by Anthony Powers*

* J.D. Candidate, 2026, Indiana University Robert H. McKinney School of Law—Indianapolis, Indiana; B.A. 2018, Ave Maria University—Ave Maria, FL. Thank you to my faculty advisor, Professor Nehf, for the support and assistance in writing this note.

Introduction

When the Social Security Number (SSN) was introduced in 1936, it had a singular purpose—to track the lifetime earnings of American workers, determining whether they qualified for Social Security benefits.[1] While the cards are counterfeit-resistant, they were never intended to serve as a form of identification for the individual and carries no information allowing it to serve as proof of identity.[2] But in 1943, federal agencies began using the SSN to identify individuals in new record systems.[3] As its administrative uses grew, private industry began requesting SSNs as a unique identifier.[4] With this growing private use, abuse by malicious actors also became prevalent.[5] For example, in April 2024, 2.9 billion pieces of personally identifying information, including SSNs, were offered for sale following a single data breach.[6]

The uses and necessity of identification have grown to include a variety of applications, ranging from purchasing tobacco[7] to employment verification[8] to lending.[9] In the wake of the COVID-19 pandemic, desire for online versions of these processes skyrocketed and third-party services have appeared to capitalize on that need by filling the identity-verification gap.[10] Some countries had frameworks already in place before the pandemic, such as India. India’s Aadhaar system has been in place since 2016 and manages identities for a nation of over a billion citizens.[11]

The United States does not have a singular national identification system.[12] The closest it has is the social security system or tax identification number system, both of which assign a number to each person covered by the program.[13] Instead, states issue identification to their citizens that is mutually recognized by other states and the federal government.[14] This recognition is based on the states using the same requirements to prove the identity of citizens.[15] The process of proving the identity of an individual seeking a credential will be described as “identity proofing” for purposes of this note.

But simple national identification is seen as insufficient by some, instead advocating for a national digital identity system.[16] The widespread use of a digital identity would allow transactions that are typically limited to predominantly in-person affairs to be done at a distance.[17] The COVID-19 pandemic highlighted just how much impact having the ability to transact remotely could have, where digital identification systems served as one of the most important factors determining the impact a given government’s financial interventions had upon its populace.[18] The simplification of government service processes could save up to 110 billion hours globally, and the cost savings and fraud reduction that accompany it could save up to $1.6 trillion.[19]

In the United States, the Improving Digital Identity Act seeks to establish an executive task force to coordinate cooperation between levels of government in adopting digital versions of physical identity credentials.[20] Nine states have rolled out digital identity schemes focused on the concept of a “mobile driver’s license” which will be accepted at airports.[21] But the United States is not presently ready to take this system on at a federal level. Twenty years after the REAL ID Act was initially passed, it has yet to come into full force and some states issue identification cards without the required proof of identity.[22]

This Note argues that the United States is currently not prepared to implement a national ID system. Before establishing the rest of a digital identity scheme, the United States needs a basis to prove identities. Fortunately, the skeleton already exists in the United States, and lessons from Aadhaar in India, as well as the experiences of some states, can help build upon it. Part I provides an overview of the present landscape of federal legislation and regulations regarding establishing digital identity. Part II discusses and compares the Indian Aadhaar system to the current American identification scheme. Part III briefly describes some existing state initiatives to establish digital identity systems, focusing on California and Colorado. Part IV then compares all three regimes and draws some conclusions about best practices. Finally, Part V synthesizes these pieces to propose a recommendation for the present landscape to be used to establish a workable scheme of identity proofing for digital identification. A state-based system set up to meet federal requirements, much like the REAL ID Act has set forth, incorporating some of the pieces India has implemented to accelerate adoption, forms the best basis for an American digital identity system.

I. Overview of the Federal Digital Identity Landscape

In the United States, there are few laws regulating digital identity landscapes. Two acts—the Information Privacy Act and the Federal Information Security Modernization Act—protect the privacy of individuals accessing federal services.[23] The Improving Digital Identity Act has been introduced to Congress several times but would do little more than establish an exploratory team.[24] The primary obstacle legislation has encountered is the foundational idea that identity is established at the state level.[25] A method of working around that principle is the establishment of guidelines to be considered in state digital identity programs, such as the ones promulgated by the National Institute for Standards and Technology.

A. Physical Identification Requirements

Physical identification mandates for federal facilities began in May 2025 pursuant to the REAL ID Act.[26] The other leading form of federal identification available is the U.S. passport, controlled by Congress and the Department of State.[27] While neither of these identifications provide digital identities, they do demonstrate federal expectations for establishing a person’s identity.

The REAL ID Act has explicit expectations to prove identity. To receive a compliant identification, an individual must present: (1) either a photo identity document or a document with both the full legal name and date of birth; (2) documentation of the date of birth; (3) proof of the social security number or proof that the individual is ineligible for one; and (4) documentation showing the name and address of principle residence.[28] The documents must then be verified by the issuing state to ensure they are valid, complete, and legitimate.[29] All applicants must submit a photograph.[30] Anyone applying for an identification card must sign a declaration under penalty of perjury that the information presented is true and accurate.[31] Only after verifying their identity can the identification document be issued.[32] A REAL ID-compliant identification document must include the full legal name, date of birth, gender, digital photograph, address of principal residence, signature, card identification number, anti-tamper security measures, and machine-readable technology.[33]

Passports have fewer explicit requirements. An individual must appear in person to apply for a passport for the first time and verify by oath or affirmation that the information presented is accurate.[34] Proving the identity requires a previous passport, a government-issued photo identification, or “other identifying evidence” such as a witness affidavit.[35] A first-time applicant is usually required to present a birth certificate to show proof of citizenship.[36] The proofs may be gathered by a “passport acceptance agent,” but the application must be approved by a “passport authorizing officer” before the passport can be issued.[37]

Those two areas of law are the extent of the federal government’s formal requirements for establishing identity. There is no existing system for digital identities, although Congress has supported introducing one. The Improving Digital Identity Act of 2023 was one of a number of attempts to pass this legislation.[38] It sought to establish an executive task force to coordinate the adoption of digital identity credentials between different agencies and levels of government.[39] If enacted, the task force director’s first job is to produce guidance for federal agencies, followed by a report cataloguing options and recommendations for best practices.[40] The task force would be explicitly forbidden from recommending a single national identity credential provided by the federal government or a unified central registry of credentials for digital identification.[41] Likewise, it could not recommend a requirement for digital identification for a given public purpose.[42] These limits outline a system similar to how physical IDs already work, with no central database of credentials or a single national identity credential outside the passport.[43]

The REAL ID Act is the most important piece of legislation on identity systems in the United States, and it is key in forming a digital identity scheme. And while the Improving Digital Identity Act is only a proposed step towards an adoption of a digital identity system at the federal level, it is not the only move the United States has made toward legitimizing digital identity credentials. The National Institute of Standards and Technology (NIST) is in the process of revising its regulations on establishing digital identity in what will be the fourth version of the document.[44] It, combined with the REAL ID Act, make up the skeleton the United States already has in place.

B. NIST’s Digital Identity Framework

NIST’s mandate includes research, development support, and promotion of best practices to reduce cyber risk to critical infrastructure.[45] The Secretary of Commerce’s prerogative is to prescribe standards and guidelines for federal information systems based on NIST’s standards.[46] The NIST standards for digital identification, promulgated in a Special Publication, are obligatory for federal systems.[47] In establishing these guidelines, NIST subdivides the identification process into several constituent parts.[48] Most important for this Note is “identity proofing,” the process of providing evidence of identity.[49] NIST’s guidelines include the purpose for identity proofing, the rigor of verification, the necessary evidence, and the processes to follow, all discussed in more detail below.

To understand what is necessary, NIST outlines several goals for identity proofing to accomplish, each with specific names. It exists to ensure (1) a single, unique individual (identity resolution) provides (2) genuine, authentic and valid evidence (evidence validation) of (3) accurate attributes (attribute validation) (4) genuinely owned by the claimant (identity verification) and (5) is used to enroll the individual in an identity service (identity enrollment).[50] There must also be fraud mitigation protections in place to prevent a breakdown in any of those five goals.[51] The attributes are the heart of the identity proofing system.[52] Attributes are characteristics of the individual that, when aggregated and verified, uniquely and accurately distinguish the individual from the rest of the population.[53] NIST recommends using the smallest possible set of attributes necessary to reach the necessary level of confidence.[54] These levels of confidence are the “assurance levels.”[55]

Identity Assurance Levels (IALs) categorize groups of proof requirements and the level of confidence they establish.[56] The three levels increase in rigor of validation processes to ensure greater confidence in the identity of the individual.[57] IAL1 verifies attributes of the individual against a known database.[58] IAL2 requires more information and a more rigorous process to validate the evidence provided.[59] IAL3 requires on-site identity proofing sessions and collection of biometric identifiers, and more rigorous verification of other attributes provided by the applicant.[60] Selection of the assurance level should be based on the level of confidence the program needs to ensure the identity corresponds to a unique individual, that the evidence is accurate and valid, that the individual can be enrolled in the identity service, and that fraud is mitigated.[61] For purposes of establishing a form of digital identification sufficient to access federal facilities under the REAL ID Act, IAL2 is the closest fit, because it requires two different forms of proof, at least one of which must be verified against a known government database without requiring biometric markers to be taken.

Evidence can be produced to establish identity in two combinations, subject to verification:[62] either (1) one piece of “fair” evidence and one piece of “strong” evidence or (2) one piece of “superior” evidence.[63] “Fair” evidence includes accounts that require some sort of identification process to open, such as financial or telephone accounts, student identification cards, employment identification, or social security cards.[64] “Strong” evidence includes photo IDs issued by a governing agency, such as a driver’s license.[65] “Superior” evidence includes cryptographic verification, biometric markers, or both, such as passports and Personal Identification Verification cards issued by federal agencies.[66] Documents can be verified through several methods, including an on-site tactile inspection, a remote visual inspection, or an automated validation.[67] Without using one of these verification processes, a credential should not be issued because the identity is still unconfirmed.[68] If an individual has no documents, NIST requires a “referee” system, to determine whether to grant a credential if documents are lacking.[69] Additionally, there is an optional path to use references to attest to identity or status as an explanation for the absence of documents, but providers are not required to establish a reference process.[70]

To prevent problems, NIST states, knowledge-based verification is insufficient to establish identity.[71] To make it abundantly clear, NIST states, “[k]nowledge of the SSN is not sufficient for identity evidence.”[72] Likewise, being able to give a driver’s license number, full name, or birthdate without providing any form of credential is also knowledge-based verification.[73] Using those fields must come with comparing the machine-readable zone to the provided answers to ensure the consistency of the data and prevent forgeries.[74]

NIST also requires two processes, one remote and unattended, and one attended and either in-person or remote, both of which must be available to prove identities at IAL2.[75] Independent third parties may perform these processes.[76] While the actual attributes collected will vary, IAL2 has a best practice of gathering first name, middle initial, last name, a unique identifier associated with the individual in government records (such as a social security number, tax identification number, or driver’s license number), and a physical or digital address to which communications can be directed.[77]

The NIST IAL2 process is readily adaptable to the REAL ID requirements to establish an identity sufficient to use a digital identity credential. It resembles the REAL ID Act and can form a skeleton for what a nationwide system should look like. But a robust system requires more than a skeleton, and India provides lessons to supplement it.

II. India’s Aadhaar System

India’s Aadhaar system went live in 2016, so it has already experienced some of the early adoption problems the United States should avoid.[78] As explored below, Aadhaar has already had to create solutions for ensuring unique identities for over one billion people, including individuals who have no identification documents, and preventing fraud.

Aadhaar was designed to give Indian citizens unique identities and access to government services.[79] In order to ensure no duplication among India’s one billion citizens, enrollment also requires handing over biometric information via fingerprints and iris scans, unless the individual is under the age of five. [80] For those children, biometric and address information for a parent or guardian is required, in addition to name, date of birth, gender, and facial image of the child.[81]

Enrolling in the system must occur in person at enrollment centers.[82] The centers collect biometric information at the time of enrollment.[83] These enrollment centers are operated by third-party agencies, subject to quality control measures to continue their operation.[84] The agencies were appointed to carry out enrollment with additional temporary centers to handle the initial high volumes.[85] Appointing agencies are the purview of both state and central governments.[86]

To establish identity, individuals must present “one or more” documents providing proof of identity, address, and date of birth.[87] Acceptable documents for proof of identity include a passport, voter ID, driving license, student ID card, or other government-issued document with a photograph and name.[88] Proof of address can be established by certain proof of identity documents, recent bills, tax documents, or vehicle registration, among other documents.[89] Date of birth must be proven by birth certificate, passport, certificate of date of birth issued by a government agency, or the Indian equivalent of a secondary school diploma.[90]

India has also established identity verification methods for individuals who do not have all the necessary documents.[91] One of these, the “introducer” method, requires the applicant’s demographic and biometric information, and the introducer’s name, signature, and Aadhaar number, after the introducer registers for the role.[92] Alternatively, the head of a family may serve as the basis for establishing the identity of every member of the family for which a familial relationship can be proven.[93] In the first eight months the system was operational, nearly one million individuals registered using the introducer method, less than a tenth of a percent of the total.[94]

Once the proofs are collected, they are submitted to the Indian government remotely to verify that no one else has established this identity.[95] Upon clearing this check, the individual will then receive an Aadhaar number and be eligible to access welfare programs worth approximately three percent of India’s GDP, in addition to other benefits.[96]

Fraud is one of the biggest concerns with these identification systems..  India has established penalties to prevent fraud, including a three-year prison sentence for providing false demographic information.[97] Requiring the introducer to sign and affix their own Aadhaar number to the application also prevents introducers from hiding behind a secret identity.

India’s system has proven to be highly controversial, in large part due to the collection of biometric information.[98] It has been linked to identities so tightly that even everyday services are connected to Aadhaar numbers,[99] much like SSNs have become in the United States. India’s system may not be perfect, but it works.[100] And here in the United States, some states have also introduced efficient identification systems.

III. State Identification Schemes

Several states have begun the process of establishing forms of online identification to use services. More than fifteen states have passed legislation requiring age verification for adult-oriented websites.[101] Post offices help prove identities for federal benefits in both Arkansas and Hawaii.[102] Oklahoma implemented an in-person identification process after launching a digital-first process for unemployment benefits.[103] But California and Colorado are the leaders in this charge. Their programs will be introduced briefly here before their compliance with the REAL ID Act and the NIST guidelines are analyzed in Part IV below.

California is currently in the midst of a pilot test for a mobile driver’s license program.[104] However, in order to enroll in the program, a physical identity card is required.[105] Participants enroll by taking a picture of the front and back of the driver’s license and submitting a facial scan.[106] These are then sent remotely to the California Department of Motor Vehicles to process the request.[107] Right now, it is accepted only for limited government services.[108] Though limited elsewhere in California, users can present their “Eligible Digital IDs” at TSA checkpoints in American airports.[109]

Colorado was the first state to create a digital ID app.[110] Enrollment requires users to scan the back of their driver’s license or other government-issued ID and complete a facial scan.[111] The Colorado Division of Motor Vehicles then remotely elects to add the credential to a digital wallet.[112] When implementing the program, it was intended to be compliant with the REAL ID Act.[113] Despite that intention, unlike California, Colorado’s digital ID is not  universally accepted at all TSA checkpoints.[114] But  the myColorado app can handle more than just a driver’s license, such as fishing licenses and vehicle registrations.[115]

IV. Determining Best Practices

A. Aadhaar vs. NIST

India and the United States use similar foundations for establishing identity digitally, namely, using physical identification documents already obtained through a formalized process.[116] Both systems require similar attributes to establish identity, including an individual’s legal name, mailing address, and government photograph.[117] However, India requires multiple forms of biometric information, whereas NIST only requires biometric data at IAL3.[118]

NIST’s position on optional biometric markers for IAL1 and IAL2 is wise after India’s experience with privacy concerns. In 2018, the Unique Identification Authority of India launched a probe into unauthorized access to Aadhaar information after the demographic information for hundreds of millions of Indians was discovered to be for sale.[119] The biometric information was reportedly unharmed in that breach.[120] However, the breach demonstrated the great risk of using biometric information on such a large scale. Generally, biometric data cannot be re-issued once compromised, and biometric identity theft in the United States is an emerging area of concern for the FTC.[121] Requiring biometric data would introduce unnecessary risk. The risks and benefits are not the only part of the enrollment process that India and the United States have weighed differently.

Both India and the United States worry about access to the identification process.[122] However, they remedy their concerns in different ways. NIST’s first remedy is to offer remote identity verification processes to promote equity.[123] To combat these concerns, NIST requires trusted referees for individuals who lack sufficient proof of identity.[124] The role of referees is to determine whether an identity can be established in the face of missing credentials.[125]  This leaves wide latitude and a possibility for inequity in practice based on differences in individual referees. Contrastly, the references option, more similar to India, is a merely optional system that credential service providers would not be required to provide.[126] Unfortunately, research indicates that roughly twenty-one million Americans lack readily accessible identification documents, and nearly four million have no identification documents at all.[127] Meanwhile, India established the introducer and head of family proofs to account for the portions of its population who do not have access to identification documents.[128] However, the pre-verification process for people without identification documents is not the only difference between the two systems.

India’s Aadhaar system has seen more enrollments than there are people in the United States. In July 2022, six years after Aadhaar became mandatory, India witnessed fifty-three lakh (5.3 million) new enrollments.[129] In October 2022, nearly 128 crore (1.28 billion) living persons had Aadhaar numbers.[130] Contracting with third parties on both a temporary and permanent basis plays a significant role in India’s ability to handle these numbers. NIST’s recommendations allow third-party agencies to handle those enrollments, which will likely be necessary for purely logistical reasons. India requires government approval of every single application, even though third parties gather the information. The NIST third-party service provider process does not require a government agency to verify the information provided before issuing an identification card or number.[131] However, the NIST guidelines are also written to be used broadly[132] and provides a process for government agencies to take their own steps to improve the process.[133] And today, the passport enrollment process allows for third-party enrollment agents.[134] So although the two nations view third parties differently, the United States has the flexibility to emulate India’s identity verification system.

B. States vs. NIST

Likewise, states have implemented their own identity verification processes, but several do not follow NIST’s recommendations. Colorado and California have similar programs with similar problems. The biggest difference is that California requires users to scan both sides of the driver’s license while Colorado requires only the back, the side with the machine-readable zone.[135] Both require a facial scan, remote submission of an image of the ID and a facial image, and verification by the agency in charge of motor vehicles before the mobile credential will be issued.[136] Because of those similarities in fundamental elements of the scheme, both have the same relationship to NIST’s guidelines and other federal laws. Colorado and California’s processes are within the REAL ID Act’s purview because the Act mandates state-issued identification.[137]

But the proofs the two states require do not match NIST’s requirements. It is unclear if solely using a form of identification that already meets REAL ID requirements will be sufficient for establishing identity to issue a new REAL ID-compliant identification. On the one hand, to receive a REAL ID-compliant identification, all the necessary attributes must have already been established. On the other hand, the REAL ID-compliant card does not include all necessary information, specifically one’s SSN.[138] REAL ID-compliant cards also require multiple forms of identification, not just a singular one with all necessary information.[139] This will likely need to be clarified when the REAL ID Act goes into full force.[140]

States have already started transitioning to electronic identification programs, and the route taken by the REAL ID Act is sufficient to form a basis for a federal system, provided the federal system upholds certain standards. However, states will have to modify how they issue these records to comply with the NIST standards and use these identifications for federal services. California and Colorado’s systems are straightforward and rely entirely upon the identity-proofing process necessary to receive a driver’s license, because the driver’s license is the sole proof required. The driver’s license is already partially controlled by the REAL ID Act.[141] And as a basis for the system, a driver’s license has already been determined to be sufficient as a form of identification recognizable throughout the nation.[142]

There are other, smaller problems as well. Neither state program has any form of an attended process, either remotely or in-person, so for that alone, they presently fall afoul of the NIST standard.[143] Colorado requiring only the back of a driver’s license may run into problems with NIST, because NIST requires that a machine-read zone be compared against the plaintext to verify the document. If Colorado is using that machine-read portion to compare against the plaintext database, it is unclear whether this would be a problem.[144]

It is unclear from the information available whether California or Colorado require a human to review the submitted application, or whether a computer program performs the comparison and issues the credential.[145] NIST permits automated validation of an identity document, but state motor vehicle agencies do not have access to the database to validate SSNs automatically.[146]

The programs are both based entirely on a singular form of identification, which is not sufficient for IAL2 in NIST’s identity proofing manual, unless the proof meets the requirements for “superior.”[147] A driver’s license is not a “superior” credential.[148] Without requiring a second form of identification, Colorado and California’s processes do not meet the NIST’s requirements.

Despite these apparent discontinuities between the state and NIST requirements, the gaps are small. Filling in the gaps would sufficiently  establish a scheme that satisfies both the requirements set out by NIST and the REAL ID Act.

V. Crafting a Solution

NIST’s guidance places the United States on the right track to implement a national digital identity system. There are two key lessons the United States should learn from India, and two more the federal government should learn from Colorado and California’s experiences before evaluating a final form for the national scheme.

A. Lessons from India

The first lesson the United States should learn from India is founded in equity. The Indian system provides strong opportunities for those without sufficient identity documents to still enroll in Aadhaar, especially through the head of family proofs and the introducer process.[149] NIST’s trusted referees and references options are a step in this direction, but as drafted, they leave too much discretion to the individuals serving in those roles.

            Second, the United States should take cues from how India resolved logistical concerns, managing to enroll over 1.25 billion people in the system in only six years through permanent and temporary processing facilities.[150] The United States already mimics this structure to issue passports, where the individual seeking the credential can complete the application with a third-party provider, then send the application to the State Department for final approval.[151] This keeps issuance authority within the government, specifically the body actually issuing the credential, while also allowing for efficiencies in gathering the proofs. A national digital identity program should incorporate a similar structure to likewise experience India’s impressive enrollment numbers.

These two lessons from India will help the United States avoid India’s pitfalls launch an efficient digital identity program. However, further lessons from Colorado and California can enhance that efficiency and ensure the highest quality program at launch.

B. Lessons from States

            The first lesson the federal government should learn from the experience of the states is that adoption rates are lower when enrollment is optional. Unlike in India, where compliance was mandatory to receive benefits, states allow their citizens to opt in to digital identities. Accordingly, they have seen lower adoption rates. Colorado saw 1.5 million sign-ups in the program’s first five years.[152] With lower demand, there is also less demand for third-party agencies to intervene. Thus, while the Indian experience required a robust set of regulations for third-party agencies to receive contracts and issue Aadhaar numbers,[153] an opt-in scheme may allow the federal government to handle a national digital identity program through existing government agencies without third-party intervention.

            Second, the federal government should learn from how states have managed to merge several kinds of documents into the identification, such as hunting and fishing licenses and vehicle registrations.[154] One of the oft-cited benefits of digital identification is no longer needing to carry paper documents everywhere, allowing for a digital identity to serve as a repository for the cumbersome documents.[155] The federal government issues several licenses, such as the NMLS license for mortgage loan originators,[156] the TSA pre-check program,[157] national parks recreation passes,[158] and licenses for firearms dealers.[159] These licenses all require the applicant’s identity be verified before issuance, so integrating the credentials into a singular digital identity would save significant time. It would also provide important efficiency and security in the face of natural disasters, when individuals are likely to lose access to their paper documents, especially non-essential identification documents.[160]

            Colorado and California’s experiences can further strengthen the benefits and efficiencies of the digital identity scheme. After taking the lessons from India and the States into account, establishing the framework of a national digital identity scheme is possible.

C. Synthesizing the Elements

            The ultimate form a national digital identity scheme could take is an open question, but this Note has explored several characteristics to help. The necessary proofs to establish one’s identity can come from the REAL ID Act, but requiring a form of biometric proof will assume too much risk for the current program’s needs. There must be two processes available: one in-person and facilitated by a worker, and one remote and not proctored. Equity demands some form of introducer-based enrollment process for individuals who do not have access to identity documents, though this process must also come with strict fraud prevention methods, such as personal liability for the introducer. Efficiency may require third-party groups to collect the proofs, but the actual identity verification and  credential issuance should come from a government agency, like the U.S. passport.[161] To help incentivize adoption, these identifications should incorporate multiple credentials, such as national parks passes or TSA pre-check. Finally, a digital national identity system should remain optional, leaving paper documents as an option for those who decline to participate in this scheme.

The United States is close to being able to roll out a national digital identity service. As argued above, California and Colorado are not far from NIST compliance. But after that, state-based digital identification documents must reach NIST and REAL ID Act standards, establishing identity sufficiently for access to federal facilities and services. From there, the United States government need only take cues from India to ensure the system works by establishing equity-based alternatives, such as introducers, and allowing the use of third-party enrollment agencies to assist in the scale of adoption necessary when it becomes a legitimate alternative to accessing federal benefits.

Conclusion

It is possible for the United States to implement a uniform digital identity system, but to establish the necessary trust in those identities, the identity itself must have sufficient trust. While states are issuing digital identities, they are not operating at the necessary level to establish sufficient trust. The standards proposed by NIST, the REAL ID Act, and the corresponding regulations provide a basis that can be adapted into a useful framework. It should learn lessons from India, California, and Colorado, but until those standards reach the level NIST requires, the United States is not ready to validate identities for a national digital identity system.

---

[1] Carolyn Puckett, The Story of the Social Security Number,69 Soc. Sec. Bull. 55 (2009), https://www.ssa.gov/policy/docs/ssb/v69n2/v69n2p55.pdf [https://perma.cc/CE6K-3J9W].

[2] Id.

[3] Id.

[4] Id.

[5] Id.

[6] Class Action Complaint at 22, Hofmann v. Jerico Pictures, Inc., No. 0:24-cv-61383 (S.D. Fla. Aug. 1, 2024), Dkt. No. 1.

[7] See 21 C.F.R. § 1140.14(a)(2)(i) (2026).

[8] See 8 C.F.R. § 274a.2(a)(2) (2026).

[9] See 31 C.F.R. § 1020.220(a)(2) (2026).

[10] See, e.g., Tom Bradley, Revolutionizing Identity Verification and Fraud Detection, Forbes (June 29, 2023, at 16:32 EDT), https://www.forbes.com/sites/tonybradley/2023/06/29/revolutionizing-identity-verification-and-fraud-detection/ [https://perma.cc/D3JM-GBAG].

[11] Manu Balachandran, Aadhaar: A Shot at Unique Identity Through Twists and Turns, Forbes India (May 24, 2024, at 11:28 IST), https://www.forbesindia.com/article/15th-anniversary-special/aadhaar-a-shot-at-unique-identity-through-twists-and-turns/93174/1 [https://perma.cc/8VZ7-DZZR]

[12] Connor T. Jerzak, A Brief History of National ID Cards, FXB Center for Health & Hum. Rts. at Harv. Univ. (Nov. 12, 2015), https://fxb.harvard.edu/2015/11/12/a-brief-history-of-national-id-cards/ [https://perma.cc/9S9K-CHVG].

[13] Get an Individual Taxpayer Identification Number (ITIN) to file your tax return, U.S. Gen. Serv. Admin., https://www.usa.gov/itin [https://perma.cc/6MVQ-GE9L] (last visited Dec. 12, 2024).

[14] Stephen Ufford, REAL ID’s case for a National ID, Forbes (Feb. 28, 2020, at 7:00 EST), https://www.forbes.com/councils/forbestechcouncil/2020/02/28/real-ids-case-for-a-national-id/ [https://perma.cc/8NWG-DXBK]

[15] REAL ID Act of 2005 § 202, 49 U.S.C. § 30301.

[16] Biji Scaria, The Importance of a National Digital Identity System, Info. Sys. Audit & Control Ass’n (Feb. 3, 2022), https://www.isaca.org/resources/isaca-journal/issues/2022/volume-1/the-importance-of-a-national-digital-identity-system [https://perma.cc/PZ4B-6PPN].

[17] Id.

[18] Olivia White et. al, COVID-19: Making the case for robust digital financial infrastructure, McKinsey Glob. Inst. (Jan. 26, 2021), https://www.mckinsey.com/industries/financial-services/our-insights/covid-19-making-the-case-for-robust-digital-financial-infrastructure [https://perma.cc/FTW6-FD3S].

[19] Ash Johnson, The Path to Digital Identity in the United States, Info. Tech. & Innovation Found. (Sep. 23, 2024),https://itif.org/publications/2024/09/23/path-to-digital-identity-in-the-united-states/ [https://perma.cc/QVR9-6JMV].

[20] Improving Digital Identity Act of 2023, S. 884, 118th Cong. § 4(b).

[21] Suzanne Rowan Kelleher, TSA Now Accepts Digital IDs from These Nine States, Forbes (June 12, 2024, at 7:55 EDT), https://www.forbes.com/sites/suzannerowankelleher/2024/06/12/tsa-digital-ids-nine-states/ [https://perma.cc/B5VX-REJ6].

[22] 6 C.F.R. § 37.5 (2026).

[23] 5 U.S.C. § 552a (2026); 44 U.S.C. §§ 3551–3559 (2026).

[24] Edward Graham, Lawmakers want government to promote use of digital IDs, Nextgov/FCW (Oct. 1, 2024), https://www.nextgov.com/digital-government/2024/10/lawmakers-want-government-promote-use-digital-ids/399981/ [https://perma.cc/7XTP-JR4E].

[25] Jason Litalien, Why some states won’t comply with REAL ID requirements, Int’l Ass’n of Privacy Prof. (Jan. 30, 2017), https://iapp.org/news/a/why-some-states-wont-comply-with-real-id-requirements/ [https://perma.cc/5HNB-FYAT].

[26] REAL ID Act of 2005 § 202, 49 U.S.C. § 30301.

[27] 22 C.F.R. § 53.1(a) (2026).

[28] REAL ID Act § 202(c)(1).

[29] Id. § 202(c)(3).

[30] 6 C.F.R. § 37.11(a) (2026).

[31] Id. § 37.11(b).

[32] Id.

[33] REAL ID Act § 202(b).

[34] 22 C.F.R. § 51.21(a) (2026).

[35] 22 C.F.R. § 51.23 (2026).

[36] 22 C.F.R. § 51.42(a) (2026).

[37] 22 C.F.R. § 51.1 (2026).

[38] Graham, supra note 24.

[39] Improving Digital Identity Act of 2023, S. 884, 118th Cong. § 4(b) (2023); Edward Graham, NextGov: US needs an agency to call ‘balls and strikes’ on digital IDs, lawmaker says, Congressman Bill Foster, (Sep. 11, 2025), https://foster.house.gov/media/in-the-news/nextgov-us-needs-agency-call-balls-and-strikes-digital-ids-lawmaker-says [https://perma.cc/P94R-W5G6].

[40] Improving Digital Identity Act § 5(a)–(b).

[41] Id. § 4(h)(1)–(2).

[42] Id. § 4(h)(3).

[43] Stephen Ufford, REAL ID’s Case For A National ID, Forbes (Feb. 28, 2020, at 7:29 EST), https://www.forbes.com/councils/forbestechcouncil/2020/02/28/real-ids-case-for-a-national-id/ [https://perma.cc/8NWG-DXBK].

[44] NIST Releases Second Public Draft of Digital Identity Guidelines for Final Review, Nat’l Inst. for Standards & Tech. (Aug. 21, 2024), https://www.nist.gov/news-events/news/2024/08/nist-releases-second-public-draft-digital-identity-guidelines-final-review [https://perma.cc/US45-S54A].

[45] 15 U.S.C. § 278(c)(15) (2026); 15 U.S.C. § 278g-3(a) (2026).

[46] 40 U.S.C. § 11331 (2026).

[47] Nat’l Inst. for Standards & Tech., Special Publ’n 800-63-4, Digital Identity Guidelines 2 (2025) [hereinafter NIST800-63-4], https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-4.pdf [https://perma.cc/Y6QG-K87Y].

[48] Id. at 3–4.

[49] Id. at 10–11.

[50] Nat’l Inst. For Standards & Tech., Special Publ’n 800-63A-4, Digital Identity Guidelines: Identity Proofing and Enrollment 1 (2025) [hereinafter NIST 800-63A-4], https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63A-4.pdf [https://perma.cc/9KRM-ACKA].

[51] Id.

[52] Id. at 9.

[53] Id.

[54] Id.

[55] NIST800-63-4, supra note 47, at 34.

[56] Id. at 35.

[57] Id. at 46–47.

[58] Id. at 35.

[59] Id.

[60] Id.

[61] NIST 800-63A-4, supra note 50, at 1.

[62] This verification of the documents provided in identity proofing should not be confused with the process by which the connection between the individual attempting to access services and the identity, already proven when obtaining the credential, is established. See id. at 72. There is much that can be said about that in the process of establishing digital identities, but it is beyond the scope of this Note.

[63] Id. at 40.

[64] Id. at 83–84.

[65] Id. at 85.

[66] Id. at 86–87.

[67] Id. at 13.

[68] See id. at 41.

[69] Id. at 35–36.

[70] Id. at 36–37.

[71] Id. at 14–15.

[72] Id. at 66.

[73] See id. at 14–15.

[74] Id. at 27–28.

[75] Id. at 8.

[76] See id. at 93 (“A CSP may be an independent third party.”).

[77] Id. at 9.

[78] See Justice K.S. Puttaswamy v. Union of India, 2018 INSC 880 (Supreme Court of India).

[79] Id. at [24].

[80] Id. at [42].

[81] Id. at [307]; Aadhaar (Enrolment and Update) Regulation 2016, reg. 5 (amended 2024) (India).

[82] Id. at reg. 7(1)–(2).

[83] Id. at reg. 4.

[84] Id. at reg. 21.

[85] Id. at reg. 7.

[86] Id. at reg. 21(1).

[87] Id. at reg. 10(1).

[88] Id. at Schedule II.

[89] Id.

[90] Id.

[91] See id. at reg. 2(1)(m), 7(5).

[92] Id. Aadhaar (Enrolment and Update) Regulation 2016, reg. 10(4)(a). The statute has since been updated. The process for introducers to follow is no longer defined in the current version of Regulation 10. The term “introducer” still has a definition in reg. 2(m) and the Registrar is still instructed to “make reasonable efforts” to allow individuals who do not possess identification documents to register “through alternate modes of enrolment specified in Regulation 10.” Aadhaar (Enrolment and Update) Regulation 2016, reg. 7(5) (amended 2024) (India).

[93] Id. at reg. 4(4).

[94] Anjali Bhardwaj, Aadhaar: When the Poor Get Left Out, Hindu Ctr. for Pol. & Pub. Pol’y (Aug. 26, 2022, at 12:12 IST), https://www.thehinducentre.com/the-arena/current-issues/aadhaar-when-the-poor-get-left-out/article64931436.ece [https://perma.cc/NDH9-U2WK].

[95] Aadhaar (Enrolment and Update) Regulation reg. 13.

[96] See Justice K.S. Puttaswamy v. Union of India, 2018 INSC 880, [263] (Supreme Court of India).

[97] Aadhaar Enrolment & Update Charges, Unique Identification Auth. of India (July 20, 2022), https://uidai.gov.in/en/289-faqs/your-aadhaar/protection-of-individual-information-in-uidai-system/1944-what-are-the-possible-criminal-penalties-envisaged-against-the-fraud-or-unauthorized-access-to-data.html [https://perma.cc/5Q75-KWNN].

[98] Anvitha Sai Yalavarthy, Aadhaar: India’s National Identification Scheme and Consent-Based Privacy Rights, 56 Vand. J. Transnat’l L. 619, 670–71 (2023).

[99] Id. at 630.

[100] Id. at 671.

[101] Jordan King, Map Shows 16 States Increasing Porn Site Restrictions, Newsweek (May 30, 2024, at 10:35 EDT), https://www.newsweek.com/states-porn-age-verification-free-speech-1903108 [https://perma.cc/588S-K3VM].

[102] Andrea Vittorio, Digital ID Cards Spread Across US States with Range of New Uses, Bloomberg (Sep. 13, 2023, at 4:51 EDT), https://www.bloomberglaw.com/bloomberglawnews/privacy-and-data-security/X1SH4800000000?bna_news_filter=privacy-and-data-security#jcite [https://perma.cc/Z6UW-V7CL].

[103] Id.

[104] Digital Identity Project, Cal. Dep’t of Tech., https://cdt.ca.gov/digitalid/ [https://perma.cc/AL65-WE9W] (last visited Sep. 12, 2024).

[105] California DMV Mobile Driver’s License Software Terms of Service, Cal. Dep’t of Motor Vehicles, https://www.dmv.ca.gov/portal/ca-dmv-wallet/mdl-terms-of-use/ [https://perma.cc/F9K6-NDXE] (last visited Oct. 19, 2024).

[106] Nelson Aguilar, California Rolls Out Digital Driver’s Licenses for Phones: How to Sign Up for Pilot Program, CNET (Sep. 8, 2023, at 4:30 PT), https://www.cnet.com/tech/mobile/california-rolls-out-digital-drivers-licenses-for-phones-how-to-sign-up-for-pilot-program/ [https://perma.cc/2U7F-QFNW].

[107] Id.

[108] Cal. Dep’t of Motor Vehicles, supra note 106.

[109] Digital Identity and Facial Recognition Technology,TSA, https://www.tsa.gov/digital-id [https://perma.cc/GLC9-TL7W] (last visited Oct. 19, 2024).

[110] How we built the State of Colorado, myColorado app, Appit Ventures, https://appitventures.com/success-stories/mycolorado [https://perma.cc/68LJ-6NCD] (last visited Sep. 12, 2024).

[111] Account Creation,MyColorado, https://mycolorado.gov/account-creation [https://perma.cc/PD92-C93L] (last visited Oct. 22, 2024).

[112] Apple Terms and Conditions, Colo. Dep’t of Rev. Div. of Motor Vehicles,https://dmv.colorado.gov/apple-terms-and-conditions [https://perma.cc/W4PN-ST9Q] (last visited Feb. 10, 2025).

[113] See Colo. Exec. Order No. B 2019 013, at 2 (Oct. 30, 2019).

[114] TSA expands acceptance of Colorado digital IDs for identity verification at Denver International Airport, TSA (Nov. 16, 2023), https://www.tsa.gov/news/press/releases/2023/11/16/tsa-expands-acceptance-colorado-digital-ids-for-identity [https://perma.cc/4UP8-M6TK].

[115] State Celebrates Major Milestone: 1.5 Million myColorado Users, Colo. Governor’s Off. Info. Tech., (Sep. 27, 2024), https://oit.colorado.gov/press-release/state-celebrates-major-milestone-15-million-mycolorado-users [https://perma.cc/58PY-F66Q].

[116] See NIST 800-63A-4, supra note 50, at 9; Justice K.S. Puttaswamy v. Union of India, 2018 INSC 880 (Supreme Court of India).

[117] See NIST 800-63A-4, supra note 50, at 9; Puttaswamy, 2018 INSC 880, [28].

[118]See Aadhaar (Enrolment and Update) Regulation 2016, reg. 3 (amended 2024) (India); NIST 800-63-4, supra note 47, at 34.

[119] Yalavarthy, supra note 99, at 642.

[120] Id. at 643.

[121] FTC Warns About Misuses of Biometric Information and Harm to Consumers, Fed. Trade Comm’n (May 18, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-warns-about-misuses-biometric-information-harm-consumers [https://perma.cc/D3KA-3U64].

[122] See NIST 800-63A-4, supra note 50, at 69; see also Aadhaar (Enrolment and Update) Regulation 2016, reg. 1(2)(m) (amended 2024) (India).

[123] NIST 800-63A-4, supra note 50, at 69.

[124] See id. at 35–36.

[125] See id. at 36.

[126] Id. at 36–37.

[127] Kevin Morris & Cora Henry, Millions of Americans Don’t Have Documents Proving Their Citizenship Readily Available, Brennan Ctr. for Just. (June 11, 2024), https://www.brennancenter.org/our-work/analysis-opinion/millions-americans-dont-have-documents-proving-their-citizenship-readily [https://perma.cc/5S76-KCJ8].

[128] Aadhaar (Enrolment and Update) Regulation reg. 10(4).

[129] PIB Delhi, 152.5 crore Aadhaar authentications done in July 2022, Ministry of Elecs. & Info. Tech. (Sep. 2, 2022), https://pib.gov.in/PressReleasePage.aspx?PRID=1856299 [https://perma.cc/8Q27-MHSE]

[130] Shri Rajeev Chandrasekhar, Aadhaar Numbers, Unique Identification Auth. of India (July 20, 2022), https://uidai.gov.in/images/AADHAAR_NUMBERS_ENGLISH.pdf [https://perma.cc/3PHQ-RVLX].

[131] See NIST 800-63A-4, supra note 50, at 24.

[132] See NIST800-63-4, supra note 47, at 2 (“These guidelines apply to all online services for which some level of assurance in a digital identity is required, regardless of constituency.”).

[133] Id. at 22.

[134] 22 C.F.R. § 51.22(b) (2026).

[135] See Aguilar, supra note 107; MyColorado, supra note 112.

[136] See Aguilar, supra note 107; MyColorado, supra note 112.

[137] See generally REAL ID Act of 2005, 42 U.S.C. § 30301.

[138] Id. § 202(b).

[139] Id. § 202(c).

[140] Federal Agencies have discretion on how they enforce the ID requirements and may use phased enforcement until May 5, 2027. See 6 C.F.R. 37.5 (2026).

            [141] See REAL ID Act of 2025 § 202(b).

[142] See id. § 202(a)(1).

[143] NIST 800-63A-4, supra note 50, at 8–9.

[144] Id. at 29.

[145] The relevant state statutes and regulations lay out only that programs are permitted to exist. See Cal. Veh. Code § 13020 (West 2025); Colo. Rev. Stat. Ann. § 42-2-145 (2026).

[146] Puckett, supra note 1.

[147] NIST 800-63A-4, supra note 50, at 45.

[148] Id. at 85–86.

[149] Aadhaar (Enrolment and Update) Regulation, 2016, Reg. 10(4) (India).

[150] Chandrasekhar, supra note 131.

[151] 22 C.F.R. § 51.21–22 (2026).

[152] Colo. Governor’s Off. Info. Tech., supra note 116. For reference, the U.S. Census Bureau estimates that over six million people lived in Colorado as of July 1, 2025, with approximately twenty percent being under the age of eighteen. QuickFacts Colorado, U.S. Census Bureau, https://www.census.gov/quickfacts/fact/table/CO/PST045224 [https://perma.cc/YY5N-LCJB] (last visited Apr. 2, 2026).

[153] Justice K.S. Puttaswamy v. Union of India, 2018 INSC 880 (Supreme Court of India).

[154] Colo. Governor’s Off. Info. Tech., supra note 116.

[155] Brooke Norton, Comment, Navigating the Legal Framework: Implementing a Government-Backed Digital Identity in the United States, 64 Jurimetrics J. 169, 184 (2024).

[156] 12 C.F.R. § 1008.103(a) (2026).

[157] 49 U.S.C. § 44919 (2026).

[158] 36 C.F.R. pt. 71 (2026).

[159] 27 C.F.R. § 478.41 (2026).

[160] Norton, supra note 155, at 184.

[161] See 22 C.F.R. § 51.21–22 (2026).