SA Digital ID Draft Leaves Security Gaps

Ronald Ralinala

May 7, 2026

South Africa’s digital ID regulations may be the clearest sign yet that government wants to push identity into the smartphone era, but experts say the draft still leaves too many unanswered questions for a system that is supposed to protect millions of people’s personal information.

The department of home affairs has published the draft framework for a digital identity system that will sit alongside the green ID book and smart ID card, with participation set to be voluntary. On paper, that is a major shift. In practice, though, specialists warn that the rules are still too thin on the mechanics that will decide whether the system is secure, trusted and usable.

Much of the draft focuses on the plumbing of the system: how information moves from the home affairs database to private and public-sector verifiers, and then to a person’s device. It also points to a strong cryptographic model, with the text saying standards may include asymmetric cryptography, elliptic-curve cryptography, hashing, encryption, digital signatures, token expiry and reissuance controls.

That matters, because digital identity is only as strong as its weakest link. If the issuing side is secure but the verification side is weak, criminals will go after the gap. If the wallet on the phone is vulnerable, the whole model starts to wobble. And if the user experience is clunky, adoption will stall before the system ever gets off the ground.

Lance Fanaroff, co-founder of digital identity company iiDENTIFii, told TechCentral the regulations are not the final word but rather the start of a far bigger process. In his view, the draft lays a flexible foundation that can evolve over time into something much broader, eventually allowing South Africans to keep multiple credentials in a digital wallet.

That future could include IDs, driver’s licences, payslips and proof of address stored in a cryptographically secured format. For SA Report readers, that would mark a dramatic shift in how citizens interact with both government and private institutions, from banks to telcos and landlords.

But the confidence around the long-term vision is not matched by certainty around the details. Industry leaders say the digital ID regulations need sharper rules on wallet architecture, stronger biometric verification and a much clearer framework for the organisations that will need to trust and read these credentials every day.

Why the digital ID regulations still leave major gaps

Gerhard Oosthuizen, chief technology officer at authentication specialist Entersekt, said the draft is directionally promising but incomplete. He argued that the regulations do not yet go far enough in defining how a secure, interoperable ecosystem should function in the real world.

One of the biggest concerns is biometric verification. The draft leans heavily on proof-of-liveness checks, where a user takes a live selfie to show they are a real person and not a static image, deepfake or replay attack. That is useful, but experts say it is not enough on its own.

As Oosthuizen pointed out, a 2D selfie can be manipulated far more easily than many people realise. A determined fraudster can prepare lighting, stage images and keep retrying until a fake identity passes. That is why top-end consumer devices, such as Apple’s Face ID, do not rely on a simple camera alone. They combine multiple sensors to verify depth and presence, making spoofing much harder.

His warning is blunt: a lone selfie camera is not a robust defence against modern AI-driven impersonation attacks. With deepfakes becoming more convincing by the month, South Africa cannot afford to design a national identity layer that assumes a single image is enough.

Both Fanaroff and Oosthuizen want to see multi-factor authentication built into the system. That could mean pairing “something the user is” with “something the user has”, such as tapping a physical ID card to a phone using NFC, or adding a PIN or fingerprint scan during enrolment and verification.

Another concern sits at the wallet level. The draft regulations refer to the MyMzansi app as the distribution channel for digital IDs, but say very little about the security architecture behind it. Oosthuizen’s bigger worry is that the wording suggests a single state-issued wallet rather than an open ecosystem of certified wallets.

That difference is not just technical. It speaks to how South Africa wants the whole system to work. If the model is closed and tied to one app, the country may miss out on the flexibility that international digital identity systems are building into their frameworks.

In the United States, for example, multiple states already allow digital driver’s licences to be stored in Apple Wallet or Google Wallet. That kind of approach is built on international standards and allows different certified wallets to coexist, rather than forcing everyone into one government-branded app.

Fanaroff and Oosthuizen are effectively asking: if South Africa is building a modern digital identity regime, why not design it for interoperability from the start? A rigid single-wallet model could leave citizens juggling different apps for different purposes, instead of enjoying one trusted identity layer across public and private services.

There is also the question of the verification side of the ecosystem, which gets too little attention in the draft. Digital identity does not work unless banks, retailers, employers, security firms and government departments can all read and trust the credentials they are being shown.

Oosthuizen said the global model usually has three actors: issuers, holders and verifiers. South Africa’s draft does a reasonable job of describing the issuer and holder roles, he said, but it barely addresses the verifier function. That omission matters, because the people and organisations checking credentials are just as important as those issuing them.

A system that does not properly define verifier responsibilities could create confusion, inconsistent standards and weak implementation across sectors. For a country like South Africa, where digital fraud is already a major concern, that would be a serious risk.

One area where the experts do praise the draft is data minimisation. The regulations say a credential should only contain the information needed for a lawful verification purpose. That aligns closely with the Protection of Personal Information Act (POPIA) and supports the idea that a bar, for instance, should be able to confirm a customer is over 18 without seeing the person’s full ID number or date of birth.

The same principle could protect citizens in everyday interactions. In a well-designed digital ID system, a person should be able to prove one fact without exposing everything else about themselves. That is the kind of privacy-by-design thinking South Africa needs if public trust is going to hold.

But even on consent, the draft still needs work. Oosthuizen says users should be able to see exactly who is requesting their credentials and why before they agree to share anything. That is the standard in parts of Europe, where verifier identity and intent are shown at the moment of authentication. Without that transparency, social engineering attacks become easier to pull off.
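The data-minimisation and consent points above can be shown concretely with a selective-disclosure credential: the issuer signs salted hashes of every claim, the holder releases only the claim a named verifier asks for (here "over_18", never the ID number or date of birth), and the verifier checks the issuer's signature, the token expiry and the disclosed claim against the signed digests. This is an added illustration, not code from the draft regulations, the MyMzansi app or any vendor named in the article; the issuer key is a constructed placeholder and HMAC-SHA256 stands in for the asymmetric signature the draft envisages so that the example runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed placeholder. HMAC-SHA256 stands in for the issuer's asymmetric
# signature so this runs without third-party libraries; a real issuer would
# sign with a private key and verifiers would hold only the public key.
ISSUER_KEY = b"constructed-issuer-key-not-for-real-use"


def _digest(salt: str, name: str, value) -> str:
    """Hash one salted claim; the salt stops a verifier guessing undisclosed values."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def _sign(body: dict) -> str:
    return hmac.new(ISSUER_KEY, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()


def issue_credential(claims: dict, expires_at: int) -> tuple:
    """Issuer: salt and hash every claim, then sign only the digests plus expiry.
    Returns the signed credential and the holder's private (salt, value) material."""
    wallet = {name: (secrets.token_hex(16), value) for name, value in claims.items()}
    body = {"exp": expires_at,
            "digests": sorted(_digest(s, n, v) for n, (s, v) in wallet.items())}
    return {"body": body, "sig": _sign(body)}, wallet


def present(credential: dict, wallet: dict, request: dict) -> dict:
    """Holder: the wallet shows request['verifier'] and request['purpose'] before
    consent, then releases only the requested claims; nothing else leaves the wallet."""
    disclosed = {name: wallet[name] for name in request["claims"]}
    return {"credential": credential, "request": request, "disclosed": disclosed}


def verify(presentation: dict, now: int) -> Optional[dict]:
    """Verifier: check issuer signature and expiry, then check that each disclosed
    (salt, value) pair hashes to a digest the issuer signed. None means reject."""
    cred = presentation["credential"]
    body = cred["body"]
    if not hmac.compare_digest(_sign(body), cred["sig"]) or now >= body["exp"]:
        return None
    verified = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in body["digests"]:
            return None  # claim was altered by the holder or never issued
        verified[name] = value
    return verified
```

The verifier learns only the claims in the request, yet a holder cannot flip "over_18" or reuse an expired credential without the check failing.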

He also highlighted a series of unanswered operational questions. How many devices can a citizen load their ID onto? What happens if a phone is stolen or lost? How should offline verification be limited to prevent abuse? And how should wallet providers identify fraud signals like strange locations, abrupt behavioural changes or signs that a user is being coerced?

These are not minor details. They are the very issues that determine whether a digital identity system will be safe in the hands of ordinary South Africans, especially in a country where phishing, account takeover and identity theft remain persistent threats.

South Africa’s digital ID regulations therefore look less like a finished blueprint and more like a first draft that still needs serious scrutiny. The public still has time to weigh in, with comments on the regulations open until 6 June.

For now, the direction is clear: government wants a digital identity framework that can modernise how South Africans prove who they are. But as our reporting shows, the hard part is not the ambition. It is building a system that is secure, open, interoperable and trusted enough to survive contact with real-world fraud.