By Adam Ross and Benjamin Drisch, cryptovision.
eID Documents have a high security level and are under full control of the government, however realizing practical real world use of these documents is difficult and typically requires specialized hardware readers in a PC environment. The trend for mobility and BYOD is driving the need for different use cases that utilize the eID as a trust anchor – such as deriving credentials from the eID or tokenizing certain aspects of the document as a companion to the document. These strategies are limited in scope, and not as secure as the eID itself, offering the security of a software certificate, which can be copied or duplicated.
Could mobile devices ever be used as a replacement for an eID? Using an embedded secure element, enhanced SIM, or secure micro SD card in a phone or tablet could provide a security equivalent of a sovereign eID document, but how are these SE’s provisioned? Who controls these aspects, the chip manufacturer, the device hardware manufacturer, the MNO, the application developer? Because there is no clear trend, the market is fragmented, creating a need for specialist solutions for each implementation.
National governments around the world are shifting their focus from traditional security printed documents to issuing highly secure electronic identity cards. Currently, the number of countries issuing smart eID cards exceeds the number of issuers of traditional paper documents by nearly 4 to 1. While the typical aim of these governments is to increase the security of the document with a chip, the inclusion of these chips also enables a number of diverse uses, for example digital signing or two-factor authentication. However, these use cases typically require specialized card readers and middleware software to be used in PC environments.
Just as there is an overwhelming increase in the number of eID cards being issued, there is perhaps an even larger growth in the number of mobile and tablet devices that are used by billions of people worldwide. The computing environment is no longer bound to wired workplaces or WiFi networks in homes. It now extends to everywhere mobile devices can travel and this convenience is driving a demand for extending the usage of eID documents to new mobile platforms. By making the use of an eID convenient on personal devices that citizens carry with them practically every- where, governments hope to encourage the usage of these documents by the cardholders or commercial services.
One such strategy for bridging the gap between using an eID and the need for mobility was adopted in Estonia, with the Mobil- ID product. This service allows for an eID cardholder to use their mobile phone as an additional form of secure electronic ID to access government e-services, strong authentication to commer- cial websites, and sign documents digitally without the need for a card reader. It is even possible to electronically vote on the Internet via the phone’s web browser. The Mobile-ID software process requires equipping the mobile phone with a specially enhanced SIM card, one with an additional secure element for storage of the digital certificates and key material from the citizen’s eID card.
This strategy of using the eID card as a trust anchor for replicating the same identity on another device, is commonly referred to as derived credentials. These derived credentials, enable more efficient and effective authentication, while still ensuring the security and integrity of mobile device information access. The combination of assured digital identity security, with a new degree of convenience, is sure to drive many new use cases and potentially reshape the way governments offer and deliver eGovernment services to their citizens.
One of the key concerns of using derived credentials on a mobile device, is how to effectively store the digital certificates and private keys that are derived from the eID. Since the use of derived credentials is relatively new, it is still very much of a “wild West” environment, where there is no simple answer. There are techniques that could involve using an embedded secure element, enhanced SIM, or secure micro SD card in a phone to provide a security equivalent of a sovereign eID document, but how are these secure elements provisioned? Who controls these aspects – The chip manufacturer, the device hardware manufacturer, the mobile network operator, the application developer, or perhaps the document issuer? Because there is no clear trend, the market has fragmented, creating a need for specialist solutions for each implementation.
It is clear that mobile phones will never completely replace eIDs, especially since they still need to function as an ID document for visual inspection, so there is a real need for special solutions that allow mobile application developers to bridge the gap between an eID and mobile device. Mobile application developers typically have no experience or understanding of the security features of an eID document; there are very few applications using them. However, eID experts like cryptovision can deliver a comfortable programming interface that allows application developers to interface with the documents programmatically in a simple and familiar fashion. This enables mobility trends that improve the convenience of using eIDs, while still preserving identity security.