Identity is going digital, and moving to the mobile. For most, this is a positive step. Identity is proliferating at an incredible rate. From the low level ‘sign-in through Facebook’ variants to high security access to, and usage of, a new range of central government and smart city services, the ability to prove who we say we are (when we’re mobile) is a strategic imperative. And It’s not just about convenience or security.
While the social and financial wellbeing of nation states can hardly be said to “rely” on getting digital and mobile identity right, there’s little doubt that doing so offers a tremendous economic boost.
Estonian President, Toomas Hendrik, certainly thinks so. In 2014 he was quoted as saying the use of electronic signature in his country was saving the equivalent of a weeks working time per person. Similarly, wider studies have shown significant cost savings to the public purse – one notable report from the SIA and Boston Consulting Group predicts savings in the region of $50 billion by 2020.
Everyone’s doing it
It’s not only Northern European countries where examples of e/m identity initiatives can be found. The United States with its National Strategy for Trusted Identities in Cyberspace (NSTIC), the European Union’s electronic identification and trust services for electronic transactions in the internal market (eIDAS) initiative and a raft of smart city projects across the United Arab Emirates are also engaged in tackling the issue.
It must be remembered, of course, that the acronyms, regulations and technologies are sources of complete indifference to the citizen. They just want to pay their taxes, buy goods and services, manage bank accounts and enjoy simple, fast and secure access to whatever private or public service they choose to use.
Of course, a user-centric approach is all very well for the actual solution. The identities themselves – the “things” on which this brave, new, inclusive and financially beneficial world is built – must begin with a trusted framework. And for many, including the SIA, sovereign states have a clear role to play.
Certainly these government institutions will be joined along the way by internet giants, banks, technology providers and many more ecosystem players. However, in a world as complex as mobile identity - one that touches privacy, public safety and national security - leveraging existing trusted state identities is crucial.
Building the framework
As providers of essential online services to whole populations, governments can (and should) take a lead in promoting high value, highly secure, trust-based economic and social interactions on the mobile.
This could be empowering eDemocracy and personalized health services, or the creation of a new citizen-to-citizen economy in which private individuals can transact with one another in a trusted environment where accountability and the rule of law exists.
It doesn't matter what the service is, it matters what identity is offered, and how that identity is authenticated to give secure access to the citizen.
Clearly, there are challenges associated with online identity that extend from convenience through to trust. For example, identities used to access online banking and government services are typically derived from strong registration processes that straddle both the physical and virtual worlds: citizens present a physical credential – a birth certificates, identity card or passport - and are provided with the authentication tokens to enable online access.
Other online services rely on self-registration, where citizens create their own user names and passwords to access social networks, eCommerce accounts or webmail: in these instances citizens may choose to protect their personal information by using pseudonyms to access services.
What is clear though is that without a trusted digital identity, the digital economy can’t function effectively. Which is why governments have such a clear role to play in establishing a clear national policy strategy for digital identity management – and in acting as the national validation gateway for ID service providers.
Unlocking the potential of mobile
In recent years a number of high profile eGovernment implementations around the world have helped unlock the identity authentication conundrum, making it possible for citizens to create and use an online government account that could very well form the root identity for their trusted digital ID.
But with mobile devices fast becoming the access channel of choice for populations the world over, tackling the challenges relating to mobile identity (m-ID) and authentication is clearly the next priority.
Why mobile ID
By 2018 the OECD predicts that 96% of the world population will be equipped with a cell phone. The growing adoption of smart devices means more and more people are using their mobile to get online – indeed, one study indicates that by 2018 there will be 8.9 billion mobile internet consumer devices and connections.
Mobile identity is set to become an essential factor in enabling secure access to a vast array of services – including banking, payment, retail, healthcare, transport, energy and other advanced identity-based digital services – via a mobile device, no matter where in the world we are.
A number of pioneering countries are already tackling the challenge of adopting new structures and codes to govern associated services and transactions – and are the process of defining what mobile identity and mobile identity solutions should (and do) look like.
For some, the answer begins at the network operator level. For others, it’s rooted in the existing physical and digital identities already created by government.
Authentication and mobile-ID
The mobile identity solutions employed by today’s innovators are flexible, in terms of how they deliver a wide range of applications and use cases. However, all are reliant on an authentication solution that’s appropriate for delivering secure access to an eService via a mobile device.
Authentication lies at the crux of m-ID, demonstrating assurance that the individual engaging – or about to engage – in a transaction is indeed the person defined by the identity that’s being used. Ideally, this identity will have been created during a prior enrolment process, such as a government program.
Furthermore, context aware authentication will be required to ensure identification methods are appropriate to the user case in hand. This framework should include multi-factor authentication options that assure the high levels of security that users need when accessing government, banking or health services.
For very strong authentication use cases - for example when a legally binding proof of authentication or authorization transaction is required - the introduction of mobile signature based on PKI (Public Key Infrastructure) technology would be critical to making robust identity proofing possible and supporting the generation of digital certificates for identity validation.
The question of where these identities are stored is crucial for obvious security reasons. While the form factor of the electronic identity may vary, it should be stored or accessible using a secure element such as a mobile UICC (SIM card), an embedded secure element in a mobile device or a microSD card, for example.
Whatever the approach taken, there’s a common theme that underpins the most successful m-ID programs currently in operation around the globe. All are highly dependent on the active and effective collaboration between public authorities, banking and financial institutions and private service providers to establish a highly secure standard for mobile environments.
This enables all parties to participate in an interoperable and universal approach that establishes the practices, security standards and ease of use that needs to characterize a mobile identity infrastructure – and sets out the authentication modes that are expected for defined use cases.
Mobile ID goes live
A number of countries have already developed advanced m-ID initiatives that bring together a large of number of service providers, commercial organisations and government agencies to deliver mobile digital services to their populations.
In Finland, the city of Helsinki is using mobile technology to engage with citizens and deliver innovative new public services; for example, a new tax receipt app now allows citizens to calculate the total amount of direct or indirect taxes they pay monthly. Today over 300 public and private services across the country now accept mobile ID; the most popular services include getting involved with citizen initiatives, reporting incidents to the police, working with insurance services and accessing health services
In Estonia the national mobile-ID service is now being used to boost export and trading activities with Lithuania and Azerbaijan by making it possible for companies to set up in just minutes. The service also allows non-nationals residing in the country to access local citizen m-ID services and participate in key infrastructure services such as DigiDoc and banking applications. The initiation of a non-resident ‘investor passport’ approach has made satellite citizenship a reality that’s attracting new investment into the country – and creating the potential for ‘digital embassies’ in friendly foreign countries.
What matters in adoption?
Ultimately, there are two critical elements within the m-ID environment that will support successful strategies.
The first is the role of the state in driving the trusted framework. The second is the need to deliver user protection that is appropriate to the use case.
If we’re logging into a social network, there’s little need for high levels of multi-factor authentication. If we’re accessing/making a government or financial service/transaction – particularly if it is cross-border in nature – the highest levels of confidence in the proffered identity, and in its security, are paramount.
For example, the eIDAS regulation, which is set to foster the use of identity solutions across the Digital Single Market, offer three different assurance levels for transactions: low, substantial and high. For the SIA, just how “appropriate” low or even substantial levels are for cross-border transactions - when there’s a high alternative that offers full protection - is a point of debate.
Over the next 12 months we are likely to see a raft of new m-ID initiatives planned and launched. And they’ll be much discussion on a range of connected issues – from whether regional frameworks can offer answers in a globally interconnected world to how to gain the highest levels of assurance on and off the device. One thing is clear, m-ID is not going away.