employees, developers) on board is equally important. The encouraging news shared at Identiverse is that the identity community is tightly knit and collaborative. Multiple attendees expressed that being among peers was a reminder “you are not alone” in facing these challenges [87]. The conference itself fostered this sense of shared mission: identity professionals can learn from each other’s failures and successes. By tackling organisational hurdles collectively – through community frameworks, best practices, and mentorship – the industry hopes to accelerate the adoption of the vital trends and innovations highlighted above, turning vision into reality.

Sources: The insights above were synthesised from Identiverse 2025 session coverage, expert blog recaps, and commentary by attendees and sponsors. Key references include SC Media’s on-site reporting (scworld.com), analysis from industry blogs like GitGuardian (blog.gitguardian.com), SPIRL (spirl.com), and MightyID (mightyid.com), as well as the official Ping Identity keynote highlights (pingidentity.com). These sources provide a comprehensive view of the prevailing themes – from frictionless security and AI’s growing role, to the critical importance of machine identity management, trust frameworks, and inclusive identity – that defined Identiverse 2025.

OpenID Foundation Workshop Recap
Published Tue, 08 Apr 2025 at https://nat.sakimura.org/2025/04/08/openid-foundation-workshop-recap/

On April 7, 2025, the OpenID Foundation Workshop was held at the Google campus in California.

Recordings and slides will be coming out in the near future, but until then, the following recap can be useful. There is also a podcast version of it, created by NotebookLM based on this blog post.

Enjoy

Nat

Gail Hodges (Executive Director of OpenID Foundation) – Overview Report

Gail Hodges presented the major achievements of the OpenID Foundation over the past 6 months:

Specification Progress:

  • FAPI 2 Security Profile and Attacker Profile reached final version
  • FAPI 1 submitted to ISO as a publicly available specification
  • FAPI 2 conformance tests now support DPoP
  • DCP (Digital Credentials Protocol) Working Group progress: OpenID for Verifiable Presentations to 3rd implementers draft, OpenID for VCI to implementers draft 2, and HAIP (High Assurance Interoperability Profile) to implementers draft 1
  • eKYC (Electronic Know Your Customer) and IDA (Identity Assurance): OpenID Connect Authority specification to 1.0, and AuthZen 1.0 to Implementer’s Draft in November 2024

Events and Collaborations:

  • Four different working groups are conducting interoperability testing
  • Shared Signals: interoperability events in Texas and London
  • DCP Working Group: hackathons in California, MOSIP event in the Philippines
  • Collaboration with NIST: small group interoperability tests with the NCCoE program
  • AuthZen: first interoperability event at Gartner (well-attended)
  • Federation: SUNET-hosted event in Sweden (planned for the week of April 24)

Governance and Operations Progress:

  • Finalization of process document and IPR agreement (first update in about 7 years)
  • Development of specification checking automation tool by Mark Haine

Thought Leadership:

  • Establishment of Australian Digital Trust Community Group
  • SIDI Hub: nine reports published by Elizabeth Garber
  • Government feedback: briefing to New York Federal Reserve Bank, feedback on NIST directive and NIST attributes services
  • Participation in Aspen Institute’s fraud task force
  • Blog post with specific recommendations on fine-grained authorization and rich authorization requests (by Dima)

Media Coverage:

  • Promotion of foundation activities and events
  • Active participation by co-chairs and editors in blogs and podcasts
  • Recognition of identity field leaders by Okta: more than half of the 25 recognized people were from foundation members or partners

EKYC (Electronic Know Your Customer) and IDA (Identity Assurance) Update

Presentation by Hodari McClain:

  • OpenID Connect Authority 1.0 implementations spreading worldwide (particularly in Australia and UK)
  • Specs submitted to ISO as a publicly available specification, 12-week voting period almost complete
  • New working group call for Identity Assurance starting at 5:30 JST in Tokyo
  • Conformance testing suite out of Beta
  • Next phase of work to include age assurance, authority use cases
  • Attachments expected to reach final version in Q2 2025, Authority specification to implementers draft 2

DADE (Death and Digital Estate) Community Group

Presentation by Dean Saxe:

  • Group established in September 2024 to develop understanding of how individuals can manage their digital estate
  • Digital estate includes digital data such as online writing, images, photos, audio/video, code, etc.
  • Developing use cases for temporary/permanent disablement or death
  • Collecting data on legacy contacts and service mechanisms (highly inconsistent across platforms)
  • Discussion of death can be difficult depending on culture and language
  • DADE panel planned for Identiverse 2025
  • White paper planned titled “The State of Digital Estate Management” including a planning guide
  • Planned release for Cybersecurity Awareness Month
  • Regular working group calls for North America/EMEA and APAC/North America

Q&A:

  • Response to question about global vs. specific regions: Ideally global, but work at regional level needed. A group is starting up in Australia
  • Response to question about cooperation with MOSIP: Wish to utilize insights from regions where MOSIP is active, such as India and Africa
  • Discussion about accessing services on behalf of deceased individuals sometimes being a useful anti-pattern

AI Authentication Panel Discussion

Moderator: Tobin (researcher between MIT and Stanford). Panelists: Aaron Parecki, George Fletcher, Dima

Introduction by Tobin:

  • AI community currently in chaos as chatbots discovered to connect to APIs and take actions, attempting to do so without authentication
  • Startups and AI companies recognizing need for more robust authentication and authorization but trying to build from scratch
  • OpenID Foundation well-positioned to take a clear stance to prevent AI community from reinventing the wheel

Summary of recent blog post by Aaron Parecki:

  • Model Context Protocol (MCP) attempting to standardize access to AI tools but issues with authentication aspect
  • Most issues can be addressed by applying existing OAuth thinking
  • Tendency in AI world to create completely new things, but many existing API access patterns and authorization patterns apply one-to-one

Additional context from Tobin:

  • Workshop at Stanford showed diverging opinions on authenticated delegation for agents
  • OpenAI claimed consumers just want “robot to do the task”
  • Others want to severely restrict actions AI can take
  • Need to consider role of human in the loop and how OpenID-style tools can help

George Fletcher’s perspective:

  • Liability and responsibility is an important issue
  • Increasing user consent shifts responsibility to users but degrades user experience
  • Complex authorization questions regarding degree of delegation to agents (e.g., scope of credit card information usage)

Panel discussion:

  • Discussion on delegated authority, expression of intent, limitations of scopes
  • Differences between AI use cases and normal use cases: unanticipated behavior, expression of intent, learning agents
  • Importance of building on existing infrastructure
  • Possibilities for extending existing OAuth mechanisms

Conclusion:

  • OpenID Foundation needs to provide a voice to the AI community
  • White paper planned
  • Leverage knowledge from areas with existing solutions, such as open banking and digital ID credentials

OpenID Connect Working Group Update

Presentation by Mike Jones:

Key Developments:

  • Security analysis of OpenID Federation completed, revealing significant security hole
  • Certification team developing certification tests for OpenID Federation
  • Interoperability event for Federation planned at SUNET in Sweden at the end of April

Newly Adopted Specifications:

  • OpenID Federation Wallet Architectures draft
  • OpenID Connect RP Metadata Choices specification
  • OpenID Provider Commands specification (to be detailed later by Dick Hardt)

Security Analysis and Response:

  • Federation security analysis by University of Stuttgart found bug or ambiguity in audience values sent to authorization servers
  • Discussed privately for months with deployments vulnerable to the bug and fixed
  • Fixes implemented for OpenID Federation, OpenID Connect Core (errata draft), FAPI 2, FAPI 1 (errata draft), CIBA Core (errata draft)
  • Draft called 7523bis adopted to address OAuth specifications

Ongoing Work:

  • Planning Federation interoperability event (about 25 participants, about 12 implementations)
  • Considering review for implementers draft of RP Metadata Choices
  • Assessing status of three dormant specifications (OpenID Connect Claims Aggregation, User Info Verifiable Credentials, Self-issued OpenID Provider V.2)

EAP (Enhanced Authentication Profile) Working Group:

  • Updates to OpenID Connect EAP ACR Values specification
  • Registration of ACR values for phishing-resistant authentication and phishing-resistant hardware-backed authentication in official registries
  • Working group last call ending the next day

OpenID Provider Commands

Presentation by Dick Hardt:

  • Simple concept of OP sending commands to RP
  • A command is a JWT signed by the OP; the RP verifies its signature in the same way as an ID token
  • Supports all stages of account lifecycle (as defined by ISO): activating, maintaining, suspending, archiving, reactivating, restoring, and deleting accounts
  • Also supports tenant-level commands (metadata command, audit tenant, suspend tenant, archive tenant, delete tenant)
  • Uses Server-Sent Events to address challenges with long responses
  • Aims to lower barrier to entry compared to SCIM (System for Cross-domain Identity Management)

Q&A:

  • Current issues: proposal to rename command URI to command endpoint, among other small changes
  • Improvements based on implementation feedback, such as adding error events

AuthZen (Authorization) Working Group Update

Remote presentation by Omri Gazitt:

  • Working group established in late 2023 to standardize communication between policy enforcement points and decision points
  • Published first core API draft (evaluation API) in November 2024, evaluations batch API draft in January 2025, search API draft in March
  • Started developing API gateway profile at Gartner IAM 2024 London interoperability event

Interoperability Testing:

  • Tested two policy enforcement points: API gateway (medium-grained authorization) and ToDo application (fine-grained authorization)
  • Significant increase in participating vendors from December 2024 to March 2025
  • PDP vendors (AuthZen implementations) increased to 17
  • Seven new API gateway vendors joined (Amazon API Gateway, Broadcom’s L7 Gateway, Envoy, Kong, etc.)

Future Roadmap:

  • Evaluation API and evaluations batch API stable with no planned changes
  • Moving toward second implementers draft including search APIs, partial evaluation, and discovery
  • Aiming for AuthZen 1.0 final in summer or fall 2025
  • 2025 initiatives: formalizing API gateway profile, event delivery for stateful PDPs (leveraging Shared Signals), IDP profile consideration
  • Commercial implementations: Topaz supporting native AuthZen endpoints, Zuplo with native AuthZen support, Amazon’s Cedar planning AuthZen support later in 2025
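The PEP-to-PDP exchange the working group standardizes (an evaluation API for one decision, a batch API for several) as an added example in Python. This is not code from the AuthZen working group or any vendor named above. The JSON shape (subject, resource, action and optional context in; a decision out; a batch whose top-level fields act as defaults for each entry in an evaluations array) follows my reading of the AuthZen 1.0 drafts and should be treated as an assumption; the resource owners, roles and rules are constructed for the demo.

```python
"""Added example: a toy policy decision point (PDP) answering AuthZen-style
evaluation and batch-evaluation requests from a policy enforcement point (PEP).
Not code from the AuthZen working group or any vendor named in the recap.
Assumption: the JSON shape (subject/resource/action/context in, {"decision": bool}
out, and a batch whose top-level fields are defaults for each entry in
"evaluations") follows my reading of the AuthZen 1.0 drafts; the directory
and rules are constructed for the demo."""

# Constructed data: resource owners and role assignments a PDP would normally load from policy stores.
OWNERS = {"account:123": "alice@example.com", "account:456": "bob@example.com"}
ROLES = {
    "alice@example.com": {"user"},
    "bob@example.com": {"user"},
    "carol@example.com": {"user", "auditor"},
}


def evaluate(request: dict) -> dict:
    """Evaluation API: one subject/resource/action triple in, one decision out.
    Default deny: a malformed request or an unknown action yields False."""
    try:
        subject = request["subject"]["id"]
        resource = f'{request["resource"]["type"]}:{request["resource"]["id"]}'
        action = request["action"]["name"]
    except (KeyError, TypeError):
        return {"decision": False, "context": {"reason": "malformed request"}}
    roles = ROLES.get(subject, set())
    owner = OWNERS.get(resource)
    if action == "can_read":
        allowed = owner == subject or "auditor" in roles   # auditors may read everything
    elif action == "can_update":
        allowed = owner == subject                         # only the owner may write
    else:
        allowed = False                                    # unknown actions are denied
    return {"decision": allowed}


def evaluations(request: dict) -> dict:
    """Batch API: top-level subject/resource/action/context are defaults that each
    entry in "evaluations" may override; one decision per entry, in request order."""
    defaults = {k: request[k] for k in ("subject", "resource", "action", "context") if k in request}
    results = [evaluate({**defaults, **item}) for item in request.get("evaluations", [])]
    return {"evaluations": results}


def pep_guard(subject_id: str, resource_type: str, resource_id: str, action: str) -> bool:
    """What an API gateway (the PEP) does per request: ask the PDP and enforce the answer.
    Only an explicit True is treated as allow."""
    return evaluate({
        "subject": {"type": "user", "id": subject_id},
        "resource": {"type": resource_type, "id": resource_id},
        "action": {"name": action},
    })["decision"] is True
```

The PEP in a real deployment would POST these documents to the PDP over HTTPS; here the call is in-process so the decision logic can be read in one place. The batch form is what an application with many items on one page needs: one round trip instead of one per item.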

IPSIE (Interoperability Profiles for Secure Identity in the Enterprise)

Presentation by Dean Saxe and Aaron Parecki:

  • Working group addressing interoperability and security challenges in enterprise identity
  • Established in October 2024, addressing the challenge of many standards with many options in each standard
  • Goal is to define profiles using existing standards, reducing optionality and ambiguity
  • Level-based approach based on enterprise maturity: Session Lifecycle track (SL) and Identity Lifecycle track (IL), each with 3 levels
  • OpenID Connect profile proposed as initial draft, with public call for adoption
  • Another draft contributed describing how to apply SAML to achieve SL1 goals
  • Work beginning on draft for ID (provisioning) lifecycle
  • Aiming for SL1 interoperability event at Gartner IAM in December 2025

Q&A:

  • Regarding columns for application and identity service: Identity service refers to everything the enterprise runs to manage identities (IDP, threat monitoring services, etc.)

Shared Signals Framework

Presentation by Atul:

Overview:

  • Framework for reliably providing information asynchronously between cooperating parties
  • Provides a framework for negotiating what type of information to exchange about whom
  • Provides controls for starting, stopping, pausing, restarting streams
  • Application profiles for RISC (account security) and CAEP (session management)
  • SCIM Events is a draft for conveying account management changes

Architecture:

  • Receiver initiates communication, telling the transmitter which events it wants to listen to
  • Actual events sent through asynchronous transport as JWTs
  • Uses specific structure of JWTs called Security Event Tokens (SET)
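The signed-JWT mechanism that both OpenID Provider Commands (an OP-signed JWT the RP verifies like an ID token) and the Shared Signals transport (Security Event Tokens, RFC 8417) rely on, as an added example in Python. This is not code from the workshop or any OpenID Foundation project. It mints a SET on the transmitter side and runs the checks a receiver should perform before acting on it. Assumptions: HS256 with a constructed shared secret stands in for the transmitter's asymmetric key (a real transmitter publishes a JWKS); the CAEP session-revoked event type URI is the sample event; the issuer and audience URLs are constructed; the receiver-side checks (pinned algorithm and typ, signature, iss, aud, age, non-empty events, jti replay) are this example's own.

```python
"""Added example: mint and verify a Security Event Token (SET, RFC 8417) of the
kind the Shared Signals Framework transmits, with the checks a receiver (or an RP
handling an OP Command, likewise a JWT signed by the OP) should run.
Not code from the workshop or any OpenID Foundation project.
Assumptions: HS256 with a constructed shared secret stands in for the
transmitter's asymmetric key; the CAEP session-revoked event URI is the sample
event type; the receiver-side checks are this example's own choices."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret"           # constructed; a real SSF transmitter publishes a JWKS
TRANSMITTER = "https://transmitter.example"   # constructed issuer
RECEIVER = "https://receiver.example"         # constructed audience
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_set(subject_email: str, jti: str, iat: Optional[int] = None) -> str:
    """Transmitter side: sign a SET saying that a user's sessions were revoked."""
    iat = int(time.time()) if iat is None else iat
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    payload = {
        "iss": TRANSMITTER,
        "aud": RECEIVER,
        "iat": iat,
        "jti": jti,                                    # unique id: lets the receiver detect replays
        "sub_id": {"format": "email", "email": subject_email},
        "events": {SESSION_REVOKED: {"event_timestamp": iat}},
    }
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class Receiver:
    """Receiver side: verify signature and claims, reject replays, return the claims."""

    def __init__(self, max_age_s: int = 300):
        self.max_age_s = max_age_s
        self.seen_jti: set = set()

    def verify(self, token: str, now: Optional[int] = None) -> dict:
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed JWT")
        h64, p64, s64 = parts
        header = json.loads(b64url_decode(h64))
        # Pin the algorithm and type; never let the token pick its own algorithm.
        if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
            raise ValueError("unexpected alg or typ")
        expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s64)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(p64))
        if claims.get("iss") != TRANSMITTER:
            raise ValueError("unexpected issuer")
        if claims.get("aud") != RECEIVER:
            raise ValueError("token not addressed to this receiver")
        if not isinstance(claims.get("iat"), int) or now - claims["iat"] > self.max_age_s:
            raise ValueError("token too old")
        if not claims.get("events"):
            raise ValueError("SET carries no events")
        if claims.get("jti") in self.seen_jti:
            raise ValueError("replayed jti")
        self.seen_jti.add(claims["jti"])
        return claims
```

The order of checks matters: signature first, so that nothing in an unverified payload (issuer, audience, events) is trusted, and the jti is recorded only after every other check passes, so a rejected token cannot poison the replay cache. In an SSF deployment the transmitter's signing key comes from its published JWKS rather than a shared secret, and the events claim is what the receiver dispatches on (here, revoking the subject's local sessions).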

Specification Progress:

  • Three specifications (Shared Signals Framework Core, CAEP, RISC) progressing to final after resolving some issues
  • Addressing issues based on implementation feedback and organizing the specification

Interoperability Testing:

  • Testing conducted at Gartner IAM in Texas (December 2024) with numerous vendors
  • In London (March 2025), required transmitters to pass conformance tests to participate
  • Progressively raising the bar for interoperability tests, with third event being more rigorous

Adoption:

  • Apple, Okta, SGNL, Jamf supporting SSF in actual products
  • Increasing announcements of betas and implementation plans
  • Preparing white paper for financial services
  • Engagement with Aspen Institute: potential of shared signals in fraud prevention

MODRNA (Mobile Operator Discovery, Registration & autheNticAtion)

Presentation by Bjorn Hjelm:

Working Group Status:

  • CIBA Core specification has reached final version
  • Completing working group last calls for Discovery Profile and MODRNA CIBA Profile
  • Working on errata for CIBA Core
  • Outreach to GSMA community (industry organization of mobile network operators), ETSI, and Camara project (Linux Foundation)
  • Working toward liaison agreement with GSMA

Plans:

  • Targeting errata version 2 in Q3, agreement with GSMA by year-end

ITU (International Telecommunication Union) Submission

Continued by Bjorn Hjelm:

  • ITU is part of UN, formal standardization organization like ISO
  • Some governments require specifications from formal standardization organizations (ISO or ITU)
  • Effort to have OpenID specifications adopted by ITU to enable implementations in more regions
  • ISO used adoption by reference (specification published as-is with ISO cover sheet), but ITU requires adoption by implementation (specification reformatted to ITU format)
  • Converted OpenID Connect Core specification to ITU format and submitted for review
  • Feedback expected at meeting next week
  • Testing process with one specification first rather than all at once

SIDI Hub

Presentation by Elizabeth Garber:

Overview and Principles:

  • Global multi-stakeholder community collaborating on requirements for global interoperability of digital identity
  • Over 25 countries participating, engagement with intergovernmental organizations like OECD, World Bank
  • Five summits across five continents: Paris, Cape Town, Berlin, Washington DC, Tokyo (most recent)
  • Next event in Addis Ababa (ID for Africa) in May 2025
  • Principles include human-centricity, domestic sovereignty, multilateral engagement, grounding in real-life use cases, focus on both technology and policy

2024 Achievements:

  • Nine reports published: reports after each event, three champion use cases (refugee, education/credentials, opening bank account)
  • Report on global credential ecosystem governance
  • End-of-year report setting short, medium, and long-term goals

Current Work:

  • Building a “digital commons”: open suite of policy, technical, and other tools
  • Technical workstream: focusing on trust management, analyzing existing models like OpenID Federation, LUCI’s work, Train
  • Trust Framework workstream: expanding Open Identity Exchange analysis and bridging with cross-border ecosystems
  • Considering trust frameworks in context of Financial Action Task Force (FATF)
  • Approach to attestation rulebook in Europe

FAPI Update

Presentation by Joseph Heenan:

Key Developments:

  • FAPI 2 Security Profile and Attacker Model published as final specifications
  • Conformance tests in development, beta release planned for April 2025
  • Ecosystem expansion: BIS (Bank for International Settlements) project, UK’s SelectID, Chile and Colombia considering grant management specification
  • Continued engagement with Australian government
  • FDX moving to FAPI 2

Major Changes from FAPI 2 Implementers Draft to Final:

  • Change related to audience value in private key JWT client authentication (addressing security vulnerability)
  • Migration expected to be relatively easy

Future Work:

  • Working on moving FAPI 2 Message Signing specification to final
  • Focus on implementation and deployment advice documents
  • Planning Shared Signals white paper for regions interested in financial services (Chile, Brazil, etc.)

DCP (Digital Credentials Protocol) Update

Continued by Joseph Heenan:

Recent Implementers Draft Releases:

  1. OpenID for Verifiable Presentations (VP) 3rd Implementers Draft:
    • Addition of Digital Credentials Query Language (DCQL, pronounced “duckle”)
    • Addition of transaction data (embedding data acknowledged by user)
    • Addition of SD-JWT profile and X.509 authentication method
    • Change in how client IDs are passed in presentation exchange (resolving security issue)
    • Addition of Browser Digital Credentials API appendix
  2. OpenID for Verifiable Credential Issuance (VCI) 2nd Implementers Draft:
    • Implementation of Nonce endpoint (solving issues with multiple user interactions)
    • Batch issuance of same credential improving unlinkability
    • Removal of Batch Endpoint (reducing complexity)
  3. High Assurance Interoperability Profile (HAIP) 1st Implementers Draft:
    • Includes MDOC presentation profile over Digital Credentials API in browser
    • Coordination with ISO/IEC 18013-7
    • Mandates use of DCQL

Current Work:

  • Complete removal of presentation exchange from OpenID for VP, standardizing on DCQL
  • Support for Trusted Authorities
  • Addressing Multi-RP authentication challenges

Conformance Testing:

  • Alpha tests developed for Verifiable Credential Issuance (focusing on SD-JWT)
  • Updated wallet tests for Verifiable Presentations (supporting implementers draft 3)
  • Added verifier tests for Verifiable Presentations

Coordination:

  • Close coordination with the European Commission to ensure OpenID specifications explicitly referenced in next revision of EU implementing acts

NIST NCCoE (National Cybersecurity Center of Excellence) Interoperability Testing

Presentation by Juliana (Microsoft):

Event Background:

  • Part of NIST’s National Cybersecurity Center of Excellence project
  • Work on mobile driver’s licenses/digital identity
  • Use case for opening bank account and recurring access at high assurance levels

Test Overview:

  • Testing with multiple wallets, multiple browsers, multiple operating systems, single verifier (Mattr)
  • Testing Annex C profile from ISO MDL and four different OpenID for VP configurations
  • Built architecture enabling remote interoperability testing

Results:

  • Approximately 87% success rate in April 4, 2025 test
  • For MDOC: 80 pairs tested, with 1 unsigned and 8 signed failures
  • For SD-JWT: 27 pairs passed, 1 pair failed
  • Report that some known gaps already closed over weekend
  • No major feedback on protocols themselves

Future Plans:

  • Additional tests on April 25 and May 5
  • Detailed demo for SDO and government stakeholders on morning of May 5, public webinar in afternoon

Conformance and Certification Program Update

Final presentation by Joseph Heenan:

Test Development for Multiple Specifications:

  • FAPI: Provided DPoP support, FAPI 2 final tests coming to beta soon
  • Federation: Beta tests available, developing test with automatic registration flow for interoperability events
  • EKYC: Upgrading tests, discussing certification program details
  • Shared Signals: Conducted transmitter tests, starting receiver tests
  • Verifiable Credentials: VP tests used in interoperability testing, VCI tests coming soon

Coordination with European Commission:

  • Ongoing conversation about the potential use of tests

Closing

Group photo taken with all participants, workshop concluded. Board members informed they have another two hours of meeting ahead.

Authorized Push Payment (APP) Scams and EU’s Defence: PSD3 & Digital Identity Wallets
Published Sat, 05 Apr 2025 at https://nat.sakimura.org/2025/04/06/authorized-push-payment-app-scams-and-eus-defence-digital-identity-wallets/

(For an abridged YouTube video, go to https://www.youtube.com/watch?v=1rplN-4-O_E)

Introduction

Authorized Push Payment (APP) scams are a form of fraud in which victims are deceived into willingly authorizing a payment to a criminal. In an APP scam, the fraudster poses as a legitimate payee or authority figure and convinces the victim to send money under false pretenses [6]. Unlike unauthorized fraud (where transactions occur without the account holder’s consent), APP fraud exploits the victim’s trust and social engineering tactics to trick them into approving the transfer. These scams can target individuals or businesses and often involve impersonation of banks, government agencies, service providers, or even friends and family members.

APP scams have gained significant attention because of their devastating impact on victims and the financial system. Every year, thousands fall prey to such scams, suffering major financial losses that can be life-changing [7]. Victims frequently face not only monetary harm but also emotional and psychological distress – for example, one in three victims reports a negative effect on their mental health and confidence in managing money after an APP fraud incident [8]. These scams have proliferated with the rise of real-time digital payments, which allow fraudsters to quickly receive and dissipate funds before they can be recovered [9]. In markets with widespread instant payment systems, APP fraud has been one of the fastest-growing types of financial crime, undermining consumer trust in online payments and digital banking. Given the growth of APP scams and their impact on both consumers and the integrity of payment systems, regulators and industry stakeholders are increasingly focused on measures to prevent and respond to this form of fraud.

Prevalence and Financial Impact

APP scams are widespread and on the rise globally, accounting for a significant share of fraud losses in many regions. In the UK – one of the most transparent markets for fraud reporting – losses to APP scams reached £485.2 million in 2022 [10]. This represented about 40% of all UK fraud losses that year, nearly rivaling losses from card fraud [11]. Updated figures for 2023 showed APP fraud losses of around £459.7 million in the UK [12], indicating a slight decline from 2022 but remaining extremely high. Cumulatively, UK consumers and businesses have lost almost £2 billion over the past four years to APP scams [14]. By volume of incidents, APP scams make up a large portion as well – by some estimates up to 80% of fraud cases in the UK banking sector are APP-related [15], since many lower-value scams (like purchase scams) are very common. This trend is not isolated to the UK. For example, France has reported that authorized push payment fraud now accounts for 59% of total fraud by value in their payments system [16], highlighting that many European countries face a similar challenge.

Across Europe as a whole, the scale of APP fraud is difficult to measure precisely (due to varying reporting standards), but industry analysts estimate that APP scam losses could be as high as €2.4 billion annually [17]. Moreover, these losses are growing at an alarming rate of roughly 20–25% per year in Europe [18]. The growth of instant payment platforms (which allow money to move faster with less opportunity to intervene) has provided new opportunities for fraudsters, leading to increases in APP scam activity in any market that adopts real-time payments [19]. For instance, countries such as India, Brazil, and Australia – all of which have rapidly adopted real-time bank transfers – have seen significant surges in APP fraud incidents and losses [20]. Even regions like the United States, where instant P2P payments are a newer part of the landscape, are experiencing a sharp uptick: U.S. APP fraud cases grew by 151% in 2022 alone [21]. This global pattern demonstrates that APP scams have become one of the most prevalent and dangerous financial scams worldwide.

The financial impact on victims and financial institutions is severe. Individual victims can lose anywhere from a few hundred euros in a small purchase scam to life-altering sums in high-value investment or business email compromise scams. In 2022, 57% of reported APP scam cases in the UK were purchase fraud (many relatively small transactions) [22], while investment scams – fewer in number but typically involving large transfers – made up about 24% of total APP losses [23]. Banks and payment providers also shoulder costs in preventing and reimbursing fraud. In the UK, firms voluntarily reimbursed £256.5 million to victims in 2023 under a voluntary APP fraud code [26]. In fact, banks managed to refund victims in roughly 4 out of 5 APP scam cases in recent years [27]. Even so, the net losses remain enormous, and reimbursement does not erase the harm. Many victims feel shaken – notably, 15% of APP fraud victims in one survey left their bank after the incident (even if they got their money back) due to loss of trust [28]. The broader economy also feels the impact: over £1.2 billion was stolen via fraud (authorized and unauthorized) in the UK in 2022 [29], and fraud now constitutes a large share of overall crime reports in some countries (for example, fraud makes up around 40% of all reported crime in the UK by volume [30]).

It’s important to note that official statistics likely underestimate the true scale of APP scams. Many incidents go unreported due to embarrassment, lack of awareness, or low expectations of recovery. Research commissioned by Visa suggests that as many as one in three APP scam cases may not be captured in industry reporting 31. This under-reporting means the actual losses and number of victims could be significantly higher than the already startling figures reported by banks. In summary, APP scams are highly prevalent, with billions of euros in losses each year across Europe and globally, and their financial and societal impact is driving urgent action from both regulators and the financial industry.

Regulatory Responses

The growing threat of APP scams has prompted a range of regulatory responses in Europe, targeting different aspects of the problem. Key European regulatory frameworks – including the upcoming PSD3 (Payment Services Directive 3), anti-money laundering directives, the revised eIDAS 2.0 regulation on digital identity, and the European Digital Identity Wallet Architecture Reference Framework – all aim, directly or indirectly, to curb APP fraud and enhance consumer protection.

Payment Services Directive 3 (PSD3) and Payment Services Regulation (PSR)

In 2023, the European Commission proposed PSD3/PSR, which for the first time addresses APP fraud at the EU level. The draft PSD3 and its companion regulation introduce provisions to shift some liability onto payment service providers (PSPs) for APP scam losses, rather than burdening victims entirely 32.

In practice, this means establishing reimbursement rights for consumers who are defrauded, similar to how unauthorized transactions are handled, though the exact scope and procedures are still under discussion 33.

PSD3 also seeks to mandate Confirmation of Payee (CoP) checks (termed “Verification of Payee” in the EU context) for bank transfers 34. Under this requirement, when a customer enters a payee’s account details, the bank will check if the account name matches the IBAN and alert the customer to any mismatch before payment is executed.

This measure, already implemented in the UK, is aimed at preventing classic impersonation scams where victims think they are paying a legitimate person but the name/account don’t actually align. Additionally, PSD3/PSR will compel banks and payment institutions to improve fraud information sharing and customer authentication practices 35. PSPs will be expected to share data on known fraudsters or mule accounts to create a coordinated defense, and to strengthen Strong Customer Authentication (SCA) rules (for example, making more use of device fingerprinting and analytics in payment risk assessments) 36. PSD3 is slated to come into effect around 2026, reflecting a strong regulatory push to standardize how APP scams are prevented and how victims are compensated across all EU member states 37.

Anti-Money Laundering Directives (AMLD) and AML Regulation

A critical aspect of combating APP fraud is disrupting the money laundering networks that scammers use to funnel stolen funds. European anti-money laundering laws, such as the 5th and 6th AML Directives and the proposed new EU AML Regulation, reinforce requirements that can help address APP scam flows. Banks are required to conduct thorough Know-Your-Customer (KYC) checks and ongoing monitoring of accounts, which makes it harder for fraudsters to open or use bank accounts anonymously.

Under AMLD, suspicious transactions – for instance, rapid receipt and onward transfer of funds by a customer (a pattern common with “money mule” accounts used in APP scams) – must be flagged and reported. The EU’s plans to establish a centralized Anti-Money Laundering Authority (AMLA) will further facilitate cross-border intelligence on fraudulent funds moving through multiple institutions. While not aimed solely at APP fraud, these measures tighten the net around the recipient side of scams, i.e. the fraudulent accounts that receive victims’ payments. In 2022, about €1.8 billion in payment fraud was reported in the EU (an increase of 7% from the prior year), underlining the need for stronger AML oversight. Regulators are encouraging banks to improve KYC and transaction monitoring controls to better detect potential scam-related transactions. For example, guidelines advise assessing inbound and outbound payments for red flags, and considering customer vulnerability indicators when evaluating fraud claims. By enforcing stricter customer due diligence and facilitating faster freezing/recovery of fraudulent transfers, AML regulations complement consumer protection rules like PSD3 in the fight against APP scams.
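The "rapid receipt and onward transfer" pattern described above is something a bank's transaction-monitoring system can test for directly. The following is an added example written for this post, not code from any regulator, bank or AML vendor: it scans a small constructed ledger, flags accounts that forward most of an inbound credit within a short window, and follows the flagged hops to reconstruct the chain of mule accounts. The two-hour window and 90% forwarding share are assumed thresholds, not figures from any guideline.

```python
"""Flag accounts that receive and rapidly forward funds (a money-mule pattern).

Added example for this post, not code from any regulator or bank. The
transaction records below are constructed; the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Tx(NamedTuple):
    ts: datetime      # booking time (UTC)
    debtor: str       # account the money leaves
    creditor: str     # account the money arrives in
    amount: float


# Constructed sample ledger: a victim's payment hops through two mule accounts
# to an exchange within 20 minutes, beside ordinary salary/rent traffic.
SAMPLE_LEDGER = [
    Tx(datetime(2024, 5, 1, 9, 0), "VICTIM-A", "MULE-1", 4_800.0),
    Tx(datetime(2024, 5, 1, 9, 12), "MULE-1", "MULE-2", 4_750.0),
    Tx(datetime(2024, 5, 1, 9, 20), "MULE-2", "EXCHANGE-X", 4_700.0),
    Tx(datetime(2024, 5, 1, 10, 0), "EMPLOYER", "PAYROLL-ACC", 2_100.0),
    Tx(datetime(2024, 5, 3, 18, 0), "PAYROLL-ACC", "LANDLORD", 900.0),
]


def find_pass_through(ledger: List[Tx], window: timedelta = timedelta(hours=2),
                      min_share: float = 0.9) -> Dict[str, List[Tuple[Tx, Tx]]]:
    """Return {account: [(inbound_tx, outbound_tx), ...]} for every account that
    sends on at least `min_share` of an inbound credit within `window` of it."""
    inbound: Dict[str, List[Tx]] = defaultdict(list)
    outbound: Dict[str, List[Tx]] = defaultdict(list)
    for tx in sorted(ledger, key=lambda t: t.ts):
        inbound[tx.creditor].append(tx)
        outbound[tx.debtor].append(tx)

    flagged: Dict[str, List[Tuple[Tx, Tx]]] = defaultdict(list)
    for acct, credits in inbound.items():
        for credit in credits:
            for debit in outbound.get(acct, []):
                quick = credit.ts <= debit.ts <= credit.ts + window
                if quick and debit.amount >= min_share * credit.amount:
                    flagged[acct].append((credit, debit))
    return dict(flagged)


def trace_chain(ledger: List[Tx], start_account: str,
                window: timedelta = timedelta(hours=2)) -> List[str]:
    """Follow pass-through hops from `start_account` to rebuild the laundering path
    (first flagged hop per account; stops at an account that does not forward)."""
    flagged = find_pass_through(ledger, window)
    path, seen, current = [start_account], {start_account}, start_account
    while current in flagged:
        nxt = flagged[current][0][1].creditor
        if nxt in seen:        # defensive: circular hops
            break
        path.append(nxt)
        seen.add(nxt)
        current = nxt
    return path


if __name__ == "__main__":
    for acct, hops in find_pass_through(SAMPLE_LEDGER).items():
        print(acct, "forwards", [(h[0].amount, h[1].amount) for h in hops])
    print("chain from MULE-1:", " -> ".join(trace_chain(SAMPLE_LEDGER, "MULE-1")))
```

The salary account is not flagged even though it also receives and later pays out, because the onward payment falls outside the window and is a fraction of the credit; tuning those two parameters is where the false-positive trade-off lives in practice.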

eIDAS 2.0 (Revised Electronic Identification, Authentication and Trust Services Regulation)

The eIDAS 2.0 regulation, agreed in principle in mid-2024, establishes a framework for a European Digital Identity that citizens and businesses can use across all member states. A cornerstone of eIDAS 2.0 is the introduction of a European Digital Identity Wallet (EUDI Wallet): a secure digital wallet (often a mobile app) provided under state authority that can store verified personal data and credentials (e.g. passports, driver’s licenses, diplomas, bank account attestations, etc.) 38.

The regulation mandates that each member state must issue at least one compliant digital ID wallet to its residents by 2026, following common technical standards and with high security assurances 39. While eIDAS 2.0’s primary goal is to enable convenient and trustworthy electronic identification and data sharing, it has important implications for fraud prevention.

By allowing individuals to prove their identity and attributes digitally with a high level of assurance, eIDAS 2.0 can make it harder for criminals to impersonate someone or use a false identity – a tactic often at the heart of APP scams. For example, under eIDAS 2.0, a bank or business could reliably verify a customer’s identity via their digital wallet when onboarding a new account or confirming a transaction, rather than relying on easily forged documents or self-reported information 40. Strong authentication mechanisms built into the wallets (potentially including biometrics and cryptographic signatures) also reduce the risk of account takeovers. In essence, eIDAS 2.0 creates a trusted digital identity ecosystem that, if integrated with banking and payment services, can help ensure that all parties in a transaction are who they claim to be. This can directly address certain APP scam scenarios (for instance, an imposter would have a much harder time posing as a bank official or a customer if robust digital identity verification is in place). Moreover, by giving users control over sharing only specific attributes (e.g. confirming one’s name and age without revealing other details) 41, the digital wallet can limit the unnecessary exposure of personal data that fraudsters might exploit. The eIDAS 2.0 regulation thus complements financial regulations by strengthening the identity layer of digital transactions, which is a key defense against social engineering fraud.

EU Digital Identity Wallet Architecture and Reference Framework (ARF)

Alongside eIDAS 2.0, the EU has developed a detailed Architecture and Reference Framework (ARF) for the European Digital Identity Wallet, currently in version 1.8. This framework provides the technical and security standards for implementing the digital identity wallets across member states. It covers how wallets should manage credentials, authenticate users, ensure privacy (through features like selective disclosure of information), and interoperate Europe-wide. While the ARF is a technical guideline rather than law, it is crucial for regulatory alignment: it ensures that the high-level goals of eIDAS 2.0 (security, trust, interoperability) are met in practice. From a fraud perspective, the ARF specifies rigorous security requirements (such as certified trust services, encryption, and anti-tampering measures) that make the wallets resistant to hacking or forgery. This is important because if the digital identity wallets themselves are compromised, scammers could abuse them to obtain credentials or authorize actions in the victim’s name.

The ARF also envisions integration points where wallets can be used for authentication and authorization in payments. For example, it could enable a scenario where a payment initiation or a Confirmation of Payee check is tied to exchanging verified identity attributes. By establishing a common standard, the ARF helps banks and fintechs incorporate wallet-based identity verification into their services in a consistent way. In summary, the European regulatory response to APP scams is multi-faceted – PSD3/PSR addresses payment processes and liability, AMLD tackles the flow of illicit funds, and eIDAS 2.0 (with the ARF) fortifies the identity verification process – with the overall aim of reducing fraud and enhancing consumer trust in digital payments.

In addition to these EU-wide measures, it’s worth noting the role of national regulators and industry codes. For instance, the UK (though no longer in the EU) has been a forerunner in APP fraud policy: the Payment Systems Regulator (PSR) is implementing mandatory reimbursement for APP scam victims from October 2024, requiring sending and receiving banks to split the cost 50/50 42. This UK approach influenced the PSD3 proposals on liability. Other countries are also updating consumer protection laws and fraud strategies (for example, authorities are gaining powers to quickly take down websites or phone numbers used in scams) 43. Overall, the regulatory environment in Europe is evolving to impose greater responsibility on financial institutions to prevent APP scams and to provide consumers with stronger safety nets, while simultaneously building the infrastructure (like digital identities and verification tools) needed to thwart fraudsters.

Methods Used by Fraudsters

APP scammers employ a wide array of deceptive techniques to convince victims to send them money. At the core of almost all APP scams is social engineering – manipulating a victim’s trust, emotions, or sense of urgency so that they willingly authorize a payment they shouldn’t. Below are some of the most common methods and tactics used by fraudsters, along with recent evolutions in their approach:

Impersonation Scams

The fraudster pretends to be someone trustworthy – often a bank representative, police officer, government official, or utility company employee. They contact the victim by phone (vishing), text (smishing), email, or even in person, and create a false narrative that convinces the victim to transfer money. For example, a scammer might call claiming to be from the victim’s bank’s fraud department, warning of “suspicious activity” and instructing the victim to move funds to a “safe account” (which is actually the scammer’s account). Because the request appears urgent and comes from a figure of authority (sometimes even with spoofed caller ID matching the bank’s number), victims can be persuaded to act quickly. Bank impersonation and similar authority scams are particularly damaging – they often involve large sums and account for a substantial share of losses (many high-value APP cases start with a phone call from someone impersonating a bank or law enforcement) 44.

Purchase and Sales Scams

A very common form of APP fraud involves fake purchases. Scammers post bogus advertisements for goods or services (for instance, a used car, concert tickets, electronics, or rental property) on online marketplaces, auction sites, or social media. When a victim attempts to buy the item, the fraudster will insist on a direct bank transfer (push payment) rather than using a protected platform or escrow. Once the payment is made, the supposed seller disappears and no product is delivered. Purchase scams made up about 57% of all APP fraud cases in 2022 by volume in the UK 45, illustrating how frequent this tactic is. The values per case tend to be smaller, but collectively, it amounts to significant losses and can affect any consumer who shops online.

Investment and Cryptocurrency Scams

These schemes lure victims with the promise of high returns on investments. Scammers create professional-looking websites or profiles advertising opportunities in stocks, bonds, forex, or cryptocurrency that yield unrealistically good profits.

Often, they use social media ads or phishing emails to attract victims. Once a victim is interested, the fraudster (posing as an investment advisor or company representative) convinces them to transfer funds as an “investment.” In reality, there is no investment – the money goes straight to the scammers. Investment scams often involve larger sums per victim; in 2022 they comprised roughly 24% of APP scam losses by value in the UK 46. A contemporary twist is the “crypto investment” scam, where fraudsters direct victims to fake cryptocurrency trading platforms – the victim sees fake account balances growing after their deposits, but when they attempt to cash out, the scammers either vanish or demand additional fees. By the time the victim realizes, the crypto (or fiat funds) have been moved and laundered. These scams leverage the complexity of financial markets and cryptocurrencies to exploit victims’ hopes of quick gains.

Romance and Friendship Scams

Here, fraudsters target individuals on dating apps, social networks, or forums by creating a fake persona to build an emotional connection. Over weeks or months, they gain the victim’s trust and affection. Once trust is established, they fabricate a reason to request money – it could be an emergency (like a medical bill or legal trouble), a travel cost to visit the victim, or a lucrative investment they want to share with the victim. Believing they are helping someone they care about, the victim authorizes one or multiple payments to the scammer. These scams can be particularly cruel, as they exploit emotions and often leave victims not only financially hurt but also heartbroken and embarrassed.

Invoice and Business Email Compromise (BEC) Scams

Businesses are frequently targeted through invoice scams or CEO fraud. In an invoice redirection scam, fraudsters impersonate a legitimate supplier or contractor and inform a company that the supplier’s bank account details have changed. They often do this by hacking or spoofing the email account of the supplier or by sending a convincingly formatted letter. The company then unwittingly sends the next payment to the fraudster’s account. CEO fraud is another BEC tactic: attackers spoof the email of a high-ranking executive (or hack it) and send urgent payment instructions to an employee in the finance department (e.g., “We need to wire €50,000 to this account immediately for a confidential acquisition – I’ll explain later”). The employee, thinking the request is legitimate and time-sensitive, executes the payment. Because these scams involve authorized payments by the company, they fall under APP fraud (even though the company itself is the victim). They can result in very large losses for businesses in a short time.

Emerging AI-Driven Scams

Fraudsters are increasingly leveraging advanced technology like artificial intelligence to enhance their social engineering schemes. One alarming development is the use of AI-based voice cloning and deepfakes. Scammers can obtain a sample of someone’s voice (for example, from a social media video or a phone call) and use AI software to create a voice model. They can then call a victim using that cloned voice – for instance, mimicking a CEO, a relative, or any trusted person – to convincingly request a transfer of funds. This has already been reported in cases where company employees received calls that sounded exactly like their boss instructing a payment, when in fact it was a scammer with a cloned voice.

According to industry insights, the use of AI deepfake content has spiked dramatically – one report noted a 780% increase in detected AI-powered deepfakes in Europe between 2022 and 2023 47. Video deepfakes (though more complex to deploy in real-time scams) and AI-generated realistic profile photos are also being used in romance or investment scams to create the illusion of legitimate identities. By making scam communication more authentic and personalized, these AI techniques make it much harder for victims to discern truth from fraud. As Visa’s fraud experts observe, scammers are “harnessing tools like AI to devise ever-more sophisticated tactics,” using AI-driven voice imitation and deepfake tech to produce communications that seem genuine 48. The quality of scam attempts is improving to the point that even vigilant individuals can be fooled 49.

Use of Spoofing and Malware

Many APP scams are facilitated by technology that obscures the scammer’s true identity or location. Caller ID spoofing is widely used – fraudsters can mask their phone number to display the number of a bank or any trusted entity on the victim’s phone. This greatly increases the credibility of phone-based scams (“vishing”). Similarly, email spoofing or domain spoofing is used to send emails that look like they come from a legitimate company (e.g., using an email address almost identical to a real one). In some sophisticated cases, malware may be involved – for example, a trojan on a victim’s computer might intercept a legitimate payment they are trying to make and silently swap in the scammer’s bank details (though this blurs the line into unauthorized fraud). More commonly, malware might be used to gather information that aids social engineering (such as reading bank texts or emails to know how to impersonate). However, the hallmark of APP fraud is that the victim ultimately authorizes the payment themselves; malware generally plays a supporting role by stealing data rather than directly making the transfer.

Mule Accounts and Money Laundering

After tricking a victim into sending money, fraudsters rapidly try to launder the funds to prevent recovery. This often involves networks of “money mules” – individuals (sometimes complicit, sometimes duped via work-from-home scams) who allow their bank accounts to be used to receive and forward funds.

The stolen money might hop through several mule accounts in different banks and countries within minutes. Increasingly, criminals convert funds into cryptocurrency soon after receipt, since crypto exchanges and mixers can obscure the money trail 50. They may also purchase high-value goods or gift cards with the stolen money to quickly convert it. The speed of instant payments makes this process faster than ever – in a matter of hours, stolen funds can become effectively untraceable. This laundering step doesn’t directly involve the victim, but it’s a crucial part of the scam lifecycle that allows fraudsters to cash out and makes APP fraud particularly hard to combat after the fact.

APP fraudsters are adaptive and opportunistic

In summary, APP fraudsters are adaptive and opportunistic. They exploit human psychology through social engineering in its many forms – fear (imminent account compromise), greed (investment opportunity), love (romance), or authority (obedience to a supposed official). The channels used range from social media messages to phone calls and emails. Notably, a large proportion of APP scams now originate online: around 78% of cases start via online platforms (such as social media, e-commerce sites, or messaging apps) according to UK data 51, and roughly 70% of scams in the US have been linked to social media platforms (Meta’s platforms in particular) 52. The remaining cases often start with telephone contact (vishing or SMS), which, while fewer in number, tend to involve higher-value scams (e.g. impersonating police or bank officials) 53. Fraudsters take advantage of whatever medium the target is most likely to trust. With the advent of AI and vast amounts of personal data available from data breaches and social networks, scams are growing more convincing. The authenticity of fraudulent communications is improving, making it increasingly challenging for individuals to spot a scam before it’s too late 54. This ever-evolving toolkit of the fraudsters underscores the need for equally adaptive defenses.

Implications for Digital Identity Wallets

The emergence of European Digital Identity Wallets (as enabled by eIDAS 2.0 and the ARF framework) introduces both new opportunities and new considerations in the context of APP scams. These wallets will allow individuals to store and share verified personal data (such as identity documents, certificates, bank account information, etc.) through a secure mobile app under their control 55. The integration of such digital identity systems with financial services can significantly influence the security and trustworthiness of personal data sharing and, by extension, the fraud landscape.

On one hand, digital identity wallets can bolster security and trust in online transactions, potentially reducing certain risks of APP scams. With a trusted wallet, users can prove their identity or attributes to service providers with a high level of assurance. For example, a user could share a verified credential (issued by a government or bank) attesting to their name and bank account number. If banks and payment apps utilize this feature for Confirmation of Payee, a sender could confirm the identity of a payee before sending money. Imagine receiving an invoice from a contractor: using a digital wallet, the contractor could send you a signed credential proving their business identity and the IBAN of their bank account. You as the payer would then be confident that your transfer is going to the right entity, not an impersonator. This kind of identity verification for payees could thwart many impersonation and invoice diversion scams, which rely on victims not realizing the account details are fraudulent. In essence, the wallet can serve as a source of truth about who owns a given account or who is on the other end of a transaction.

Additionally, digital ID wallets can help with strong authentication and consent for transactions. Since the wallets will be secured (likely with PINs, biometrics, and cryptographic keys), they could be used to approve sensitive actions. For instance, a bank could integrate wallet-based login or payment confirmation: the user would receive a request in their wallet to confirm a payment or share data, which they approve with a high-assurance digital signature. This reduces reliance on more phishable methods like one-time SMS codes. If the wallet is used to authorize payments, it could include built-in checks or more visible information about the recipient, possibly alerting the user to any discrepancies. The high level of identity assurance provided by eIDAS-compliant wallets means that if both sender and receiver in a transaction use verified identities, it becomes much harder for a scammer to masquerade as someone else. The trust framework behind the wallets (with government-backed verification and accredited providers) strengthens the overall ecosystem of digital trust, ideally making users more secure when sharing personal data or making payments online 56.

However, there are also risks and challenges associated with digital identity wallets in the context of APP scams. By design, these wallets enable the sharing of personal data at the user’s discretion. A savvy scammer might attempt to exploit that trust by tricking a user into sharing certain credentials or authorizing an action via the wallet. For example, a fraudster could impersonate a legitimate organization’s website or app and trigger a fake identity information request to the user’s wallet. If the user isn’t careful, they might see a prompt in their wallet and approve it, thinking it’s a routine verification, when in fact they are sending a copy of their ID or other sensitive data to a scammer. Similarly, a scammer could socially engineer a victim into signing a transaction or document using their digital ID wallet under false pretenses. Because the wallet is a powerful tool (a bit like a digital passport and signature device), if a victim can be convinced to misuse it, the consequences could be serious – e.g., unwittingly signing a “consent” that allows the scammer to debit their bank account or share all their personal details. The success of such fraudulent ploys would depend on defeating the wallet’s safeguards (like confirming the genuine identity of the requesting service), but human error or sophisticated phishing could potentially overcome those safeguards.

Another consideration is that digital wallets themselves could be targeted by criminals. If a fraudster manages to compromise a person’s wallet (through phone malware, phishing the wallet credentials, or exploiting a security flaw), it could grant them access to a trove of verified personal information. That data could be used to perpetrate APP scams (or other identity fraud) against the wallet owner or others. For instance, stolen identity credentials could be used to open bank accounts (to be used as mule accounts) or to impersonate the victim in other contexts. The Architecture and Reference Framework addresses many security aspects to prevent unauthorized access, but no system is entirely immune. Thus, the security of the wallet software and the care users take with it are critical. Users will need to be educated to treat their digital identity like a sensitive document – if a scammer convinces them to divulge their wallet PIN or recovery phrase, it would be equivalent to handing over all their IDs.

There is also the risk of a false sense of security. Users might believe that because they are using a government-backed digital ID, everything they do with it is safe. Scammers could capitalize on this by, say, creating fake government portals or communications asking citizens to “update” their digital wallet or to make a payment verified by their digital ID. If users do not learn to verify the authenticity of who is requesting data through the wallet (for example, checking that the service has a valid trust certification in the wallet interface), they could still be deceived. Essentially, the wallet can prove who you are to a service – but it cannot alone prove whether a service or person is legitimate. That still requires user judgment and/or additional trust infrastructure.

To maximize the positive impact and mitigate risks, regulatory alignment and implementation choices will be key. The rollout of EU digital wallets will need to be accompanied by anti-fraud measures and user education. This could include features like warnings to users if a large amount of personal data is being shared, AI-based anomaly detection (e.g., alerting if a usually inactive wallet suddenly tries to share many credentials, indicating possible coercion), and clear displays of the requesting party’s identity (so users can spot if something looks off). Regulators might also encourage or require that certain high-risk transactions use identity wallet verification. For example, future regulations could mandate that any request to transfer above a certain amount to a new payee must involve a “verify payee identity via eIDAS wallet” step, adding friction to high-risk scenarios. The Confirmation of Payee (CoP/VoP) system planned under PSD3 could potentially be enhanced by integration with digital identity: instead of just matching a name, the system could leverage an identity credential to confirm the beneficiary’s identity with certainty.
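Three of the mechanisms discussed in this section can be shown in one piece of code: selective disclosure (sharing name and IBAN without revealing the rest of the credential), the verifier checking that what was disclosed really was attested by the issuer, and the wallet refusing or escalating requests from a relying party that is not in its trust registry or that asks for unusually much. The block below is an added example written for this post; it is not the EUDI Wallet ARF's, eIDAS 2.0's or any issuer's code. It uses the salted-hash selective-disclosure pattern (the issuer signs one SHA-256 commitment per attribute and the holder reveals only chosen salt/name/value triples). The issuer "signature" is an HMAC under an assumed shared key, a stand-in for a real public-key signature so that the example runs with the standard library only; the trust registry, issuer name and attribute limit are constructed assumptions.

```python
"""Wallet-side and verifier-side checks for a selectively disclosed credential.

Added example for this post; not the EUDI Wallet ARF's, eIDAS 2.0's or any
issuer's code. Salted-hash selective disclosure with an HMAC standing in for
the issuer's signature (assumption, so the example needs only the stdlib).
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

ISSUER_KEY = b"demo-issuer-key"  # assumption: stand-in for the issuer's signing key

# Assumption: relying parties registered with the wallet's trust registrar.
TRUSTED_RELYING_PARTIES = {"bank.example": "Example Bank AG"}


def _commit(salt: str, name: str, value: str) -> str:
    """Commitment to one attribute; without the salt the value cannot be guessed."""
    return hashlib.sha256(f"{salt}|{name}|{value}".encode()).hexdigest()


def issue_credential(attributes: Dict[str, str]) -> Tuple[dict, dict]:
    """Issuer: return (signed credential of commitments, disclosures the holder keeps)."""
    disclosures, commitments = {}, []
    for name, value in attributes.items():
        salt = secrets.token_hex(16)
        disclosures[name] = (salt, value)
        commitments.append(_commit(salt, name, value))
    body = {"issuer": "issuer.example", "commitments": sorted(commitments)}
    payload = json.dumps(body, sort_keys=True).encode()
    body["sig"] = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return body, disclosures


def present(credential: dict, disclosures: dict, reveal) -> dict:
    """Holder: reveal only the attributes named in `reveal`; the rest stay hashed."""
    return {"credential": credential,
            "disclosed": {n: disclosures[n] for n in reveal}}


def verify_presentation(presentation: dict) -> Optional[Dict[str, str]]:
    """Verifier: check the issuer signature, then that every disclosed attribute
    hashes to a committed value. Returns the verified attributes or None."""
    cred = dict(presentation["credential"])
    sig = cred.pop("sig", "")
    payload = json.dumps(cred, sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    verified = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _commit(salt, name, value) not in cred["commitments"]:
            return None
        verified[name] = value
    return verified


def wallet_decide(request: dict, disclosures: dict, max_attrs: int = 3) -> Tuple[str, str]:
    """Wallet: policy applied before any consent prompt reaches the user.
    Unknown relying parties are rejected outright; unusually broad requests
    from registered ones are escalated to an explicit warning."""
    rp = request["relying_party"]
    if rp not in TRUSTED_RELYING_PARTIES:
        return "reject", f"{rp} is not in the trust registry"
    wanted = [a for a in request["attributes"] if a in disclosures]
    if len(wanted) > max_attrs:
        return "warn", f"{rp} asks for {len(wanted)} attributes; confirm explicitly"
    return "allow", f"share {wanted} with {TRUSTED_RELYING_PARTIES[rp]}"


if __name__ == "__main__":
    cred, disc = issue_credential({"given_name": "Alice", "birth_date": "1990-01-01",
                                   "iban": "DE89370400440532013000", "address": "Example St 1"})
    print(wallet_decide({"relying_party": "scam.example", "attributes": ["iban"]}, disc))
    print(verify_presentation(present(cred, disc, ["given_name", "iban"])))
```

The point of the `wallet_decide` step is the one made in the text: the credential proves who the user is to the service, but it is the registry check that tells the user whether the service is who it claims to be, and that check has to run before the consent screen rather than after.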

In the big picture, European digital identity wallets have the potential to enhance trust in digital interactions – a benefit for fighting scams – but they are not a silver bullet. APP scams ultimately prey on human trust and decision-making. The wallets will provide new ways to establish trust (through verified identity data) which can deter fraud, but users and institutions must use those capabilities wisely. If widely adopted, these wallets could make impersonation much harder: a bank official could prove their role via a credential, a business could prove its identity to customers, and individuals could verify each other in peer-to-peer transactions. This creates an environment where transactions and data sharing are backed by mutual proof of identity, potentially squeezing out a lot of fraud opportunities. Conversely, if adoption is low or the systems are not user-friendly, scammers will continue relying on the weakest link – which is often the human element. Therefore, the implication for personal data sharing via digital wallets is that it can be far more secure than today’s ad-hoc methods (scans of documents, etc.), but it must be deployed alongside robust fraud awareness. Users should be trained to treat wallet data requests with the same caution as any other sensitive approval: always confirm the source. Aligning the regulatory frameworks – payments, AML, digital identity – will be essential so that, for example, a bank accepts a digital ID credential for KYC (making it easier to verify identities) 57, or that law enforcement can use digital identity logs to help trace fraud. The good news is that the EU’s strategy is indeed multi-pronged, and the digital identity initiative is being developed with privacy and security at its core, which should strengthen trust online 58.

In summary, digital identity wallets can significantly improve the security of personal data sharing and transactions by providing trusted verification, but they must be integrated thoughtfully into the financial ecosystem with attention to new fraud tactics that might arise.

Recommendations and Future Outlook

Combating APP scams requires a coordinated approach that spans policy, industry practices, and technology. Below are key recommendations and insights for mitigating APP scam risks, as well as a look at the future outlook:

  • Enhance Cross-Sector Collaboration: Banks alone cannot eliminate APP fraud; cooperation with technology platforms, telecom companies, and law enforcement is crucial. A large portion of scams originate on social media and online platforms 59, so those platforms need to actively police fraudulent content and accounts. Recent initiatives show the way – for example, Meta (Facebook) partnered with UK banks and the nonprofit Stop Scams UK in 2024 to share data on scam ads, leading to the removal of thousands of scam accounts and posts 60. This kind of cross-sector data sharing and rapid takedown of scam infrastructure (fake websites, phone numbers, profiles) should be expanded. Regulators should enforce obligations on online platforms (as in the EU’s Digital Services Act or the UK’s Online Safety regime) to prevent fraud at the source. Telecom providers must continue efforts to block spoofed calls and scam SMS. Governments can facilitate information exchange through fusion centers or centralized fraud databases while respecting privacy.
  • Strengthen Customer Education and Warnings: Public awareness is one of the strongest defenses against APP scams. Banks and authorities should continuously educate customers about the latest scam techniques – for instance, running awareness campaigns about AI-driven impersonation or circulating examples of common scam scripts. In banking apps and online banking interfaces, well-timed warnings can be very effective (e.g., if a user is about to transfer a large sum to a new payee, flash a warning: “Could this be a scam? Banks/police will never ask you to move money to a ‘safe’ account.”). Studies show many victims ignore generic warnings, but personalized or contextual alerts can give pause. Some banks use short delays on first-time payments to new beneficiaries, during which they may message the customer with fraud prevention advice – this gives the customer a moment to rethink. Educational efforts should also extend to businesses (training employees about BEC scams) and vulnerable groups in society. Ultimately, a well-informed user is less likely to fall for social engineering. As the UK’s fraud prevention community emphasizes: stopping fraud requires a broad coalition and keeping consumers vigilant 61.
  • Adopt Advanced Fraud Detection Technologies: Financial institutions should leverage modern technologies – particularly AI and machine learning – to detect and prevent APP scams in real time. Traditional rule-based fraud engines are not always effective for APP fraud because the transactions are initiated by legitimate users, so the usual red flags (like an unauthorized login) may not appear. However, AI can analyze a wider range of risk signals. For example, banks can deploy behavioral analytics to notice when a customer’s behavior during a session is unusual (perhaps indicative of being coached by a scammer) – such as atypically fast navigation, unusual hesitancy, or the use of copy-paste for information that is normally typed62. Device intelligence is another signal: if a user is authorizing a payment on their phone but their device location and behavior seem inconsistent with their past patterns, it could warrant additional verification63. AI models can also cross-reference fraud data across institutions: companies like Visa are developing real-time payment analytics networks to identify patterns of APP fraud that single banks might miss64. For instance, if multiple customers at different banks are suddenly sending money to the same payee, an AI network could flag that payee as suspicious in all banks simultaneously. Monitoring of payee accounts is as important as monitoring payers65. Fraud platforms now aim to score not just the transaction but the recipient – if an account is receiving funds from many unrelated people or has other mule-like characteristics, new incoming transfers to it can be halted pending review. By embracing such technologies, banks can move closer to preventing scams before funds leave the victim’s account.
  • Implement Confirmation of Payee (CoP) and Beyond: While Confirmation of Payee (the system that checks if the beneficiary name matches the account) is not a foolproof solution, it has been shown to intercept some mistakes and scams. The UK’s CoP system, launched in 2019, has helped catch mismatches (e.g., when an impersonator gives a victim an account number that belongs to “John Doe” but the victim intended to pay a company named “XYZ Ltd.”). The upcoming Verification of Payee requirement in the EU (via PSD3) will extend this safeguard across Europe 66. Banks should implement these name-check systems as soon as possible and make the results very clear to customers. If a name does not match, the payment should be paused and the customer explicitly asked to confirm they still want to proceed. That said, scammers can sometimes work around CoP by opening mule accounts in names similar to their cover story. Therefore, CoP should be seen as one layer – helpful but not sufficient. In the future, integrating CoP with digital identity verification (as discussed in the previous section) could take this a step further, essentially confirming payee identity, not just name spelling.
  • Establish Liability and Reimbursement Frameworks: A critical policy measure is the establishment of consistent rules for reimbursing victims of APP fraud. When victims know they have some safety net, they are more likely to report scams promptly (helping authorities respond) and less likely to suffer devastating financial ruin. Moreover, when banks are liable for fraud losses (even partially), they have a stronger incentive to invest in prevention. The UK’s move to mandate reimbursement for most APP scam victims (with costs split 50/50 between sending and receiving banks) is a promising model67. The EU’s PSD3 proposal hints at similar liability shifts68. Policymakers should refine these rules to ensure fairness – for example, setting reasonable conditions under which a claim could be denied (such as proven gross negligence by the customer, which should be a high bar)69. A balanced reimbursement regime will spread losses in the system but ultimately drive them down by motivating all parties to prevent fraud. It’s also important that such schemes cover not just consumers but, where feasible, small businesses who can be equally victimized. Clear liability also pushes innovation: if receiving banks know they might eat half the loss, they will do more to vet and monitor new accounts (to avoid onboarding fraudsters). Law enforcement mechanisms should complement this by aggressively pursuing organized fraud rings so that fewer scams occur in the first place.
  • Leverage Digital Identity and Authentication: As the European Digital Identity Wallets come online, banks and payment providers should incorporate them to strengthen user authentication and verification. For instance, using the wallet for customer login or transaction approval can add an extra layer of security (with cryptographic proof of identity) beyond passwords or SMS codes. Over time, encourage customers to verify important payees or documents via the wallet. Industry groups and regulators can develop standard protocols where, say, an online merchant or a charity can present a digitally signed credential to the payer’s wallet confirming who they are. This would create a chain of trust in transactions. In addition, banks could issue their own credentials (like a proof of account ownership or a payment mandate) into the wallet, which customers could use in interactions with other institutions. Embracing the wallet ecosystem not only improves security but also helps banks meet KYC/AML obligations more efficiently (since they can rely on eIDAS-verified identities)70. As a best practice, financial institutions should be actively participating in pilots and working groups for the EU digital identity framework, to ensure that the system is designed with fraud mitigation in mind from the start.
  • Invest in Anti-Fraud AI and Analytics: The same AI that is empowering scammers can be used by defenders. The industry should invest in machine learning models trained on large datasets of fraud cases to identify subtle signals of APP scams. These models can continuously learn and adapt as new fraud patterns emerge. For example, natural language processing (NLP) algorithms might be used to analyze the content of payment references or communications (if available) to detect scam-related language. Voice analytics AI could potentially be employed on customer service lines to detect if a caller is under duress or being coached in real time. As suggested by Visa’s whitepaper, data-driven strategies and AI tools are among the best countermeasures to the AI-enhanced tactics of scammers71. The future might also see shared utilities or consortia where multiple banks contribute data to a common AI service that flags risky transactions across the network (since a fraudster often strikes at multiple institutions). While respecting privacy, pooling non-personal fraud telemetry can greatly improve detection accuracy.
  • Rapid Response and Recovery Mechanisms: Despite best efforts, some scams will succeed. Thus, improving the post-incident response is important to mitigate impacts. Banks should have procedures to quickly freeze funds that are suspected to be fraudulent, and inter-bank communication channels to notify the receiving bank to hold the money (many countries are adopting rapid freezing orders or networks for this purpose). The sooner a scam is reported, the higher the chance of recovering funds before they are moved or cashed out. Law enforcement agencies in Europe are increasingly treating fraud as a top priority (given its high incidence), which is leading to dedicated fraud task forces. Strengthening public-private partnerships for fraud (as seen in the UK’s Joint Fraud Taskforce model) can ensure swift action when scams are reported. Moreover, continuing to take down mule networks is key – if we make it hard for scammers to find mule accounts, we choke their ability to cash out, thereby disincentivizing the scams. AML regulations will support this by clamping down on those who recruit or operate as mules.
  • Future Outlook – Staying Ahead of Evolving Scams: Looking ahead, APP scams are likely to continue evolving in sophistication. The arms race between fraudsters and defenders will persist. We can expect scammers to further abuse emerging technologies like deepfake videos, AI chatbots (perhaps to run dozens of simultaneous scam conversations), and even malicious uses of upcoming technologies (for instance, exploiting any weaknesses in digital identity systems, or using augmented reality to fake identities in video calls). On the flip side, financial institutions and regulators are becoming more proactive and collaborative. By 2026-2027, the combined impact of PSD3, the new AML Authority, and eIDAS 2.0 should create a more hostile environment for APP fraud in Europe – with better cross-bank cooperation, stronger identity verification, and more consistent protections for customers. Real-time payments will soon be the norm across the EU (with the push for SEPA Instant Credit transfers), so improving security around them is paramount; the measures being put in place now aim to balance speed with safety.
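Two of the layers listed above, shown in working form as an added example (this is not code from the article, nor from any bank or payment scheme): a Confirmation-of-Payee style name check run when a payee is set up, and payee-side convergence scoring run over a constructed cross-bank transaction feed of the kind a shared analytics network would see. The record format, thresholds and account identifiers are assumptions for illustration.

```python
"""Added example: CoP-style name check plus payee convergence scoring.
Record format, thresholds and account identifiers are assumptions."""
import difflib
import re
import unicodedata
from collections import defaultdict
from dataclasses import dataclass

# ---------- Layer 1: Confirmation of Payee name check ----------
LEGAL_SUFFIXES = {"ltd", "limited", "plc", "llp", "inc"}

def normalise_name(name: str) -> str:
    """Fold accents, case, punctuation and company suffixes so that
    'XYZ Ltd.' and 'xyz limited' compare equal."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    words = re.findall(r"[a-z0-9]+", text.lower())
    return " ".join(w for w in words if w not in LEGAL_SUFFIXES)

def check_payee_name(entered: str, on_account: str, close_threshold: float = 0.85) -> str:
    """Return 'match', 'close_match' or 'no_match' for the name the payer
    typed versus the name held by the receiving bank."""
    a, b = normalise_name(entered), normalise_name(on_account)
    if a == b:
        return "match"
    ratio = difflib.SequenceMatcher(None, a, b).ratio()
    return "close_match" if ratio >= close_threshold else "no_match"

def payment_gate(name_result: str, customer_confirmed: bool) -> str:
    """Anything short of a full match pauses the payment until the customer
    explicitly confirms after seeing the mismatch warning."""
    if name_result == "match":
        return "release"
    return "release_after_confirmation" if customer_confirmed else "paused"

# ---------- Layer 2: payee-side convergence scoring ----------
@dataclass(frozen=True)
class Transfer:
    bank: str         # sending bank (assumed identifier)
    payer: str        # payer account
    payee: str        # beneficiary account
    amount: float
    first_time: bool  # payer has never paid this payee before

# Constructed sample feed as a consortium would see it across three banks.
SAMPLE_FEED = [
    Transfer("BankA", "A-001", "GB29XXXX0001", 2500.0, True),
    Transfer("BankA", "A-002", "GB29XXXX0001", 1800.0, True),
    Transfer("BankB", "B-010", "GB29XXXX0001", 3200.0, True),
    Transfer("BankB", "B-011", "GB29XXXX0001", 950.0, True),
    Transfer("BankC", "C-100", "GB29XXXX0001", 4100.0, True),
    Transfer("BankA", "A-003", "GB29XXXX0002", 120.0, False),  # routine repeat payment
    Transfer("BankA", "A-004", "GB29XXXX0002", 60.0, False),
    Transfer("BankB", "B-012", "GB29XXXX0003", 500.0, True),   # a single first-time payer
]

def score_payees(feed, min_first_time_payers=3, min_banks=2):
    """Flag payees that many unrelated first-time payers, or first-time payers
    from several banks, are suddenly converging on. Returns {payee: reasons}."""
    first_time_payers = defaultdict(set)
    first_time_banks = defaultdict(set)
    for t in feed:
        if t.first_time:
            first_time_payers[t.payee].add(t.payer)
            first_time_banks[t.payee].add(t.bank)
    flagged = {}
    for payee, payers in first_time_payers.items():
        reasons = []
        if len(payers) >= min_first_time_payers:
            reasons.append(f"{len(payers)} first-time payers converging")
        if len(first_time_banks[payee]) >= min_banks:
            reasons.append(f"first-time payers from {len(first_time_banks[payee])} banks")
        if reasons:
            flagged[payee] = tuple(reasons)
    return flagged

def inbound_decision(transfer: Transfer, flagged) -> str:
    """Hold a new inbound transfer to a flagged payee pending review."""
    return "hold" if transfer.payee in flagged else "release"
```

On the constructed feed only the payee receiving first-time payments from five payers at three banks is flagged; the payee with routine repeat payments and the one with a single first-time payer are not, which is the distinction that keeps a utility company or a large retailer from being held. In a deployment the thresholds would be tuned against labelled mule cases, and the scoring would run on a shared network rather than inside one bank.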

In the best-case scenario, a few years down the line, we will have a Europe where: most consumers use a secure digital ID wallet to authenticate important transactions; name-checking of payees is standard; banks share fraud data instantly; and victims are promptly reimbursed and supported. Fraudsters, facing more hurdles (e.g. difficulty in anonymizing themselves or retaining proceeds), may shift to other types of crime or be deterred altogether. However, reaching that point requires diligent implementation of policies and continuous innovation in fraud defenses. Industry best practices – such as those listed above (multi-layered detection, user education, collaboration) – need to be ingrained and regularly updated. Policymakers should remain open to adjusting regulations as new threats emerge (for example, if AI scams become too advanced, perhaps certification of audio/video communications could be considered to verify authenticity).

In conclusion, Authorized Push Payment scams are a significant challenge for the European financial ecosystem, but not an insurmountable one. By addressing the issue from multiple angles – regulatory frameworks (PSD3, AMLD, eIDAS) that protect and empower consumers, technological tools that detect and prevent fraud in real-time, and cooperative efforts across industries – Europe can substantially reduce the prevalence and impact of APP scams. The introduction of European digital identity wallets, in particular, heralds a new era of trusted digital interactions, which if harnessed correctly, will bolster the fight against fraud. Stakeholders must ensure that security, vigilance, and user-centric design remain at the forefront. As fraudsters innovate, so too must the defenders: the same advanced tools and data analytics that scammers exploit can and should be used to outsmart them72. With ongoing commitment, the balance can be tilted in favor of secure and fraud-resilient digital payments, preserving consumer confidence in the fast-evolving digital economy.

Informative references

Visa APP Scam Whitepaper (2023) – Visa Europe’s commissioned research detailing the scale, impact, and evolving tactics of APP scams, including data from a Mintel survey of 2,000 UK respondents.

UK Finance Fraud Report (2023) – Annual fraud statistics published by UK Finance, detailing losses and trends in APP scams and financial crime in the UK.

European Commission PSD3/PSR Proposal (2023) – The official EU proposal introducing new regulatory measures addressing APP fraud, liability frameworks, and mandatory verification of payees.

Anti-Money Laundering Directives (AMLD) and EU AML Regulation – Legislative measures focused on preventing financial crime, including money laundering related to APP fraud.

eIDAS 2.0 Regulation (2024) – European digital identity framework enabling secure authentication and verification, with implications for preventing identity fraud in financial transactions.

European Digital Identity Wallet Architecture and Reference Framework (ARF) v1.5 – Technical specifications for implementing secure digital identity wallets in the EU.

Financial Conduct Authority (FCA) and Payment Systems Regulator (PSR) Reports (2023-2024) – Updates on UK regulations mandating APP fraud reimbursements and industry-wide fraud prevention measures.

Interpol and Europol Reports on Financial Crime Trends (2023) – Analyses on the global rise of real-time payment fraud and law enforcement strategies.

Reports from National Regulatory Agencies (France, Germany, Netherlands, and Italy) – Country-specific fraud prevention initiatives and banking sector reports on APP fraud trends.

Banking and Fintech Industry Reports (2023-2024) – Insights from major financial institutions, fintech providers, and security research firms on real-time fraud detection using AI and analytics.

The Evolution of Digital Identity: OpenID’s Journey (SIDI Hub Tokyo Opening Speech)
https://nat.sakimura.org/2024/10/25/the-evolution-of-digital-identity-openids-journey-sidi-hub-tokyo-opening-speech/
Fri, 25 Oct 2024

Ladies and gentlemen,

Let me take you on a journey taken by the OpenID Community through the evolution of digital identity – a story that continues to unfold even today. I do so as I have been in the community from the beginning and am probably quite authoritative. You can probably draw analogies from it as well.

It all began with OpenID 1.0 – a simple yet innovative solution that allowed blog owners to prove their identity online. At its core was a self-asserted identity system, where trust was built through one’s history and interactions in the blogging community.

The transition to OpenID 2.0 marked a significant expansion. What started as a blog-centric solution attracted a diverse community of similar initiatives. The introduction of OpenID Providers brought major platforms like Yahoo into the ecosystem. The movement gained international momentum, and I’m proud to say that here in Japan, the formation of OpenID Foundation Japan made headlines across major television networks and magazines.

While the community was growing rapidly, we faced challenges. The informal nature of our early days meant that even intellectual property rights weren’t properly managed – a situation that took me four years to resolve.

OpenID 2.0, despite its success, had its limitations. We encountered issues with cryptographic brittleness and complexity that hindered wider adoption. Traditional solutions like XML Digital Signatures proved equally problematic. This led us to develop entirely new signature formats – JWS and JWT – which became the foundation for OpenID Connect.

The impact was remarkable. Google led the implementation, followed by numerous others, and eventually even Apple joined the movement. With the smartphone revolution, OpenID Connect spread across the connected world, reaching both private sector applications and government services.

But are we done? Far from it.

We face three critical challenges:

  1. Only half of the world’s population has smartphone access
  2. Many governments still lack the infrastructure to provide legal digital identity to their citizens
  3. Traditional identity providers can only verify a limited subset of information about us and put a heavy burden on issuers, which need to provide scalable 24/7 systems.

Japan’s advanced digital identity infrastructure, while impressive, is more the exception than the rule globally. We need more versatile solutions that allow issuers to be only sometimes connected.

The path forward requires an even stronger, more collaborative community. Here in Japan, we’re fortunate to have such a community that transcends organizational boundaries. This August, we witnessed this collaboration in action when FIDO, W3C, and OpenID Foundation Japan united for a joint event that drew over 200 participants – limited only by venue capacity.

SIDI Hub Tokyo today represents another step forward in this journey. It gathers an even wider community. I extend my sincere gratitude to the Digital Agency for bringing us together and providing these excellent facilities. I look forward to the meaningful discussions ahead.

Thank you.

Slides: https://gamma.app/docs/The-Evolution-of-Digital-Identity-OpenIDs-Journey-sb1lbqdx3ozjhg1

NIST SP800-63-4 2pd Workshop Notes
https://nat.sakimura.org/2024/08/29/nist-sp800-64-4-2pd-workshop-notes/
Thu, 29 Aug 2024

The NIST SP800-63-4 2nd Public Draft (2pd) was made available a week ago. This was the first of a series of planned workshops, and it goes over some of the most important changes since the initial public draft.

Meeting Summary

Introduction and Housekeeping

  • The workshop on the NIST Special Publication 800-63 Revision 4 second public draft began with housekeeping notes, including the recording of the session, the availability of slides, and the use of the Q&A function for questions. [00:00]
  • Today’s Agenda is as follows:

Overview of NIST Special Publication 800-63 Revision 4

  • The workshop focused on the second public draft of the Digital Identity Guidelines, covering major changes, the public comment period, and how to submit comments. [02:00]
  • The guidelines are foundational requirements for digital identity management across the federal government, published in four volumes: a base volume and Volumes A, B, and C. [05:00]

Key Motivations for Change

  • The primary motivations include improving equitable access to government services, addressing emerging threats and technologies, and incorporating real-world lessons from previous implementations. [07:00]

Major Changes in the First Public Draft

  • Changes included revamped risk management, updated biometric requirements, new identity proofing processes, and considerations for privacy, usability, and equity. [09:00]

Timeline and Public Comment Period

  • The timeline for the revision process was reviewed, highlighting the issuance of the first public draft in December 2022 and the second public draft in August 2024. The public comment period for the second draft is 45 days. [12:00]

Major Changes in the Base Volume

  • Connie LaSalle discussed the incorporation of the user-controlled wallet model, the inclusion of an initial step in the identity risk management process, and the introduction of metrics for continuous evaluation and improvement. [16:00]
  • Notably, the subscriber-controlled wallet was introduced as a variation of an IdP, with the wallet “issuer” captured as a “CSP”.
  • The updated digital identity risk management process includes defining the online service, conducting an initial impact assessment, and tailoring controls based on ongoing risk assessments. [20:00]
  • Continuous evaluation and improvement are emphasized, with recommended performance metrics and redress practices to handle issues fairly. [25:00]

Major Changes in Volume A (Identity Proofing and Enrollment)

  • David Temoshok highlighted updates to proofing roles and types, rebalancing of IAL 1, new identity verification pathways, fraud management requirements, and updated evidence validation requirements. [30:00]
  • Proofing roles now include proofing agents, trusted referees, process assistants, and applicant references. [32:00]
  • IAL 1 rebalancing focuses on reducing friction and increasing optionality for applicants and credential service providers. [35:00]
  • New identity verification pathways at IAL 2 include non-biometric options and digital evidence verification. [38:00]
  • The new fraud management section includes requirements for credential service providers and relying parties, mandatory fraud checks, and communication channels for suspected fraud cases. [42:00]
  • Updated evidence validation requirements include performance metrics for document authentication systems and training for proofing agents. [45:00]

Major Changes in Volume B (Authenticators and Authentication)

  • Andy Regenscheid discussed incremental refinements, new requirements for syncable authenticators, and clarified guidelines for subscriber-controlled digital accounts. [50:00]
  • Syncable authenticators like passkeys are now accommodated, with additional requirements for sync fabrics. [52:00]
  • The revamped account recovery section provides clearer paths and more flexibility for implementing account recovery processes. [55:00]
  • The use of digital wallets as authenticators is clarified, and new account recovery methods are introduced, including saved recovery codes and trusted recovery contacts. [57:00]

Major Changes in Volume C (Federation and Assertions)

  • Ryan Galluzzo explained the updated structure of SP800-63C, modifications to Federation Assurance Level 3, and the introduction of protocol-based examples. [01:00:00]
  • The new structure includes core common federation requirements and separate sections for general-purpose IDP federation and user-controlled wallet federation. [01:02:00]
  • Federation Assurance Level 3 now includes Holder-of-Key assertions and bound authenticators. [01:05:00]
  • Protocol-based examples provide high-level illustrations for implementing federation protocols like OpenID Connect and SAML. [01:08:00]

Public Comment Period and Next Steps

  • The public comment period closes on October 7th. Comments can be submitted via email or using an Excel spreadsheet. The timeline for finalization depends on the volume of comments received. [01:15:00]
  • The team emphasized the importance of public feedback and encouraged participation in the review process. [01:20:00]
  • Feedback sought especially on the following fields:
  • This will be the last public consultation and the publication is expected in the new year.
  • You can engage through the following channels:

Q&A Session

  • Various questions were addressed, including those on document false acceptance rates, biometric performance, and the use of passkeys. [01:25:00]
  • The team provided clarifications on specific requirements and encouraged further comments and feedback from participants. [01:30:00]

Closing Remarks

  • The workshop concluded with a reminder to submit comments and participate in future workshops. The team expressed gratitude for the participants’ time and feedback. [01:35:00]
Deepfake Damages Worth $40 billion? — The Impact of Generative AI on Identity and Countermeasures
https://nat.sakimura.org/2024/08/25/2004/
Sun, 25 Aug 2024

Improving the Accuracy of Deepfakes

Deepfake technology has rapidly developed due to advancements in AI. Early deepfakes were low-quality and easily identifiable as fake. However, from 2018 to 2019, AI-driven image generation technology improved, significantly enhancing image quality with the advent of GANs. Since 2020, Transformers technology has improved consistency in long-duration videos. By 2023, the amount of deepfake content increased by 3000% compared to the previous year.

The Damage from the Misuse of Deepfakes

According to Deloitte’s estimates, fraud losses due to deepfake misuse in 2023 amounted to $12.3 billion and are projected to reach $40 billion by 2027. This represents an average annual growth rate of 32%, with losses more than tripling in four years. New generative AI tools have made it possible to create deepfakes at low costs, particularly targeting the financial services industry. In 2023, deepfake incidents in the fintech sector increased by 700%. Annual losses due to voice deepfakes in contact center fraud are estimated at around $5 billion. It is predicted that deepfake-related incidents will increase by 60% year-on-year in 2024, reaching 150,000 cases globally. Concerns are also rising over unauthorized sexual content and forged identification documents. An illicit industry has emerged on the dark web, selling fraud software.

Real Cases of Fraud Due to Deepfakes

Deepfake fraud targeting corporate executives is on the rise. One example involves a WhatsApp scam targeting the CEO of the world’s largest advertising agency group, WPP. In another case in Hong Kong, a corporate executive impersonation incident led to losses of tens of millions of dollars. There are reports of increasing cyberattacks that exploit AI.

Cyberattacks Using AI Beyond Deepfakes

According to research by Ivanti, many companies report an increase in AI-driven cyberattacks. Such attacks are expected to grow further. Particularly concerning threats include phishing (45%), attacks targeting software vulnerabilities (38%), ransomware attacks (37%), and attacks targeting API vulnerabilities (34%).

Current Status of Deepfake Countermeasures

Banks and other financial institutions are introducing fraud detection systems using AI and machine learning. JP Morgan uses large language models for detecting email fraud. Mastercard has developed a “Decision Intelligence” tool to predict the legitimacy of transactions. However, existing risk management frameworks may not fully cope with new AI technologies.

National Efforts to Counter Deepfakes

There are concerns that it is becoming increasingly difficult to visually distinguish deepfakes. OpenAI plans to offer a deepfake detection tool using its AI. However, since deepfakes are rarely created by a single tool, the effectiveness of such tools is limited. The C2PA initiative is developing standards to display the production process of AI-generated content, akin to food ingredient labels. The UK government has launched a “Deepfake Detection Challenge.” Public awareness campaigns are also being promoted.

Thoughts from an Identity Perspective

The impact of generative AI on identity is extensive, with deepfakes being just one aspect. In terms of deepfake management strategies:

  1. Digital Sender Authentication for Organisational use-cases
  2. Provenance Transparency for disseminated information through web and social media
  3. Human Measures

are some of the countermeasures that come to one’s mind.

Sender Authentication

Rather than relying on humans to judge based on voice or facial images, the sender of the information should be authenticated at a high level before an important transaction is executed (a technical measure). An example of sender authentication would be using CIBA (OpenID Connect Client-Initiated Backchannel Authentication) to push an approval request to a pre-registered device of the person in whose name the request was made by phone or video call.
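The flow described above, simulated end to end as an added example (this is not code from the original post, not a CIBA library, and not a product): an in-memory OpenID Provider and a requesting application exchange the CIBA backchannel authentication request, the push to the registered device, and the polled token response. The client id, user ids, device ids and token values are constructed. The point it shows is that a request made over a phone or video call is honoured only after the named person approves it on a device registered in advance, and that the approval prompt carries a binding_message the caller must be able to read back, so a convincing voice alone cannot complete the transaction.

```python
"""Added example: CIBA-style sender authentication, both sides simulated.
Ids, device names and token values are constructed stand-ins."""
import secrets

GRANT_CIBA = "urn:openid:params:grant-type:ciba"  # CIBA token endpoint grant type


class FakeOP:
    """In-memory OP exposing a backchannel authentication endpoint, a stand-in
    for the push notification to the registered device, and a token endpoint
    in CIBA poll mode."""

    def __init__(self):
        self.devices = {}   # login_hint (user id) -> registered device id
        self.requests = {}  # auth_req_id -> pending request state
        self.pushed = []    # prompts "delivered" to devices (constructed)

    def register_device(self, user, device_id):
        self.devices[user] = device_id

    def backchannel_authentication(self, client_id, login_hint, scope, binding_message):
        if login_hint not in self.devices:
            return {"error": "unknown_user_id"}
        auth_req_id = secrets.token_urlsafe(16)
        self.requests[auth_req_id] = {"user": login_hint, "client": client_id,
                                      "scope": scope, "status": "pending"}
        # The prompt goes to the registered device, never to the caller.
        self.pushed.append({"device": self.devices[login_hint], "auth_req_id": auth_req_id,
                            "client": client_id, "binding_message": binding_message})
        return {"auth_req_id": auth_req_id, "expires_in": 120, "interval": 2}

    def user_decision(self, auth_req_id, approve: bool):
        """Recorded when the person taps approve/deny on the registered device."""
        self.requests[auth_req_id]["status"] = "approved" if approve else "denied"

    def token(self, grant_type, auth_req_id, client_id):
        if grant_type != GRANT_CIBA:
            return {"error": "unsupported_grant_type"}
        req = self.requests.get(auth_req_id)
        if req is None or req["client"] != client_id:
            return {"error": "invalid_grant"}
        if req["status"] == "pending":
            return {"error": "authorization_pending"}  # keep polling after `interval`
        if req["status"] == "denied":
            return {"error": "access_denied"}
        # A real OP returns a signed ID token; an opaque stand-in is used here.
        return {"id_token": f"idtoken-for-{req['user']}", "token_type": "Bearer"}


def authorise_request(op, client_id, user, binding_message, decide_on_device, max_polls=5):
    """Client side: start the backchannel request for `user`, poll the token
    endpoint, and return 'approved:<token>' or 'rejected:<reason>'.
    `decide_on_device` stands in for the human reading the prompt on the
    registered device and returns True (approve) or False (deny)."""
    start = op.backchannel_authentication(client_id, user, "openid", binding_message)
    if "error" in start:
        return "rejected:" + start["error"]
    auth_req_id = start["auth_req_id"]
    for _ in range(max_polls):
        resp = op.token(GRANT_CIBA, auth_req_id, client_id)
        if "id_token" in resp:
            return "approved:" + resp["id_token"]
        if resp["error"] != "authorization_pending":
            return "rejected:" + resp["error"]
        # Still pending: the person on the device decides (a real client would
        # sleep for `interval` seconds before polling again).
        prompt = next(p for p in op.pushed if p["auth_req_id"] == auth_req_id)
        op.user_decision(auth_req_id, decide_on_device(prompt))
    return "rejected:timeout"
```

In the deepfake scenario the attacker controls the phone call but not the registered device: when the prompt on the device shows a binding message or transaction reference the real executive never asked for, they deny it and the token endpoint answers access_denied. The organisational rule from the next paragraph is what makes this stick; the approval must be the only path to execution, with no "the CEO is busy, just do it" override.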

There also have to be organizational measures to ensure this is followed. It is also important to guarantee that someone will not lose their job for insisting on such verification. A typical scam tactic involves applying pressure by saying, “The company’s survival depends on this. If you don’t act immediately, you’ll be fired.” Protecting employees from such pressure is crucial. This requires not just technical measures but also organizational rules within the company.

For deepfake-enabled forgery of identification documents, moving to digitally signed documents is effective. Fortunately, in Japan, the JPKI (public personal authentication) service and the Digital Agency’s digital authentication app are available, so high-level identity verification should rely on these.

Provenance Transparency

It is essential to clarify both how the disseminated information was generated and who the information source is. This is crucial for maintaining the consistency of identity. For example, what would happen if someone created and spread unauthorized sexual content or videos of a person committing a crime? If believed, it would undoubtedly damage others’ perceptions of the person and lead to a loss of trust.

The role of C2PA and Originator Profile is crucial here. They help identify whether the video or image was generated by AI and who the sender is. However, care must be taken regarding free speech.

C2PA and Freedom of Speech

C2PA is a technology designed to prove the origin and editing history of digital content, aiming to prevent the spread of fake news and deepfakes. However, if misused, it could restrict freedom of speech. For instance, the C2PA system could be used to identify journalists, allowing governments to suppress speech. There is also concern that C2PA could be used to enforce specific laws.

Originator Profile and Freedom of Speech

Originator Profile is a technology to verify the authenticity and trustworthiness of web content senders, aimed at preventing misinformation and ad fraud. However, by identifying the sender, anonymity may be lost, potentially restricting freedom of speech. If sender information is misused, it could lead to self-censorship.

Impact on Freedom of Speech

  1. Privacy Concerns: Both technologies collect and manage sender information, raising privacy concerns. This could make it difficult for senders to freely express their opinions.
  2. Risk of Misuse: If these technologies are misused by governments or other authorities, there is a risk that freedom of speech will be restricted, especially targeting journalists or activists.
  3. Transparency and Accountability: Transparency in how these technologies are used and how data is managed is necessary. Without appropriate accountability, freedom of speech could be threatened.

These technologies are important for improving the reliability of digital content, but careful consideration of how they are used and managed is essential to protect freedom of speech.

Human Measures

Finally, human measures are also critical. Even if technical measures are implemented, they are meaningless if not used. However, this is challenging. While it is possible to enforce organizational education and penalties for members within an organization, it is difficult to do the same for the general public. We would have to rely on school education and public awareness campaigns for that. This is an area of concern.

Conclusion

While the capabilities of tools used by attackers are evolving exponentially, human skills do not evolve in the same way, making it impossible to counter them with skills alone without technical support. Therefore, it is necessary to strongly promote technical measures.

At the same time, in terms of social communication, the relationship with freedom of speech is also important, so it is essential not to overdo it. Additionally, the difficulty of human measures must be kept in mind.

Considering all these factors comprehensively, it is crucial to implement balanced measures.

Summary of ABAC vs. ReBAC: An Authorization Policy Showdown
https://nat.sakimura.org/2024/08/25/summary-of-abac-vs-rebac-an-authorization-policy-showdown/
Sun, 25 Aug 2024

I just finished watching the YouTube video titled “ABAC vs. ReBAC: An Authorization Policy Showdown”. Following is a short summary of the video.

YouTube Summary

The video covers a discussion between Gabriel, Alex, and David on the topics of attribute-based access control (ABAC) and relationship-based access control (ReBAC), also known as policy as graph. They explore the key differences between these two approaches to fine-grained authorization, their respective benefits, and potential use cases. The discussion touches on the importance of providing a good developer experience, integrating authorization into the software development lifecycle, and the potential for SaaS and COTS vendors to adopt these approaches based on customer demand. Additionally, they discuss the future of policy languages like ALFA and the potential for standardization efforts.

Key Points

Introduction and Background

The video begins with Gabriel introducing Alex and David as experts in ABAC and ReBAC. They discuss the concept of fine-grained authorization and how it differs from traditional role-based access control (RBAC) by considering additional dimensions such as resource attributes, context, and relationships.

00:07:06 Benefits of ReBAC (Policy as Graph)

David highlights the benefits of using a graph-based approach for authorization, including the availability of existing tooling and frameworks, the ability to perform open-ended queries (search or reverse query evaluation), and the visual representation of policies, which can aid in understanding. Alex adds that graphs are well-suited for analytics and can leverage existing graph algorithms.

00:11:50 Benefits of ABAC (Policy as Code)

Alex discusses the benefits of ABAC, also known as policy as code. He suggests that it may have a lower learning curve for developers accustomed to coding and that it builds upon the mature XACML standard. David adds that ABAC policies can closely mirror plain English requirements, making them easier to understand and maintain.

00:17:20 Managing Complexity and Adoption

The discussion turns to managing the complexity of fine-grained authorization and the prospects for adoption by SaaS and COTS vendors. Gabriel suggests segmenting users and resources into coarse-grained roles or groups and then applying fine-grained policies on top of those segments. David mentions the OpenID Foundation’s AuthZEN working group, which aims to standardize authorization APIs and could thereby drive adoption by vendors.

00:51:00 Developer Experience and Integration

The panelists emphasize the importance of a good developer experience and seamless integration with the software development lifecycle. They discuss the potential for new policy languages or tools to improve that experience, as well as the trend towards no-code solutions. David mentions the ongoing efforts to evolve the ALFA policy language and potentially standardize it.

00:55:46 Distinguishing Authorization from Application Logic

In response to a question from the audience, David provides guidance on distinguishing between authorization policies and application logic. He suggests that authorization policies should be side-effect-free and cover the rules that must be reported on (for audit and compliance), while application logic can handle business rules that carry no such reporting requirement.
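As an added example that is not part of the original post or of the video, the following Python puts the two models side by side on constructed data: an attribute-based decision function (policy as code) and a relationship-tuple graph (policy as graph) with the transitive and reverse-query evaluation David describes as a ReBAC benefit. The subjects, documents, tuples and rules are all made up for illustration, and the two rules are deliberately different, each phrased in the form its model expresses naturally; both decision functions are pure, in line with the side-effect-free guidance above.

```python
"""ABAC (policy as code) beside ReBAC (policy as graph) on constructed data.

Added example, not code from the video or from any product. Both decision
functions are pure: they read attributes or tuples and return a bool, with no
side effects, matching the guidance at the end of the discussion.
"""

# ---------- ABAC: attributes of subject, resource, action and context -------
SUBJECTS = {  # constructed sample data
    "alice": {"clearance": 3, "dept": "eng"},
    "bob":   {"clearance": 1, "dept": "sales"},
}
DOCUMENTS = {  # constructed sample data
    "design.md": {"classification": 2, "archived": False, "dept": "eng"},
    "old.md":    {"classification": 1, "archived": True,  "dept": "eng"},
    "quote.pdf": {"classification": 1, "archived": False, "dept": "sales"},
}

def abac_permit(subject_id: str, doc_id: str, action: str, ctx: dict) -> bool:
    """Plain-English rule as code: a user may view a document of their own
    department if their clearance covers its classification; an archived
    document is viewable only during a legal-hold review (a context attribute)."""
    s, d = SUBJECTS[subject_id], DOCUMENTS[doc_id]
    if action != "view":
        return False
    if d["archived"] and not ctx.get("legal_hold_review", False):
        return False
    return s["clearance"] >= d["classification"] and s["dept"] == d["dept"]

# ---------- ReBAC: relationship tuples form a directed graph ---------------
# (subject, relation, object). "editor" implies "viewer"; a "parent" edge lets
# a relation held on a folder flow down to everything the folder contains.
TUPLES = [  # constructed sample data
    ("alice", "editor", "folder:eng"),
    ("bob", "viewer", "doc:quote.pdf"),
    ("folder:eng", "parent", "doc:design.md"),
    ("folder:eng", "parent", "folder:archive"),
    ("folder:archive", "parent", "doc:old.md"),
]
IMPLIED = {"editor": {"editor", "viewer"}, "viewer": {"viewer"}}

def _containers(obj: str, tuples) -> set:
    """Return obj plus every folder that transitively contains it."""
    seen, stack = set(), [obj]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(parent for parent, rel, child in tuples
                     if rel == "parent" and child == cur)
    return seen

def rebac_check(subject: str, relation: str, obj: str, tuples=TUPLES) -> bool:
    """Point query: does subject hold relation on obj, directly or through a
    containing folder, counting implied relations?"""
    for node in _containers(obj, tuples):
        for s, rel, o in tuples:
            if s == subject and o == node and relation in IMPLIED.get(rel, set()):
                return True
    return False

def rebac_list_objects(subject: str, relation: str, tuples=TUPLES) -> list:
    """Reverse (open-ended) query: every document on which subject holds
    relation, found by walking the graph outward from the subject rather than
    by re-evaluating a policy against each candidate resource."""
    roots = {o for s, rel, o in tuples
             if s == subject and relation in IMPLIED.get(rel, set())}
    seen, stack = set(), list(roots)
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(child for parent, rel, child in tuples
                     if rel == "parent" and parent == cur)
    return sorted(o for o in seen if o.startswith("doc:"))

if __name__ == "__main__":
    print(abac_permit("alice", "design.md", "view", {}))   # True
    print(abac_permit("alice", "old.md", "view", {}))      # False, archived
    print(rebac_check("alice", "viewer", "doc:old.md"))    # True, via folder:eng
    print(rebac_list_objects("alice", "viewer"))           # ['doc:design.md', 'doc:old.md']
```

The contrast the panel draws shows up directly: the clearance and legal-hold conditions are one-liners over attributes in `abac_permit` but have no natural home in the tuple graph, while folder inheritance and the "what can Alice see?" reverse query fall out of a graph walk in `rebac_list_objects` but would require the attribute policy to be evaluated once per candidate document.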

2nd Public Consultation for NIST SP800-63-4 Digital Identity Guidelines started
https://nat.sakimura.org/2024/08/22/2nd-public-consultation-for-nist-sp800-63-4-digital-identity-guidelines-started/
Thu, 22 Aug 2024 01:16:59 +0000

NIST published the new draft of NIST SP800-63-4 Digital Identity Guidelines on August 21. The public consultation runs until October 7. The main points are as follows:

Overview of NIST’s Digital Identity Guidelines Update

  • NIST has updated its draft digital identity guidance to enhance security and accessibility.
  • The update reflects feedback from various stakeholders, including private industry and advocacy groups.
  • The guidelines aim to balance anti-fraud measures with equitable access to digital services.

Key Features of the Updated Guidelines

  • The draft includes guidance on modern digital pathways, such as syncable authenticators and user-controlled wallets.
  • Syncable authenticators (passkeys) provide enhanced security compared to traditional passwords.
  • User-controlled wallets can store various digital credentials, including identification documents.

Accessibility and Traditional Identification Methods

  • The guidelines ensure that individuals without smartphones or digital credentials can still access services.
  • Expanded guidance includes in-person identity proofing and handling exceptions for those lacking traditional identification.
  • The concept of “applicant reference” allows trusted individuals to vouch for those without identification.

Biometric Identification and Privacy Considerations

  • The updated guidance maintains the use of biometrics for identity verification, emphasizing accuracy and privacy.
  • Alternatives to biometric methods are encouraged, especially for public service systems.
  • NIST aims to ensure that biometric systems include manual processes to address potential errors.
Public consultation for EUDIW Implementing Act Started
https://nat.sakimura.org/2024/08/13/public-consultation-for-eudiw-implementing-act-started/
Tue, 13 Aug 2024 01:20:56 +0000

On August 12, the public consultation for the Implementing Act of the EU Digital Identity Wallet (EUDIW) began. Anyone can submit comments to this public consultation. The deadline is September 9.

There are five documents attached to the public consultation. You can read the introduction to each document by clicking the links above, but for convenience I am listing them here, since it is more useful to have them displayed together.

European Digital Identity Wallets – certification

This initiative aims to lay down the requirements for certification of the conformity of European Digital Identity Wallets. Where Member States cannot use European cybersecurity certification schemes based on Regulation (EU) 2019/881 or if such schemes are not sufficient, they must establish national certification schemes to supplement them. These schemes must, for instance, specify the competence requirements and an evaluation process.

European Digital Identity Wallets – protocols and interfaces to be supported

This is one of four initiatives on the main set-up of the European Digital Identity Wallets. It aims to ensure the proper implementation of protocols and interfaces crucial for the effective operation of the wallets.

By supporting common protocols and interfaces, the wallets can guarantee:

  • successful issuance and presentation of identification data and electronic attestations;
  • successful data sharing between wallet units; and
  • efficient communication with relevant parties.

European Digital Identity Wallets – integrity and core functionalities

This is one of four initiatives on the main set-up of the European Digital Identity Wallets. It aims to lay down rules to ensure that Member States provide wallets that are interoperable and can be used for all their intended purposes.

For example, the wallets should enable:

  • secure online cross-border identification for a wide range of public and private services;
  • sharing of electronic attestations; and
  • issuance of electronic signatures.

European Digital Identity Wallets – trust framework

This initiative is one of four initiatives on the main set-up of the European Digital Identity Wallets.

It aims to ensure that the electronic notification system established by the European Commission acts as a secure and transparent communication channel for exchanging information between the Commission and the Member States.

European Digital Identity Wallets – person identification data and electronic attestations of attributes

This initiative is one of four initiatives on the main set-up of the European Digital Identity Wallets.

It aims to ensure the smooth lifecycle management of both personal identification data and electronic attestations, covering issuance, verification, revocation and suspension. This guarantees that users’ personal identification data and electronic attestations are issued to the wallet and can be disclosed to relevant parties.
