Key to any IT information system is the factor of digital identity, covering several aspects, such as economic growth, competitiveness and cyber security. These are explored within the evolution of digital identity in Europe.
Digital Identity is known as the sum of electronic identification plus electronic authentication. Electronic Identification is defined as ‘who I am’ and electronic authentication as ‘this is the proof I am the person I claim to be’. This impacts on all the actors of the State-Nation architecture, from citizens to central administrations, local authorities, the private sector and consumers. It is a topic of strategic importance that has been embraced by several leading countries in Europe since the beginning of the 2000s.
Already in 2015, digital identity has been massively implemented by governments across Europe: 21 European Member States are now issuing national eID documents. 20 of them are proposing secure electronic identification, authentication and digital signatures to hundreds of thousands of online services using the Internet, tablets and mobile devices.
More than 150 million eID documents are in circulation today, capturing more than 30% of the total European population. Market penetration rate is close to 100% in some countries, such as Belgium, and reaching half of the population in large countries such as Germany. This deployment trend is now progressing more quickly, helped by several initiatives from both the public and private sectors.
National initiatives
First, the regulation on electronic identification and trust services for electronic transactions in the internal market entered into force on 17 September 2014 (eIDAS Regulation), providing 500 million European citizens with a clear, legal and stable framework for electronic identification, electronic authentication and the associated trusted services. Furthermore, it establishes the mutual recognition and acceptance of electronic identification and authentication across borders, laying down the grounds of European interoperability.
Second, some major private sector initiatives were launched by mobile telecom operators such as the Mobile Connect solution, providing a worldwide interoperability of electronic identification and authentication, and by web giants such as the Fast Identification On-line (FIDO) specifications released in December 2014.
Finally, handset manufacturers have embraced the Near Field Communication (NFC) contactless technology for mobile payment, as well as for Digital Identity Management.
These macro market trends demonstrate that Digital Identity is at the heart of the digital economy, but also at the heart of societal concerns such as data protection, data ownership, behavior prediction and, in the end, who owns of the Digital Identity of 500 Million European Citizens sharing the same values of freedom and protection of private property (material or immaterial).
Future trends
The Digital Agenda addresses all relevant aspects of a European citizen’s daily life: Shopping 24/7, car share booking via smartphone, online activity on social media platforms, online banking at home, government web services, telemedicine over long distances and many other services demonstrate this trend today and in the near future.
On the other hand, there is an increasing discussion in the public domain about big data (previously named Data Mining) and on citizen profiling on the Internet, tablets and mobile devices, and, very soon, in smart objects and connected cars. These devices and their related networks create a new territory: cyberspace. Big data means more and more data about citizens is publicly available – and much of this data is identity-related.
Cyberspace plays a major role for citizens, and also for developing new business models or increasing the existing ones in both the public sector and other sectors such as energy, the automotive industry, production plants and healthcare. Securing transactions in cyberspace is critical to the economic prosperity of Europe, but also to protecting and promoting European values.
A secure and trusted digital identity is a key element in the digital world, as cyberspace plays an increasingly significant role when moving from the real world to the digital world. Electronic identification and authentication of the user forms the basis of trust in the cyber-security of all IT systems. In the past, citizens were physically in front of a service provider (e.g., at a shop), but today – and especially in the future – this physical process will not always exist.
For this reason, a secure electronic identification and authentication framework, such as an electronic ID-Document, could capture all relevant needs for privacy protection, convenience, efficiency, ease of use, security, confidence and many other requirements in the digital world. In order to provide an appropriate level of security, the digital identity shall be either issued or trusted by a government.
Public and private
Other initiatives than eIDAS legislation may have an impact on the “marketplace” in Europe in both the public and private domain, in particular: NSTIC in the U.S., FIDO and Apple Pay (from the private sector) and GSMA Mobile Connect.
Private initiatives are mainly focused on business cases. Public initiatives may address both public and private sectors and enable private players to benefit from the know-how and trust of governments in terms of the security and protection of citizen. National ID documents are amongst those with the earliest introduction in the area of governmental documents. Their initial purpose was to reliably verify the identity of a physical person, typically in front of a government official or in the case of a transaction requiring a trusted proof of identity, e.g., when opening a bank account. The main purpose of ID documents more than 200 years ago was for travelling [2]. The main purpose of eID documents in the future will be for online services, i.e., within cyberspace. Embedding a secure element into such an ID document, thus making it an eID card, was a logical step to increase protection against forging, counterfeiting and falsification, and so improve the reliability of authentication based on the eID document.
Electronic ID documents are based on four pillars: a secure element, secure card body, biometric data and cryptography mechanisms. Beyond the first generation of eID documents, today’s second generation needs to extend its reach: with today’s widespread online services and the ubiquitous presence of networked devices like computers, tablets and smartphones, the need for reliable and trusted authentication in the virtual world has become even more important than in the physical world.
Since online authentication is based on digital protocols and cryptographic algorithms, the secure element in an eID card becomes more than just an additional security feature; the secure element is now itself enabling the online identification. In order to prevent identity theft, it will have to be common practice to base online authentication on two factors: the eID card as a physical token (“to have”) and a PIN or password as the secret knowledge (“to know”), or a biometric sample (“to be”) used as the commonly known 2-Factor-Authentication (2FA). The 2FA-technology, completed with proven tamper-resistant device (like a certified secure element), addresses the highest security assurance level.
Based on the fact that around 17 million citizens in 2014 live permanently outside their home country, and given that this number will continue to increase by 2020, online services for cross-border purposes hold an important place in the future.
2020 outlook
In 2020, all citizens in the EEA who travel outside Schengen will have e-documents available – around 100 million, or 20% of the total population. It is expected that most of the EU Member States will have e-Gates in use, in order to accommodate EU citizens (e-Pass) and 3rd country nationals (Registered Traveller Program; RTP). Exit and Entry Schengen (EES) should be in operational mode. It is expected that more than 250 million eID-cards will be held by citizens and around 20 million e-Residence Permits by 3rd country nationals. The eIDAS-token specification will become mainstream in Europe. This approach paves the way for technical interoperability.
It is also expected that more than 10 States will use an e-Driving License, which can be used as a “pseudo-eID” document. In most of those States, an ID card is not mandatory by law. Digital identity is made up of several aspects, including different actors, different values and different timing. The ‘root of digital identity’ is and will be provided by member states and the eIDAS, and “Know Your Customer” Regulations are confirming this strategic aspect. It may be coming from several eID documents: National eID, eDriving License or ePassport, depending on the Member States’ business processes.
Europe has a strong digital identity strategy as per the Digital Single Market Strategy, and has to promote European values for the wealth of European citizens, Member States and the economy. The smart security industry is supporting this strategy by promoting the European Values in more than 120 countries.
by Eurosmart