The incoming EU Digital Wallet will be both convenient and a tempting target, warns Marie Boran
Somewhere in the next year or two, a very boring interaction is going to change: proving who you are. Not in the ‘upload a scan of your passport and wait three days’ way, but in the ‘tap-to-verify and share only what’s needed’ way. Ireland’s new Digital & AI Strategy explicitly points to delivering a digital wallet app as part of properly bringing public services into the 21st century. And the EU is steering the whole bloc toward EU Digital Identity Wallets by the end of 2026, meaning cross-border expectations will land whether we feel ready or not.
This is the part where we’re told it’s all upside: less paperwork, fewer in-person checks, smoother onboarding for everything from banking to rentals. And yes, digital credentials can reduce the current madness of e-mailing PDFs around like it’s 2009. But there’s an uncomfortable truth behind the convenience story: a wallet on your phone turns identity into a single, high-value target.
When identity lives in documents, stealing it is messy. When identity lives behind a login and a recovery flow, stealing it becomes a product. That’s not hypothetical; it’s already how account takeovers scale.
The moment a digital wallet becomes the default proof-of-personhood, attackers won’t just go after passwords, they’ll go after the routes around passwords: compromised recovery channels, social engineering, and the kind of urgent verification nudges that exploit people’s instinct to comply. Ireland’s National Cyber Security Centre warns that phishing and social engineering are getting harder to spot as attackers become more sophisticated.
Social media bans and a new normal
Here’s where the wallet story gets more interesting, because it isn’t only a risk, it could also be a rare privacy win in one of the most contentious policy fights Ireland is about to have: restricting social media access for under-16s.
Right now, the under-16s debate tends to collapse into a grim choice: do nothing or force age checks that turn into mass ID collection. The government has announced a trial of a digital wallet age-verification mechanism for accessing social media platforms. If that sounds like a technical footnote, it isn’t. The EU’s wallet blueprint treats age verification as a first-class use case: people can prove they’re above an age threshold (for example, over 16) using a verifiable credential in the wallet, with selective disclosure so a platform learns ‘over-16: yes/no’ without getting your full date of birth or other identity data.
Done properly, that’s materially better than normalising having to upload your passport or pushing facial age estimation as the default.
That aside, the not-so-hot take is that we’re sleepwalking into ‘tap-to-prove’ without doing the cultural work of ‘lock-to-protect’. A wallet that’s good enough to act as an age gate, a log-in gate, and a public-service gate is also a juicy target. Which means rollout can’t be treated as a branding exercise. It has to be treated as security engineering at population scale.
Ireland’s NCSC is unusually direct about what actually works. In its MFA guidance, it describes phishing-resistant MFA as the current gold standard. That matters because the wallet era will fail in the boring places: device security, account recovery, and the unfortunate human habit of approving prompts when something ‘looks official’.
Three practical rules for the digital wallet era
- Treat your phone like a house key. Strong PIN, biometrics, automatic updates; this is non-negotiable if the device is also your ID.
- Fix account recovery before you need it. Most hacks are really recovery abuse. Tighten the e-mail and phone number that can reset your accounts.
- Prefer phishing-resistant authentication where you can. If a service offers stronger MFA options, take them, because ‘approve this login’ prompts are exactly what scammers farm.
The digital wallet shift will be sold as convenience – and I’m not denying that; it will be – but the real story is that identity is becoming an attack surface. If we don’t write that into the public narrative early, we’ll do what we always do: learn the hard way, one compromised account at a time.


