The main trend at the beginning of this millennium is that everything is going ‘e’: from health, commerce and police reports to hotel bookings. Across the world, public and private sectors are making huge efforts to connect citizens to the digital world. Internet connections are becoming cheaper, faster and more reliable. The number of internet users doubled between 2005 and 2010 (see figure 1), passing the 2 billion mark last year [1]. As electronic literacy increases, more and more services are available online. People want to connect to social networks, manage their bank accounts remotely and interact digitally with their public administration. Diana Ombelli investigates whether the citizen is actually ready to use advanced electronic credentials on a major scale. The author’s experience shows that the technology is not (yet) consumer-friendly ‘plug and play’.
The increasing number of electronic communication methods requires some changes in the way different parties interact on a basis of trust. In the past, trust was based on face-to-face interactions between service provider and customer, or on written documents that were used to interact in a reliable and non-repudiable way. The digital world, however, needs adapted methods based on information technology. The access key to most digital services is some electronic identity, together with the trusted credentials that are needed, for example, to log into a forum or a bank account. There are numerous ways to create and manage credentials, and each of them has its pros and cons. Advanced methods have been developed to offer more security, because wherever new opportunities arise, lawbreakers quickly find breaches for easy gains. However, these new methods require a high degree of identity proofing before the credentials can be delivered. A balance between security and privacy concerns on the one hand and usability and cost on the other needs to be found, because adding security always comes at a cost. Since every service provider has its own security needs, users must constantly adjust their interaction. As each provider requires many and different types of credentials, this means reduced user friendliness and/or increased operative effort.
Governmental institutions and industry at large are aware of these topics. Experts are developing solutions to fit the countless possibilities that technologies offer into a legal framework with a wide mutual consent. The question is: are we really ready for electronic identification?
The multiple identities issue
This section is not about dissociative identity disorders, a condition in which a person displays multiple distinct personalities or alter egos. With the multiplication of electronic services on the World Wide Web, the number of credentials citizens need to access them increases proportionally (see box 1). Most people use a nickname or an email address in combination with a password as their new user identity. Besides the fact that the username/password combination rarely fits the required level of security, there is a huge number of combinations that we need to remember for each of the new services we access. Often, we use a memory aid to manage this. A couple of years ago, I used an application on my portable device to record this information. The only thing I needed to remember was… a single password.
When I bought my laptop I thought that the integrated fingerprint reader would once and for all solve all my password issues. However, the only pre-configured application is the operating system login. After having stored the fingerprints following an enrolment wizard, the user can access the desktop either by entering the password – I won’t bother you with the odyssey I had to go through to define an acceptable string – or just by sliding the enrolled finger over the reader. Unfortunately, biometrics is not (yet) widely used in online authentication schemes, so I still need to remember dozens of usernames and passwords to access business and entertainment services. Even if some of them share credentials for a single sign-in (for example Flickr with Yahoo credentials, YouTube with Gmail credentials), this remains an unsatisfying situation.
My first official e-ID
Last year in my home country Switzerland, a national implementation of electronic credentials (SwissID) was widely advertised. The Swiss State Secretariat for Economic Affairs (SECO) refunded part of the costs in order to promote electronic identification in business relations. As identification is my core business, I am certainly aware of the security risks in my interactions with the digital world. I therefore warmly welcomed the initiative and planned to integrate certificates in my emails after the summer break. By chance, last September I met the project manager in charge of SwissID, so I decided not to wait any longer and ordered the credentials. In the past few years I have always considered my IT skills to be above average. That was until I started to explore the area of hands-on electronic identification. Using all kinds of electronic devices on a daily basis, I imagined that the move towards electronic identification would be straightforward. However, in my naivety, I was proved very wrong.
Ordering the credentials was the easiest part. Two official providers share the market. I chose the one that supplies them on a chip card, which is clearly closer to an identity card than a USB key is. In my choice I was mindful of the enthusiastic teachings of my IT security lecturer at university in the early nineties, who never ceased to highlight all the advantages of chip cards during his course. So I went to the website and followed the prescribed steps. The first sign that made me think “This is serious business” was when I received the password-protected identification form by email. I had to print the form and take it to one of the authorised offices to verify my identity. After that, I had to wait a couple of days for my new techno-gadget to arrive, including the smart card reader (a thing that – inexplicably enough – was still missing from my cyber inventory). When I collected the package I felt like a little girl on her birthday. But my enthusiasm was quickly stifled when I realised that I needed codes and instructions to start using my brand-new card.
I stopped tinkering and accessed the installation website instead for detailed instructions. The instructions offered guidance for different operating systems. Although the terminology used there differed from that in the paper instructions, I was able to bridge this with some advanced IT know-how and managed to install the provided software and reader successfully. So I thought: “Well, I am ready now; what’s next?”
I proceeded to add the electronic certificate to my private mail. First I used my intuition to find out how to achieve this in my usual mail application. However, I soon discovered that certificates were managed in other parts of the personal computer. I saw the road to the goal suddenly becoming longer and ever steeper. So I opened some manuals and accessed user forums to find out why I could not add my brand-new, official authentication certificate to the application that manages certificates on my PC. I won’t bother you with more technical details, but suffice to say it is still work in progress.
My first authentication with the new credentials took place a couple of weeks later, when I asked for the partial refund of the SwissID costs. I proudly inserted my card in the reader and added the credentials links in the browser to access the CashBack website. My SwissID and my personal data were validated online and I could securely add my bank details for the refund. I was really happy to be able to test my credentials in a real-life application.
Deployments in Europe
Switzerland is not the only country that has set up a platform for e-ID credentials. Many other European countries issue credentials. There are basically two types of credential issuer:
• Governments
Governments are deploying e-ID credentials in order to encourage regional and local administrations to offer their services online. Those credentials are sometimes stored in the national identity card, which then becomes an electronic ID card. Figure 2 shows the European countries that have implemented governmental e-ID credentials in an ID1-format card.
• Private entities
Examples of credential issuers from the private sector are organisations such as financial institutions, health care companies and flight carriers. Norway has implemented a nationwide private e-ID called BankID. Denmark has an e-ID (NemID) based on a public-private partnership.
Identity proofing can be an issue in the private sector, where the citizen is required to provide detailed personal information without knowing whether it is relevant to the issuance of credentials, or how the data will be managed later on, beyond their control (distribution, retention, revocation, etc.). This represents a real risk. A solution may be found in partnerships, where a governmental entity or an authorised third party backs the identity proofing process, passing only a limited amount of personal information to the private sector.
The majority of our online credentials are privately owned. This means that there is little interoperability of the credentials between issuers and service providers. Nevertheless, things are changing, and federated approaches have been initiated where the user has only one digital ID for several services in the same area [4, 5].
Privacy concerns
Privacy concerns are taken into account with the minimal disclosure principle, which means that the service provider has to request the user’s permission to obtain the relevant personal information from a trusted e-ID provider. The user is therefore in total control of their attributes for those services. This is the so-called user-centric model, which is apparently the way it works with the new e-ID card in Germany. A critical note on this approach is that every time a set of a user’s attributes is to be disclosed to a new service provider, the user needs to give their consent, which is somewhat awkward in practical life.
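The user-centric, minimal disclosure model described above, as an added illustration that is not part of the original article and not the code of any real e-ID scheme: the trusted e-ID provider releases only the attributes the user has approved for a given service provider, and a new service provider (or a new attribute for a known one) forces a fresh consent prompt. The attribute names, service provider names and values are constructed.

```python
from dataclasses import dataclass, field


class ConsentRequired(Exception):
    """A service provider asked for attributes the user has not yet approved
    for it; the e-ID provider must prompt the user before releasing anything."""


@dataclass
class IdentityProvider:
    # Attributes the trusted e-ID provider holds for the user (constructed).
    attributes: dict
    # Consent is recorded per service provider and per attribute: this is what
    # makes a new provider, or a new attribute, trigger another prompt.
    consents: dict = field(default_factory=dict)

    def grant_consent(self, service_provider: str, attribute_names) -> None:
        self.consents.setdefault(service_provider, set()).update(attribute_names)

    def release(self, service_provider: str, requested) -> dict:
        """Return only the requested attributes approved for this provider.
        Nothing is released if any requested attribute lacks consent."""
        unknown = [a for a in requested if a not in self.attributes]
        if unknown:
            raise KeyError(f"attributes not held by the provider: {unknown}")
        approved = self.consents.get(service_provider, set())
        missing = [a for a in requested if a not in approved]
        if missing:
            raise ConsentRequired(service_provider, missing)
        return {a: self.attributes[a] for a in requested}


def demo():
    # Constructed sample user; "cashback.example" stands in for a refund site.
    idp = IdentityProvider(attributes={
        "name": "A. Example", "birth_year": 1980,
        "address": "Example Street 1", "national_id": "CONSTRUCTED-ID",
    })
    idp.grant_consent("cashback.example", ["name", "birth_year"])
    released = idp.release("cashback.example", ["name", "birth_year"])
    # A second provider gets nothing until the user has been asked again.
    try:
        idp.release("forum.example", ["name"])
        prompted = False
    except ConsentRequired:
        prompted = True
    return released, prompted
```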
Standards and interoperability
One huge advantage of the digital world is that national borders can be easily crossed in order to get information or goods from abroad. From a technical and legal point of view, worldwide interoperability is required in order to allow seamless use of e-IDs. International standards on e-ID management are still under development. Working Group 5 of ISO/IEC JTC1 SC27 is working on a range of standards on identity management and privacy, which will be released in the near future.
In Europe, several directives have been introduced that set an initial legal frame. However, the existing EU legal frame provides insufficient assistance on liability and does not bridge legislative and policy differences within the European Union. Nowadays, the interoperability of electronic credentials abroad is mostly hindered by legal issues, for example the fact that the use of national identification numbers can be limited by the issuing country.
Nevertheless, there are cross-border pilot applications in place that support e-ID tokens from multiple countries. In Estonia companies can be registered online. Portuguese, Finnish and Belgian citizens can access the website by using their respective national ID cards and Lithuanian citizens can use their national Mobile-ID. A similar situation exists between Spain and Portugal.
Conclusion
This article set out to investigate the readiness of citizens with respect to electronic identification. Several personal examples of the use of e-ID credentials show that there is a practical gap between the user and the user friendliness they expect on one side, and the technology available at all levels of authentication assurance on the other. From a user’s point of view, current e-ID management has two major inconveniences: the multiplication of e-IDs and the awkward handling of credentials at higher levels of assurance. In fact, basic services mostly require proprietary low-security credentials, which call for a systematic management approach because of their large numbers, whereas services with a higher security risk demand advanced credentials and the know-how to use them. In sum, the technology currently drives the use of credentials.
Perhaps e-ID stakeholders should put more effort into reconciling the service providers’ need for trust with user convenience, leading to a more pragmatic user-centric approach. For one thing, this could be achieved by reducing the number of e-IDs where it makes sense, as well as by facilitating the use of high-level credentials, which are already applied in cross-border situations. But as long as the use of the electronic identity remains a challenge even for people who are knowledgeable about IT, the average citizen will refrain from using the offered solutions. And the fewer people participate, the less interesting this solution will be to the different service providers.
To put my impression in a nutshell: yes, we citizens are ready to use e-IDs, but the technology is actually overwhelming us.
References
[1] The World in 2010: Facts and figures, International Telecommunication Union, Switzerland, 2010. www.itu.int/ITU-D/ict/material/FactsFigures2010.pdf
[2] G. Van Damme, K. Wouters, D. De Cock, D. Schellekens, Integrating the Belgian e-ID into Android, Leuven, 2011. www.slideshare.net/tcsdigitalworld/gauthier-vandamme-droidconbe-2011
[3] EE: Launch of electronic identity for mobile phone use. www.epractice.eu/en/news/5277100
[4] http://openid.net/
[5] www.incommon.org/basics.html
[6] W. Burr, D. Dodson, R. Perlner, W. Polk, S. Gupta and E. Nabbus, Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-63-1, Gaithersburg, MD, 2008.
[7] B. Hulsebosch, G. Lenzini and H. Eertink, Towards pan-European recognition of electronic IDs (eIDs), D2.3 – Quality authenticator scheme, 2009. www.eid-stork.eu
[8] www.iso.org/iso/catalogue_detail.htm?csnumber=45138
Diana Ombelli has a Master’s degree in Forensic Science from the University of Lausanne, Switzerland. Since 2008 she has worked as a freelance ID Management consultant, and in this role advises several companies and governmental entities in Europe and the Middle East. Diana was previously employed at Morpho, working on the development of travel and identity documents and the related IT systems.