Digital Identity: Best Practices

Providing a frictionless experience isn’t anybody’s first step—it’s the objective or goal. Getting there is hardly an easy task. We’ve identified best practices in authentication and digital identity management that balance the need to reduce fraud but create a good user experience:

• Evaluate the source of the application. How did an applicant get to the FI’s website? Applicants coming from a product comparison site (e.g., BankRate) or a marketing-related email are less likely to be fraudulent than if they typed in the main URL of the FI’s website. In addition, applicants coming in on a mobile device are less likely to be fraudulent as it’s harder to write bots and copy/paste data from fraudulent sources. Mobile devices are used in fraudulent applications, however, so determining if a device is on a known blacklist or whitelist can provide an indication of fraud or of a valid application.

• Examine the data elements provided. Was a picture of an ID submitted? This is a sign of a legitimate application, as it costs fraudsters time and money to create fake IDs. In addition, it’s rapidly becoming a best practice to incorporate alternative data sources (e.g., social media data, mobile network operator databases) following the Equifax breach. As one interviewee for this report put it, “We’re building a ‘web of authentication’ that develops a score with risk factors pulled from a variety of data sources, including visible data points that verify channel access against what we already know.”

• Assess the funding source. How was the application for a deposit product funded? An ACH transaction enables an FI to determine the age of the funding account. An account that’s been in place for a while is less likely to be involved with a fraudulent application, whereas a relatively newly created prepaid account may be a red flag, as it is easier for fraudsters to create that kind of account.

• Create cross-channel involvement. Banks don’t need to force applicants to come to the branch to prove they’re who they say they are. A Facetime chat can help determine if a person looks like a person in the ID they submitted a picture of. One bank we spoke with captures voice prints of customers during phone contacts and uses those voice prints to verify applications from existing customers. It’s not all high-tech, though—an online bank we interviewed said manual efforts to contact and verify applicants are required in some cases.

In addition, banks can take steps to improve today’s onboarding processes, including:

• Eliminate duplicate data entry. Digital Banking Report found that many banks and credit unions still require the duplicate entry of information, even when customers apply for new products from banks they already do business with. To reduce frustration, customers should never have to enter information more than once, especially when switching from one channel to another. Accomplishing this requires having “one version of the truth,” which many institutions struggle to get to. Ensure information is up-to-date and in sync across channels to reassure customers that they have anywhere access to always-accurate data.

• Reduce average onboarding process time. When onboarding takes too long, consumers seek other solutions. At some banks, customers abandon up to 90% of new account applications. The root cause is legacy systems that still require manual intervention and paper-based interactions. Reduce onboarding time by 1) Eliminating disconnected, manual processes in favour of integrated, automated processes; 2) Offering customers their choice of onboarding channels; and 3) Providing customers with process transparency.

• Eliminate business bottlenecks. Many banks don’t have visibility into where bottlenecks exist or what’s causing them. Bottlenecks typically have one or more of four causes: 1) People; 2) Process; 3) Systems; and/or 4) Data. Review employees’ roles and responsibilities in the onboarding process for clues to identify and eliminate bottlenecks caused by people. Data issues are typically caused by legacy silos, which often produce different versions of the same document (and data).

• Measure onboarding satisfaction. To measure and monitor the onboarding process, banks need tools that provide information not only about past performance, current processes and how to improve them. Banks should look for: 1) Customizable dashboards that provide key performance indicators and metrics, and 2) Reporting and analytics that are tailored to facilitate faster, more informed decision-making.

Government

Estonia

Estonia is known for pioneering digital governance. Having gained independence in 1991, Estonia, like a true millennial, leverages technology in every aspect of governance. This is the concept behind “e-Estonia”. Estonia is the first nation to hold elections over the internet and to provide e-residency. The Estonian identity card is another step in the direction of e-government.

The ID card is a mandatory identity document for citizens of Estonia. It serves the twin function of giving proof of identification and establishing one's identity specifically in the electronic environment, including serving as one's digital signature.

Under Estonia’s Digital Identity Programme, the ID System is leveraged in three ways:

ID Card

This card contains the general components of a legal photo ID. However, in addition to the legal photo ID components, a chip on the card carries embedded files, and using 2048-bit public key encryption, it can be used as definitive proof of ID in the electronic environment.

Mobile ID

Mobile-ID allows people to use a mobile phone as a form of secure digital ID. Like the ID-card, it can be used to access secure e-services and digitally sign documents but has the added feature of not requiring a card reader. The system is based on a special Mobile-ID SIM card, which the customer must request from the mobile phone operator.

Smart ID

Smart-ID works as an identification solution via a mobile application and thus does not require a SIM card in the mobile smart device.

With the ID-card each citizen also receives a personal @eesti.ee e-mail address. The government uses this email address to send important information. In order to use the @eesti.ee e-mail address, citizens must forward it to their personal email addresses.

The ID card contains a chip used to store digitised data about the user, such as the user's full name, gender, and national identification number. In addition, the ID system leverages public key cryptography as the mechanism for authentication. The ID cards use 2,048-bit open-source public-key/private-key encryption, holding two separate digital certificates: one for confirming the holder's identity and the other to allow an individual to sign documents with a digital signature.

The ID cards are used pervasively in health care, electronic banking and shopping, to sign contracts and encrypt email, as tram tickets, and much more besides — even to vote. In all, the Estonian state offers 600 e-services to its citizens and 2,400 to businesses.

In October 2017, the news broke that a security flaw existed in the cryptographic keys in about 750,000 Estonian national ID cards. This flaw potentially allowed the private keys of the users to be inferred from the public keys. The vulnerability, called the ROCA vulnerability, was discovered in one of the code libraries, “Infineon”, in the smart card system. It is important to note that for a public key cryptography system to work, while the public key is shared with everyone, the private key must be kept private. This flaw left the ID cards vulnerable to identity theft.

The Estonian prime minister, recognising the “imminent risk” of attack, announced that the certificates of affected ID cards would be disabled effective 4 November 2017. Updates to the certificates were also accordingly laid out. The updates were released in the form of a certificate update.

The Estonian experience with a digital ID programme, while an example of one of the most highly sophisticated implementations, demonstrates the scale of the impact when vulnerabilities are discovered, even when a population is technologically savvy. Notably, despite the fact that Estonia has a small population and boasts a highly developed infrastructure, it was necessary to take significant measures to mitigate the risk. In developing countries with vulnerable infrastructure and populations, the impact would likely have been much greater.

Additionally, while in this particular case, the risks were considered “theoretical” and authorities were able to avoid irreparable damage, had the vulnerabilities metastasised, the impact could have been much worse and the effort to restore normalcy more drastic. Estonia’s response, in this case, was prompt. Most developing countries have not and would not be able to respond with such vigour and promptness due to multiple factors, including capacity gaps and lack of awareness within the public and implementing agencies.

The Estonian example, a near-miss with catastrophe, is also an argument against the push for biometrics-based digital IDs. Estonia uses public key cryptography as the authenticating attribute, and this may provide a more secure, rights-respecting alternative to biometrics.

e-Residency

A program launched by Estonia that allows non-Estonians access to Estonian services such as company formation, banking, payment processing, and taxation.

The program gives the e-Resident a smart card that he/she can use to sign documents. The program is aimed toward location-independent entrepreneurs such as developers and writers.

An application for e-residency can be made over the Internet by filling in a form, supplying a scan of a national passport and a photograph, and giving the reason for applying (which does not strongly affect the outcome of the application. The blockchain notary service allows e-residents, regardless of where they live or do business, to notarise their marriages, birth certificates, and business contracts on the blockchain.

Estonian e-residents can sign in using their physical ID card and perform digital signatures on the blockchain. Bitnation provides a P2P version of e-governance. This offers foreign people to become e-residents. This does not grant the same rights as residents in the traditional sense but offers many facilities when dealing with the country.

Tunisia

Envisaged as a project to improve the quality of administrative services and operations, Tunisia first saw a draft law introducing changes to the current national identity card in July 2016. While the current ID card contains a unique identifier number and barcode, the legislation proposed amending Law No. 27 of 20 1993 on the national identity card to further equip the card with an electronic chip that contains sensitive personal data.

At first, the project garnered favourable media attention, given the country’s post-revolutionary focus on combating corruption and advancing administrative reforms. However, once the draft became public for all to see, leading civil society activists — both in Tunisia and globally — as well as the leadership from the national data protection authority began to shed light on the privacy implications of the bill, which we explore below.

The Ministry of Interior presented to the Ministerial Council the draft law to amend current legislation on national identity cards. The Ministerial Council approved and submitted the draft to the Assembly of the Representatives of the People (ARP) on 27 July 2016. The draft was then assigned to the Legislative Commission on Rights and Liberties for review and amendments.

This initial draft contained provisions representing a severe threat to the protection of Tunisians’ personal data, privacy, and cybersecurity. It contained vague, ambiguous language and lacked essential safeguards for privacy. For example, Article 2bis of the initial draft stated: “[The encrypted part of the chip will contain] the administrative data related to the digitisation and registration of the card”. Nowhere in the draft were the terms “digitisation”, “registration”, and most importantly, “administrative data” defined. This left the door open for all sorts of personal information to be included in the chip.

The initial bill also raised serious concerns about data security. The draft consolidated access to Tunisians’ sensitive personal information, such as biometric data (like fingerprints), address and date of birth, into a single database, creating a single point of failure in the case the data is hacked or stolen. The draft did not indicate what kind of data would be stored, who would have access to it, or what measures would be taken to ensure the data would be secure. Worse, the bill did not give Tunisians the ability to access the information about themselves that would be stored on the card — imposing a five-year prison sentence for anyone who tried — while leaving in provisions giving police, national security agencies, and administrative agents broad access to rich data profiles of millions of citizens.

Roughly a year later, on 7 July 2017, the Commission on Rights and Liberties completed its review. The bill was supposed to be debated at the plenary session 23 on 18 or 19 July 2017. But because of other legislative commitments, the debate was postponed, and the draft was sent back to the Commission on Rights and Liberties. The bill remained there until it was finally placed on the plenary’s agenda on 9 January 2018.

On 4 January 2018, Chawki Gaddes, head of the national authority on data protection (INPDP), spoke before the Commission on Rights and Liberties to discuss the risks the bill poses to data privacy, clarifying that it was not the biometric format per se that was problematic, but the alarming absence of protections and guarantees for the privacy and personal data of citizens. A day later, the Minister of Interior, Lotfi Brahem, spoke before the same Commission to argue for passage of the bill. He claimed that nobody “could hack the personal data of any individual and that the Ministry of Interior is a strongly protected entity”, adding that Tunisians must “trust that”. Legislators were not convinced by the minister’s testimony, adopting several amendments to ensure the safety of all Tunisian personal data the day before the bill was scheduled to hit the plenary floor. The amendments the legislators adopted abolished the creation of a national database. In the course of the debate, many insisted that while having fingerprints in the card itself could be useful for verification purposes, storing them in a national database raises digital security concerns that provide anything but safety.

On 9 January 2018, the day the amended draft was scheduled to go to plenary, the Ministry of Interior withdrew the bill from the docket of the Assembly of the Representatives of the People (ARP). While this means the bill was defeated in the legislative context for now, fears remain that the government will bring the project back either through an executive decree to change “technical specifications” or through another bill presented to the ARP under a different political composition following the next legislative elections.

It is important to note that the draft bill amending the identity card law in Tunisia was withdrawn once amendments protecting citizens’ fundamental right to privacy were adopted. The amendments removed the necessity of maintaining a database at all — for example, following the revisions to the bill, authorities could take fingerprints for the sole purpose of including this data on the chip, but the data was then mandated to be destroyed. This, in essence, ensured that the fingerprints would act solely as a tool of authentication. While global human rights organisations celebrated the victory, they are cognizant of the Ministry’s intention to go on with the process and remain vigilant to ensure that Tunisia meets its human rights obligations with whatever identity programme may be proposed.

India

India’s national programme for Unique ID (UID), known now as “Aadhaar” (a Hindi word that loosely translates to “foundation”), was established in 2008. It is a unique 12-digit number provided to each resident of India, which is linked to a person’s biometric and demographic data. With more than one billion claimed enrollments in India, it is considered the largest biometric-linked national ID system in the world.

This was not the first national identity-related project undertaken by India’s Union Government. The first major one was an explicitly national security-focused ID card effort launched soon after the conclusion of the Kargil conflict, with the objective of having all Indian residents enrolled in a National Population Register, which would distinguish between citizens and non-citizens. In 2008, the new administration began work on a Unique ID effort broadly focused on creating a master database that would track social welfare programmes in order to de-duplicate “ghost beneficiaries”.

When established, authorities said the Aadhaar Unique ID would be voluntary and would help the Indian government achieve the twin objectives of (1) closing gaps in welfare delivery systems through better targeting and (2) increasing the efficiency of welfare delivery systems by leveraging technology.

The Aadhaar ID programme is administered by a government-run (and now statutory) entity called the Unique Identity Authority of India (UIDAI). Enrollment of residents into the scheme -- including the collection of biometrics -- has been done through agencies selected by the UIDAI, comprising a wide spectrum of private vendors along with public sector agencies. The primary idea behind Aadhaar has been proper authentication of identity through requests sent by requesting agencies to the central database of Aadhaar: the Central Identities Data Repository (CIDR). The requesting agencies ask for authentication by sending Aadhaar information along with the demographic and/or biometric information of the authenticator. The CIDR has all the information of individuals registered under Aadhaar. The CIDR processes each request and provides a yes/no reply along with other information to the requesting agency. In the case of “know-your-customer” or KYC authentication under the Aadhaar programme, the CIDR returns “e-KYC data'' (electronic know-your-customer), which includes the demographic information as well as the photograph of the authenticator. Such KYC authentication can only be done using biometric information or one-time passwords generated and transmitted to the registered mobile number of the authenticator.

Over the years of its operation, the Aadhaar scheme has become more explicitly connected with the Government of India’s digital service delivery and tech-enabled civic engagement efforts. Aadhaar has been cast as a major pillar of the current Union Government’s Digital India programme for government services that are made available to citizens electronically. As a result, Aadhaar has been tied to multiple services, from banking and internet services to international travel and marriage registration. Aadhaar use by private tech firms with respect to their consumer-facing digital services has also been on the rise, and there have been reports of Facebook testing new logins to its platform that would require Aadhaar. All these services are envisioned to use authenticating services as described above.

The use of Aadhaar has not gone without significant controversy and challenge in India. Aadhaar has faced a gamut of issues which can be divided in the following buckets:

implementation issues;
privacy issues;
security issues,
and surveillance issues.

Implementation issues

According to its supporters, Aadhaar was envisaged primarily as a tool for better delivery of welfare provisions in India. However, multiple technological and infrastructural problems, such as connectivity issues, hardware malfunctions, and duplication, have hindered the effective application of Aadhaar for this purpose.

Stories of labourers and the elderly unable to access services because their fingerprints do not work on the authentication machines are important to illustrate the gap between the Aadhaar concept and reality. Prominent economists such as John Dreze and Reetika Khera have written extensively on the subject of the exclusion of citizens from welfare delivery due to the implementation of the Aadhaar. Scholars and public interest groups have indicated that the requirement for Aadhaar enrollment and authentication for an ever-increasing number of welfare schemes and government entitlements has caused considerable harm and exclusion for India’s poor, particularly around Aadhaar-triggered exclusion from the public distribution system (PDS) for foodgrains, causing starvation and restrictions on social security, particularly harming the elderly and differently-abled.

Questions have also arisen about the narrative that Aadhaar has helped provide identities to those who did not have them before, with data uncovered by Right to Information Act requests indicating that only 0.3% of the 840 million Indian residents who had obtained Aadhaar as of 2015 had taken the “Introducer” route available to those without existing proof of identity. The overwhelming majority appear to have obtained Aadhaar enrollment using their existing authenticated documents to establish identity and address.

Privacy and fundamental rights issues

India’s regulatory framework for privacy, or the lack thereof, has been one of the most contentious points in the discourse around Aadhaar. Many individuals and organisations active in the Indian digital rights community have repeatedly expressed concern that the Aadhaar programme is not consonant with principles of privacy, which the Indian people should be inherently provided for.

The Supreme Court of India is currently hearing a series of challenges to the Aadhaar programme. A constitutional bench of the Supreme Court is holding hearings to determine the legality of the programme. One of the key pillars of the challenges to the Aadhaar scheme is its abrogation of the fundamental right to privacy.

The Supreme Court of India, in its seminal judgement in the Puttaswamy v. Union of India case in 2017, affirmed that each Indian has a fundamental right to privacy under the Constitution of India. However, the impact of this judgement on the fate of the challenges to Aadhaar is yet to be determined. The primary argument with regard to privacy is the semi-coercive nature with which the state is capturing biometric data and building a centralised database. While Aadhaar is considered a voluntary scheme, over time, the government has made Aadhaar necessary for carrying out basic functions in society, such as filing taxes or getting rations or even using a bank account and conducting a range of private sector activities, including the activation of telecom SIM cards. This has, in effect, made Aadhaar mandatory for the Indian public. It is being argued that requiring people to provide their biometric data to get services violates the fundamental right to privacy and does not comport with the necessity and proportionality standards that determine the exceptions to the right to privacy.

During the final hearings of the case against Aadhaar before a constitutional bench of the Supreme Court, in the end, April-early May, it was clarified by the court that the government was using an order passed by it on February 6 last year as a “tool” to seed Aadhaar with telecom SIM cards. The Supreme Court further clarified that there had been no such direction by the court for mandatory linking of Aadhaar and SIM cards.

The Government of India, for its part, has taken steps to formulate a legal framework for data protection in India. This framework is supposed to address the questions related to Aadhaar, privacy, and more. In order to build this framework with expert input and stakeholder consultation, India’s Ministry of Electronics and Information Technology created a committee under the chairmanship of former Supreme Court Justice Shri B N Srikrishna. This committee has been tasked with producing a report and a draft bill on data protection and is expected to publish its recommendations in the summer of 2018. The prior UPA government had previously established a committee of experts under the Planning Commission chaired by former Delhi High Court Chief Justice AP Shah, which published a 9-point focused report, in addition to a departmental effort working on an inter-ministerial draft legislative text for a proposed privacy bill across 2011-2015.35

Security issues

The security of the data under the Aadhaar programme is yet another disconcerting issue. Repeated reports of data breaches and the exposure of personal information, and biometric replay attacks along with access to the 37 databases by unauthorised persons signal not only the deficiency of protections provided by law but also deficiencies in the technical architecture and safeguards for Aadhaar.

The use of biometrics as an authentication mechanism carries significant security risks. Given the unique and singular nature of biometric information, biometric leaks may be irreversible. Unlike a system that relies on a password, in the Aadhaar system, once biometric information is compromised, you may be unable to restore a pristine identity.

While encryption can enhance the security of a central database, experts such as Bruce Schneier consider that such systems are liable to breach through attacks on computers using the data. Even if the encryption is not cracked, it is liable to be circumvented. News reports of data breaches by collection agencies, along with replay attacks to bypass authentication, further signal unaddressed vulnerabilities. Another reason for concern highlighted by Troy Hunt is the centralisation of data, an inherently insecure means for storing data. A central database creates a single point of failure. While one may employ the best mechanisms for securing a database, it is the cybersecurity equivalent of putting all your eggs in one basket. Security researchers have also pointed out the flaws in the cybersecurity culture of the Unique ID Authority of India: it does not have a public bug disclosure programme, in addition to issuing subordinate legislation to treat its cybersecurity policy framework as classified and denies the Right to Information Act disclosure requests.

Surveillance issues

The authentication mechanism under the Aadhaar system leads to the creation of authentication logs. Each time Aadhaar is used to authenticate one's identity, the log notes metadata of such authentication. Experts have noted that when done at scale and over a long period of time, such authentication logs can be a tool for pervasive profiling and surveillance.

In addition to the data being stored, the standards for such data being shared with law enforcement and other agencies are another cause for concern. The legislation provides a broad standard of “national security”, which must be assessed while evaluating requests for data, and overall, it uses a legal process that is weaker than that in Indian law regarding the interception of telecommunications data. It must also be noted that currently, only the executive branch of the government is involved in making and evaluating such requests, with a lack of judicial oversight of the process. It is illustrative to note that the government of Uttar Pradesh recently processed and accepted 10,000 telephone surveillance requests in two days.

China

The Resident Identity Card

https://en.wikipedia.org/wiki/Resident_Identity_Card

EU

EU NATIONAL SSI AND ELECTRONIC IDENTITY WALLET INITIATIVES

Germany

Description and current status

The German Federal Ministry of Economic Affairs initiated the Showcase Programme “Secure Digital Identities" in 2019, aimed at the development of German eIDAS solutions that are user-friendly, trustworthy, and economical, accessible for the administration, businesses – especially SMEs – and the population. In total, four projects have been selected to implement and test their solutions throughout Germany in different cities and communities over the next three to four years. The selected projects can be regarded as a wide-ranging test lab for SSI applications, as all act in the field of SSI.

The aim is to create new ID ecosystems in which users can digitally identify themselves to service providers or authorities with a mobile device, without media discontinuity and regardless of location. The solutions refer to the identification of people, the identification of things or a combination of both.

The use cases of the projects cover 10 fields: Education, health, hospitality, tourism, trade, logistics, mobility, energy, Industry 4.0, IoT, access management, public administration, and the financial sector.

The main objectives are:

Strengthening the digital sovereignty of the citizens,
Demonstrating the everyday benefits of secure digital identities to citizens, • Showing wide application possibilities,
Simplifying access to digital business and administrative services, and
Improving the usability of secure digital identities (e.g., replacing the username-password paradigm).

Applicability to eIDAS, SSI and European eID

The aim is to build an infrastructure that allows the secure exchange of proofs that is suitable for Europe-wide use and works equally for the identities of people, institutions and things on the basis of SSI. The implemented solutions are smartphone-based, and the verifiable credentials are filed in digital wallets. So far, three of the projects have begun the implementation phase.

The first project, IDunion, implements a decentralised public key infrastructure, using the European cooperative Societas Cooperativa Europaea S.C.E as a governance authority, which, as a legal entity, determines the rules of the network and its implementation. They have developed their own wallets (Lissi and esatus) and agents.

The second project, ONCE, develops and implements secure digital identities for administration, transport and the hotel industry. The ID systems used in ONCE are eIDAS-compliant and correspond to the security and trust requirements that the different areas of application demand.

The final project presently undergoing implementation, ID-ideal, focuses on the development of a trust framework considering existing SSI standards based on W3C and DIF.

These solutions must all be GDPR and eIDAS-compliant and based on available standards. The specific use cases in the field of personal identification should be usable on a mobile device and address the security levels "low" and "substantial" described in eIDAS. Application scenarios in business and administration, which require the security level "high" in eIDAS, should use the eID function of the identity card / electronic residence permit / eID card for EU citizens or another available solution according to eIDAS "high".

Applicability to governance

The proposed open ID ecosystem and interoperable ID solutions rely on the development of a trusted network, for example, that concerns semantic interoperability and procedures for dealing with different levels of assurance (LOA). One focus of the implementation should be the interaction between different ID solutions or different providers.

The solutions should thus build on the existing European electronic identity infrastructure and ensure the state remains the origin of the citizen’s core identity. They should be based on international norms and standards so that the results can easily be transferred to other municipalities, cities or metropolitan regions, including outside of Germany.

Security risks and mitigation

A potential challenge is to achieve interoperability among the different projects and their approaches, especially with regard to other ongoing projects of the German chancellery or EU initiatives such as GAIA-X.

Spain

Spain released its first standard defining a reference framework for the management of identification in 2020. This standard allows individuals and organisations to create and self-manage their digital identity without resorting to a centralised authority. It was produced by Aenor, the Spanish Association for Standards, and has become a UNE (One Spanish Norm) standard, entitled UNE 71307-1.

This standard was published on 9/12/2020, and on 11/1/2021, it was published in the BOE (Spain Official Bulletin), a process which officially approved and made it legally binding. The next step is to promote this standard to the CEN/CENELEC to become a European standard. On 11/2/2021, an autonomous community in Spain legislated the Blockchain Digital Identity, though it is waiting for approval at the national level.

More information can be found on the UNE website.

Description and current status

This standard, entitled “Digital Enabling Technologies. Decentralised Identity Management Model based on Blockchain and other Distributed Ledgers Technologies. Part 1: Reference Framework”, is about DIDs, blockchain and other identity management solutions for decentralised identity.

Standardised decentralised identity information management models ensure that organisations maintain the security of their processes and that individuals protect their privacy and avoid identity theft, in contrast to traditional centralised models.

This Spanish norm meets the following conditions. It:

Is technologically neutral;
Is compatible with other international standards related to digital identity;
Meets the requirements of GDPR;
Meets eIDAS and the ENS (Spanish National Security schema);
Allows the implementation of DID management systems;
Takes into consideration the SMB needs;
And Is adequate for the use between natural and legal persons.

The standard, which has begun the process of becoming a European standard, has been developed as part of UNE’s committee covering blockchain and distributed ledger technologies, CTN 71/SC 307, with the participation and consensus of all parties involved.

The CTN 71 on digital enabling technologies was established at the behest of the Secretary of State for Digitization and Artificial Intelligence. Technical standards establish a common language, providing security and confidence in new technologies, and are thus a pillar for the success of the digital transformation.

Applicability to eIDAS, SSI and European ID

This standard sets a reference framework to manage decentralised identities and takes into consideration the different standards for SSI, for example, from the W3C and those related to the EU electronic identity. This standard is also compliant with the requirements set forth by eIDAS and GDPR.

Applicability to governance

This standard indicates some governance protocols related to:

DID and credentials lifecycle,
DID and credentials requisites, and
Requirements for protocol messages.

Security risks and mitigation

Alastria, which is a not-for-profit association of multi-sector entities and is one of the main contributors to the development of this standard, has released a model based on 10 key principles for SSI.51 These 10 principles are grouped by different pillars, which are Security, Controllability and Portability, with specific governance processes for all of them, illustrated in the figure below.

There is presently an ongoing project named PNE 71307-2: Digital Enabling Technologies – Decentralised Identity Management Model based on Blockchain and other Distributed Ledgers Technologies, Part 2: Guidelines.

Netherlands

Description and current status

Delft University is a government partner for digital identity. The University is receiving five-year funding for a research project to develop an open-source, production-ready SSI. Their operational open-source prototype for digital identity is integrated with the European Commission EBSI infrastructure. Furthermore, they are currently in discussions with the Netherlands, Sweden and Singapore about a live cross-border trail of SSI+Euro. Delft University released some specific documents regarding the Netherlands and SSI during the last few years. This section focuses on two such documents, which were published in 2018 and 2020.

The 2018 study reflects how digital identity largely remains unresolved because, after many years of research, there are still concerns over trusted communication over the Internet (e.g., phishing). One solution for the provision of identity within the context of mutual distrust, this paper presents a blockchain-based digital identity. The proposed solution achieves a passport-level, legally valid identity without depending upon a trusted third party. This solution for making identities self-sovereign builds on a generic provable claim model for which attestations of truth from third parties need to be collected. The claim model is then shown to be both blockchain structure and proof method agnostic. Four different implementations in support of these two claim model properties are shown to offer sub-second performance for claim creation and claim verification. Through the properties of SSI, legally valid status and acceptable performance, this proposed solution is considered to be fit for adoption by the general public.

The 2020 study reflects how digital identity is essential to access most online services and that digital identity is often outsourced to central digital identity providers, introducing a critical dependency. While SSI offers citizens ownership of their own identity, proposed solutions concentrate on data disclosure protocols and are unable to produce identity with legal status. It has been identified how related work attempts to legalise identity by reintroducing centralisation and disregards common attacks on peer-to-peer interactions, missing out on the strong privacy guarantees offered by the data disclosure protocols. IPv8 is presented to address this problem, a complete system for passport-grade SSI. This design consists of a hierarchy of middleware layers which are minimally required to establish legal viability. IPv8 comprises a peer-to-peer middleware stack with Sybil attack resilience and strong privacy through onion routing.

Applicability to eIDAS, SSI and European ID

IPv8 was initiated in 2016 and created in tight collaboration with both government and industry. This design complies as much as possible with existing standards for authentication. The IPv8 design choice for security and privacy is that the verifiable claims are stored in encrypted form.

Unlocking these encrypted claims requires passport-grade facial recognition. This component in IPv8 is supplied by IDEMIA, the Netherlands’ paper-based passport supplier. All code of IPv8 is available on GitHub and is provided under the GNU LGPL 3.0 licence. This approach is also GDPR compliant.

Applicability to governance

The cited documents were created in cooperation with the Dutch National Office for Identity Data (Ministry of the Interior and Kingdom Relations). As such, it was the second digital identity model in the world to be sanctioned by a government after Estonia.

Security risks and mitigation

For a central trusted third-party: the solution is from D-H to PGP and PKI, but this requires identity to be tied to a public key. With the variety of solutions, these become honeypots for attacks. For a non-central trusted third party: the solution is based on SSI. The paradigm of trust changes from trusting each other to trusting the user. This can be achieved by the use of blockchain, though risks still remain.

One solution would be SSI over blockchain, with no power to the owner, no third-party control of attributes, and therefore it would be a permissionless, open enrolment. An IPv8 application may also be defined and implemented.

Poland

Description and current status

In 2018, Poland introduced a public mobile application, which is provided by the Ministry of Digital Affairs. The legal basis for the application was established at the same time by law. An application called mObywatel (English: “mCitizen”) allows downloading, storing, and presenting electronic documents, such as an ID card or a driver’s licence, and transferring these documents between mobile devices or ICT systems. Additionally, the application allows verification of the integrity and authenticity of the electronic document.

The mObywatel app is supported by the IT system provided by the Ministry of Digital Affairs. The system allows downloading an electronic document containing the user’s information from public registers, and other information corresponding to the legal situation of the user, containing data used for identification of the user. A downloaded electronic document is an official copy of an official document issued in a form other than electronic form.

Functionally, mObywatel is a digital wallet for documents and services. The application presently offers the following functionalities:

Download and presentation of identification data from the identity card
ePrescription data presentation
Large family discount card presentation
EU vaccination passport
Presentation of driver's qualifications
Check a driver’s penalty points
Show and review the details of the vehicle document
School or student card document presentation
Electronic identification to online services
Electronic tickets, e.g., train, local transport

Application to the enrolment process authenticates to state registers with Trusted Profile, a national identification scheme (substantial level of assurance) or an electronic national identity card (high level of assurance). Access to the application is secured with a password. It is also possible to turn on the fingerprint or face recognition authentication with an additional PIN confirmation at the user's request. The application creates a secure internal environment, encryption based on random data (salt) and data provided for user authentication (password).

User keys and X.509 certificates are generated by the supporting IT system and stored in a secure environment. User certificates are valid for one year, and after that period the user is asked to repeat the enrolment process using nationally recognised identification means. After enrolment, a new set of keys and certificates are generated and secured by a password-protected environment; thus, it is impossible to change the password. In cases when a new password is needed, a new enrolment is required.

All credentials stored in the app are signed with the digital signature of the Ministry of Digital Affairs – which is only one authoritative source for the application. The application allows the presentation of stored credentials by signing them with user keys. mObywatel application and other verification applications (mVerifier) use signed credential presentation to validate the presented document on another smartphone. The application keeps track of all validations. The validity of user and validator certificates can be additionally verified online.

Electronic identification with mObywatel

mObywatel allows electronic identification to external online services. The online service initiates electronic identification by presenting a QR code and online use of the IT system from the Ministry of Digital Affairs. A mObywatel user then uses their smartphone to confirm private data to be transferred to the online service.

To date, mObywatel is neither an official nor a notified electronic identity scheme. However, mObywatel is presently one of the most developed case studies for a solution for the development of a European Digital Identity Wallet.

Further information on mCitizen can be found on the Polish government website (Polish only).

Applicability to eIDAS, SSI and European eID

mObywatel is the only official eID application with the European Digital Identification Wallet functionalities. While mObywatel uses its own PKI X.509 certificates for credential issuance and presentation, it does not follow common structures for verifiable credentials. For example, it is not known if a non-traceability rule is obeyed. mObywatel does not allow the use and storage of credentials issued outside of the Ministry of Digital Affairs IT system. The application uses a software-protected environment for the storage of keys and data; no internal or external secure component is used to store user keys, and keys are generated on external HSMs.

Based on digital signatures and X.509 certificates for data exchange, credential issuance and credential presentation, mObywatel can be used as an electronic identification scheme for online services. Validity and trust are based on PKI and root certificates. The revocation is checked in every transaction. Additionally, the application allows offline electronic identification based on device-to-device data presentation. The enrolment process also makes use of electronic identification schemes.

Applicability to governance

mObywatel is under the internal governance of the Ministry of Digital Affairs (Prime Minister's Office), and there is no publicly available information about applicable standards. However, all public administration systems in Poland are legally mandated to have an information security management system following standards like ISO 27001.

Security risks and mitigation

The mObywatel secure environment is based on software encryption in tandem with the user’s random data (salt) and password. Keys and certificates have a one-year period of validity, requiring a re-key and recertification every year to complete a full (re-)enrolment process. Data stored in the wallet is from an official state registry and digitally signed by the Ministry of Digital Affairs.

Businesses & Startups

ShoCard

A startup company developing an identity platform built on blockchain. The company strives to be as easy to understand and use as showing a driver’s licence and simultaneously be so secure that a bank can rely on it.

A ShoCard is a digital identity that protects consumer privacy; it is basically a tiny file that only you can manipulate. Creating a ShoCard ID can be done either through the App or via the SDK; when you create your ShoCard, you first scan your identity document and sign it. Then, the app will generate a private and public key to seal that record. It is encrypted, hashed and sent to the blockchain, where it cannot be tampered with or altered.

The key is that the ShoCard Identity Platform is built on a public blockchain data layer, so as a company, it is not storing data or keys that could be compromised. ShoCard uses the BlockCypher Transaction API to publish identity data to other blockchains such as Bitcoin and Ethereum.

ShoCard customers include SITA (an IT and communication service to the global airline industry), banks and financial services companies, including the third largest bank in Canada.

Uport

A project by ConsenSys3 focused on identity management. Uport is a secure system for a self-sovereign identity built on Ethereum.

Uport represents the next generation of identity systems: the first identity system to enable self-sovereign identity, allowing the user to be in complete control of their identity and personal information. Uport identities can take many forms: individuals, devices, entities, or institutions.

Ascribe GmbH

A startup working with the blockchain to create new technological tools in the area of identity management for artists and creators.

It describes itself as a “fundamentally new way to lock in attribution, securely share and trace where digital work spreads”.

Ascribe leverages blockchain technology to make it possible to transfer, cosign or loan digital creations similar to physical pieces of work.

Ascribe creates a permanent and unbreakable link between the creator and his or her creative work by allowing ownership to be forever verified and tracked.

Ascribe partnered with Creative Commons to create a method for content creators to essentially stamp their work with proprietary information. Each work gets a unique public URL and all relevant metadata (title, creator, year, and licence).

I/O Digital

A startup company building an identity-management platform based on the blockchain. I/O Digital provides the technology for businesses to have their own interoperable private blockchain/sidechain and the possibilities to store data in the blockchain for smart contracts, identity management, messaging and more.

The I/O Digital project started as I/O Coin or IOC; it is the digital currency of their blockchain and can be traded on several exchanges. With data storing capabilities, alias sending, side chain technology and decentralised (encrypted) messaging.

I/O Digital's first venture into blockchain-based identity management was the IONS. The project's main purpose was to enable aliases on the I/O Coin blockchain but in a semi-centralized manner.

After testing, I/O Digital decided to move forward with a more advanced system, the Decentralised I/O Name Server. Key features of the DIONS will include transferring aliases from user to user, storing identities on the blockchain and an encrypted messaging system. DIONS will utilise the I/O Digital blockchain to attach sensitive identity credentials to a specific Bitcoin or I/O Coin address.

BlockVerify

A startup company developing blockchain-based solutions.

It uses blockchain technology to improve anti-counterfeit measures in different industries such as pharmaceuticals, luxury items, diamonds and electronics.

BlockAuth

A startup company developing a service which enables you to own and operate your own identity registrar that allows users to submit their information for verification.

UniquID

A startup company which aims to provide identity and access management of connected things, as well as humans, utilising biometric information.

UniquID allows for the authentication of devices, cloud services, and people. It provides secure identity management, integrated with fingerprint and other biometry on personal devices. Ready to be deployed on custom hardware, servers, personal computers or smartphones and tablets.

Jolocom

A startup company developing applications for everyone to own their personal digital identity, using linked data and blockchain technologies.

Cambridge Blockchain

A startup company working on an Identity Blockchain for validating secure digital identity documents, processing electronic signatures, and recording transactions.

Cryptid

A startup company developing a solution that eliminates the possibility of counterfeit identification by adding factors of identification and encryption.

Cryptid takes the data provided in the form and packages it into a compact format readable by our systems, and generates your Cryptid identification data. All of the data is encrypted with the provided password, after which it is permanently transferred to the blockchain. The customer is then given a unique identification number that points to the information on the blockchain and can be stored on almost anything from magnetic stripes to QR codes.

CredyCo

A cryptographic service built on top of bitcoin's blockchain.

A document verification “software as a service” (SaaS) uses smart contracts and identity technology built on top of the blockchain to ensure the credibility and irrefutability of all statements.