The gaps in South Africa's digital ID plan

The Department of Home Affairs has published draft regulations incorporating digital identity into South Africa’s national identity system, allowing citizens to opt in while maintaining the green ID book and smart ID card. The document outlines cryptographic security standards ranging from the home affairs database to user devices, including asymmetric cryptography and digital signatures. However, industry specialists argue the draft leaves significant gaps in wallet architecture and verification processes that require immediate attention. Lance Fanaroff of iiDENTIFii described the regulations as a flexible foundation rather than a prescriptive security mandate. He noted that proof-of-liveness checks, such as live selfies, are central to preventing presentation attacks using deepfakes. Both Fanaroff and Gerhard Oosthuizen of Entersekt warned that relying solely on 2D camera technology is dangerous given the sophistication of AI spoofing tools. They recommend multi-factor authentication combining physical credentials with biometric scans during enrolment. A primary concern raised by Oosthuizen is the implication of a single government-issued wallet via the MyMzansi app. This contrasts with international models where citizens can store digital driver’s licences in third-party wallets like Apple Wallet or Google Wallet. The draft also lacks sufficient detail on verifiers, such as banks and retailers, who need apps to read and trust credentials securely. Despite these concerns, both experts welcomed the principle of data minimisation, which allows verification without revealing unnecessary personal particulars. This aligns with the Protection of Personal Information Act by enabling entities to confirm age without seeing a full ID number. However, uncertainties remain regarding device limits, lost phone protocols, and offline usage throttling to prevent abuse. Public commentary on the draft regulations remains open until 6 June.