The Malaysian government is currently expediting the implementation of the National Digital Identity initiative, also known as MyDigital ID. However, there are concerns from the public that the National Digital Identity initiative could be a potential security risk given the number of data breaches involving government apps and registries in Malaysia.
MIMOS, the key implementer of the project, recently held a media briefing to address these concerns and to outline the potential use cases of MyDigital ID.
What is Digital ID?
MyDigital ID is essentially an online system that verifies and authenticates your identity in the digital age. It doesn’t replace your MyKad (Identification Card) but serves as an extension of it for verifying your identity online. It acts like a single sign-on authentication (similar to “sign in with Google”) for government services as well as for the private sector.
According to MIMOS, MyDigital ID is homegrown and developed in-house in Malaysia.
The single unified National Digital ID would eliminate the need to register different accounts when dealing with various online government platforms and you can access all services with just a single ID. For the private sector, MyDigital ID can offer a seamless and secure electronic Know Your Customer (e-KYC) process which eliminates the need for over-the-counter physical IC and fingerprint verification. This would be a game changer for digital banks as new unbanked customers will be able to create a savings account without the hassle of physical IC verification.
Does Digital ID store your personal data?
One of the major concerns is the potential data leak like the one which happened recently in India where 815 million personal records were put on sale on the dark web. According to MIMOS, Malaysia’s National Digital ID system is different as it doesn’t record or store personal information. It merely generates a certificate that’s linked to your IC.
When you enrol for MyDigital ID, the system performs a verification using your IC and fingerprint, then generates a certificate that’s stored on your device. Your records, including your fingerprints, are kept by the National Registration Department (NRD), and the MyDigital ID system only performs a verification process with NRD without storing any data on its servers or your device. MIMOS gave assurance that the MyDigital ID servers are used for processing only and do not collect or store your data.
Physical enrolment is required and it’s for one device only
Similar to online banking apps, MyDigital ID can only be enrolled on a single device. If you change or lose your phone, you can revoke your Digital ID at the kiosk before enrolling it on a new device.
At the moment, there are only a handful of MyDigital ID kiosks, and MIMOS plans to expand them to more touch points nationwide to ensure ease of enrolment. MIMOS said it is also working with various government agencies to expand its enrolment touch points, and this may include the National Registration Department. The MyDigital ID enrolment process could also be extended to other potential secure environments, including ATMs and third-party kiosks.
Will losing your phone lead to identity theft?
Since MyDigital ID only stores a certificate on your phone, there’s hardly any useful information if your phone falls into the wrong hands. The app doesn’t keep your username, password, address, fingerprints or other sensitive information.
In a way, it is similar to enrolling your credit card via Apple Pay or Samsung Pay on your phone. Once you’ve enrolled the card, the system will generate a token on your device and it doesn’t store your card number, expiry or CVV code. The token is all it needs to authenticate a payment and it is non-transferable to other devices.
Of course, users are equally responsible for their devices, which can be secured with a PIN or biometric methods such as Face ID or fingerprint security. If a device enrolled with MyDigital ID is lost or compromised, the user can revoke access as soon as possible.
Digital ID rollout for consumers in July 2024
For now, there’s no immediate need to register for a MyDigital ID. At the moment, it is being rolled out to government administrators before it is introduced to government civil servants. The MyDigital ID launch for the general public is only expected to take place in July 2024, and at the time of writing there’s still no confirmation of which government departments, agencies and private-sector organisations will adopt MyDigital ID.
Besides providing a secure single sign-on method for government platforms, MyDigital ID can also be used to distribute targeted financial aid as well as subsidies, which could start sometime next year. The range of available MyDigital ID use cases depends greatly on the support and implementation of the various government departments.