The Spanish DNI arrives on mobile phones: innovation and confusion

BarcelonaThe Spanish government has begun rolling out the new digital ID this week, a document that will allow citizens to authenticate themselves with their mobile phones in numerous everyday situations. This is a long-awaited development for those of us who carry our lives on our pocket-sized devices, but the solution adopted has several weaknesses and is part of a still highly fragmented and inconsistent national ecosystem of digital identities.

How the digital ID works

The new digital DNI will not replace the physical one, but will coexist with it, offering citizens the possibility of proving their identity through a mobile app called MiDNI. Obtaining it requires completing three phases: a prior registration that links the citizen's identity to the mobile phone number, downloading the app, and verifying the process.

Registration can only be done online (on the website www.midni.gob.es) if the digital certificate for the physical DNI is activated and the corresponding reader is available. Otherwise, it is necessary to go in person to the document update points (PAD) located in police stations and town halls. During the process, the DNI is linked to the mobile phone number using a one-time code.

Naturally, access to MiDNI can be protected with facial or fingerprint biometrics from the phone. A key aspect of the system is that the app does not store identity data on your device. When a citizen needs to identify themselves, their mobile app checks the police database for its validity in real time and generates a temporary QR code that can be scanned by another device with the same app installed. This QR code is only valid for a short period, after which a new code must be generated to verify their identity again. The QR code can also be read with webcams and optical scanners, such as those used for accessing venues or at hotel receptions.

Uses and limitations

With the new digital DNI, you can perform various everyday tasks: identify yourself to agents or officials, access public or private spaces, exercise your right to vote, check into hotels, rent cars, collect packages, open bank accounts, and sign deeds before a notary. However, in this first phase, it will not be used for online procedures or as a travel document to cross borders or prove identity abroad, despite Spain's signing of the eIDAS regulation for interoperability between the electronic identification systems of EU member states.

The Spanish government has established a 12-month period for public and private entities to adapt to the new system. During this period, acceptance of the digital format will not be mandatory, but starting in April 2026, citizens will be able to demand identification solely with the digital DNI, and it will also be enabled for online procedures and electronic signature operations.

A step towards self-sovereign identity

One of the positive aspects of the new digital DNI is that it enables self-sovereign digital identity—a concept enthusiastically promoted by former Catalan Minister of Digital Policies Jordi Puigneró. This principle allows citizens to provide only the essential data on each occasion, thus avoiding the unnecessary exposure of sensitive information such as address or parents' names when only proof of, for example, legal age is required.

In the case of the new digital DNI, the application offers three levels of information. The Age DNI shows only the photograph, name, and legal age; the Simple DNIAdd the last name, gender, and ID validity, and the Complete ID card displays all the document's data.

Weaknesses of the digital ID card

Despite these advantages, the new digital DNI has several weaknesses that are causing concern. First, it requires an internet connection to view, which can be a problem in areas with limited coverage. Furthermore, the source code has not been made public and is therefore not independently auditable.

A particularly controversial aspect is that each verification is performed against a central server. This means that the police know when each citizen's DNI is used, and when combined with the mandatory link to a mobile phone number, this opens up extensive tracking possibilities. This link to the phone number also makes the system vulnerable to cyberattacks such as identity theft (swapping) of the SIM card, a type of scam that has plagued telephone operators for years.

The icing on the cake is that MiDNI reaches the Android and iOS stores with a certain degree of arrogance, because in both there was already an app called "my digital ID," published by International Eidas LLC, which in several respects is much more useful—and infinitely easier to configure—than the official one. This opens the door to confusion among citizens that could have been avoided through diplomacy, choosing another name, or simply adopting the existing app as the official one.

A fragmented digital identity ecosystem

The confusion over apps reflects a larger problem: the difficulty Spanish authorities face in deploying a coherent digital identity system. The current ecosystem is a patchwork of solutions that are difficult to combine, redundant, or downright incompatible.

For example, the Spanish driver's license can be virtualized on a mobile phone (with the official MiDGT app) with a digital certificate already installed, but the new digital DNI doesn't allow this. In fact, one or more digital certificates can be saved on a mobile phone with an FNMT app, but it doesn't make them directly visible in the phone's keychain. For other apps—from CatSalut to the aforementioned MiDGT—to see them, they must be exported and added manually.

Beyond mobile phones, another paradigmatic case of distrust between official bodies is the IdCat certificates issued by CatCert, the Catalan certification authority: they are valid as personal digital credentials throughout the country, but are not accepted to accredit you as a representative of a company. For this purpose, only a personal certificate from the FNMT is accepted, to the point that I have let my IdCat expire and now use the FNMT everywhere.

Added to all this is the state administration's age-old custom of forcing citizens to use specific software, which has now been modernized: while many official websites previously only worked with Internet Explorer, Chrome is now the requirement. The practical mobile application, Citizen Folder, which collects most of the data the State accumulates on us, only lets you activate it with a digital certificate if you have the aforementioned Google browser installed. Since this is not my case – despite using Brave, which is based on the same Chromium code – I had to do it with the alternative system Key PIN, which depends on the link to a mobile number where you receive a one-time code via SMS.

Spain, at the bottom of Europe in digital identity

Given this scenario, it's no surprise that Spanish citizens, despite the high social penetration of digital technology, are at the bottom of Europe in the use of digital identities. Progress is being made, but at varying speeds and with uncoordinated solutions. Unfortunately, Spain is not yet Estonia.