It is one of the first questions people ask when they hear about digital driver's licenses or mobile credentials: what happens if I lose my phone?
It is an understandable question. For most people, losing a phone means losing access to everything on it - photos, messages, apps, accounts. The assumption is that a digital ID would be no different. In practice, a well-designed verifiable digital credential system handles a lost device more securely than most people expect, and in some ways more securely than a lost physical wallet.
What Is Actually at Risk
When you lose a phone with a verifiable digital credential on it, the credential itself is protected by layers that do not exist for a physical ID.
A physical driver's license, once out of your hands, can be used by anyone for visual verification. There is no PIN, no biometric, no authentication barrier. If someone finds your wallet, they have your ID.
A verifiable digital credential on a phone is different. To present a credential, the holder typically has to unlock the device first, through a PIN, fingerprint, or facial recognition. A credential stored in a compliant digital wallet cannot be accessed or presented without that authentication step. Someone who picks up your phone cannot use your digital ID without getting past the lock screen. That is not a policy protection. It is a technical one, built into how the credential is structured.
Remote Revocation: Turning Off a Lost Credential
The more significant protection a verifiable digital credential offers over a physical one is remote revocation.
If your physical license is lost or stolen, there is no mechanism to invalidate it. Anyone using it for visual verification has no way of knowing it has been reported lost.
A verifiable digital credential can be revoked remotely. When you report a lost or stolen device, the issuing agency can revoke the credential, updating the credential's status so that any verifier checking it receives a signal that it is no longer valid. The credential does not disappear from the device immediately, but it can no longer be successfully verified.
This is a meaningful shift. It means the window during which a lost credential poses a risk can be significantly shorter than with a physical ID, measured in hours rather than years.
Re-Enrollment on a New Device
Once a lost device is reported and the credential is revoked, re-issuance on a new device follows a straightforward process in a well-designed system.
The holder re-verifies their identity with the issuing agency, typically using the same process they used for initial enrollment. The agency reissues the credential to the new device. Because the credential is issued fresh rather than transferred from the old device, there is no dependency on recovering the old phone or its contents.
This is an important architectural point. A credential is not a file that lives on a device the way a photo or document does. It is a signed attestation issued by an authority. When the issuing authority re-verifies and re-signs, a new credential exists on the new device. The old one, revoked, is no longer functional.
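The revocation and re-issuance flow described above, as an added example that is not code from this article or from any credential program. It assumes a status list with one bit per credential and uses an HMAC as a stand-in for the issuer's signature (real issuers sign with a private key); all names and values are hypothetical.

```python
import hashlib, hmac, json

ISSUER_KEY = b"constructed-demo-key"  # stand-in: real issuers sign with a private key

def _mac(claims):
    payload = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()

class Issuer:
    """Hypothetical issuer keeping one revocation bit per issued credential."""
    def __init__(self, size=1024):
        self.status = bytearray(size // 8)  # all zero: nothing revoked
        self.next_index = 0

    def issue(self, subject, device_key_id):
        claims = {"sub": subject, "device_key": device_key_id,
                  "status_index": self.next_index}
        self.next_index += 1
        return {"claims": claims, "sig": _mac(claims)}

    def revoke(self, credential):
        i = credential["claims"]["status_index"]
        self.status[i // 8] |= 1 << (i % 8)

    def published_status(self):
        return bytes(self.status)  # immutable snapshot a verifier may cache

def verify(credential, status_list):
    """Verifier side: signature first, then the status bit."""
    if not hmac.compare_digest(_mac(credential["claims"]), credential["sig"]):
        return "invalid-signature"
    i = credential["claims"]["status_index"]
    if i // 8 >= len(status_list):
        return "status-unknown"
    return "revoked" if (status_list[i // 8] >> (i % 8)) & 1 else "valid"

def lost_phone_scenario():
    issuer = Issuer()
    old = issuer.issue("resident-123", "old-phone-key")    # constructed values
    stale = issuer.published_status()   # verifier's copy fetched before the loss
    issuer.revoke(old)                  # holder reports the phone lost
    new = issuer.issue("resident-123", "new-phone-key")    # fresh credential
    fresh = issuer.published_status()
    return (verify(old, stale), verify(old, fresh), verify(new, fresh))

if __name__ == "__main__":
    print(lost_phone_scenario())
```

The first result is the case to watch: a verifier still holding a status list fetched before the loss was reported accepts the old credential until it refreshes, so the risk window is set by how quickly revocation propagates.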
What About the Data on the Device?
A related concern is whether personal data stored in a digital wallet is accessible if a phone is lost.
In a well-designed wallet, credentials are stored in an encrypted, hardware-secured element on the device - not in a general storage location accessible to other apps or to someone browsing the file system. The encryption keys that protect the wallet are typically tied to the device's secure enclave, which means they cannot be extracted without the device's authentication credentials.
For the vast majority of lost-phone scenarios, the combination of device authentication, encrypted credential storage, and remote revocation provides meaningful protection. A separate but related concern is whether the credential system itself creates a data trail: whether the issuer can see when and where credentials are used. "The Importance of Protecting Digital ID Users from 'Phone Home' Surveillance" covers that question directly, and it is worth understanding alongside the lost-device question when evaluating how a program handles resident data.
What Programs Should Have in Place
The protections described above depend on how the verifiable digital credential program was designed and what infrastructure the issuing agency has in place.
A well-designed program communicates the recovery process to residents at enrollment, not after a device is lost. It has a clear, tested procedure for reporting a lost device, revoking the credential, and re-issuing it. It builds revocation infrastructure that propagates quickly, so the window of risk after a loss is as short as possible.
"Debunking Myths About the Mobile Driver's License" addresses this and related concerns that residents commonly raise before adopting a digital ID. And "What Is a Digital Wallet and What Does It Actually Hold?" explains how credentials are stored and protected within a compliant wallet application.
The Broader Point
Losing a phone raises a legitimate concern, not about verifiable digital credentials in general, but about whether a specific program was designed with the resident's security in mind from the start.
A verifiable digital credential built on open standards, stored in a certified wallet, protected by device authentication, and backed by a functioning revocation system gives the holder more control over what happens when things go wrong and a device goes missing. You can report a loss and disable the credential, or you can re-enroll on a new device. You cannot do any of that with a physical card sitting in someone else's hands.
That is what it means to design digital identity infrastructure that is voluntary, user-controlled, and rights-respecting - not just in normal use, but also when something goes wrong.
For more on how verifiable digital credential programs are designed to protect residents across their full lifecycle, contact us.
About SpruceID: SpruceID builds digital trust infrastructure for government. We help states and cities modernize identity, security, and service delivery — from digital wallets and SSO to fraud prevention and workflow optimization. Our standards-based technology and public-sector expertise ensure every project advances a more secure, interoperable, and citizen-centric digital future.