By Steve Warne, HID Global.
Everyone now looks upon the ‘mobile lifestyle’ as completely normal. For instance, for a recent London conference visit I booked my train tickets and parking, and then had them delivered to my smartphone. I checked in to my hotel via my smartphone. I took a call and read emails on my smartphone. All very normal. The whole process of leaving my home, getting into London and checking into the hotel was all facilitated via my smartphone. I couldn’t operate without it anymore. And I am not alone.
There was a survey done recently by the Boston Consulting Group for their Consumer Impact Survey (FIG 1) that asked the question, “What are people prepared to give up to keep their mobile device?” The answers were illuminating, ranging from dining out to having a pet to going on vacation — all the way to having sex and giving up 20 percent of their salary. In my mind, some of these things are crazy to give up, but at the same time, it is very indicative of the impact mobile technology is having on people’s lives today.
In the U.S., users value their mobile phone so much that they are willing to spend 11 percent of their income to maintain their mobile status. In other parts of the world this percentage is even greater. For instance, in South Korea, mobile spend is 12 percent of income and in Germany, it is 13 percent of users’ income. In emerging countries, it is even more jaw-dropping with Brazilians spending 20 percent of their income on mobile phones; in China, up to 43 percent; and in India, 45 percent. It’s clear that this is indicative of a trend that is continuing to both move forward and increase in value for those who regularly use mobile technology. (FIG 2)
What does this mean for ID documents?
Consider the evolution of ID documents from paper to the secure printing of plastic documents and later including a chip, converting them to smart cards. Given this progression, it is hardly surprising that Governments are evaluating ways to migrate a citizen’s identity onto a mobile phone in ways that are most convenient for citizens, yet cost-efficient for the agencies issuing the IDs. For example, Australia and New Zealand recently announced a bilateral agreement allowing citizens of either nation to use a mobile token to visit each other’s countries. Estonia is exploring how to integrate mobile IDs into its existing eID infrastructure to expand its Government-to-citizen services within its borders. Finally, in the U.S., there is an active request for proposal (RFP) in process to enable the provision of mobile driver’s licenses to citizens of a particular state, and 12 others are in the process of passing laws that would allow the use of mobile driver’s licenses within their state.
Whether we like it or not – this is a trend that is happening in some form in many countries today, as governments and relevant authorities look to move ID cards onto users’ mobile phones.
HID Global is at the forefront of this trend, recently introducing its HID goIDTM technology engine for mobile identity solutions. Our goID platform enables a government-issued credential to be authenticated, both online and offline on a smartphone, which is unique, enabling a user’s smartphone to become a secure government-to-citizen ID.
It is important to note that HID believes that mobile IDs will be complimentary to physical ID documents for quite some time to come. While we see many elements moving quickly onto the mobile, we do not believe that ID will make a similar leap in such a short time period, due to the many standards (ICAO, for instance) that must be discussed, developed and then ratified.
Not only that, citizens are just more comfortable having some- thing physical in their hand that represents their identity document. Therefore, HID Global expects that this transition from the physical world to the mobile world, when discussing identification, will take some time. However, this is not a bad thing. When looking at the technology involved in smart cards or other smart devices containing chips, it could be complimentary to the mobile solution and add value to a particular mobile application. As we have talked to customers in the market about our goID solution, we have learned that some users actually would like to have some- thing that not only issues a mobile ID, but also issues a physical ID at the same time.
In Africa, for example, some citizens highly value the physical ID card as a token of their citizenship. So while it is convenient for them to have access to their ID on a smartphone, citizens also want a physical token or representation of their citizenship.
Physical and Mobile IDs Can Co-exist
The physical and mobile ID “worlds” are already co-existing. The Irish Passport Card is an example of an ICAO-compliant document that allows travel across borders in the European Union, that can be applied for using a mobile phone. Irish citizens can apply for their passport card by:
- Downloading the passport card app on their phone.
- Entering their personal information.
- Taking a selfie with their mobile phone.
- The applicant pays the passport card fee via mobile.
- After confirmation that the information submitted (including the selfie) matches the applicant’s data on file, the passport card is sent to the citizen via post.
Global banks are also allowing customers to order credit cards and other products by simply submitting a selfie for verification purposes. We will continue to see new and different applications of physical IDs converging with mobile applications in the months ahead, including but not limited to mobile driver’s licenses.
What can prevent an identity project from being successful is often not the documents themselves, but the infrastructure required to read them or the expense in distributing them. If this is the case, then how about using your smartphone as a single reader, that can read both physical and mobile IDs? In so doing, the citizen has a choice in what they want to use – a mobile or a physical ID or both – while the issuing authority can implement a cost-effective and widely available reader. From our perspective, there is no reason why both physical and mobile IDs can’t co-exist.
One of the elements that we built into our goID roadmap is the use of a second level of authentication, such as a physical card or a key fob in someone’s pocket. Multi-factor authentication (MFA) is particularly important to protect and manage verification devices. If you were a verifier using a mobile phone to authenticate a mobile driver’s license, there needs to be a way of managing who has access to that verification device. MFA ensures that if the device were to fall into the wrong hands, an unauthorized person would not have access to the central database.
Another use for secondary authentication could be for the visual identification of a mobile driver’s license or other identity document. In today’s technologically advanced world, there is no way to tell if a photo on a smartphone is authentic or if it’s been retouched. This is a real issue in the case of verifying the holder of a driver’s license or other credential. With a secondary authentication factor, you could potentially introduce a second security feature to the image that only appears in the presence of that second authentication factor, such as a graphic that appears in the photo image on the driver’s license (similar to security printing holograms). This allows another level of verification, proving that what is being shown is the genuine credential. Multi-factor authentication works for all sorts of applications both online and offline, such as allowing access to an individual’s health records or vehicle registration information.
The Secure Element
To be able to issue a virtual ID to a secure element on the citizen’s device (either SIM or embedded Secure Element), the issuance agency must integrate either with a mobile network operator (MNO – issues the SIM) or the handset manufacturer (OEM – issues the handset and embedded Secure Element), as they are in control of the keys that allow the loading of the virtual ID applet onto the respective secure element. The keys then perform the subsequent personalization of the virtual ID (sending the citizen specific data elements, picture and authentication keys).
This means potentially integrating with most of the MNOs in a specific country. Alternatively, the issuing agency could integrate with what the industry calls a Trusted Service Manager (TSM) that would work directly with the MNO on their behalf.
Both options are heavy in integration and carry a considerable cost to the issuing agency. Additionally, this makes it very impractical for temporary virtual IDs for citizens that are in roaming mode or where it is almost impossible to quickly determine the MNO they are using.
Another consideration here is that the Secure Element is currently accessible via NFC, so an external virtual ID reader could easily interact with the virtual ID applet on the citizen’s smart- phone. This interface is not available on the Apple® iOS platform and their popular iPhone® devices. For the Apple ecosystem, it would be necessary to use Bluetooth® Low Energy (BLE) proximity technology, which unfortunately is currently not standardized.
There are efforts to close this standardization gap on-going in the GlobalPlatform organization.
Despite the above limitations, there are merits to having a Secure Element, and new technologies like goID are complementary to such hardware-based security.
Mobile IDs are coming – whether we like it or not. Consequently, as an industry, we have three possible strategies to manage this transition:
- We can put our heads in the sand.
- We can try to crush the oncoming technology.
- We can “Keep Calm…and Embrace Mobile.”
The first two options are unrealistic. Perhaps the sound strategy is the third option – and it’s the only one that will really work in the long run.