In April 2015, the Silicon Trust Program organized an expert forum on the topic of Mobile ID and related services. The year 2015 marks the 15th anniversary of the Silicon Trust Program, which started the millennium by educating the technology industry and governments throughout the world on the use of silicon-based security and biometrics.
Fifteen years on, the world has changed remarkably. Secure identification in the digital and hyper-connected world – and the technologies associated with ID security – is no longer just the domain of the public sector. Mobile handset manufacturers (OEMs), for example, invested in biometric technology to secure mobile access as one would in a rough diamond. Companies like Samsung Electronics and Apple polished up the technology in terms of usability; they cut it, and what sparkles like a 2-carat engagement ring at the end of the process is convenience and a unique customer experience. Another example is the use of contactless cards. The payment sector has made massive progress with, and a success of, contactless technologies in many parts of the world, with a reader infrastructure that is now ready to take on mobile usage. So where does that leave governments? What roles do the private and the public sector play when it comes to ID and the security and commercialization of personal attributes and/or credentials? At the 2015 Mobile ID Forum, the Silicon Trust invited international stakeholders across the value chain to present their visions, solutions and technologies.
The Forum kicked off with a presentation from Andrea Servida, Head of the eIDAS Task Force at the European Commission (see photo above). The presentation on the EU policy on electronic identification and trust services stressed the relevance of the eIDAS Regulation to strengthening the EU Single Market and the Digital Agenda of the EC by boosting trust and convenience in secure and seamless cross-border electronic transactions. Key to this are the mutual recognition of e-identification means, technical neutrality, and interoperability and cooperation between the 28 member states. The EU differentiates its regulation from private sector digital identification initiatives as trust building and empowering by turning personal data into a private asset rather than a digital currency.
Representing the payment industry, Visa Europe’s Can Bayindir stressed in his presentation that consumers will ultimately drive adoption and that success will be built on existing infrastructures. This, as pointed out by the session’s expert moderator Marc Sel, PwC Brussels, puts Visa in a good position to tackle the topic of how to ID and enroll existing customers on new channels and how to use their digital ID across multiple channels.
The GSMA joined the Silicon Trust Forum with an introduction to the MNOs’ answer to the topic of Mobile ID: Mobile Connect. In her presentation, Claire Maslen identified online privacy and security as the biggest threat to sustainable digital growth. The reliance on username and password, she told the audience, leads to abandoned log-ins and shopping carts, online fraud and, as a consequence, high data costs. The solution, called Mobile Connect, is a two-factor authentication approach, using the inherent security of the mobile device thanks to secure embedded hardware and a PIN. Mobile Connect was presented as an operator service for secure authentication and identification – a convenient alternative to passwords to protect the consumer’s privacy.
But payment providers and MNOs are not the only ones that have a plan when it comes to the authentication of users in a secure manner. The FIDO Alliance has rapidly expanded since it was formed in the summer of 2012 as an industry program, with PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio as the founding companies. The three private sector initiatives are not stand-alone though, with Visa Inc. being a board member of the FIDO Alliance and the GSMA working closely with the FIDO Alliance to align FIDO and Mobile Connect. Dr. Kim Nguyen, Managing Director of the German trust center D-Trust, spoke at the Mobile ID Forum about adding identification to authentication and the usage of certificates on a FIDO token. He stressed that typically, there is no interaction between the world of authentication and identification. Authentication systems are typically proprietary, relying on usernames/passwords, AppleID or tokens, whereas governmental eID identification solutions are set up on the basis of an officially verified ID. With the FIDO standard, these two worlds can be bridged, bringing advantages for users and relying parties. One popular reference, which is based on the FIDO approach, is Google Chrome. For Nguyen, the solution is the token, which is FIDO and PKI enabled. And with a nod to the Forum’s keynote speaker, Andrea Servida, he pointed out that such a FIDO token is, in fact, eIDAS ready.
Next up were two examples of national business cases – based on very different technologies. Anne Marie Pellerin presented the rather successful US Mobile Passport solution by Airside Mobile. Ms. Pellerin, a security expert with past employers such as the Department of Homeland Security and the U.S. Transportation Security Administration, generated a lot of interest with her use case of using the mobile through an app as a digital credential for a border control process in the US. As the company’s next steps include the extension of use beyond US and Canadian passports, the largely European audience (EU Member States in the Visa Waiver Program) engaged in an interesting debate afterwards. The app is a pointer system to a central database and the traveler can be identified without a passport. This program is voluntary, needs pre-registration and works only in the US. In this case the passenger needs the travel document for border control procedures outside of the US.
As a nice transition to country presentations in the second session, Dr. Detlef Hühnlein, Head of the German publicly funded SkIDentity project, pointed out that most European countries have some form of national ID, yet only two Member States make use of the existing infrastructure to implement Mobile ID solutions. Hühnlein put forward the idea of a generic eID Mobilizer and introduced the delegates to the award-winning SkIDentity concept, which enables eID and Strong Authentication in the (trusted) cloud and proposes a Mobile eID as a Service approach.
The International Mobile ID implementation session, moderated by Gemalto’s Eric Billiardt, focused on three countries: Germany, Austria and Estonia. Germany, represented by the Ministry of the Interior’s Achim Hildebrandt, was quite frank – and humorous – about the convenient amnesia of the private sector in the debate about developing useful applications for the German National ID card. Back in the early 2000s, he told the audience, the big roundtable, made up of industry representatives across the board, was full of promises of the wonderful use cases for a secure eID token, such as a contactless ID card. Now that the card is rolled out to over 40 million citizens, with an optional eID functionality, all paid for by the state, nobody remembers that enthusiasm, stated Hildebrandt in his presentation.
One of the lessons learnt in Germany is that the communication between an NFC-enabled phone and the contactless eID card is having some technical issues. Neighboring country Austria sent Herbert Leitold of the A-SIT Secure Information Technology Center to take the delegates through the Austrian system, which has successfully rolled out eID cards (named eCard) as well as Mobile eID with the Secure Element “in the Cloud”. Interestingly, according to Leitold, Austrian citizens clearly prefer the mobile option, with activation being 15 times higher than, for example, activation of the health smart card. For Austria, the next steps forward are how to make best use of the new smartphone generations in terms of device binding and support. Estonia, of course, is the poster boy for innovative eID usage in Europe. Of 1.3 million Estonians, there are more than 550000 active ID-card users and more than 48000 mobile-ID users. With 12 million transactions being made each month, it is interesting that of that 25 transactions are done by eID card users and 38 by Mobile-ID users.
The Estonian mobile ID solution, Tarvi Martens of the SK Trust Centre explained, needs no special software combined with a special SIM-Card and works on any handset. The fact that more than 300 services use the Mobile-ID offer explains the high usage. So, is there still room for innovation? Yes, according to Martens, the next step for Estonia is to introduce a Digi-ID with NFC. The Digi-ID card would work as an ID-card but also with an NFC-enabled phone and would also be available to e-Residency holders.
The 2015 Mobile ID Forum concluded with informal “unconference” sessions, where delegates grouped together to work on specific questions around the topic of Mobile ID. In terms of attendance, it was a great turnout with 85 delegates registered to attend the Mobile ID Forum. Some of the delegates switched between the Mobile ID Forum and the parallel Open Standards Forum. In the breaks and during the Networking Lunch, all speakers and attendees engaged in lively discussions. No doubt, the market will move fast in the next 12 months when, once again, the Silicon Trust will invite its network to meet and discuss.