South Africa’s draft digital identity regulations lay a workable foundation but leave critical gaps around wallet architecture, biometric strength and the verification side of the ecosystem, according to industry specialists who spoke to TechCentral.

The department of home affairs published the draft regulations this week, incorporating digital identity into South Africa’s identity system. The digital system will run in parallel with the green ID book and smart ID card, with citizens able to opt in.

Much of the document focuses on cryptographic security from the home affairs database, through public and private sector verifiers and to user devices.

“The standards … may provide for the use of asymmetric cryptography, including elliptic-curve cryptography or comparable cryptographic methods, hashing, encryption, digital signatures, token expiry, and reissuance controls,” the draft document said.

Lance Fanaroff, co-founder of digital identity specialist iiDENTIFii, said the methods listed are not prescriptive but lay a flexible foundation that can evolve. He described the regulations as “the beginning of a massive process” that will eventually see citizens carrying digital wallets containing cryptographically stamped IDs, driver’s licences, payslips and proof of address among other documents.

Gaps that need attention

But Gerhard Oosthuizen, chief technology officer of authentication specialist Entersekt – whose company is one of two large-scale pilots running under the EU’s eIDAS 2 framework – said the draft has several gaps that need attention before implementation.

Fanaroff said proof-of-liveness checks, where users take a live selfie to confirm they are real, will be central to security. Such checks defend against presentation attacks using deepfakes or printed images. But these alone are not enough.

Read: Schreiber publishes draft rules for South Africa’s digital ID system

Both he and Oosthuizen warned against relying on a 2D selfie alone, especially as AI deepfake attacks get more sophisticated. Apple’s Face ID, for example, uses three sensors: facial recognition, a thermal check and a projected dot pattern that measures depth – precisely because a single 2D image is easy to spoof.

“If I’m at home, I can set up the lighting in the right way. I have time to prepare and create a fake identity. I can play with things and just delete and retry. Unless we force in liveness with additional sensors, the risk of a 2D camera on its own is dangerous,” said Oosthuizen.

Both experts recommended multi-factor authentication, combining something the user has with something they are, would be stronger. Examples include requiring users to tap their physical ID card against their phone using NFC during enrolment or adding Pin entry or a fingerprint scan to the verification process.

The regulations name the MyMzansi app as the distribution mechanism for digital IDs but say little about its security architecture. Oosthuizen’s bigger concern is that they imply a single, government-issued wallet rather than an open, certified ecosystem.

This is in stark contrast to what is happening internationally. Twelve US states, for example, allow citizens to carry their digital driver’s licence in Apple Wallet or Google Wallet, he said. International standards – including the ISO mobile driver’s licence (mDL) specification – allow for it.

“Will only the MyMzansi app be the purveyor? It would have been better if the regulation said there will be approved wallets and they need to comply,” he said.

A single-wallet model also raises the question of whether non-government credentials such as employee badges or building access can sit alongside a citizen’s national ID, or whether South Africans will end up juggling several wallets for varying use cases.

Digital identity ecosystems globally are built on three roles: issuers, holders and verifiers. Oosthuizen said the draft describes issuer (home affairs) and holder (citizen) responsibilities reasonably well but says almost nothing about verifiers – the banks, retailers, security companies and government departments that need apps to read and trust credentials.

International standards

He said South Africa should anchor the system in international standards such as OpenID Connect for verifiable credentials and the mDL specification.

One area both specialists welcomed is the principle of data minimisation. The regulations state a credential “may encode only such mandatory particulars, or cryptographic derivatives of such particulars, as are necessary for the lawful verification purpose for which the credential is presented”. This is in line with the Protection of Personal Information Act and means a bar can confirm a patron is over 18 without seeing their date of birth or ID number, for example.

Read: Estonia’s digital ID lesson for South Africa

Oosthuizen added that users also need clear visibility of who is requesting their credentials and why before consenting, citing European requirements that verifier identity and intent be displayed at the moment of authentication. Without that, he said, social engineering attacks become easier.

He flagged further silences in the draft: how many devices a citizen can hold their ID on, what happens when a phone is lost, how offline use is throttled to prevent abuse, and how wallet providers should collect fraud signals such as unusual locations, behaviour changes or signs of duress.