Secure issuance underpins identity trust — but implementation tradeoffs matter more than the industry often admits.
As governments and enterprises in the Asia Pacific region (APAC) expand national ID programs and digital identity ecosystems, “secure issuance” (the issuing of credentials securely) is frequently cited as the foundation of identity trust.
However, industry commentary on the topic often reads more like advocacy than analysis, blurring the line between technical best practices and vendor interests. It is worth noting that most serious national ID programs across APAC — from ePassports to national digital identity frameworks — already operate to established international standards such as ICAO Doc 9303, ISO/IEC 18013-5 and NIST guidelines. So, the more substantive debates in the field concern implementation tradeoffs: centralized versus decentralized architectures, assurance levels versus accessibility, open standards versus proprietary platforms, and privacy versus security.
Against that backdrop, a spokesperson for a major player in the secure issuance industry asserts: “the conversation is no longer about printing IDs but issuing identities securely, consistently and at scale.” How? Why? CybersecAsia.net frames the views and opinions of Lee Wei Jin, Regional Director (Asia Pacific), HID, in a short Q&A, annotated with balancing points, as follows:
CybersecAsia: Is secure issuance really as important as the industry claims?
Lee Wei Jin (WJ): As governments and enterprises in the region accelerate the rollout of national ID programs and digital identity ecosystems, one reality is becoming increasingly clear: identity is only as trustworthy as the way it is issued.
Secure issuance has evolved into a critical pillar of national infrastructure: one that underpins trust across economies, borders and digital ecosystems.
Editor’s note: Many industry voices argue that secure issuance is the foundation of identity trust. In practice, most security professionals already accept that issuance must be secure. The real question is: how secure, for which use cases, and at what cost? Leaders in the industry have to balance assurance levels, cost, accessibility and privacy.
CybersecAsia: Where do the real risks in issuance actually lie?
WJ: Despite advancements, many vulnerabilities in identity systems still originate at the issuance layer. These risks often emerge at handoff points: between enrollment and personalization, between disparate systems, or between physical and digital processes.
Fragmented workflows, legacy infrastructure and inconsistent security controls create gaps that can be exploited. Common weaknesses include poor management of blank credentials, inadequate protection of cryptographic keys, and an over-reliance on manual processes.
Editor’s note: Beyond technical vulnerabilities in issuance systems, risks also arise from governance failures, privacy concerns, exclusion of marginalized populations, and vendor lock-in. Leaders must also consider risks outside the technical layer: inadequate oversight, data misuse, and systems that exclude people who lack documents or connectivity.
CybersecAsia: How should leaders think about digital and hybrid identities, and what does this mean for cross-border trust?
WJ: The rise of digital and mobile IDs is fundamentally reshaping secure issuance. Issuance now includes secure key generation, cryptographic binding to devices, remote provisioning, and the ability to update credentials dynamically. Yet the core principles remain unchanged: authenticity, integrity and control. The future of identity is inherently hybrid — physical and digital credentials will coexist within a common trust framework.
As economies become more interconnected, identities must also be trusted beyond national borders. If credentials are issued using inconsistent standards, assurance levels or cryptographic frameworks, cross-border trust becomes difficult to establish. Aligning issuance practices with international standards and modular architectures can create identity ecosystems that are both secure and globally interoperable.
Editor’s note: The technical requirements described — device binding, remote provisioning, dynamic updates — are real and well-understood, but they also introduce tradeoffs the industry rarely foregrounds: what happens when a device is lost or compromised, who controls revocation, and how privacy is preserved when credentials are bound to personal devices. On cross-border interoperability, the aspiration toward federated trust models is legitimate, but the reality in APAC remains largely bilateral and fragmented. Divergent national sovereignty interests, inconsistent data protection regimes, and the practical dominance of proprietary vendor implementations over open standards mean that “globally interoperable” is a design goal, not a current condition. Leaders should pressure-test any vendor’s interoperability claims against specific standards compliance — ICAO Doc 9303, ISO/IEC 18013-5 for mobile IDs — rather than accepting architectural alignment as sufficient assurance.
CybersecAsia: What should leaders prioritize when designing issuance infrastructure?
WJ: First, adaptability. Identity systems must be able to support new credential types, technologies and assurance levels without requiring complete overhauls.
Second, security and governance must be embedded at the core. Cryptographic integrity, auditability and lifecycle controls cannot be afterthoughts. Real-time monitoring, role-based access controls, and comprehensive audit trails are essential.
Third, a shift in mindset from siloed systems to interconnected ecosystems.
Ultimately, secure issuance is not just a technical function. It is a strategic capability: one that underpins trust in an increasingly digital and interconnected world.
Editor’s note: The hard decisions to consider include centralized vs decentralized models, privacy vs security, cost vs assurance, and how to avoid vendor lock-in. Leaders need guidance on trade-offs, not just best practices.
Secure issuance is a necessary foundation for trusted identity systems. However, it is not sufficient on its own: leaders should treat it as one layer in a broader system that includes enrollment, verification, governance, privacy and inclusion.
CybersecAsia thanks Wei Jin for sharing his opinions with readers.


