Embracing mobile identity for eGovernment - Trends in electronic identification May 2020 - European ...
May 2020
Trends in electronic identification
Embracing mobile identity for eGovernment
CEF eID SMO
Version 1.0

This study was carried out for the European Commission by Deloitte.
Authors: Marie Eichholtzer
Icon first page: Icons made by Freepik from https://www.flaticon.com/
Internal identification
Framework Contract DI/07624 - ABC IV Lot 3
ABC IV-000123-6000184687-REQ-01
CONTENTS

The digital transformation of Government services
Government identity going mobile
    Making smartcard-based eID compatible with mobile devices
    Using mobile devices as identification means
    Using mobile devices as a generator of digital identity
Accessing eGovernment services at your fingertips
    Benefits of mobile first strategy
    Recommendations for improving the mobile experience of cross-border authentication
Conclusion
THE DIGITAL TRANSFORMATION OF GOVERNMENT SERVICES 01

The digital revolution is driving the transformation of our economy and society. In this new highly competitive market, businesses have focussed on user centric approaches to capture the time and attention of customers. Products and services are designed to provide tailored and positive experiences. In parallel, the use of mobile devices (smartphones and tablets) to achieve improved connectivity has quickly risen in popularity, with adoption levels now having reached a plateau in most developed markets.[1]

Customers are also citizens. They now expect a similar personalised customer experience from public services as from private services.

Governments must adapt to these new expectations. Failure to provide user friendly and mobile solutions will result in losing the majority of public service users.

The nature of public services, based on general interest rather than profit, makes it difficult for them to keep up with market innovations and standards in order to deliver a smooth and tailored experience to their citizens.

In the last decade, governments have therefore focussed on how to improve the experience of public services. Their first efforts focussed on the digitalisation of public services, providing the possibility for citizens to complete a series of administrative procedures digitally. Yet these services were developed and maintained by siloed departments.

The next step was the creation of eGovernment platforms, gathering all relevant public services on a single website. Behind this one-stop shop, however, the complexity and lack of complementarity between services remained.

Today, governments focus on user-centric journeys for citizens in order to offer tailored services and remove any frustration linked to the lack of communication between government services.

Digital identity is a key asset to enhance user experience. It allows public services to remotely authenticate citizens in a secure way. Most importantly, it allows public services to offer more seamless and more personalised services to citizens and improve the automated exchange of information between different administrations.

European governments have been developing electronic identification solutions (eID) to facilitate access to their eGovernment website, at the national level and in a cross-border context. The first eIDs developed by governments in Europe were based on smartcard solutions. Citizens were given the possibility to use their national eID card to access eGovernment services. These cards required the use of a card reader and therefore applications were mainly developed for desktop.

The world is now becoming mobile, and in response governments have started to explore mobile digital identity and ‘mobile-first strategies’. eID solutions need to be conceived to work as well on mobile devices as on desktop computers, rather than being adapted for mobile use a posteriori. Whereas the concept of ‘digital by default’ already provides a benchmark for the development of more inclusive services, the concept of ‘mobile first’ represents the next evolution of digital public services.

In the following chapters, we will explore the key trends in terms of mobile identity and how it impacts governments’ strategies in designing and delivering public services. This includes identifying and discussing the main pain points that users may encounter when accessing online services via their mobile identity.

[1] Deloitte, Deloitte Global Mobile Consumer Survey 2019, https://www2.deloitte.com/us/en/insights/industry/telecommunications/global-mobile-consumer-survey.html
GOVERNMENT IDENTITY GOING MOBILE 02

There is no such thing as “mobile identity”. Today’s expectation is for citizens to be able to manage their identity from their mobile device. A wide array of electronic identification solutions exists: some mobile by design, others seeking greater compatibility with mobile devices in order to secure a smooth user experience for citizens.

More and more EU Member States are deciding to launch mobile by default strategies, including for electronic identification. Yet some Member States face challenges due to legacy systems developed during the early ages of eGovernment and must therefore find tweaks to make their solutions more compatible with mobile devices. This is especially the case of Member States that have deployed electronic identification cards, based on smart card solutions.

In the following sections, we will see what have been the latest trends in Europe in order to enable citizens to manage their digital identity from their mobile device. The use of mobile phones as second factor authentications (e.g. to receive one-time passwords) is therefore not covered in this analysis.

Making smartcard-based eID compatible with mobile devices

Over the course of the 20th century, governments started providing identification means to their citizens. The creation of the welfare state required better control of the state over the potential beneficiaries of the newly created public services. Today, all EU Member States issue national ID cards to their nationals with the exception of Denmark, Ireland, and the United Kingdom.

With the emergence of the information society, Member States progressively upgraded their paper based ID documents into smartcards. Electronic certificates have been added to the chips in the cards in order to enable their owners to authenticate remotely for online public services. Electronic signature certificates may also be integrated.

Most of these smartcards started to be issued before the mobile revolution. Online public services were designed for desktop-based sessions, where an external card reader could be plugged into the computer in case the latter was not already equipped with the necessary reader. Today, 18 EU Member States[2] issue smartcards with a chip.

[2] Austria, Belgium, Croatia, Czech Republic, Estonia, Finland, Germany, Hungary, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Slovakia, Spain
The fact that an ID document is equipped with a chip does not necessarily mean that the eID can be used for eGovernment functions. Some countries may decide to only store biometric information on the holder, for example.

The real challenge for governments consists therefore in building mobile-friendly smartcards from components that were not initially designed with a mobile experience in mind.

compatibility

The ability of governments to enable a smooth transition to a mobile strategy for their eID schemes is highly dependent on the technology choices that were made at the launch of the smartcard. Out of the 18 Member States that have issued electronic ID cards, only nine[3] have issued smartcards with Near-field communication (NFC) technology.

NFC technology allows access to the stored information on the smartcard through a contactless connection. While non-NFC enabled smartcards require the use of a card reader, NFC smartcards can be directly read by a compatible mobile device with an associated app.

Just a few years ago reserved to a handful of high-end and expensive devices, the NFC technology has quickly become a must have for all the new devices introduced on the market. In 2019, the penetration rate of NFC enabled smartphones reached 81% worldwide.[4] The success of contactless mobile payment has been a driving factor of change.

ID scanning finally available on iPhones

Member States have been able to develop strong mobile authentication solutions based on NFC-enabled national cards. Android phones offer open access to their NFC interface and provide key attestation functionality allowing governments to develop the use of mobile to access eGovernment services.

However, until recently, it was not possible for iPhone users to use their smartphone to read their NFC-enabled smartcards. Access to the NFC interface of Apple mobile devices was instead restricted to a handful of mobile applications such as Apple Pay.

This restriction adversely affected the uptake of mobile NFC technology as a key enabler for mobile eGovernment solutions by iPhone users. With Apple mobile devices accounting for 28% of the European market in 2019,[5] the situation was limiting the possibility for governments to fully embrace mobile first strategies.

To remedy this situation, on 30 January 2019, the EU Member States called on Apple to open access to its NFC interface to support secure mobile use of electronic identification means.[6]

With the release of iOS 13 in September 2019, Apple finally allowed access to the NFC interface.[7] Apple smartphones can finally be used as readers for contactless smartcards.

[3] Estonia, Germany, Hungary, Italy, Luxembourg, Malta, Poland, Spain, Sweden (but not for eID functions)
[4] TechNavio, NFC Enabled Smartphones. Penetration Rate Worldwide Between 2014 And 2019, see: http://beta.evolita.com/explore/nfc-enabled-smartphones-penetration-rate-worldwide-between-2014-and-2019/5oqme/
[5] Statcounter, Mobile Vendor Market Share Europe, Dec 2018 - Dec 2019, see: https://gs.statcounter.com/vendor-market-share/mobile/europe
[6] eIDAS Cooperation network, Decision Of The Cooperation Network On The Need For Open Access To NFC Interface To Support Secure Mobile Use Of Electronic Identity Means, CN-2019-03, 30 January 2019, see: https://ec.europa.eu/cefdigital/wiki/x/PgEABg
[7] Apple, Core NFC framework, see: https://developer.apple.com/documentation/corenfc#overview
Figure 1 – Screenshots from AusweisApp2

Shortly after the release of the new iOS, Germany updated the AusweisApp2 app to enable iPhone users to read their national eID card and resident card with their smartphone in order to access eGovernment functions from their mobile device.[8]

EU regulation imposing contactless

A recent change in EU legislation will foster even greater roll-out of NFC-enabled smartcards by governments.

The EU Regulation 2019/1157 on strengthening the security of identity cards of Union citizens and of residence documents requires Member States to standardise the format of all ID cards in the ID-1 format, which is typically the size and shape of smartcard based eID or payment cards.[9] Additionally, the identity cards will have to include a highly secure storage medium containing a facial image of the holder and two fingerprints. The regulation mandates that this information be available contactless.

By August 2021, EU Member States will have to start issuing new ID documents complying with this regulation. Identity cards not meeting those requirements will be progressively phased out until August 2031.

This is an opportunity. All existing smartcard solutions will have to be upgraded to enable contactless technology, while the remaining ten EU Member States with non-electronic documents will have to migrate to a smartcard-based solution for their national ID card.

Although the contactless availability requirement only applies for the biometric information, we can expect that several Member States will take this opportunity to apply it to e-government and e-business functions. Contactless reading of smartcards will support a smoother use of digital identity via mobile devices for their holders.

Making contact smartcards mobile friendly

Half of the Member States that issue national eID cards to their citizens don’t yet have NFC-enabled smartcards. For these countries, the challenge is to make the link between the secure identification provided by the eID card and a mobile device.

Using Bluetooth card readers

Contact smartcards require the use of a card reader. Although this requirement can be easily achieved by connecting a reader to a computer, the experience is less straightforward when a reader needs to be connected to a mobile device.

Most card readers use USB ports to connect to other devices and are not compatible with mobile operating systems. In order to read a contact smartcard, it is also possible to use a Bluetooth card reader to establish the connection with the smartphone.

However, this situation is not ideal as it requires the user to have the card reader with him/her. This does not provide a smooth experience for the user and limits the possibilities for using the smartcard when this was not planned for.

Additionally, the fact that a card reader can be associated to a mobile device does not necessarily mean that the user will be able to effectively use his or her digital identity if the associated application has not been specifically developed to make use of the digital identity on mobile.

This is nonetheless one approach being followed. Czech Republic currently has a contact smartcard. The Ministry of the Interior has developed a mobile app, called eObčanka,[10] which can be paired with a Bluetooth card reader to enable users to access eGovernment services from their phones.

Figure 2 – Screenshot of the CZ eObčanka mobile app

[8] Ausweisapp2, press release: ausweisapp2 for iOS now in the app store, see: https://www.ausweisapp.bund.de/newsdetail/?tx_news_pi1%5Bnews%5D=28&tx_news_pi1%5Bcontroller%5D=News&tx_news_pi1%5Baction%5D=detail&cHash=f502bdf15990d53a527e75d2476001cc
[9] Regulation (EU) 2019/1157 of the European Parliament and of the Council of 20 June 2019 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement, see: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32019R1157
[10] Google Play, eObčanka, https://play.google.com/store/apps/details?id=cz.mvcr.eobcanka&hl=en

Using mobile devices as identification means

Mobile devices have become a natural and favourite means to host identities. The use of smartphones has reached a complete market penetration, becoming the most popular entry to the digital world.

When talking about digital identity on mobile, one pictures a mobile app allowing citizens to authenticate to a service. However, not all mobile apps function in the same way and identity on mobile can take different forms.

Leveraging SIM-cards for secure identification

A subscriber identification module (SIM card) is a chip, and is therefore no different from the chips integrated in national identity cards. As such, the SIM card provided by a telecom operator along with a mobile device can be used to store electronic certificates enabling the users to identify and authenticate to eGovernment websites.

With Mobile PKI, secure operations are taking place within the tamper resistant environment provided by a SIM card. Identification information is not exchanged via the internet but “travels through the SMS and back-end channels to the service provider and is verified by the operator”.[11] In order to infect the encrypted SMS message, an attacker would have to gain access to the mobile operator network on top of access to the users’ mobile device.

Estonia and Finland have introduced digital identity solutions based on SIM cards. The Estonian Mobiil-ID solution can be requested by the holders of an Estonian ID card or Estonian residence permit card from a telecom operator. The SIM card used for this solution is not a regular SIM card. It also includes a secure element on which sensitive information is stored. Identity information is derived from the eID card already in possession of the citizen and checked against the country’s identity database. A specific application, independent of the telecom operators, must be used in order to make use of the mobile identity to access eGovernment websites and applications.

In Finland, Mobile ID,[12] a collaboration between three telecom operators (DNA, Elisa and Telia), is gaining market share compared to the highly popular eBanking solutions in the country used for online authentication (including to eGovernment online services).

A consortium of Belgian banks and telecom operators draws on the secure technology[13] provided by SIM cards to create a secure mobile identity - “itsme®”. The solution has been recognised by the Belgian federal government, with a Royal Decree allowing the recognition of private eID solutions to promote innovation and reduce government costs. The application offers a mobile friendly alternative to access online public services. The creation of an itsme® requires the possession of an eID card or resident card that users must use one time on the solution’s website to generate a 5-digit activation code.[14]

Figure 3 – Comparison between mobile application itsme® and smartcards[15]

As presented in the illustration above, a potential advantage of this type of solution is that it can be combined with biometric technology integrated to the device.

A disadvantage of such solutions is that governments remain dependent on the telecom operators, meaning that such solutions may be complex to implement and costly.

[11] Gemalto, When eID becomes Mobile for a whole nation, see: https://www.gemalto.com/brochures-site/download-site/Documents/gov_cs_finland_valimo.pdf
[12] Mobiilivarmenne, see: https://mobiilivarmenne.fi/eng/
[13] Note that the final scheme – FAS/ITSME – notified by the Belgium government under the eIDAS Regulation did not draw on the secure element technology, but relied on other measures to ensure a high level of security. The use of the secure element remains optional, in part because not all SIM-cards are able to support this function.
[14] Itsme, see: https://www.itsme.be/en/
[15] Tom van den Bosch, Itsme, Your Digital ID, see: https://www.slideshare.net/ChrisAdriaensen/itsme-your-digital-id

Using the secure computing environments within mobile devices

There are a number of different types of computing environments now incorporated within mobile devices that could also be used to enable secure mobile identification.[16] These environments allow the secure storage and use of cryptographic keys, and include:

- Secure Elements – a component soldered to the circuit board or within the system-on-chip that is isolated from other computing environments;
- Secure Enclaves – a type of secure element that is included within the same chip as the main processor. Apple now includes a Secure Enclave within its devices;[17]
- Trusted Execution Environments (TEE) – an isolated software environment that is used to execute code securely. Android-based devices are equipped with TEEs.[18]

These computing components are being drawn upon to enable new types of SIM cards that are themselves integrated within the mobile device:

- Embedded SIM (eSIM) – A SIM card containing a secure element that is embedded in the mobile device. Available in some Android phones since 2017;[19]
- Integrated SIM (iSIM) – A SIM card that is embedded within the secure enclave of a mobile device.

The great advantage of these new types of SIM cards is that they enable users to download and use multiple profiles from different carriers over the air.[20] So, for example, a user could simultaneously have on their phone an account with Deutsche Telekom and Vodafone, or any other number of telecom operators, and easily switch between these providers.[21]

This functionality can also be turned to mobile identification, allowing users to download identity credentials from an identity manager.[22] These credentials (certificates and cryptographic keys) would be stored within the secure element or secure enclave, while the applications used for authentication and identification would draw on these credentials and use them within the Trusted Execution Environment.

[16] ENISA (2020), eIDAS compliant eID solutions
[17] Apple Support, see https://support.apple.com/guide/security/secure-enclave-overview-sec59b0b31ff/web
[18] ENISA (2020), eIDAS compliant eID solutions, see https://www.enisa.europa.eu/publications/eidas-compliant-eid-solutions
[19] The Verge (2017), Google’s Pixel 2 phones are the first to use built-in eSIM technology, see https://www.theverge.com/2017/10/4/16424740/google-pixel-2-xl-esim-technology-project-fi-first-ever
[20] 1OT blog, Differences between SIM types - which SIM to choose?, see https://1ot.mobi/resources/blog/differences-between-sim-types-which-sim-to-choose
[21] Mondato blog, eSim: Fresh paint for mobile, payments and identity? see https://blog.mondato.com/esim-fresh-paint/
[22] Mondato blog, eSim: Fresh paint for mobile, payments and identity? see https://blog.mondato.com/esim-fresh-paint/

Utilising server signing

Mobile identification solutions using server signing store key pairs and associated certificates in a hardware security module (HSM) of a trusted service provider.

Access to the key pairs and identity certificates is only granted to their owner. To do this, the user must authenticate using an identifier, password and an additional authenticator factor in the form of a one-time password (obtained via an SMS or a push notification sent to a registered phone number).

Portugal is currently using a server-based mobile solution using a hardware-security module (HSM) called Chave Móvel Digital.[23] In 2019, the monthly average number of authentications with this solution was slightly under 100K, preceding the 70K authentications performed with the national eID card (Cartão De Cidadão).[24]

Figure 4 – Screenshot of the Chave Móvel Digital app

The Danish NemID solution is based on a public key infrastructure. The user’s private keys are protected in an HSM in the NemID server. The user must use his or her password associated to a NemID key card or mobile app to access the private keys.

Software token

Alternatively, the private key and certificates can be stored in the operating system of the mobile device, protected by encryption. To access the saved keys, the user must use a password. As the storage of the keys is not done in a tamper-resistant environment, this solution is less safe than mobile eID solutions leveraging secure elements of a SIM card or mobile device.

[23] Autenticacao.gov, Chave Móvel Digital, see: https://www.autenticacao.gov.pt/a-chave-movel-digital
[24] Autenticacao.gov, Estatísticas, see: https://www.autenticacao.gov.pt/stats-cartao-cidadao

Using mobile devices as a generator of digital identity

Mobile devices could revolutionise the domain of digital identity even further. Previous solutions all rely on the fact that the identity of the user is a given. Governments define and approve the identity of a person at a given time. This identity is then stored securely.

The ability of smartphones to keep track of typical user behaviour enables the definition of behavioural patterns that can be used as a dynamic identifier. Such behaviours include the unique print the user leaves when handling the smartphone and using its applications, such as finger pressure and swiping patterns on the touchscreen, typing speed, and customary way of holding the device. By collecting data on the user’s travel and working habits, behavioural authentication can also apply geographical patterns, for example denying access to a user whose geographical profile does not correspond (e.g. the user is in a location that represents an outlier compared to the user’s usual profile). Behavioural solutions are already being used in the online banking and e-commerce industry, and are often used in combination with biometric solutions.

The combined use of biometric and behavioural identifiers allows for the conception of mobile digital identity as a ‘dynamic identity’ – an identity that is not merely grounded on static identifiers but on a set of parameters that are constantly monitored throughout the use of the device by the identity owner. The success of dynamic identities depends on the potential of ‘continuous authentication’. This concept depicts authentication as a process rather than a one-off occurrence. In continuous authentication, the starting and default status for users is not ‘logged out’, but ‘logged in’. Instead of having to log in each time they want to use a service, users remain logged in permanently on their mobile device as long as the authentication system detects that the device holder complies with the biometric and behavioural patterns of the owner’s profile. To measure compliance, users are assigned a score. As soon as the score drops below a certain threshold, the system detects a potential risk of the holder not being the identity owner, and asks him/her to authenticate through traditional means (e.g. passwords, PIN codes, or biometrics) and prove his/her identity.

The main advantages of behavioural authentication are, first, that it builds on and improves the security and reliability of biometric authentication means, as it is grounded on constantly evolving data and identifiers, which are difficult to steal or forge. From a user perspective, continuous authentication exempts users from actively authenticating each time on a new session, as the device automatically maintains access as long as the handler’s action on the device complies with the risk parameters linked to the identity owner’s profile.

Continuous authentication also has some drawbacks, mainly due to technological readiness. Continuous authentication can be reliable only if it manages to constantly capture and analyse behavioural biometric data through machine learning, which is still a challenge given the current technological state of the art. Moreover, technological precision is required to keep the risks of ‘false positives’ to a minimum. The challenge is to be able to detect slight variations in human behavioural patterns without linking them to an alleged risk of identity theft.

Another potential drawback is the acceptability of these practices related to privacy concerns, as users may not wish for their behaviour and/or location to be constantly monitored. Strong safeguards may therefore be required to ensure the confidentiality of their behavioural traits.
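The score-and-threshold behaviour of continuous authentication described above, sketched as an added example that is not part of the study. The feature names, enrolment statistics, region labels, threshold, smoothing weight and the scoring formula itself are constructed assumptions chosen for illustration.

```python
"""Continuous authentication: smoothed behavioural score with step-up."""
from dataclasses import dataclass, field
from math import exp

# Constructed enrolment profile: feature -> (mean, standard deviation).
# Names and numbers are illustrative assumptions, not taken from the study.
PROFILE = {
    "key_interval_ms": (180.0, 25.0),    # typing speed
    "swipe_speed_px_s": (900.0, 120.0),  # swiping pattern
    "touch_pressure": (0.45, 0.05),      # finger pressure
}
USUAL_REGIONS = {"region-home", "region-work"}  # constructed geographical profile

THRESHOLD = 0.5    # below this score the holder must re-authenticate
ALPHA = 0.3        # weight of the newest sample in the running score
GEO_PENALTY = 0.5  # factor applied when the location is an outlier


def sample_similarity(sample, region):
    """Return a similarity in (0, 1] between one sample and the profile."""
    z_squared = 0.0
    for name, (mean, std) in PROFILE.items():
        z = (sample[name] - mean) / std
        z_squared += z * z
    similarity = exp(-z_squared / (2 * len(PROFILE)))
    if region not in USUAL_REGIONS:
        similarity *= GEO_PENALTY
    return similarity


@dataclass
class Session:
    """The default state is logged in; the score decides when that ends."""
    score: float = 1.0
    state: str = "LOGGED_IN"
    history: list = field(default_factory=list)

    def observe(self, sample, region):
        if self.state != "LOGGED_IN":
            return self.state  # behaviour alone never restores access
        # Exponential smoothing: one unusual sample lowers the score
        # without forcing a step-up, which limits false positives.
        self.score = ((1 - ALPHA) * self.score
                      + ALPHA * sample_similarity(sample, region))
        self.history.append(round(self.score, 3))
        if self.score < THRESHOLD:
            self.state = "STEP_UP_REQUIRED"
        return self.state

    def step_up(self, verified):
        """Apply the result of a traditional check (password, PIN, biometric)."""
        if self.state != "STEP_UP_REQUIRED":
            return self.state
        if verified:
            self.score, self.state = 1.0, "LOGGED_IN"
        else:
            self.state = "LOGGED_OUT"
        return self.state


def replay(events):
    """Feed (sample, region) pairs to a fresh session; return it and the states."""
    session = Session()
    states = [session.observe(sample, region) for sample, region in events]
    return session, states


# Constructed samples: the owner, the owner typing unusually slowly,
# and a different person handling the device.
OWNER = {"key_interval_ms": 190, "swipe_speed_px_s": 860, "touch_pressure": 0.47}
VARIATION = {"key_interval_ms": 230, "swipe_speed_px_s": 900, "touch_pressure": 0.45}
OTHER = {"key_interval_ms": 300, "swipe_speed_px_s": 1400, "touch_pressure": 0.65}

if __name__ == "__main__":
    session, states = replay([
        (OWNER, "region-home"), (VARIATION, "region-home"),
        (OWNER, "region-work"), (OTHER, "region-home"), (OTHER, "region-home"),
    ])
    for state, score in zip(states, session.history):
        print(f"{state:18} score={score}")
    print("after PIN check:", session.step_up(True))
```

The smoothing weight sets the trade-off the text points to: a higher `ALPHA` reacts faster to a different handler but also turns slight variations in the owner's behaviour into step-up prompts.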
ACCESSING EGOVERNMENT SERVICES AT YOUR FINGERTIPS 03

Governments are slowly but surely adopting mobile-first strategies to deliver eGovernment services. This approach consists in designing public services for mobile phones first before adapting the designs to computer based sessions. The concept of mGovernment is emerging as a label for this trend.

Mobile first strategy implies that citizens can use a mobile friendly solution in order to access online services. The objective is to develop mobile applications providing personalised journeys based on the needs of different groups of the population.

In November 2016, Malta was among the first countries to issue a “Mobile Government Strategy” to enable citizens and business to access public services on mobile devices at any time and from anywhere.[25] The strategy highlights eleven principles that provide the foundations for the creation of new mobile-first services.

Austria has been another leading country in promoting mGovernment and mobile identity. It has offered its mobile identification solution – the Mobile Phone Signature[26] – to citizens since 2009. It is also leading an effort to develop a “European Statement for m-Government”, which will be discussed during a 2020 high-level conference on mGovernment.[27]

Although the trend of mGovernment has been developing for several years now, these examples of pro-active action remain rare. Governments and agencies have been slow to take a leap to make this radical transformation. Most public service websites are still not ready for mobile access.

[25] MITA, Mobile Government Strategy 2017-2018, see: https://publicservice.gov.mt/en/Documents/Mobile_Government_Strategy_2017-2018.pdf
[26] See description of the Mobile Phone Signature at https://www.buergerkarte.at/en/
[27] DigitalAustria.gv, https://www.digitalaustria.gv.at/eng/High-Level-Keynotes.html

Benefits of mobile first strategy

Adopting a mobile first strategy is not just a fashionable trend. It is a critical step for governments to take or risk becoming irrelevant and disconnected from their citizens.

Mobile first strategy relies on the principle of empowering citizens as much as possible. Better designed services, tailored to the needs of their users, enable citizens to become more autonomous in their interactions with public administrations.

Figure 5 – Internet usage (MITA Mobile Government Strategy)

Key resulting advantages are:

- Cost reduction: More autonomous citizens imply fewer staff will be required to perform administrative tasks. Information runs more smoothly between different public services. Services are accessible 24/24, 7/7 and remotely, reducing the need to maintain physical locations for requesting services.
- Boosting productivity: if citizens are more autonomous and face-to-face interactions are reduced to a minimum, officers can concentrate on more complex tasks. The automation of low added value and repetitive activities also increases the satisfaction of administrative staff and can attract younger talent.
- Increased reach and citizen satisfaction: the digitalisation of services is often criticised for reducing the quality of services provided to citizens. On the contrary, more and more citizens find unbearable the need to physically visit an office in order to perform a procedure. Less advantaged populations also tend to prefer mobile interactions as they cannot always access computers. The greater the autonomy of citizens and the smoother the journey, the higher the satisfaction for the public services will be. If possible, citizens prefer not to be dependent on a clerk or an opening hour.
- More security: unlike for computers, security updates on mobile devices are often done automatically. It is therefore harder to exploit vulnerabilities both on the side of the citizens, and on the side of administrations. This is particularly relevant as damaging disruptions of public sector activities due to the lack of appropriate management of computer pools regularly make the headlines.[28]

Recommendations for improving the mobile experience of cross-border authentication

EU Member States are currently supporting the uptake of electronic identification (eID) to enable secure and seamless electronic interactions between businesses, citizens and public authorities, within the context of the eIDAS Regulation (EU 910/2014).[29]

The Regulation foresees that if an EU/EEA Member State offers an online public service to citizens/businesses for which access is granted based on an electronic identification scheme, then they must also recognise the notified eIDs[30] of other Member States.

In the context of national and cross-border authentication in Europe, a series of attention points can be highlighted to ensure a smooth user experience on mobile devices when accessing online services.

[28] The Telegraph, Cyber attack: NHS ordered to upgrade outdated systems as disruption continues, 15 May 2017, see: https://www.telegraph.co.uk/news/2017/05/15/cyber-attack-nhs-ordered-upgrade-outdated-systems-disruption/
[29] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, see: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2014.257.01.0073.01.ENG
[30] By notified eIDs, we mean all eID schemes that have completed the notification process. The notification process refers to the selection, peer review and official addition of national eID schemes to the eIDAS Network. Notification ensures that the eID schemes connected to the eIDAS Network satisfy the conditions of quality and security set out by the eIDAS Regulation.
Service providers' websites must be responsive for mobile devices

Responsive design principles are key, especially for solutions built to work on multiple devices. Responsive design requires websites to be set up in such a way as to enable the most efficient and readable display of information, regardless of the device. The content of a web page ‘responds’ to the screen size of the device used and displays the information accordingly.

Encourage service providers to develop mobile applications

Imagine being able to open an app on your smartphone and pay your taxes with one click, access the status of your benefits and their payment on an intuitive dashboard, notify the government of your change of status like you would edit a social media profile and snap a picture of the justification document. Although this seems like an inaccessible dream, these are nothing more than basic features of most commercial applications.

Governments should adopt strategies to support the development of dedicated apps for their public services rather than websites.

Adapt the authentication options to the user’s device

In case a user is browsing a mobile app and is prompted for authentication, it is important for the country providing the identification means to take into account that the user is using a mobile device.

In case a Member State has both mobile-friendly and non-mobile-friendly eID schemes available, it should avoid presenting authentication options that are not mobile-friendly to such users. The adaptation of the eID selection interface to the type of device that the citizen is using might be particularly needed for Member States that have implemented an eID gateway: a single page, which groups all authentication options available in the country.

In case no mobile-friendly authentication option is available, users should receive a message explaining that the service is only available from a computer.

This type of issue should be particularly taken into account in a cross-border context, where Member States may have different levels of maturity in terms of mobile strategy.

Develop a mobile-friendly country selector for eIDAS

The eIDAS regulation enables citizens to access online public services from a foreign country thanks to their national eID scheme, provided that it has been notified at the EU level.

When seeking to gain access to a foreign online public service, users are prompted to select the identification means that they want to use to remotely authenticate to the service.

Member States have developed a country selector to redirect the citizens to the appropriate country. It is critical that this country selector be mobile friendly and use all possibilities offered by mobile devices (e.g. picker wheel) to make the selection as smooth as possible.

Ensure that the eIDAS nodes’ interfaces are mobile friendly

Member States can either develop their own eIDAS node or reuse a sample implementation provided by the European Commission to enable the mutual recognition of eID schemes across borders in Europe. The demo interface provided by the European Commission has been mainly developed for desktop. Member States should pay attention to the mobile experience of their eIDAS node. A specific paper will further address potential improvements to be made in this domain.

Test the overall mobile journey

Upon the implementation of the previous recommendations, final tests should be performed to identify potential remaining pain points or stumbling blocks hindering smooth experiences for citizens accessing online services with their mobile device. Complete end-to-end testing allows respective Member States to take into account potential issues emerging due to different approaches taken by other Member States, as well as differences in the maturity of their mobile strategies.
CONCLUSION 04

This paper has provided an overview of the technologies and strategies pursued to provide users with mobile access to eGovernment services. It has situated the shift to mobile as the continuation of governmental efforts to provide user-centric public services.

Digital identity plays a key role in enabling mGovernment, allowing remote authentication and the possibility of providing seamless and personalised services. As the trend towards mobile services intensifies, eID schemes must also be provided in mobile compatible forms.

In the previous sections we have seen that smartcards were an early eID format of choice. Those countries which integrated NFC technology into their smartcards from the start (9 of 18 Member States with smartcards) have been able to enact a relatively smooth transition towards mobile.

This technology allows contactless communications between smartcards and mobile devices. With both Android and now also Apple providing open NFC interfaces, governments can commit to mobile strategies and develop applications drawing on contactless smartcards.

This paper has also noted the upcoming opportunity associated with the proposed Regulation 2019/1157 on strengthening the security of identity cards of Union citizens and of residence documents. This legislation will require governments to integrate contactless technology into their smartcards and some may choose to upgrade these smartcards so that a full range of identity credentials can be accessed drawing on this feature.

In the meantime, countries without NFC-enabled smart cards can attempt strategies such as using Bluetooth to connect mobile devices to card readers. This, of course, requires users to carry a card reader with them. Other technological options explored in the paper include the use of SIM cards issued by telecoms providers to enable the secure transmission of ID information. Alternatively, the use of new eSIM technology embedded in mobile devices offers similar functionality while avoiding reliance on any single telecoms operator. Another possibility is the server signing option, drawing on private keys stored on a hardware security module, which has been adopted in Portugal and Denmark.

Finally, a new frontier is opening up with the promise of dynamic identity enabled by a combination of biometrics and behavioural identification. These technologies can allow for continuous authentication of users, only requesting an alternative authentication method if a risk is identified. At present, this approach has not reached full technological maturity, and faces the challenge of avoiding false positives without diminishing the user experience, as well as possible resistance due to privacy concerns.

The trend towards mGovernment and mobile electronic identification is gathering pace and the paper has closed with recommendations for governments trying to apply this approach in a cross-border context.

Organisations attempting this should specifically design their websites to be responsive to mobile while also developing specific mobile applications. They should ensure the authentication schemes drawn upon are suitable for mobile, ensure the development of a mobile friendly “country selector” when choosing the appropriate eID scheme, and ensure that eIDAS nodes themselves are mobile friendly. Finally, they should conduct end-to-end testing to ensure that the entire mobile user journey is smooth and efficient.

Following these suggestions can help governments move towards the level of service users have come to expect from mobile private sector applications. With citizens increasingly demanding a smooth user experience in accessing public services, authorities must embrace the shift to mGovernment or risk being left behind.
European Commission, Embracing mobile identity for eGovernment, 2020 – 15 pages