Why Write a Digital Identity Guide for the Tax Administration

Guide to Digital Identification for the Tax Administration (I)

The main reason is that the world has become irreversibly digital, and as a result, our government agencies no longer operate solely in a face-to-face environment. Fewer and fewer people prefer to visit our offices, since they can handle the same matters from home, from their phone, or from anywhere in the world.

Our relationship with taxpayers is increasingly maintained through an omnichannel approach. Over the past decade, and accelerated by the pandemic, this relationship has become predominantly digital, relying on websites, digital services, apps, contact centers, social media, and interoperable services.

In this context, digital identity has evolved from a technical component into a true institutional enabler for navigating this new world. It is the gateway that guarantees legal certainty and security against fraud.

Just as in the physical world, where the documents that identify us have evolved over the decades—from simple pieces of paper with a photo, a fingerprint, or a stamp to sophisticated documents with mechanisms that prevent tampering and comply with international frameworks and standards—the same is happening with digital identification.

We can no longer rely on a “username and password” model to support modern services; the centralization of credentials and the sophistication of cyber threats demand that we take different approaches. Digital identity is evolving and requires strategic, technical, and legal attention.

That is why we have developed this Guide.

Its purpose is to provide information, criteria, and guidance so that each government agency can make informed decisions on how to address the challenges posed by the evolution of digital identity. It does not seek to impose a single model or solution, but rather to help develop a strategic response to the issue, compare options, and choose possible paths forward.

Why?

  • To enable secure digital services and channels.
  • To reduce costs and processing times for both taxpayers and the government.
  • To facilitate interaction and encourage better tax compliance.
  • To provide interoperable public services and improve the relationship between citizens and the government.

 

Why the “username and password” system is no longer enough

Digital identification has evolved continuously over the past few decades, especially since the beginning of this century. Forty or fifty years ago, in a world vastly different from today’s, we used usernames on each of our (largely disconnected) computer systems and simple methods to verify our identity. Typically, this involved a username that identified us in a very limited context and a password that did not comply with any security policies.

We used a username on each system, and, furthermore, there was generally no mapping linking digital and physical identifications. During the 1990s and early 2000s, this situation evolved along two main lines that could be classified as: (1) usage and (2) security.

In terms of usage, systems began to emerge that required users to adopt a more universal identifier, that is, one that would identify them beyond a specific computer system and that was often linked to their physical identity. This is how document numbers (ID cards, passports, etc.) or, failing that, an email address, which is globally unique, came to be used. In addition, systems began to delegate identification. Major digital identity hubs (Google, Microsoft, LinkedIn, Apple, etc.) developed identity providers that could be integrated into other systems, allowing people to use their Google or LinkedIn credentials to identify themselves (or log in) across multiple systems. This federated model, with robust and recognized protocols and standards, is now well established. One could say that digital identification learned from physical identification and behaves similarly: we obtain a few digital identifiers from recognized providers and use them across broad ecosystems.

With regard to security, the evolution of threats over the past few decades, as well as the critical importance of and our reliance on digital tools in all our activities, means that the “username/password” model—even though it has been strengthened in various ways—is reaching the end of its useful life. The widespread use of smartphones has made biometrics, particularly facial recognition, an important tool for verifying identities. However, it has limitations and conditions that must be met for it to be reliable, it incurs significant costs, and it faces a major threat from Artificial Intelligence.

Currently, the most secure methods for identifying ourselves and validating our identity are based on the use of distributed credentials and cryptographic devices. As a result, centralized databases containing millions of credentials would no longer be necessary; instead, each person would hold their own credentials, and trust would be placed in cryptography, typically through the use of digital signatures to identify and validate our identities. To this end, FIDO2 standards such as passkeys and the concept of “passwordless” access have emerged.
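The signature-based login described above, as an added example that is not part of the original guide: a simplified passkey-style challenge-response using Node's built-in crypto module. The class names, user ID and origins are hypothetical, and the signed message is deliberately simpler than the real WebAuthn/FIDO2 format.

```javascript
const crypto = require('node:crypto');

// Simplified stand-in for WebAuthn's signed data (assumption, not the real
// format): the server's one-time challenge bound to the site origin.
const payload = (challenge, origin) => Buffer.from(JSON.stringify({ challenge, origin }));

// The user's device: generates a key pair; the private key never leaves it.
class Authenticator {
  constructor() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.privateKey = privateKey;
    this.publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(challenge, origin) {
    return crypto.sign(null, payload(challenge, origin), this.privateKey);
  }
}

// The service (hypothetical tax portal): it stores public keys only, so a
// database leak yields nothing that can be replayed as a login secret.
class RelyingParty {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // userId -> public key (PEM)
    this.pending = new Map();    // userId -> outstanding challenge
  }
  register(userId, publicKeyPem) { this.publicKeys.set(userId, publicKeyPem); }
  newChallenge(userId) {
    const challenge = crypto.randomBytes(32).toString('hex');
    this.pending.set(userId, challenge);
    return challenge;
  }
  verify(userId, signature) {
    const challenge = this.pending.get(userId);
    this.pending.delete(userId); // single use: a captured signature cannot be replayed
    const pem = this.publicKeys.get(userId);
    if (!challenge || !pem) return false;
    return crypto.verify(null, payload(challenge, this.origin), pem, signature);
  }
}

function demo() {
  const rp = new RelyingParty('https://portal.example');
  const device = new Authenticator();
  rp.register('taxpayer-1', device.publicKeyPem);
  const sig = device.sign(rp.newChallenge('taxpayer-1'), 'https://portal.example');
  const login = rp.verify('taxpayer-1', sig);
  const replay = rp.verify('taxpayer-1', sig); // challenge already consumed
  const other = device.sign(rp.newChallenge('taxpayer-1'), 'https://portal.example.invalid');
  return { login, replay, wrongOrigin: rp.verify('taxpayer-1', other) };
}
console.log(demo());
```

The first login succeeds, while the replayed signature and the signature made for a different origin are both rejected, even though the service never held a secret for the user.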

On the other hand, while digital signatures—whether on cryptographic devices or in the cloud—offer highly secure identification mechanisms, verifiable credentials on mobile phones can achieve equivalent levels of security when implemented under certain conditions. The difference is that they are much simpler and more user-friendly. Furthermore, an identification credential on our mobile phone can be used both in in-person settings—via QR, NFC, or Bluetooth—and in digital environments, using QR codes and widely recognized, secure, and open protocols.

 

 
