Digital identity at scale: fraud, lifecycle failures, and what Europe needs to fix

1747029705-1080x987_blog_telco_ecosystem-2

What happens when a digital identity system that worked perfectly for thousands of users also has to work for millions? That's exactly what Olaf Jonkers and the team behind itsme^® had to figure out. And at EIC 2026 in Berlin this May, Olaf will be sharing exactly how they handle it.

When scale meets sophistication

Digital identity fraud often evolves slowly, and then all at once. What starts as isolated incidents becomes organised, adaptive, and relentless the moment a platform reaches the scale that makes it worth targeting.

During a recent Road to EIC webinar, Olaf Jonkers, itsme^®'s Head of Risk & Compliance, explained this inflection point: "In its early years, the system saw no fraud attempts at all, right up until it hit critical mass. Today, itsme^® serves more than 8 million users, holds an eIDAS High-Assurance certification, and operates as a qualified trust service provider. It's one of Europe's most mature consumer-facing identity systems. But that maturity was hard-won."

Those lessons aren't unique to itsme^® but a blueprint for anyone operating at scale in the identity space. The pattern Olaf described is one every identity practitioner recognises: counter a fraudster's modus operandi, and they adapt, rapidly. They find angles you didn't anticipate, test edges you didn't model, and move on before you've even finished your post-mortem. In this context, agility is the absolute baseline.

The lifecycle problem

While authentication and onboarding get all the attention, lifecycle management gets almost none. What happens when a user loses their phone, forgets their PIN, or gets their device stolen?

Olaf is clear on this: “Recovery must be fully online and fully mobile-native. Not ‘partially digital.’ Not ‘you can make an appointment and come into an office.’ It must be entirely self-served from a new device.” Fellow panelist David Brossard (CTO, Axiomatics) described the absurdity of being locked out of his Swedish digital identity after his phone died. David was unable to book a bank appointment because – guess what – you need a phone to call, and he obviously had no phone. 

“Scheduling an appointment with a public official to reactivate an account isn't scalable, and front-line staff aren't equipped to handle it," says Olaf. "The systems being set up under eIDAS 2.0 need to reckon with this reality before it becomes a crisis. The life experience of actually being a locked-out citizen hasn't yet fully reached the people steering these programmes.”

A new model for fraud prevention

A very compelling idea in the webinar came from a Belgian banking practice: the ‘guardian angel’ model. A bank can detect when a customer is likely being socially engineered through subtle behavioural signals or out-of-the-ordinary transaction patterns. But rather than simply blocking the account and frustrating a potentially legitimate user, the bank reaches out to a pre-designated trusted person (a family member, a close friend) and flags what's happening: this person is doing something unusual, can you check in on them?

It's fraud prevention built on real human connections, using the sheer scale of society and people's natural instinct to watch out for each other. It doesn't frustrate legitimate users, and it directly addresses one of the hardest problems in identity: protecting people who don't realise they're being duped.

Eve Maler, former CTO at ForgeRock, summed up the reaction from the rest of the panel: “Human trust networks may be the most underused tool in the entire identity industry. One of the biggest protections available is simply: don't make people face it alone.”

Digital literacy isn't what you think

Itsme^®’s operational data surfaced a finding that upends a common assumption: digital literacy is not correlated with age in the way most people expect. Older users, it turns out, are often highly capable with formal digital services. They’re motivated by concrete needs, like checking pension status or interacting with healthcare systems. Meanwhile, a significant cohort of younger users who are entirely fluent with social apps and messaging platforms find formal government services online genuinely confusing and unfamiliar.

This has implications for design. You cannot target a single ‘less technically confident’ demographic and consider the problem solved. The full spectrum of users includes tech-native young adults who have never had reason to engage with formal digital identity, and who need to be met where they are.

European wallets and the road ahead

Olaf is cautiously optimistic about the EU Digital Identity Wallet under eIDAS 2.0. Belgium's experience positions itsme^® as one of the most instructive and trusted reference points in Europe for where wallet-based identity can succeed, and where the gaps remain.

“The cross-border ambition is real and the legal architecture is in place: mandatory adoption for certain sectors, portability across member states, high-assurance grounding in national identity documents. But digital sovereignty is becoming an increasingly live political issue. The near-acquisition of Dutch digital identity infrastructure DigiD by a US-based IBM spin-off triggered parliamentary questions in the Netherlands and regulatory attention from supervisory authorities.” Olaf has been in those rooms and is watching closely.