Indonesia is consolidating 27,000 government apps behind a single sign-on called INA Pas. The system uses face biometrics and liveness detection. It launched in limited form on September 30, 2024, built by INA Digital, PERURI, Ditjen Dukcapil, and BSSN. Every government service behind one login.
In 2024 alone, the country allocated Rp 6.2 trillion ($386.3 million) for new government app development. Consolidation makes obvious sense.
Here is what consolidation actually does. It takes 27,000 services with 27,000 different trust levels and puts them behind one door. A citizen who walks through that door can no longer tell which room is safe.
Brand is a membrane
A brand is the boundary between what is inside an organization and what people outside perceive. It is permeable. The inside leaks out, always.
When you put 27,000 apps behind INA Pas, you are making a brand promise. You are telling citizens: everything behind this login meets a standard. The biometric face scan signals seriousness. It says: trust this.
But a membrane works in both directions. What is inside leaks out. And what is inside these 27,000 apps is not uniform. Data is still stored by individual ministries and organisations. The membrane is promising coherence. The interior is incoherent.
The interior has already leaked
On June 20, 2024, the Temporary National Data Center (PDNS) in Surabaya was hit by Brain Cipher, a LockBit 3.0 variant. It disrupted 282 public services, immigration and airport services among them. BSSN head Hinsa Siburian admitted that 98% of data in one of the two compromised data centers had no backup. President Jokowi ordered an audit of all government data centers.
INA Pas launched three months later.
Before the PDNS attack, data from 1.3 million residents leaked from PeduliLindungi and eHAC, the COVID tracking apps. Someone leaked President Jokowi's own vaccine certificate from PeduliLindungi. His censored ID number and vaccination times circulated online. These are not edge cases. These are the services that will sit behind the same login as everything else.
A super-app inherits its worst constituent's trust
This is the design problem nobody in the rollout seems to be addressing. When services are separate, a breach at one ministry is that ministry's problem. Citizens can choose not to use that particular app. They can maintain different credentials, different exposure levels.
A single sign-on removes that option. If one service behind INA Pas is compromised, the biometric credential is compromised. The face scan you gave to access your tax records is the same face scan that now sits in whatever ministry stored 98% of its data without backup.
A GovInsider analysis of the rollout captured the tension: "Digital transformation shouldn't merely be a technology modernisation project, but an effort to rebuild public trust in the state." The same piece noted that data protection has to be the top priority to ensure citizen trust in INA Pas, INA Ku, and INA Gov.
These are the right words. But words are not a membrane. A membrane is a designed thing. It requires someone to decide: which services are ready to sit behind this credential, and which are not? What does a citizen see when a service behind INA Pas has a known vulnerability? How does the system communicate differential trust?
Nobody is designing the membrane
The team is running the rollout as a systems-integration project. Consolidate the backends and unify the identity layer. This is necessary work, but it stops short.
Someone needs to design what a citizen perceives when they use this system. Not the login screen. The trust signals. Can a citizen tell which ministry stores their data, and where? Can they revoke access to one service without losing access to all? Can they see which services passed a security audit and which have not?
Without these decisions, INA Pas is a clean front door on a building where some rooms have locks and some have holes in the walls. The front door makes the holes worse, not better, because it convinced you the building was safe.
What is INA Digital's plan for the day one constituent service behind INA Pas gets breached, and every biometric credential in the system sits behind that same login? That day is not hypothetical. The PDNS attack already showed the interior. The membrane is already leaking. Either someone starts designing for that reality, or the login screen is the entire plan.