By Steve Warne, HID Global.
In a world where many of our daily tasks and authentication needs are migrating to mobile applications, the number of physical ID cards distributed by governments continues to grow, despite the emergence of new convenient mobile identity solutions. So why are ID documents still predominantly physical cards? Will this change soon? Will mobile ID adoption see the replacement of physical cards?
Global events such as war, terrorism, refugee relocation, economic migration and political change are driving the need for better identification of individuals. Governments are naturally considering how to securely identify individuals that live and work within their country or cross their borders for work, leisure or migratory purposes.
The instinctive reaction is to deploy physical identity cards that are well established and, in many places, widely accepted by the population. These cards are protected by physical security features, combinations of which, make them difficult to forge, particularly if these features can be further enhanced by personalisation.
For increased protection, many countries have deployed electronic identity cards (eIDs) containing additional security in the embedded chip. These credentials can be used to access governmental services via the chip. In countries like Estonia, it is now commonplace for citizens to identify themselves on Government websites or in Government offices using eIDs.
The challenge for physical identity schemes is how to verify document authenticity. Most cards are verified visually in either official or commercial use. The person verifying the card must be trained in the type and positioning of various card security features. Since only government officials generally have such knowledge, these cards have been a target of fraud in commercial applications. They are either forged or the fraudsters produce “pass-off” copies that resemble the genuine documents but aren’t exact replicas. Where eID credentials have been issued, projects often do not realise their full potential due to the cost and complexity of delivering an electronic reader infrastructure that supports all document verification use cases.
Digitisation helps to overcome some of these issues and enhance privacy security and convenience for citizens, while use of third-party verification devices can reduce the need for specialised training when authenticating someone’s identification. In fact, new technologies enable identity credentials to be enrolled, provisioned and used on mobile devices. Credentials are securely delivered to citizens’ mobile phones, where they can be presented in a way that does not compromise security or privacy. This approach also gives citizens greater control over what identification information they share, in person or remotely, including over the telephone, on websites, or when accessing other digital services. For instance, they need not divulge their name, address or any other identifying information except age to a cashier when purchasing age-restricted goods.
Mobile credentials also lower deployment barriers by eliminating the need to create a reader infrastructure. In many cases, the mobile credential can be verified by another mobile device over a Bluetooth® Low Energy (BLE®) or near-field communication (NFC) connection. This verification process may also take place in an on-line or off-line scenario, with the BLE connection providing additional functionality for verifying at distances up to 30 metres.
As the real benefits of digital IDs are discovered, governments will adapt their single-purpose use into a multi-service model where a variety of functions are enabled through a single device. However, the advent of mobile credentials should not be considered the end for physical documents. Identity and travel documents are defined by numerous standards that ensure commonality of authentication and encryption approaches, and they do not yet exist for digital credentials. It could be several years before these standards are completed and mobile credentials are widely accepted as IDs or proof of privilege. Additionally, the functionality and security of mobile identity relies on the use of smartphones, which are not universally carried by citizens and the distribution of which varies greatly across demographics.
With these challenges to the adoption of mobile identity, there is a need to bridge the gap between the physical credentials of today and the mobile credentials of the future. New solutions need to evolve which will allow the issuance of a physical or mobile credential, or both, from a single source. These credentials then need to be efficiently authenticated via a single verification infrastructure. Ideally, this infrastructure will be low cost and easily distributed, such as an app on a mobile phone or a simple, low-cost hardware device.
Even when mobile IDs are widely accepted, there is a good case for their co-existence with physical credentials in the long term, primarily to increase security and trust. The physical document could be used as the “trust anchor” for the enrolment of a citizen to a mobile scheme. For example, a multi-factor authentication strategy would then require both a physical and mobile credential to access a secure government website or an individual’s health records.
Governments are looking at new approaches to enhance citizen identity schemes. Physical ID cards will continue to be widely used as the primary source of identity documentation – at least for now. At the same time, the use of mobile citizen ID credentials is gathering pace as Governments seek to improve convenience and communication with their citizens. Smart solutions to enable the smooth transition to mobile enabled credentials need to be developed which respect the requirements of citizens and governments, while still delivering a high degree of security and trust