How Strong UX Turns Digital ID Into Strong Security

Digital identity programs are often evaluated through a narrow lens: encryption strength, authentication protocols, and compliance checklists. These safeguards matter, but they don’t tell the whole security story. A system that residents can’t easily use, understand, or recover can introduce new security risks.

Consider a common real-world moment: a resident tries to present their new digital ID at a government office, only to find the front-desk agent isn’t sure how to accept it. The resident fumbles through their phone, taps the wrong menu twice, and eventually gives up, pulling out the plastic card instead. Both walk away frustrated. Nothing about that interaction reflects a failure of cryptography, yet it erodes trust in the system just the same.

When usability breaks down, people turn to workarounds, adoption stalls, and risk concentrates among those who are least supported. The result isn’t just frustration, it’s a security gap. For digital identity to function as civic infrastructure, it must serve real people in real conditions, not ideal users in ideal environments.

Usability is a security requirement. And for those building the next generation of digital identity, recognizing that truth changes how we plan, deploy, and measure success. Read on to learn how treating usability as a core security principle strengthens adoption, accessibility, and trust in digital identity systems.

Usability As a Security Requirement

Usability and user experience are central to success: if the solution is difficult or confusing, adoption will lag and even security could be compromised, yet designing an intuitive experience for diverse populations is not trivial. We believe that states should expect the initial rollout may have imperfections; therefore, building in the capacity to adapt and iterate quickly based on real-world usage and feedback will be essential.

Usability must also be treated as a component of security. A system that requires perfect user behavior to remain secure will, in the real world, fail to be a secure system. Security mechanisms such as key management, rotation, and recovery must be usable in practice. For example, if residents are required to manage their own cryptographic keys or identifiers, the risks should be clearly explained, the user experience must be fully usable by someone with no technical experience other than familiarity with a mobile device through their day-to-day use. There must be robust account recoverymechanisms in place for worst-case scenarios like key compromise or loss of device. It is possible to add additional protection mechanisms to prevent unlawful situations such as device handover under state digital identity. NIST guidance and established computer security principles emphasize this linkage between usability and security, and state digital identity should adopt the same standard: mechanisms that are secure on paper but unusable in practice should not be deployed.

The Adoption Challenge

The largest barrier to success will not be technical feasibility but adoption. The industry's experience with mobile driver's licenses shows that uptake can be slow without clear incentives for both residents and verifiers. Coordination with federal authorities and private sector businesses will be essential to ensure state digital identity is accepted in critical contexts such as TSA checkpoints and other REAL ID-covered access points, or presentation for access to regulated financial services such as banking, lending, or stablecoins. If verifiers outside a state must make custom changes to support a state’s digital identity, uptake may stall. Interoperability with established ecosystems is therefore the most important lever states can pull to drive real-world use.

Equally important, residents must be able to use state digital identity credentials without facing steep learning curves or complex wallet setup; minimizing barriers to entry ensures adoption is not limited to only technically sophisticated users.

Accessibility and Inclusivity

Ensuring accessibility and inclusivity in a state's digital identity program requires thoughtful technical design, clear policies, and supportive service delivery. First and foremost, the program should prefer simplicity wherever possible, ensuring that residents can use state digital identity credentials without needing advanced technical knowledge. Digital credentials should remain optional, with physical credentials available for those who prefer them, so that no resident is excluded for lack of access to technology. 

Wallet applications should seek to comply with WCAG and Section 508 accessibility standards when possible, supporting screen readers, high-contrast modes, multiple languages, and intuitive, plain-language interfaces. These requirements should span interactions that the user has with issuer components and verifier components, to the extent they are run by a state. It should be generally encouraged as a best practice for the private sector as well. Accessibility requirements for state employee or contractor usage should apply to internal-facing interfaces such as dashboards and control panels.

Education and Support

Education and transparency are also critical. End users should be informed not only about how to use state digital identity compliant credentials, but also about the technical risks, their responsibilities, and the protections available to them. In-person assistance at DMV and county offices, multilingual tutorials, and partnerships with community organizations can help reach populations with limited digital literacy or English proficiency. We recommend that the education is built into the user interfaces as part of the digital onboarding experience for digital wallets and any other user-facing components. Without training and awareness and effective visual indicators, it is difficult to prevent users from oversharing their data whenever they are requested, resulting in data privacy risks.

User Choice and Fallback Options

The program should build in user choice, recognizing that residents' circumstances differ. This includes providing both online and offline options for credential use, so that residents can decide what works best in their situation, as well as fallback options such as printed QR codes, smartcards, or service kiosks for those without personal devices. States should evaluate uptake and use by various population segments to safeguard against leaving people behind. By combining simplicity, usability, education, and user choice with strong accessibility requirements, states can ensure that state digital identity protects all residents while remaining consistent with the statutory principles of privacy, unlinkability, and individual control.

Turning Usability into Security in Practice

Usability isn’t an add-on to security, it determines whether a digital identity system works in the real world. Strong cryptography and protocols matter, but a system that residents cannot use confidently and independently is not fully secure.

Treating usability as a security requirement changes how readiness is evaluated. States should:

• Test with real users early and often to uncover diverse failure modes.
• Design recovery for stressed, non-technical users so lost devices or compromised keys don’t create security gaps.
• Measure adoption as a security metric (low uptake signals risk and exclusion).
• Build accessibility into security requirements to prevent failures that disproportionately affect vulnerable populations.
• Plan for continuous iteration, making real-world feedback a core security control.

Usability failures don’t just inconvenience users, they drive insecure workarounds, concentrate risk, and erode trust. When programs make usability foundational, they build digital identity as civic infrastructure that is resilient, inclusive, interoperable, and privacy-preserving.

SpruceID advances this standard, pairing human-centered design with open, interoperable technology. We invite governments and organizations to contact us to partner on digital identity systems that are secure, usable, and trusted by all residents.

About SpruceID: SpruceID is building a future where users control their identity and data across all digital interactions. We build privacy-preserving digital identity infrastructure that empowers people and organizations to control their data. Governments, financial institutions, and enterprises use SpruceID’s technology to issue, verify, and manage digital credentials based on open standards.