The success of a digital identity scheme based on an e-ID card is not measured in the number of documents issued or the number of functions it supports. The user adoption and satisfaction rates are much more telling, as they result in a constantly growing number of online transactions involving e-ID cards while the proportion of conventional interactions with customer service centres decreases. When it comes to implementation, however, there are various challenges that have to be addressed before such a programme can be called a success.
In today’s booming digital economy, we expect many services to be just a few clicks or swipes away. In order to meet these expectations, governments around the world are planning to take as many public services online as they can, but they do face some serious challenges which need to be addressed. If we go beyond basic interactions such as downloading printable application forms from government websites, more complex, two-way online interactions are needed, and the need for a national digital identity scheme becomes clear: the user of the e-service has to provide a form of identification, so the e-service provider can grant or deny access after verification. Governments have several options when it comes to building digital identity schemes. They have to choose the underlying technologies and establish legal frameworks. Each of these choices will affect user adoption and the eventual success of the scheme.
Governments face several challenges when they implement e-ID card-based digital identity schemes. Although these are not always publicly admitted, they are certainly discussed between the experts working on e-ID card programmes. Before I share these with you, I would like to clarify a few things about e-ID cards and payment cards.
e-ID card-based schemes
When discussing e-ID cards, we mean a plastic ID-
1-sized identity document – usually a national identity card equipped with an integrated computing device (chip) with the cardholder’s data, digital keys and certificates, which offers functionalities such as electronic identification, authentication and digital signatures, based on the principles of public key cryptography. The most common digital identity schemes are based on e-ID cards, which have been around for two decades now. A typical authentication or electronic signing transaction with an e-ID card involves inserting it into a smart card reader and entering a PIN to gain access to a private key in the context of a requested transaction – in other words: approving a transaction.
e-ID cards vs payment cards
The transaction described above is certainly not unique to e-ID cards. Looking at the penetration of smart payment cards and the growing number of transactions with this instrument – which normally requires the same actions by the holder (inserting the card into a terminal and entering a PIN) – we probably should not blame smart card technology for not being user-friendly or intuitive in general. Nowadays, consumers rarely complain about being forced to pay cash because of issues with their card payment systems. There is, however, a trend in cashless payments towards more sophisticated or general purpose instruments such as smartphones and wearables. They either complement smart cards or replace them altogether and may allow a certain number of low-risk contactless transactions with no need for a PIN.
However, there is one significant difference between payment transactions with smart payment cards and authentication or electronic signature transactions with e-ID cards: the operational environment and the responsibilities for setting up and maintaining this environment. With operational environment we mean a host computer, a payment terminal with a PIN pad and a connection to an acquiring bank or a payment processor. Cardholders rarely think about these things and consider it the merchant’s responsibility to make sure their payment can be processed. However, in the case of e-ID cards, the cardholder is the one responsible for the operational environment: the computer, smart card reader and normally some piece of software.
The road from point ‘A’ – the cardholder receiving a newly issued e-ID card and a PIN, to point ‘B’ – the cardholder successfully completing their first transaction can be a long and winding one (figure 1). Experience shows that not all cardholders are ready and willing to make this journey, some fall at the first hurdle and only a certain number ever get there at all. What makes this journey so challenging for many?
Access to a smart card reader
Let’s start with the most obvious obstacle: access to a smart card reader. Unfortunately, unlike the familiar slots for various memory cards, most computers do not have one for smart cards. Built-in smart card readers are only found in high-end or specialist products and, of course, don’t expect to find one in your Mac. In case you are wondering why, every feature takes up space and weight in your laptop and comes at a cost (at least from the manufacturer’s point of view). If there is insufficient demand for such a geeky feature, it simply does not make the cut.
This only leaves us the option to add a smart card reader as an external (usually USB) device which is hopefully plug-and-play (figure 2). However, it is often up to the cardholder to acquire one. Although it would be logical to issue a smart card reader together with the e-ID card, only few issuing authorities do this. The Estonian e-Residency programme may be the best known example of an e-Residency kit, which includes a smart card reader in the price (the state fee is EUR 100). There may be various simple reasons for not including a smart card reader though – let’s name two. First, buying readers and keeping stock of them increases the initial cost, which can be difficult to justify politically. Second, a government entity may not be set up for selling or providing electronics efficiently, so it is tempting to leave this to the private sector. The absence of a smart card reader and any effort from the e-ID cardholder involved in acquiring one is certainly a barrier when it comes to successfully onboarding a new e-ID card user.
The right driver
Once the e-ID cardholder has acquired and installed a smart card reader and inserted their card, the next obstacle may present itself. It is not very likely that the e-ID card’s e-functions will be accessible without installing additional software or drivers – even using the most popular and recent operating systems. As generic support for smart cards is usually present in most computer operating systems, we can hardly blame the vendor. The actual question is whether this specific e-ID card is recognised and supported by the target platform without any further actions from the cardholder. It is up to either the e-ID card vendor or the issuing authority to support the user with setting up the operational environment.
On the Windows platform this can, to some extent, be achieved by using a minidriver – an interface layer specific to the card (or more precisely, the chip and its software) to access low-level functionality such as encryption and decryption, integrated within the common cryptography service provider of the operating system. The plug-in type minidriver, which is usually developed by an e-ID card vendor, contains identifiers of the supported product, which tell the operating system which minidriver to access in order to communicate with a discovered smart card. This minidriver can be, at least in theory, distributed and updated with a conventional operating system update service without user interaction. A computer with an up-to-date operating system should then be able to support some of the basic functionality of an e-ID card such as authentication for e-services.
The middleware solution
The above applies in an ideal scenario, yet it is still more common to enable e-ID card support on target platforms using a dedicated piece of software called ‘middleware’. This needs to be downloaded and installed by the e-ID cardholder and may be bundled with application software for the electronic signature functionality. Middleware is usually intended to bridge the gaps with the generic smart card frameworks on the various operating systems, to enable additional product-specific and rich features and to provide cross-platform cryptographic support and a graphical user interface to manage the e-ID card’s e-functions such as changing or unblocking PINs, viewing data stored on a chip and renewing digital certificates. Unfortunately, even if the middleware installation process is very straightforward and well-documented, it can still be an additional hurdle for e-ID card users. This is especially true if something goes wrong during the process. The download could, for example, be blocked by antivirus software or administrator privileges may be required for installation.
The operational environment
The third barrier for the card user is the nature of the operational environment for the e-ID card itself. Unlike the specific, closed and standardised operational environment for payment cards, e-ID cards should operate in a very open, general-purpose and loosely governed environment which is constantly evolving: the environment of standard internet-enabled computing devices. This environment is dominated by major players such as Apple, Amazon, Google, Facebook and Microsoft. Since governments and other e-ID card programme stakeholders around the world have done very little to standardise their e-ID cards and underlying services, I would be surprised if support for government-issued smart cards such as e-ID cards was high on their priority lists.
e-IDAS regulation in the European Union (EU) can be considered a step in the right direction. After all, it has already resulted in some real-life improvements. Adobe Acrobat Reader, for example, now supports electronic signature verification based on the EU Trusted List of Trust Service Providers. Yet e-ID card programmes around the world remain very fragmented in comparison with the uniformity and interoperability that ICAO achieved with e-MRTDs. In this situation, we cannot reasonably hope that the operational environment will be tailored for e-ID cards – we should figure out how e-ID card programmes can survive in an environment controlled by the internet, software and consumer electronics giants. An environment where even the largest smart card vendors have very little influence.
In practice, firstly this means that updates of almost any general-purpose software such as internet browsers and operating systems can impact the functionality of e-ID cards. Considering that e-ID card programmes usually aim to support various versions of multiple browsers and operating systems in active use by the target users, trying to provide an uninterrupted service to all can be a real headache. Secondly, on smartphones, tablets and other popular devices e-ID card and smart card support in general is even more cumbersome, unless both communication partners (the smart device and the e-ID card) can fully utilise the NFC interface, which in turn is not an option for Apple iOS and many Android devices. It would be reasonable for the cardholder to ask: Why can I not use my e-ID card on the same device I do online banking with? Unfortunately, there is no good answer.
In order for the new e-ID cardholder to open their wallet to buy a smart card reader, overcome the challenges of setting up the operational environment, and become an active user of the e-functionality, they will need to be motivated. This is another important factor, which is difficult to quantify. Although each case will be different, this could be defined as the convenience of accessing services using the e-ID card compared to accessing services via alternative channels multiplied by the frequency of use. One of the most popular e-services in both the private and the public sector is making online payments. As this payment method is cheaper than paying at a bank and needed frequently, the time and money saved explain its popularity. In Latvia, there was a huge increase in e-ID card use as a signature creation device when the share capital of companies had to be converted from LVL to EUR after the country joined the Eurozone. Even though it sounds like a one-time service, submitting electronically signed documentation was significantly less expensive and time-consuming than queuing at the Companies Registration Office, so for many business owners it was as real incentive to start using the e-ID card.
The main obstacle in the public sector may be that the majority of the population will not access sufficient services (such as submitting online tax returns) to make their time and effort invested worthwhile. In turn, the active e-ID card user base may remain too small to justify the resources spent on the programme. Especially if the e-government philosophy is proactive rather than reactive, the number of signed applications may become a critical factor when decisions are made on starting a new e-ID card programme or modernising an existing one.
Despite the numerous challenges that e-ID card-based digital identity schemes face, they may still be the best option for many countries and scenarios. The strength of this approach is a single tool for both offline and online identity verification created during the enrolment phase. If a traditional national identity card programme is already in place, upgrading to an e-ID card will probably be the most cost-effective solution. As the e-ID card is essentially a good concept, (joint) investments in the e-ID card ecosystem will be key to the success of digital identity schemes. In order to overcome some of the challenges, every e-ID card programme should ideally have communication and user experience professionals on board from the start. Proactive interaction and experience sharing with the private sector may further improve the success chances of an e-ID card programme. Finally, international cooperation, standardisation and liaison between the main internet, software and consumer electronics players is a must for any e-ID card ecosystem in order to survive in the long term