The Future of Digital Identity: What’s Next in Securing Who We Are

Oct 24, 2025


Written by: Minh Nguyen & Jenn Markey


Put simply, identity is the fact of being who or what a person or thing is, and the future of identity – human or machine – is decidedly digital. In the era of AI-powered deepfakes, synthetic identities, and nation-state attackers, the creation and protection of trusted digital identities is paramount for personal, economic, and even national security.

Key Takeaways:

  • Trusted digital identity is the foundation of modern cybersecurity, essential to personal, economic, and national security.
  • New NIST Digital Identity Guidelines (SP 800-63-4), which are expressly focused on human identities, provide a practical framework to improve security, privacy, and user experience across the identity proofing, authentication, and identity federation ecosystem.
  • The future is identity-centric security, with passwordless and phishing-resistant MFA, adaptive risk-based authentication, AI-powered biometric verification and fraud detection, orchestration across identity providers (IdPs), and the implementation of post-quantum cryptography (PQC).

Digital identity security – there’s a lot at stake

To highlight exactly what’s at stake, here are a few examples. Earlier this year, an AI-generated deepfake voice of U.S. Secretary of State Marco Rubio was used to contact foreign ministers and government officials, raising global alarm bells over the potential for state-to-state disinformation and manipulation. Another example on the machine identity side is the ongoing campaign of OT cyberattacks targeting European water utilities and other critical infrastructure that is believed to be attributable to Russian-affiliated state actors.

Identity is the root of trust

Over the past few years, identity has emerged as the primary attack surface, driven by intensifying ransomware and credential-based attacks in an environment that is also characterized by heightening geopolitical tensions. Meanwhile, CISOs cite identity system complexity and a lack of full visibility as identity security weaknesses, especially when charged with a myriad of users and IoT and OT devices to manage. In essence, identity is the root of trust. And for human identities, biometrics have emerged as the root of identity, while certificates play this critical role for machine identities. Let’s take a closer look at the future of digital identity security for people.

Biometrics is the root of human digital identity

While still not a pleasant experience, it is relatively easy to replace a compromised debit or credit card. Even a Social Security number (SSN) can be reissued in extreme cases of identity theft. However, changing one’s biometrics typically requires medical intervention, which is neither desirable nor practical. Plus, biometrics are easy for users – nothing to remember, nothing to update. This is what makes biometrics so appealing for digital identity security. However, not all biometrics are created equal. Today, facial and fingerprint recognition represent the mass market, while voice print biometrics are increasingly panned by experts as being relatively easy to fake. And then there’s the continuous flow of patent applications for all sorts of biometrics, from vein monitoring to palm recognition and beyond.

New NIST Digital Identity Guidelines SP 800-63-4

Against this backdrop, NIST released Revision 4 of Special Publication 800-63 (SP 800-63-4) Digital Identity Guidelines on August 1, 2025. These updated guidelines emphasize security, privacy, and improved user experience for identity proofing, authentication, and identity federation. Key provisions include:

  • Updated risk management context with the addition of recommended continuous evaluation metrics
  • Expanded fraud requirements and recommendations for identity proofing processes
  • Added controls to better identify and prevent injection attacks and AI-generated deepfakes
  • Integrated syncable authenticators (passkeys) and subscriber-controlled wallets into authentication and identity federation models
  • Recognition of mobile driver’s licenses (mDLs) as valid identity proofing credentials for online and in-person scenarios, opening new avenues for secure remote onboarding
  • Preparation for future cryptographic changes, including quantum computing

Realizing identity-centric security

These updated NIST guidelines provide a practical framework to attain identity-centric security with:

  • Passwordless and phishing-resistant multi-factor authentication (MFA) as the default:
    • FIDO2 and WebAuthn standards leverage public/private key cryptography to boost phishing resistance
    • Shift from SMS and one-time codes to passkeys
  • Continuous risk-based monitoring paired with adaptive step-up authentication to identify and protect against contextual anomalies based on device posture, location, and session history
  • AI-powered fraud detection and prevention with the addition of checks for deepfake media and injection attacks to biometric verification and fraud detection systems
  • Alignment of identity assurance with Zero Trust principles:
    • Identity orchestration to both secure and streamline the user experience across multiple identity providers (IdPs) with seamless policy enforcement
    • Micro-segmentation and least-privilege controls that span hybrid and multi-cloud environments
    • Use of a cryptographic security platform to easily gain and maintain enterprise-wide visibility of all identities – human and machine
  • Decentralized identity frameworks (e.g., W3C Verifiable Credentials, DIDs) that shift trust anchors away from central databases and toward issuer-signed credentials and user-controlled identity wallets
  • Quantum-safe digital identity infrastructure including:
    • Tokens – OIDC, verifiable credentials, and other identity standards depend on tokens, which in turn rely on digital signatures
    • Certificates and Transport Layer Security (TLS) – Digital identities often employ digital certificates such as TLS and code signing certificates
    • Hardware security modules (HSMs) – HSMs secure cryptographic processes by generating, protecting, and managing keys used for encrypting and decrypting data and creating digital signatures and certificates.

Digital identity on the horizon

Looking further out into the future of digital identity, here are some predictions of what’s to come:

Evolution of MFA into “multi-biometric authentication” (MBA)

This is essentially the use of two or more biometrics rather than other authentication factors, reflecting an ever-increasing preference for biometrics thanks to their ease of use and security, along with the need to stay ahead of increasingly realistic AI-powered attacks.

Merger of identity verification (IDV) and MFA/MBA into one integrated identity ecosystem

The new NIST digital identity guidelines already emphasize the need for continuous evaluation metrics with contextual checks across the identity proofing, authentication, and federation ecosystem. Plus, MFA is simply something you have, know, or are, and the last of these is literally biometrics, which is also the foundation of modern IDV.

Adoption and evolution of Agentic AI is adding new risks

In addition to human users, organizations that are adopting AI are in effect building communities of non-human users staffed with machine accounts and autonomous agents. These hybrid “human-machine” identities inherit privileges, access data, and make decisions, but they aren’t secured by biometrics and frequently operate outside traditional security frameworks, raising significant cyber risk. A proactive, coordinated approach across identity, data, and security teams is needed now to catalog agents, monitor behavior, and establish escalation procedures in the event of compromised identities.

Convergence of payments and identity

This isn’t that much of a stretch, as both the EU Digital Identity initiative and NIST SP 800-63 already reference and support an integrated digital wallet – identity and payments. One potential step beyond would be biometric-enabled payments as the norm rather than the exception.

Identity-centric security is the future

Trusted digital identities – human, machine, and agentic – are the foundation of our digital ecosystem, essential to continued economic prosperity and national security. NIST’s new digital identity guidelines provide a template to attain identity-centric security for people and reinforce the need for ongoing vigilance as technology and the threat landscape continue to evolve.

Get Ready for the Future of Digital Identity

To learn more about how AI-driven analysis can enable secure remote onboarding and fight fraud, explore Entrust identity verification solutions.

Minh Nguyen
VP of Product - Identity

Minh Nguyen leads the strategic evolution of the Identity Verification platform, including its machine learning-powered identity proofing technology and digital identity solutions. He oversees product strategy, product management and product design. Previously at Onfido, prior to its acquisition by Entrust, Nguyen played a key role in scaling the company’s product offerings and teams, helping grow its early-stage revenue of under $10 million to over $140 million.

Jenn Markey
Advisor, Entrust Cybersecurity Institute
Jenn Markey is a content advisor and thought leader with the Entrust Cybersecurity Institute. Her previous roles with Entrust include VP Product Marketing for the Payments and Identity portfolio and Director Product Marketing for the company’s Identity and Access Management (IAM) business. Jenn brings 25+ years of high tech product management, business development, and marketing experience to the Entrust Cybersecurity Institute with significant expertise in content development and curation.