A Tunnel Under the Castle Walls: Why Trust Cannot Be Assumed in the Digital ID Era
*Please note that these thought leadership pieces represent the views of the contributing companies and do not necessarily reflect techUK’s own position.
To help build a shared understanding of digital ID, we must talk openly about the security that underpins it.
I’m the co-founder and CEO of Licel, a mobile channel protection company whose technology safeguards billions of app installations across more than 70 countries.
Every hour, Licel systems process over 300,000 live threat intelligence events. That gives us a unique window into how trust in the digital world can be strengthened, but also how it can sometimes quietly erode.
We see camera injection attacks that bypass eKYC controls, social engineering fused with remote access tools, and maliciously modified apps that trick users into signing something they never intended to. These aren’t fringe cases, but rather are becoming the new normal.
This is a problem, because societies like the UK are built on trust by default. We tend to trust the systems we use and trust that those systems will protect us. But trust in the digital world cannot be assumed. It has to be engineered.
The New Reality of Digital Identity
The world is entering an exciting new phase of identity. Digital IDs that are stored on smartphones are quickly being planned and rolled out by government task forces around the world - including in the UK. These national identity schemes will be used to prove who we are, and to streamline access to public services and the digital economy.
The potential is immense. Faster verification, improved accessibility and efficiency, and seamless cross-border interactions, to name only a few. But alongside this great promise is a new reality; where our digital identity lives inside mobile applications that by their very nature exist in an unpredictable, untrustworthy, and often hostile environment.
Physical passports are protected by hardware, border controls, and hundreds of years of anti-fraud mechanisms such as holograms and secure chips. A digital equivalent faces very different types of risks that float around in the dark spaces; in the ether between the application, the operating system, and the backend. These include mobile malware, remote access tools, and zero-day exploits.
The danger isn’t that Digital ID initiatives are misguided - far from it. It’s more that it seems that security at the mobile application level isn’t yet treated with the same rigour as backend or architectural security. And without it, the entire chain of trust can be undermined.
Imagine that you’ve built an impressive-looking castle, but have failed to examine the soil around it. That soil could be just the right quality and consistency to enable attackers to construct a tunnel under the castle walls, all the way to the crown jewels.
The Dark Spaces: The Digital ID Threat Landscape
The success of Digital ID initiatives will arguably rest on whether citizens believe that their identities are safe. This is a legitimate concern. After all, digital identities on personal devices can become exposed to:
Tampering - attackers modify apps to inject malicious code or steal and misuse cryptographic keys.
Malware interference - malware strains can silently observe Digital ID interactions and signatures, and siphon credentials.
Synthetic enrolment - sophisticated eKYC Fraud using deepfakes and virtual camera apps can create bogus citizens in the database.
NFC-based fraud - contactless scans via NFC interfaces can be manipulated and relayed to other devices around the world.
The threats above can be prevented, but only if we see the mobile channel as a critical component of trust. Citizens don’t see - and are almost certainly unaware of - backend systems and encryption protocols. What they do see and experience is the mobile application; that’s why it’s so important that it is able to defend itself and is capable of proving its integrity every time that it runs.
A Manifesto for Secure Digital ID Initiatives: Building a Foundation of Trust
At Licel, we’ve spent 15 years in the field, building security solutions that solve real-world problems and protect the entire mobile channel. We believe the following principles should underpin every secure Digital ID initiative.
Secure Enrolment. We work with financial institutions around the world to help them battle eKYC Fraud. This threat could also endanger the success of Digital ID initiatives, which is why it’s vital that biometric data and personal identifiers be integrity verified and secured from the device to the backend.
Integrity Across the Lifecycle. Runtime Application Self-Protection (RASP) and integrity checks are absolutely vital for identifying and preventing some of the threats I mentioned earlier that float and flicker around mobile applications (malware and compromised environments).
Visibility is vital. Real-time threat and device intelligence is crucial for painting a thorough picture of the threat landscape and how it’s evolving over time. Without it, it’s difficult to get a clear view of where attacks are coming from.
Privacy and Transparency. Security isn’t only about preventing attacks, but about maintaining the confidence of citizens that their identity and data belongs to them. Open communication and education is crucial.
A Shared Mission
The regulatory frameworks for Digital ID already exist: eIDAS 2.0, ICAO DOC 9303, ISO/ IEC 18013-5. These standards set the baseline for interoperability and assurance, but compliance alone doesn’t equal security.
I’m convinced that to build sustainable trust, security has to be embedded from the inside out. And that begins with the Digital ID application on each citizen’s device. A holistic approach (what we at Licel call mobile channel protection) that combines protection mechanisms such as runtime security, verified threat and device intelligence, and trusted execution, can go beyond compliance to build lasting end-user trust.
Digital ID initiatives are some of the most ambitious digital infrastructure projects of the modern world. They have the potential to completely revolutionise the way that government, private enterprise, and individual citizens interact. That’s why it’s so important that they are built on solid foundations if we want them to stand the test of time.
Trust cannot be assumed, but it can be built. Here at Licel we’re excited to be a part of the conversation and we stand ready to help Digital ID fulfil its enormous promise and potential.
Find out more about Licel’s vision for Digital ID Security- https://licelus.com/
Ivan Kinash
co-founder and CEO, Licel
Digital Identity programme activities
Digital identities will provide a gateway for citizens and SMEs into the digital economy. techUK members demonstrate the benefits of digital identity to emerging markets, raise their profile as thought leaders, influence policy outcomes, and strengthen their relationships with potential clients and decision-makers. Visit the programme page here.
Digital ID campaign week 2025! 🔐
Discover insights from industry leaders exploring the crucial themes shaping digital identity throughout this Campaign Week.
Our members develop strong networks, build meaningful partnerships and grow their businesses as we all work together to create a thriving environment where industry, government and stakeholders come together to realise the positive outcomes tech can deliver.
Sue leads techUK's Technology and Innovation work.
This includes work programmes on cloud, data protection, data analytics, AI, digital ethics, Digital Identity and Internet of Things as well as emerging and transformative technologies and innovation policy.
In 2025, Sue was honoured with an Order of the British Empire (OBE) for services to the Technology Industry in the New Year Honours List.
She has been recognised as one of the most influential people in UK tech by Computer Weekly's UKtech50 Longlist and in 2021 was inducted into the Computer Weekly Most Influential Women in UK Tech Hall of Fame.
A key influencer in driving forward the data agenda in the UK, Sue was co-chair of the UK government's National Data Strategy Forum until July 2024. As well as being recognised in the UK's Big Data 100 and the Global Top 100 Data Visionaries for 2020 Sue has also been shortlisted for the Milton Keynes Women Leaders Awards and was a judge for the Loebner Prize in AI. In addition to being a regular industry speaker on issues including AI ethics, data protection and cyber security, Sue was recently a judge for the UK Tech 50 and is a regular judge of the annual UK Cloud Awards.
Prior to joining techUK in January 2015 Sue was responsible for Symantec's Government Relations in the UK and Ireland. She has spoken at events including the UK-China Internet Forum in Beijing, UN IGF and European RSA on issues ranging from data usage and privacy, cloud computing and online child safety. Before joining Symantec, Sue was senior policy advisor at the Confederation of British Industry (CBI). Sue has an BA degree on History and American Studies from Leeds University and a Masters Degree on International Relations and Diplomacy from the University of Birmingham. Sue is a keen sportswoman and in 2016 achieved a lifelong ambition to swim the English Channel.
Associate Director - Technology and Innovation, techUK
Laura Foster
Associate Director - Technology and Innovation, techUK
Laura is techUK’s Associate Director for Technology and Innovation.
Laura advocates for better emerging technology policy in the UK, including quantum, future of compute technologies, semiconductors, digital ID and more. Working alongside techUK members and UK Government she champions long-term, cohesive, and sustainable investment that will ensure the UK can commercialise future science and technology research. Laura leads a high-performing team at techUK, as well as publishing several reports on these topics herself, and being a regular speaker at events.
Before joining techUK, Laura worked internationally as a conference researcher and producer exploring adoption of emerging technologies. This included being part of the team at London Tech Week.
Laura has a degree in History (BA Hons) from Durham University and is a Cambridge Policy Fellow. Outside of work she loves reading, writing and supporting rugby team St. Helens, where she is from.
Elis joined techUK in December 2023 as a Programme Manager for Tech and Innovation, focusing on Semiconductors and Digital ID.
He previously worked at an advocacy group for tech startups, with a regional focus on Wales. This involved policy research on innovation, skills and access to finance.
Elis has a Degree in History, and a Masters in Politics and International Relations from the University of Winchester, with a focus on the digitalisation and gamification of armed conflicts.
