Threats to consider when integrating Digital ID solutions into your organization

This article aims to help you gain a better understanding of the threat surface associated with integrating Digital ID solutions into your organization.

Szymon Chadam 2025.06.03   –   6 MIN read

Digital identity is the latest innovation in the governmental sector. The eIDAS regulation introduced in the European Union requires that all EU member states implement a fully digital version of identity documents. The trend, however, is global and soon all your government-issued documents will be easily accessible through your smartphone, no matter where you live.  

Consequently, this means that some processes within your organization, particularly those related to identity, will have to change and embrace this innovation. This, in turn, can introduce potential new threats you need to consider to seamlessly adapt to the new technology. We hope that this article will help you gain a better understanding of the threat landscape associated with Digital ID solutions.  

Vulnerable integration 

During the integration phase, you’re tasked with embedding Digital ID verification into processes within your organization. This is also the phase where the first and possibly most critical security hurdles can appear. Digital identity solutions are inherently complex, as they all rely on multi-step processes that involve cryptography to perform identity verification. It’s safe to assume that dabbling with novel cryptographic protocols is not part of the daily routine for most developers, so it’s understandable that mistakes are bound to happen.

There have been many cases where similar identity-related products were found to contain easy-to-exploit vulnerabilities that allowed a complete bypass of authentication. Creating a secure SSO integration is no easy feat, and even the biggest tech giants such as Apple or Microsoft have been found to be vulnerable.

What’s more, since Digital ID solutions are relatively new, there are no easily accessible guides or best practices to follow. This, in turn, can make the process of integration full of anxiety and second-guessing yourself – especially considering what’s at stake. Additionally, since every digital identity system might work in a slightly different way, each integration attempt should be looked at on a case-by-case basis rather than follow a universal guideline. 

With all of this in mind, you should take great caution when integrating digital identity solutions within your organization. Considering they can potentially replace a critical part of user authentication, extreme attention to all aspects of the integration is required. Start off with an extensive threat model, cover all potential use cases of the new feature, and proceed with extensive security testing before deployment to verify that there are no hidden edge cases waiting to be exploited by a potential threat actor.

The human factor 

Bringing Digital ID into your organization can introduce a wide range of new attack vectors. This section covers threats related to quite possibly the easiest target to attack within your business: the human.

As an example, let’s say you’re representing a telecommunications company that wants to integrate a Digital ID system into all aspects of customer service. Naturally, for some sensitive operations such as issuing a replacement SIM card, great care must be taken to ensure that the identity of the customer is verified properly. Because verifying a digital identity might look different from verifying a traditional plastic document, all employees should be trained on how to verify it properly.

Let’s assume that in our example, customer service employees were not trained on how to properly verify clients’ digital ID documents. As a result, an attacker could potentially tamper with the official, government-issued document so that it appears to belong to a completely different person. Have a look at the following video where we showcase how easy it can be to hijack someone’s identity if the verification process is not performed properly.

Such an attack could be used against the organization to perform a popular SIM-swapping attack and successfully receive a duplicate SIM card of the victim. To visualize how dangerous yet easy to execute this attack is, have a look at our real-life attempt at one of the biggest telecommunications companies in the region.  

Now, think of all the processes within your organization that directly or indirectly require ID verification and human interaction. Bear in mind that these are not limited only to interactions with your potential or existing customers but are also commonly found in high-risk procedures within the organization itself, such as employee account recovery or onboarding. 

Have you assessed the risk and potential consequences of improper Digital ID verification and mitigated the issue? Have you ensured that all employees are up to date with the latest attacks involving Digital ID solutions? Consider performing a red-team assessment and verify whether you’re resilient against a sophisticated attacker in real-life scenarios. 

Vulnerable Digital ID 

Let’s say you’ve mitigated all the above-mentioned threats. You’ve performed extensive threat modeling, your integration is rock-solid in terms of security, and last but not least, you’ve extensively trained all of your staff. Even if you feel like you’ve done everything that can be done to ensure the security of your organization, there are still major threats impacting your business that are out of your control. What if the digital system itself is not secure? What if there are hidden vulnerabilities that allow any attacker to take over anyone’s digital identity and subsequently use it against your organization? After all, you’re integrating a third-party solution into your codebase, and as a result, you should not rely on the government having performed the required due diligence.

Those things do happen, and we’ve seen it firsthand 😉. During one of our latest research projects, we audited the Digital ID system created by the Government of Poland and uncovered critical vulnerabilities that would allow an attacker to hijack someone’s identity and bypass even the most secure way of Digital ID verification. For additional context, have a look at our other article, where we describe in depth the technical vulnerabilities found within it.

Summary 

Digital ID systems are the latest innovation that directly impacts how you carry out your business. No matter the industry or scale, you will have to adapt and embrace this new technology.  

As with all things new, one can’t simply integrate it on a large scale and hope for the best. A solid, comprehensive and in-depth security assessment across all domains is required to ensure proper resilience against any potential bad actors. Consult experts in the field with proven experience with Digital ID systems to cover all bases. 

Szymon Chadam IT Security Consultant