Digital Identity and Age-Verification Rollouts for Online Access
Organizations are expanding digital identity verification for online services, with one effort focused on privacy-preserving age checks and another on stronger identity proofing for access to U.S. government healthcare accounts. Ars Technica reported on the OpenAge Initiative and related “age key” technology, which stores proof-of-age signals locally using FIDO passkey concepts and shares them through an encrypted, double-blind exchange rather than exposing full identity data. The article says providers including Incode, Persona, Socure, and Veratad, along with platform participants such as Meta and Konami, are backing the model as platforms prepare for broader age-gating requirements.
Separately, CMS expanded login options for Medicare.gov, allowing beneficiaries to verify identity through ID.me, CLEAR, or Login.gov under NIST IAL2 standards to reduce fraud and unauthorized access. CMS said biometric checks used by some providers are limited to one-time identity verification with user consent, and that medical records remain in CMS systems while identity data is held separately by the selected provider. While both reports concern online identity assurance and user verification, they describe different initiatives with different operators, use cases, and security goals rather than a single incident or coordinated event.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CMS adds ID.me, CLEAR, and Login.gov login options to Medicare.gov
CMS introduced enhanced Medicare.gov identity verification options allowing beneficiaries to verify their identity through ID.me, CLEAR, or Login.gov. The agency said the free options meet NIST Identity Assurance Level 2 standards and are intended to improve security, reduce fraud, and protect against identity theft and unauthorized access.
CMS awards identity verification contracts to ID.me and CLEAR
Before the Medicare.gov login expansion, CMS awarded contracts to ID.me and CLEAR as part of prior identity verification procurement activity referenced in the rollout announcement.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Identity and Age Verification Security Risks Amid Rising Fraud and Regulatory Pressure
Identity and age verification controls are under strain as organizations expand remote onboarding and governments mandate stronger online age checks. Intellicheck’s analysis of nearly **100 million** cloud-based identity verification transactions in 2025 found an overall **97.85%** pass rate, but with significant variation by industry; failures were primarily driven by **expired IDs** (potentially indicating operational gaps, stolen credentials, or poor user hygiene) and **failed IDs** (often associated with attempted fraud and **synthetic identity** activity). Reported failure indicators included missing barcode authorization data, mismatches between barcode and printed fields, uploads that appear to be digital copies, and biometric mismatches between the presenter and the ID photo. In parallel, platforms and regulators are pushing broader deployment of online age assurance, raising privacy and security concerns about collecting and storing identity data at scale. Research cited in coverage of age verification initiatives (including Discord testing age checks and new requirements in the UK, France, and Australia) warns that expanded identity-data handling increases exposure to **breaches, identity theft, surveillance abuse, and discrimination**, even as it argues privacy-preserving approaches are feasible. Separately, Cisco’s *State of AI Security 2026* highlights that enterprises are rapidly integrating **agentic AI** into sensitive systems (ticketing, code repos, cloud dashboards) with limited security readiness; testing showed **multi-turn prompt-injection/jailbreak** techniques achieving up to **92%** success across eight open-weight models, underscoring the risk of automated workflows being steered into unsafe actions when agents have tool access and memory.
Mar 21, 2026
Consumer Attitudes and Regulatory Shifts in Online Data Privacy and Age Verification
Recent research highlights that a majority of consumers believe they are primarily responsible for their own data privacy, with 67% of survey respondents indicating personal agency as the main factor in protecting their information. Despite this, consumers expect technology companies and regulatory agencies to support privacy through transparent systems and informed consent. However, practical decisions, such as choosing between free, ad-supported services and paid, privacy-focused alternatives, reveal that cost remains a significant factor in user choices, often outweighing privacy concerns. Simultaneously, 2025 saw the widespread implementation of online age verification requirements across Europe and the US, particularly for adult content and other regulated sites. These measures, intended to protect minors, have resulted in increased use of ID checks, geo-blocking, and VPN circumvention, raising new privacy and usability challenges. The tension between safety and privacy is evident, as most age verification methods require users to submit sensitive personal data, increasing the risk of exposure in the event of a breach. Regulators continue to push for stronger identity verification, but the practical impact has been confusion and restricted access for many users.
Mar 21, 2026
India Expands Digital Identity Use Amid Security and Privacy Concerns
Indian officials and agencies are pushing to broaden the use of digital identity in both public and private contexts, while explicitly raising cybersecurity and accountability concerns. In Hyderabad, Police Commissioner **V.C. Sajjanar** publicly argued that autonomous **AI agents** operating in critical sectors (e.g., banks, hospitals, power grids) should be issued a verifiable *digital identity* and be subject to strong **logging and traceability** so investigators can determine “which agent opened which file,” what changes were made, and where data was sent—framing the need as a safeguard against errors and the risk of **cybercriminals hijacking agent behavior**. Separately, India’s **UIDAI** is expanding **Aadhaar** into more day-to-day use via a new Aadhaar app and an **offline verification** framework intended to reduce reliance on real-time checks against the central database, while enabling *selective disclosure* (e.g., proving age without sharing full birthdate). The initiative also extends Aadhaar into consumer ecosystems (including planned **Google Wallet** integration and discussions with **Apple Wallet**) and into operational deployments such as policing and hospitality—e.g., Ahmedabad City Crime Branch integrating Aadhaar-based offline verification with the **PATHIK** guest-monitoring platform—prompting critics to reiterate concerns about **security, consent, and privacy** as Aadhaar’s footprint grows.
Mar 21, 2026