On May 1, 2026, Malaysia's Road Transport Department (JPJ) switched off every other way of logging into the MyJPJ app. From that date, the national MyDigital ID became the sole single-sign-on method for the more than 14 million registered users — anyone aged 12 and above — who renew road tax, check licence status, manage summonses or pay fees through the app. JPJ framed the change as a move to strengthen cybersecurity and deliver services "through one verified digital identity." It is one of the most visible steps yet toward Putrajaya's stated goal of integrating 95% of public services into MyDigital ID by 2030.
The direction of travel is sound. The objection here is narrow and specific: not digitisation, not single sign-on, but the decision to make a single state credential the only door — with no parallel path — into an essential public service.
The case for the mandate is genuinely strong
It is worth stating plainly. Password-based logins to government apps are a real attack surface; credential reuse and phishing are how most account takeovers happen. A device-bound, certificate-backed identity is meaningfully harder to compromise than a username and password, and a single trusted login spares citizens the friction of juggling separate credentials across dozens of agencies. MyDigital ID's operator says verification checks against the National Registration Department's records in real time and stores no biometric data on its servers, with fingerprint and face matching done locally on the handset (digital-id.my). For a government trying to move tens of millions of interactions online, consolidating identity is a reasonable engineering instinct. Adoption bears that out: MyDigital ID passed roughly 10 million users by mid-February 2026 and is targeting 17 million by year-end.
A proportionate regulator could stop there and have a defensible policy. The trouble is the word sole.
Mandatory-with-no-fallback is a different policy
Making MyDigital ID the only accepted login converts a useful option into a chokepoint. When it works, it is seamless. When it does not, there is nowhere else to go. That was not hypothetical on day one: The Star documented users hitting "Oops! Something went wrong" errors, account lockouts after periods of inactivity, and people forced to revoke and re-register their IDs to get back in (thestar.com.my). One driver summed up the design flaw bluntly: "I still prefer using the physical ID." JPJ had already pushed the deadline twice — from February to March to May — precisely because registration was lagging (paultan.org). A deadline that slips because adoption is incomplete is a signal that a hard cutover is premature, not that it should be enforced harder.
The people most likely to be locked out are the ones with the least slack. A joint statement by the Centre for Independent Journalism, ARTICLE 19 and Sinar Project on October 10, 2025 warned that mandatory state e-verification "would disproportionately exclude persons or communities at risk, including undocumented persons, refugees, the LGBTQIA+ community, older adults and those living in rural or remote areas" (Aliran). For a smartphone-only credential gating a service as routine as road tax, exclusion is not an edge case — it is a predictable cost that an opt-out path would eliminate.
The state is asking for trust it has not yet earned
Proportionality also turns on whether the institution holding the keys is accountable. Two facts sit awkwardly against the 95%-by-2030 ambition.
First, the governance record is shaky. The Auditor-General found that the MyDigital ID project spent RM28.13 million without proper committee approval, redirected RM14.09 million of development funds to unrelated costs, and suffered from "weak internal controls and non-compliance with the established governance and mandate" at the special-purpose vehicle run by Mimos Berhad, over the period July 2023 to March 2025 (Biometric Update). A system asking citizens to route their entire civic life through it should clear a higher bar of operational discipline than that.
Second, and more structurally: Malaysia's federal and state governments remain exempt from the Personal Data Protection Act, even after the 2024 amendment modernised the rest of the regime (Act A1727, PDP Department). So the very actor building a near-universal identity layer is the one actor not bound by the statute that governs how everyone else handles personal data. Civil society's concern about a "single point of failure" and "centralised government control of our digital space" lands harder when the controller has written itself out of the rulebook.
The fix is small and keeps the upside
None of this argues for abandoning MyDigital ID. It argues for setting it correctly. A proportionate version of the same policy keeps three things: a working alternative login for essential services so a registration glitch never blocks a road-tax renewal; voluntary adoption driven by genuine convenience rather than a hard cutover, which the doubled deadlines suggest the public is not yet ready for; and independent oversight, starting with bringing government data handling inside the PDPA so the operator of the nation's identity spine is accountable under the same law it enforces on banks and platforms.
Malaysia is right that the future of public services is digital and identity-anchored. The lesson of May 1 is that the gap between a good digital ID and an overreaching one is not the technology — it is whether citizens are left a way through when the one door jams.