GOVERNMENT PROGRAMS - National Mobile ID schemes WHITE PAPER - Security Document World
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
GOVERNMENT PROGRAMS WHITE PAPER National Mobile ID schemes Learning from today's best practices December 2014
Mobile ID – a universal and immediate bond
Looking ahead to 2020, many studies show the
predominant role that mobile devices and - more broadly
- connected objects, will have in our lives. The OECD
reports that over 96% of the world population will be
equipped with a cell phone by 2018 with over 7 billion cell
phones in circulation. Mobility will be an essential factor
for the agility and adaptability of the individual.
Some visionary countries have made the leap to mobile
identity or m-ID, meaning the creation of a mechanism -
initiated using the eID component - for accessing online
services with a high level of security thanks to mobile
devices. Electronic identity can be one of the bonds of
trust between citizens and online public services, and in
some countries banking services. This intuitive choice
was founded on the hope of achieving better market
penetration, better take-up by citizens and, as a corollary,
a more optimum distribution of e-Government services.
The pioneers included countries where market In 2014, Oman was the very first country in the middle
penetration of cell phones and new technology is strong east to complement its national electronic ID card with a
such as Austria, Estonia, Finland, Norway and Turkey. It mobile ID scheme.
was sometimes (Austria 2003) spurred by the need for
a universal form of identification, sometimes (Estonia Over the last few years mobile identity (mID) has seen
2007) supplementing the national card program and growing uptake by citizens thanks to its ergonomics and
accelerating the development of identity and electronic high level of security.
signature with the success that we know. Estonian
President Toomas Hendrik Ilves recalled in Brussels on The success and rapid uptake by citizens of
October 14, 2014 that the use of electronic signature in m-Government services in all countries that have chosen
the country, has helped save the equivalent of one week of to focus intensively on mobile communication devices to
working time per person. foster proximity and e-inclusion have demonstrated the
strength of the bond of identification offered by mobile.
2
Learning from past experience and today’s best practices
We have learned from fifteen years of experience and implemented and the legal validity of the system only
practice that the greatest uptake of mobile identification generates mistrust. It spreads the idea that if there
will only be obtained if we keep the following principles in is still pride in the fact that the system is so different
mind: and unique, the system is still certainly immature.
> The principles governing the digital world are no The presence of airbags and the best stopping distance
different from those ruling the physical world. have ceased to be factors in choosing a car. Cars have
> The uptake of new uses is first and foremost about the become comfortable, practical and functional everyday
value of the application. These hold true regardless of objects: this is their real purpose. Mobile internet too
the tool in question. has become an everyday practice; it follows the same
> Complexity should be masked. The governance rules.
organization for the identification system, its principal
identities, secondary identities, authentication servers, The 14 mobile ID schemes detailed in this document are
the control and validation system and associated part of the most ambitious ones and set a pattern that
expertise should stay in the backstage where it should be considered when creating and implementing a
belongs. mobile identity infrastructure. Moreover, it is clear that
> Technology and innovation will not motivate users. the key components involve technology which is robust
Communication on the extraordinary security effort and certainly capable of delivering the results required.
3
Public supervision is needed to coordinate approaches
and experiences
Mobile identity is on the march. What remains is to adopt because mobile citizens, going from one city to another,
the new structure and codes that are needed to govern will need to find similar modes of services wherever
associated services and transactions. they may be.
In this context, the role of the public authorities is to: The dynamics of a digital framework of trust is then
> Build and nurture a national momentum accelerated with mobile identity.
> Support and coordinate the local government
investments through which local transformations, Evidence of uptake is confirmed and giving us clear
close to the community, can operate effectively and signals of momentum in particular with the success of
efficiently; mobile online services.
> Make sure that these multiple local experiments create
a coherent and interoperable spectrum of solutions,
4
Usage and feedback
from national experiences
The most advanced public initiatives in the field of m-ID This panorama will give us a better understanding of
are historically to be found in the following countries: the processes at work today and the trends that can be
Estonia, Austria, Finland, Turkey, Moldova and Azerbaijan. discerned. In each case, we will address the following
2014 has seen acceleration in pilot programs or projects aspects:
such as those in the United Arab Emirates, Oman, Iceland, 1. Governance: Who is at the head of affairs and what
Korea, India, Japan and Russia. Other large countries organization has been put in place?
such as Brazil, Mexico, Italy and Spain are taking an
2. Trust framework: What is the legal framework for the
interest.
digital identity program?
3. State of eID program: What is the state of progress of
In 2014, the most successful private program in the field the digital identity program?
of m-ID is without a doubt the PKI SIM-based Bank-
4. State of mobile ID program: What is the state of
ID program in Norway which brings together a very
progress with the national mobile ID program and what
large number of service providers and mobile network
method of mobile authentication has been chosen?
operators.
5. Other comments relating to eID and/or m-ID
6. Leading applications of mobile ID and developments in
Telenor had already been offering its subscribers the
process
mobile Bank ID service for a number of years and in
2013 the other Norwegian MNOs started joining the
service making it possible for their subscribers to have Our journey will take us:
secure mobile authentication within the framework of > To Europe and the United States in order to understand
the local BankID solution used in Norway for secure the two cultures of trust and their models of
online identification and signature. The new mobile identification
identity functionality works on all networks and all types
> To the north and east of Europe to countries that have
of telephone and has already been adopted by more
been the pioneers of m-ID for a number of years
than 250 service providers in the country, including the
major banks, as well as numerous other commercial > To the Middle East, which has been boldly and
organizations and government agencies. The arrival determinedly treading the path of eGov 2.0 and digital
of mobile identity has doubled the average number of trust since 2005, with strong technological competition
transactions per user to 12 transactions per month. between the GCC countries and also between SMART
According to the Bank ID website, 10% of the population is CITIES such as the sister cities of Dubai and Abu Dhabi
using mobile ID as of October 2014. > To Belgium and Austria, two pioneers of eID and
modernization and who are preparing for eGovernment
and SMART CITY convergence
To help gain a better understanding of what is being done
in the pioneering countries, we propose a rapid overview > To France and Germany, Europe's heavyweights, but
below of the approaches being adopted in eID and m-ID in also heavy structures to manoeuver, albeit with
the form of 14 country data sheets. numerous initiatives in France for its Smart City
programs using NFC and m-payment structures.
> Finally a diagonal sweep west then east - from Iceland
to Turkey - with the latter putting a strong national
spin on its leap into the future with mobility, a
movement underway for the last 7 years.
5
EUROPE – UNITED STATES:
Two cultures of trust – two models of identification
Europe: a top-down model, where eGov 2.0 and SMART > Fifteen years after the electronic signatures Directive
CITY converge and interoperate to advance towards the 1999/93/EC, the eIDAS European Regulation voted in
sustainable society set out in the Digital Agenda for Europe July 2014 sets up a framework of trust for electronic
exchanges for 28 countries
> Europe is characterized by the dominant faith in the > Contactless and mobility have seen a rapid take-off since
sovereign state, seat of national trust and ultimate point 2012, particularly through the adoption of NFC by many
of reference in terms of authority. mobile operators and local authorities
> The prevailing model in national identification is based > We are seeing a true paradigm shift in eGov, moving to
on the population or civil register (as the root) and either SMART CITY programs and local services
a unique ID (Belgium, Estonia), federated multiple IDs
(Austria) or separated IDs (Portugal).
Foundations State of
Governance of Trust State of eID mobile ID Comments Leading mobile
framework program program applications
Europe
(extended)
21 card-based European European 150 million The eIDAS The eIDAS None in
eID programs Commission Directive Europeans Regulation, to Regulation existence yet but
in Europe (16 DGCONNECT 1999/93/EC have an eID the extent that renders the the ingredients
for EU28 in the in Brussels concerning card, which it addresses 1999/93/EC for success are
strict sense) electronic corresponds electronic directive null and in place as of
CEN: European signature to 30% of the identification void on 2014:
Turkish eID Committee for population and signature, July 1, 2016
card about to Standardization eIDAS regulation also applies to eIDAS legal
be launched (Comité adopted in July Sharp contrast in mobile ID. Technical framework
throughout Européen de 2014 on trusted usage between -------------- proposal adopted,
the country Normalisation) electronic countries from German CEN technical
(parliamentary exchanges Currently and French framework
decision in -------------- The regulation Electronic different IT security currently in the
progress) will give rise to signature used implementations agencies (BSI process of being
ETSI: European more technical mainly by certain with PKI SIM in and ANSSI) for defined
Telecommunica- specifications for professions and the majority of eIDAS tokens as
Alternative tions Standards Member States applications cases. of the summer 92% of the
of national Institute (CEN) of 2014 population in
digital identity/ In the countries 1st launch in The most Europe has a
identification: Generally Vision - The 1998 and 21st in successful Certainly an mobile telephone
Denmark (see coordinated by Sustainable 2014 mobile ID important as of the start of
data sheet) the Ministry of Society: Model of programs building block 2014
and the United the Interior with growth defined 100M euros worldwide are in as a legal
Kingdom the national in the Digital invested by the Europe framework NFC is getting
population Agenda for EC over the for trusted strength
register at the Europe 2020 last 10 years in Many pilots in exchanges both after the
core of the interoperability many cities for Europe and announcement
system when one programs Under SMART with a view to made by Apple in
exists (STORK 1 and 2 CITY programs a transatlantic September 2014
programs) in contactless partnership
Coordination of mode coupling agreement on
eGov schemes mobile ID and free trade
often falls under NFC
the responsibility
of the prime
minister and
technical IT
resources are
often transverse
6USA: a bottom-up, liberal model where the strength of the principle of identification (identity here is fundamentally
commitment makes it binding. declarative and the citizen does not lie given the heavy
penalties for misrepresentation), the principle of mobile
> Faith in a model where individual freedom dominates the trust is making inroads in mobile payments in the US:
need for cohesion and a stronger social bond. Model • The SUBWAY restaurant chain is embarking in late 2014
where the customs and the market eventually end on the largest NFC deployment in the country, with NFC
up making the standard. The reliability of commitment of payment terminals by Softcard (a joint venture between
private operators is controlled by stringent laws but it is AT&T, T-mobile and Verizon)
admitted that money ultimately covers the risk of across 26,000 service points
prejudice due to accidental invasion of privacy or even • Apple is launching its payment application Apple Pay
fraudulent use of private data. promoted as a Killer App with the iPhone 6
• San Francisco is rolling out a city-wide extension of its
> Though mobile identity is struggling to establish itself NFC PayByPhone parking system.
for want of a culture that embraces the sovereign
Foundations State of
Governance of Trust State of eID mobile ID Comments Leading mobile
framework program program applications
USA
No national The White House Homeland DoD No centralized The question of Not yet in place
identity card Security (Department of mobile ID project national ID is not
Department Presidential Defense) cards just about digital But numerous
No national of Homeland Directive 12 for military In March 2014, ID. There is no solutions in the
digital identity Security (HSPD-12) dated personnel in the NSTIC official Federal private sector
program August 27, place since 2001 published document. Very use mobile
Department of 2004 (HSPD-12) (cryptography, a guide to fragmented telephones
But driver’s Commerce defines a policy PKI) derived mobile situation with for two-factor
license serves --------------- for a common identity making regard to birth authentication
de facto as an Standardization identification Electronic it possible, certificates
identity card body: standard identification and within certain (14,000 different
The National for Federal authentication limitations, to formats) and
Digital Institute of employees and by contact- use derived driver’s licenses:
identity cards Standards and contractors. based PIV smart identity a de facto form
issued by the Technology Smart cards card for many credentials on of ID
State for its (NIST) arrive on the government mobile from PIV
personnel Department of scene as of 2007: administrations cards. 34 states require
Commerce Personal Identity a form of ID to
No national --------------- Verification (PIV) Pilot projects Very recent vote, such as an
population Various cards financed by projects on invoice, social
register initiatives taken the NIST in derived identity security number,
in particular Presidential September 2014 credentials on etc.
by the DMV initiative in 2011: to implement a Mobile within the
(Department of NSTIC (National reliable system framework of the Cases of massive
Motor Vehicles) Strategy for digital DoD’s CAC and data theft which
With a view for Trusted identification driver’s licens were again on
to studying a Identities in as part of the the rise in 2014
mobile-based Cyberspace) NSTIC initiative pushing large
driver’s license supervision of companies like
(Georgia and the Department Google, Amazon
Florida) of Commerce and Apple to
move towards
simple OTP
solutions (Apple
iCloud)
7The pioneers of mobile ID
Estonia: banked on mobility as early as 2007 to boost eID usage
Foundations State of
Governance of Trust State of eID mobile ID Comments Leading mobile
framework program program applications
Estonia
National Involvement European Electronic Since 2007, The technology More than
program of the Public Directive identification and mobile identity for mobile ID 300 private
Authority at the 1999/93/EC and authentication on SIM card can is the same as and public
eID and highest level the subsequent by contact-based be activated that for eID and organizations
mobile ID are to coordinate Estonian law national identity online by means applications use mobile ID
part of daily life deployment concerning smart cards as of a specific which require
since 2005 and across public electronic of 2005. application a high level of e-Banking is
2007. and private signature which uses security such the flagship
entities. adopted on 100% of the the electronic as e-voting application
Level of maturity Technical December 15, population has identity card are available
of use: Very Management 2000 this card. as a means of immediately. Numerous
high thanks in of the Program identification. applications
particular to by the Ministry agreement for eID and its Then by The rapid for students &
education and of Economic recognition three functions acquiring a modernization universities
communication Affairs and of qualified secured by special SIM card of government
Communications signature a national from mobile administrations The GoSwift
with Finland, PKI network: operators. and the private application for
Estonia is Choice of a Belgium, identification, Certificates are sector in Estonia reserving one’s
proving to be single Certifica- Portugal and authentication valid for 3 years has clearly place to cross
a source of tion Authority SK Lithuania for and qualified Electronic demonstrated borders won the
inspiration to its (AS Sertifitsee- the creation of electronic signature the benefits of 2013 prize for
neighbors and rimiskeskus), companies signature (with and mobile a secure and innovation. It
is cooperating Linked by a same validity authentication multimodal dematerializes
with Lithuania, Public-Private Law prohibiting as written by PKI SIM. sovereign digital the queue by
Latvia, Denmark Partnership. the government signature) identity. creating a
and Finland The Authority from requesting Mobile ID is virtual queue.
was created by data that it Heavy promotion accepted by An application
four companies already has in its of the model at 90% of online developed at the
from the world possession international services request of the
of banking and level available in Ministry of the
telecoms: EMT, Introduction the country in Interior.
Hansapank, of criminal September 2014
Eesti Ühispank sentences for
and Eesti Telefon cyberattacks
Moldova: bypassing eID to shift straight to mobile ID
Foundations State of
Governance of Trust State of eID mobile ID Comments Leading mobile
framework program program applications
Moldova
No card-based Coordinated by Electronic No eID national Launched since Mainly used by 96 e-services
national digital the eGovernment signature identity card the end of 2012 companies in available
identity program Center created adopted in The process of B to G
in August 2010, Moldova on registering with 23% of social
Mobile ID responsible for July 15, 2004. the operator International security forms
program with implementing the takes 15 minutes recognition with approved with
electronic country’s eGov On May 29, 2014, the GSMA Mobile mobile ID as
signature Agenda the new law Strong Award in 2013 of 2013
service since the on electronic authentication
end of 2012 Active communi- signature is and PKI SIM
cation with users adapted to electronic
bring it into line signature
Certification with Directive service; secret
authority CTS 1999/93/EC with PIN code
Agreement Applicable on
between the January 4, 2015 The MNOs have
two operators pending eIDAS invested in their
Moldcell, Orange, systems and
the CA and the users pay for
authorities the service.
The Government
is financing the
certificates
8Finland: The creation of the circle of trust bringing together the MNOs, the private and the public sectors enabling
interoperability with the three mobile ID services and the seamless use of the mobile ID service for all users is something
unique in the Finnish Mobile ID model. It will be adopted also in the soon to be revised legislation on strong electronic
authentication services.
Foundations State of
Governance of Trust State of eID mobile ID Comments Leading mobile
framework program program applications
Finland
National Initiative European Unit cost of eID The creation Before: For Over 300 public
program coordinated by Directive card: €53, Not of national nearly 10 years, and private
the national 1999/93/EC and mandatory. mobile ID the method of services
eID card population the subsequent 10% of the standard authentication in accepting
launched in register center Finnish law population has supported by the Finland, for the mobile ID.
1999, electronic (VRK) in concerning one. three operators banks, business
certificate on all association with electronic The health in 2010 allowed and eGov, was Most popular
cards. the Ministry of signature insurance card rapid progress an OTP on a services are:
Card updated in the Interior adopted in 2003 Kela can also be to be made with paper list + PIN Getting involved
2003 to support incorporated into services. code, which is with citizens’
electronic VRK is no longer Modification of the ID card. a legal form of initiatives
signature. responsible the law in 2009 Acquisition of authentication. Working with
for the issuing to take account a special PKI (The BankID Insurance
Health insurance of electronic of mobile Electronic SIM card from system) services
information certificates for signature and identification and mobile operators Checking
added on the Mobile ID but make it legal for authentication at a face-to- Today: mobile ID one’s medical
card upon issues a unique the signature by contact-based face meeting, or with PKI SIM as prescription
request. identification of contracts, national identity pre-registration the method of Applying for
number (SATU) agreements, etc. smart cards. online via Tupas authentication benefits
The to citizen or is making rapid Opening a
interoperable resident. Very low level of progress. 50,000 gaming account
mobile ID use online. The regular mobile Reporting an
service The mobile ID private BankID, ID users in 2014. offence to the
developed by the working group Tupas system mobile ID is police
three national members is in fact the free for users Accessing health
operators was include the country’s official and paid for by services
launched in Nov three MNOs and authentication the providers of
2010. FiCom (Finnish system. online services. source
Federation for www.mobiili
Communications varmenne.fi/
and en/
Teleinformatics)
Denmark: an atypical model of trust secured simply using a login and password
Foundations State of
Governance of Trust State of eID mobile ID Comments Leading mobile
framework program program applications
Denmark
National digital Nem-ID program Law on Nem-ID: No specific National DDoS Single point
identity program coordinated by communication requested online mobile ID in the attack on April of entry to
since 2007 the Ministry of by e-mail with with unique same way as 11, 2013 blocking services: Portal
Finance government citizen number in Finland or the banking for citizens,
No physical authorities + passport or Estonia. system businesses and
identity card Cooperation (mandatory in driver’s license healthcare
between banks 2015 – no more number. Cross- Nem-ID can Browser security
and government paper letters) checked by be used on middleware eGov
police and mobile as only rewritten in July applications have
Managed by a issuing of a a simple login 2014 in java to be extensively
private company login/password and password is adapted to
Bank + public and a list of required Considering mobile mode
sector. passwords on move towards
Steering by paper. other
(STS) ministries, Simple OTP authentication
regions and Easy to use and factors
municipalities popular: (biometrics, etc.)
for the country’s 90% of citizens
eGov strategy. 99% of
businesses
9Middle East: daring to tread the road of eGov 2.0 and digital trust
since 2005
United Arab Emirates: in the technological vanguard, and not waiting around for Europe
Foundations State of
Governance of Trust State of eID mobile ID Comments Leading mobile
framework program program applications
UAE
National The program to Created in Nearly 95% of As part of The first mobile No major
program modernize the 2004 by decree the population is a project apps appeared at deployment yet
sovereign identity No. 2 of the registered and announced the end of 2013
eID: Pilot phase system has been independent 80% are holders in May 2013, with support for Generalization in
in 2005 and entrusted to an authority EIDA of the eID card. mobile ID is geolocation in progress
national launch independent responsible for The biometric being tested in particular.
in 2007 public authority, the national card is issued 2014 with a pilot These are
the project the EIDA register and the to Emiratis and involving PKI applications
combines (Emirates distribution of residents who SIM cards (with redesigned for
registration of Identity eID cards account for operators) with smart phones as
the population Authority) Federal Law No. the majority of face-to-face part of the Smart
and issuing of responsible for 1 of February the population identification. eGovernment
the card implementation 2006 concerning (80%). The card project.
of all phases of Electronic is a contact AND
mobile ID: pilot the program. Transactions and contactless card Project at a very
phase in 2014 The core of Commerce advanced stage
the system is (electronic to make the eID
the national signature) Electronic card work as a
population identification and payment and
register authentication withdrawal card
by contact-based 500,000 readers
Infrastructure national identity handed out
that is intero- smart cards. in 2013 to
perable for all encourage use
ministries and EIDA manages
government a PKI public key
administrations, infrastructure
and is open to
the private sector
Qatar: looking to move quickly and integrate citizens and residents
Foundations State of
Governance of Trust State of eID mobile ID Comments Leading mobile
framework program program applications
Qatar
National The eID program Decree Law 90% of Qataris The PKI mobile ID Not yet in place,
program is managed by No. 36 of 2004 and residents infrastructure will enable still in project
the Ministry of establishing have the and certificate authentication phase
eID was the Interior. ictQatar biometric card authority put in and signature of
launched in 2005 Ministry of place in 2007. applications
Information information and Electronic eGov available
Next steps technology, and communication identification and It may be on the country’s
may include in particular technologies authentication by hosting the federated portal.
extending the aspects contact-based/ mobile ID pilot
program with the concerning Law of August PKI national program in a few
use of mobile identification, 19, 2010 on identity smart months time.
PKI where authentication Electronic cards.
citizens log on and signature, Commerce and 500 services on
to the Hukoomi is managed by Transactions the country’s
portal using the Ministry of and electronic eGov network by
either their eID Information and signature in ictQatar offering
or mobile phone. Communications particular. Single Sign On
Technology and Electronic
(ictQatar) for all Signature since
ministries. February 2014
10How two pioneers of eID and eGovernment are facing up to m-ID
Belgium: eID on road to sustainable society and Smart Cities
Foundations State of
Governance of Trust State of eID mobile ID Comments Leading mobile
framework program program applications
Belgium
National eID Coordinated by European 10 million Program ready eID program mobile ID not yet
program the Ministry of Directive contact- but pending is founded on in place
the Interior 1999/93/EC and based cards in decision by new excellent regional
Launched in Main parties the subsequent circulation (100% government cooperation, But ambitious
2004 involved Belgian law of the target formed in extending the NFC mobile
National adopted on population) September. 2014 scale of the payment
mobile ID population October 20, success by program
program: register (Ministry 2000. 30% of cards investing in all very well
technical of the Interior) Royal Decree on activated for local services. disseminated
solutions studied FEDICT eID in 2004 and use for online since 2012
and in validation (FEDERAL law on access to identification. «Marketing»
phase PUBLIC SERVICE, personal data approach SMART CITY at
INTERIOR) 2012 : Fedict More than 700 with in-depth the forefront
Transverse responsible, applications use consideration A European first:
body providing for security eID given to the European Bank
technical IT and respect product and its investing 400
resources for the of privacy in Electronic presentation, million euros to
deployment of the exchanges of identification, distribution, support
interoperability personal data authentication acceptability «Smart Cities
infrastructure and electronic and signature by and promotion & Sustainable
A Public Trusted cooperation contact-based (communications) Development»
Third parties between national identity in all Cities
Organization to services. smart cards. Notion of role
protect data flows Law on the non- allowing for use
Five personal duplication of Signature widely in the professional
data protection administrative used in the sphere
organizations at information professional
the core of the requests in 2014 sphere Health card
technical system merged with the
deployed eID card in 2014.
Austria, a pioneer of eID and paperless government, launched mobile ID as early as 2004
Foundations State of
Governance of Trust State of eID mobile ID Comments Leading mobile
framework program program applications
Austria
eID available Chancellery European Digital identities eID and Signature In 2012, all the More than 200
since March 2004 Directive derived from on mobile since developments for applications use
on all media eGovernment 1999/93/EC National 2009 developed ID, signature and the federated
including cell Innovation and Austrian law Register per within STORK the signature identity for
phones Center with the of December domain (Liberty project server were businesses and
technical support 2001 Alliance model). made available citizens
New mobile ID of the University The citizen’s In 2014: 300,000 online as open Job search with
signatures a
since 2009 of Graz Law of March electronic card source eJob room
month and 20 to
2004 for eGov can be used for Online services
25,000 new mIds/
The citizen can National program identification and month Close synergy for breeders
choose the population authentication with the cities SMART CITY Lots
medium used to register (citizens (signature Authentication of Vienna, Graz, of innovative
store their eID: and residents) and mandate). uses the mobile Salzburg and applications at
either on card or Physical medium phone number Linz city level
mobile. MODEL Center for online can be a bank + password + VIENNA in Top 10
IS THE ONLY security card, health OTP code. The Austria No. of SMART CITIES
ONE OF ITS KIND card, student eID is stored in 1 in eGov in KLAGENFURTH
IN EUROPE card, signature the mobile ID the EU28- NFC City - a
card, service system’s database Benchmark genuine mobile
card or mobile - not in the phone reports for last library
telephone - and accessed seven years Generalization of
after successful Mobile payment
authentication in progress
with the system.
SMS channel, no
cryptography
11The European heavyweights, hard to steer, some remarkable
success stories
France: lagging behind on eID- booming with Smart City, and mobile payment projects with NFC
Foundations State of
Governance of Trust State of eID mobile ID Comments Leading mobile
framework program program applications
France
No sovereign The French European The federated No national No national eGov 2.0
national digital National Agency Directive portal «mon mobile ID population blends with
identity program for Secure 1999/93/EC and service publique» program register the numerous
(either for eID Documents the subsequent («My public SMART CITY
or mobile ID) (Agence French law service) provides No private Multiple programs
Nationale des concerning a single login/ m-ID offer from identification
Numerous Titres Sécurisés electronic password operators at this credentials for a CITIZY
semi-public and - ANTS) created signature for several time single citizen consortium
private initiatives in 2007 – body adopted in March government and created by
such microchip- under the 2000 healthcare/social France Connect The French post the Operators
based service supervision of The French Data security services. announced in office «La Poste» and Public
smart cards for the Ministry of Protection Act . The Sept 2014 will be provides a digital Authorities
many public the Interior of 1978 («Loi payment of VAT in pilot phase in identity in the to develop a
organizations Informatique et is secured by PKI 2015. It will act form of a login/ deployment of
Ministry of Liberté de 1978» token. Various as a proxy and password after Mobility-oriented
France connect Industry and the initiatives in the will not be an ID a face-to-face local programs
national scheme Digital Economy Law on eID banking sector provider. registration with use of NFC
announced as in 2012. The based on OTP… for identification
a state driven The CNIL Constitutional The INES eID and payment
facebook (National Council has France Connect card project from
connect (digital Commission limited the announced in 2005 has not
ID federation) on Information scope of the Sept 2014 will be come to fruition
Technology and card. Project not a public service The IDéNum
Civil Liberties) launched; not like facebook project from
currently on the connect and will 2010 has not
Standardization agenda (Sept. federate public come to fruition
body dependent 2014) identities for the
on the prime second half of
minister French 2015
national agency
for the security
of information
systems (ANSSI)
12Germany: an eID infrastructure in place but austere, mobility conquers payment
Foundations State of
Governance of Trust State of eID mobile ID Comments Leading mobile
framework program program applications
Germany
National eID Coordinated European More than Possibility Digital identity No national
program by the Ministry Directive 30M eID and considered of and biometric project in 2014
launched in Nov of the Interior 1999/93/EC and residents cards deriving a digital option free-
2010 for the card the subsequent in circulation in identity from of-charge and not yet on
component German law 2014. the contactless upon request the agenda
Credit card But no promotion concerning 30% of cards card by reading submitted to (September
format of services electronic activated for with an NFC the municipal 2014)
contactless Standardization signature use for online telephone. authorities In Germany,
smart card body: BSI identification. modification of MasterCard
with The Fraunhofer Legal Electronic Project PIN code upon working with
identification national amendments identification and abandoned mid- request Deutsche
but no signature institute for in 2012 and authentication 2013 due to lack Telekom,
capabilities yet public research 2013 for online by contactless of public and 1 M readers Telefónica
conducted the identification; national identity private financing handed out free- Deutschland,
No national pilot scheme signature with smart cards Six- for development of-charge Vodafone to
mobile ID provided the new identity figure PIN code create a new
project technical support card and the No offer in Hundreds of mobile platform
proposed for startup electronic eID not promoted Germany at this public and and to accelerate
either by the Cards are residency permit by municipal time (September private services development of
government or issued by the as an electronic authorities 2014) used the eID mobile payment
operators country’s 3,200 equivalent of the Difficulty of card online in the country.
-------------- municipalities physical form training over Google, eBay
electronic ---------------- only came into 136,000 people Amazon,
signature In the private effect in 2013. Facebook…not
available since sector, Trust interested
2000 by token or Centers issue The card does
OTP signature not always
certificates. Used have signature
by professionals capabilities at
this time
13From east to west, Smart cities, eID, and NFC pave the way
for sustainable European society
Iceland: firmly committed to the sustainable society
Foundations State of
Governance of Trust State of eID mobile ID Comments Leading mobile
framework program program applications
Iceland
National digital Project Law on Certificate National launch eID on bank Banking
identity program coordinated by electronic available on of mobile ID in cards was not a applications are
since 2008 the Ministry of signatures credit cards 2014 financed by great success now available and
Finance and adopted in the banks using Mobile ID
mobile ID Economic Affairs Iceland in 2001 NO national PKI network to authenticate
program and financed by identity card compliant with and validate
launched in 2014 the banks. On the same international transaction
National PKI PKI network standards. with digital
1 national Infrastructure deployed in 2008 signature. eGov
CA: Audenni since 2008 (PKI SIM) Desire not to applications are
responsible for have to opt for also in service,
technical Little use by custom solution. and government
aspects of citizens between department are
project, itself 2008 and 2013 Sharing of best using mobile
under the practices with ID for its own
responsibility involvement in purpose.
of the Ministry the European
of Finance STORK project Reykjavik at the
forefront of the
SMART CITY
trend
For a Sustainable
Iceland
Turkey: the south-eastern pioneer of mobile ID, opted for the mobility route from the outset in 2007
Foundations Sate of
Governance of Trust State of eID mobile ID Comments Leading mobile
framework program program applications
Turkey
National eID Very strong Electronic Pilot carried Started to deploy For the launch Main uses in the
card project willingness at Signature Law out successfully an mobile ID of eID: close world of banking
initiated since political level 5070 of January in the city solution in 2007 coordination due to the initial
2010 with Coordinated by 2004 of BURSA. (electronic with central and support of main
full-scale pilot the Ministry of Project ready signature local authorities, banks
conducted. the Interior Law on eID set for national by mobile and post offices,
Main parties to be adopted at launch. Project telephone), with Integration Identification on
Mobile ID involved the end of 2014 on standby since based on PKI with banks (ATM, eGovernment
Turkcell 1st August 2014. with the operator eSignature) portal with
generation General Adapted banking Parliamentary Turkcell Garanti Bank mobile ID
Then 2nd gen Directorate practices and decision -------------- shall place
with Turkcell, of Population law on financial expected at the First generation certificates on
with Cloud-ID and Citizenship crimes end of 2014 with applet on the national eID
Project for Affairs -------------- SIM and SMS card.
2015-2016 Signature and second
Partnership with widely used by generation eID will act
public research professionals on based adaptable as the key
body Tübitak the PKI network Secure Element for access to
which defined in the Cloud - Turkey’s eGov
the technical Tests in 2015. portal
environment Proof of concept
(cryptography, planned for 3Q
key management, 2015
etc.)
Coordination
of industry and
suppliers with
national test
laboratory placed
at their disposal
14Conclusion
These nationwide mobile ID schemes are part of the The countries that are now moving forward are in fact
most ambitious ones and set a pattern that should be so many laboratories, all developing standards, patterns
considered when creating implementing a mobile identity of growth and technological development, practice and
infrastructure. policy.
The experiences in pioneer countries show a surprising The name of the game is therefore:
degree of convergence: > By establishing the sustainable digital society to
strengthen and renew social bonds, through SMART
In terms of the objective of the eID and mobile ID CITIES programs which make it their emblem,
programs > Through the understanding that with mobility becoming
the norm, these social bonds from now on will "go
The objective is to foster and to drive the digital through" those mobile devices with which it is
modernization of social bonds with trusted identities, for expected that 96% of the world's population will be
a new era of prosperity known as "sustainable society". equipped within 5 years.
All programs converge and express an awareness on the > Active and effective collaboration between public
part of a majority of public authorities to take action to: authorities, operators, banking and financial
> Make our society more cohesive, more human, more institutions and manufacturers, to establish a highly
local and more connected, secure standard for mobile environment and a
> Adapt to the new situation where mobility is becoming universal approach to build in and guarantee this
the standard for connectivity, security in close-up contactless information exchanges
> Take on board the need for meaning, ease and agility through NFC technology in particular, thereby opening
that must govern all exchanges of information between communications to the world of the Internet of Things.
people, between people and urban connected objects,
between people and the information resources that
make up the wealth of modern digital society.
Reflecting on and redefining the future therefore equates to
considering smart cities as the broad frame of reference, where the
vast majority of the interactions of the modern connected world are
played out.
15In terms of the governance framework
Our journey shows that development is the fastest, the most
productive in bringing effective progress and most secure
where strong leadership is exercised by the public authority.
This creates a framework for collective confidence, which
local authorities and stakeholders in public and private
services can use to deploy their offerings and propose all
manner of exchanges conducive to creating value. These in
turn can be beneficial for the prosperity of society as a whole.
The overall dynamic fosters adoption by the greatest number
of citizens or users.
Creating this environment is also known to take time as
This is sociologically interesting and it has to be
experienced by all pioneers. The political will to take action
considered to be a confidence factor parameter to be
can then be a catalyst for a faster set up.
included in the solutions. We have probably reached a
maturity threshold comparable to the use of the smart
In terms of the legal framework of trust and the chip credit card. Experience of protection in the event of
sovereign source of identity an incident has created a very high level of confidence.
Although it does not appear in our travel log, it is important
The popularity of the mobile channel and contactless
to remember the source of the legal certainty or security
services through NFC is now a reality.
that underpins the reliability of any form of identification in
general, and digital in particular, in most of the countries
In terms of technological approach
along our journey, and, paradoxically, also in the United States.
90% of the technical authentication methods in these
The personal identity of a person, from a legal point of view,
projects are based on PKI and SIM infrastructures. NFC
resides in the vast majority of countries in the civil registry
technology is envisaged as of 2013 to derive sovereign
and is hence guaranteed by the State. Although control of this
identity credentials and under test in several countries in
identity in countries like the United Kingdom or the United
2014.
States may be purely declarative, it essentially consists of a
This ID derivation trend seems to be confirmed even
set of factual and legal data relating to an individual (date and
in the United States: As of March 2014, the American
place of birth, full name, affiliation, etc.) that has been legally
standardization body, the NIST (National Institute of
recognized, witnessed or certified, and which allows the
Standards and Technology – Department of Commerce)
individual to be identified uniquely.
has issued recommendations for deriving mobile identity
credentials from Federal PIV cards (Guidelines for
The function, constituting the parent repository for any
Derived Personal Identity Verification Credentials).
identification data, is typically sovereign and protected. The
major efforts to secure this function, observed in all countries
This goal is to create a mobile identity (mobile ID ) that
in recent years, are testimony to a new awareness of its
provides access to online services securely. The creation
fundamental value and its potential role in the protection of
of this mobile identity is a technical extension - aka
the social bond.
derived credentials - of the eID card. It provides the same
This is why even in countries where identity cards are not
high level of authentication.
customary, we see a trend to looking for ways to create a
reference point for identity that can then be transposed
Mobile identity would appear to be on the march and
into the digital world where there is a need for a way of
set to become a new norm. What remains is adopt -
guaranteeing the identity of the parties to a transaction or
fundamentally and permanently - the structure and
exchange.
codes that are to govern mobile services and the world
of transacting in mobility. It is also time to get ready to
In terms of citizen uptake massively educate citizens to prepare for the future, for
the expected success and growth.
Our journey has shown strong support for translation of
eID and eGovernment programs to the mobile world, as if
the privacy and personal control of exchanges were better
on mobile devices by virtue of the fact that we carry them
with us everywhere, about our person.
16Public supervision is needed to coordinate approaches Evidence of uptake is multiplying and giving us clear
and experiences. In this context, the role of the public signals that have been awaited for some fifteen years. The
authorities is to: future is being decided now and the sustainable society of
• Build and nurture a national momentum 2020 is everywhere within striking distance, just one bold
• Support and coordinate the local government Mobile eGovernment or Smart City program away.
investments through which local transformations, Ultimately, these programs share a common mission:
close to the community, can operate effectively and to bring people closer together, connect them, boost their
efficiently communication and exchanges, and why not to nourish
• Make sure that these multiple local experiments the hope of better life.
create a coherent and interoperable spectrum of
solutions, because mobile citizens, going from one
city to another, will need to find similar modes of 2020 is today.
services wherever they may be.
17Notes: 18
About Gemalto
Gemalto is the world leader in digital security with 2013 revenues of €2.4 billion.
In the public sector, Gemalto provides secure documents, robust identity solutions and services for
governments, national printers and integrators in the service of citizens. Its products and solutions
are deployed in more than 80 government programs worldwide.
Gemalto is contributing to more than 25 ePassport initiatives and to 27 national eID programs.
Leveraging on its Valimo Wireless activities, Gemalto is the leading solution provider for mobile
user authentication and digital signatures with over 20 ongoing mobile Identity projects and
enabling millions of mobile users to start accessing government services with enhanced security.
Among those projects, 8 are used specifically in national eID schemes to secure the access to
eGovernment services.
Our contribution to these projects provides us with an excellent overview of the technology
involved, its applications and the quality of information systems, as well as the social context of its
use.
Gemalto also collaborates with its clients to report and share best practices from around the
world. This is the purpose of the present white paper.
19This white paper presents the experiences of 14 advanced countries in terms of eID and mobile ID
and models of partnership with banks and operators. Its goal is to give all public stakeholders and
their partners the understanding, insight and tools to include mobile services and Mobile Identity
as defining features of their modernization process for the years to come.
We hope it will give you the courage and desire to join forces with those at the forefront of
pioneering the sustainable society of tomorrow.
© Gemalto 2014. All rights reserved. Gemalto, the Gemalto logo, are trademarks and service marks of Gemalto and are registered in certain countries. December 2014 - Credit photos: Thinkstockphotos
GEMALTO.COMYou can also read
