Government ID as Universal Mobile Identity
April 12, 2016 - How are legacy or political willingness affecting the pace of modernizing government identity programs?
When it comes to modernizing their government identity programs, not all countries are moving at the same pace. Neighboring or culturally close countries can have wildly different solutions deployed.
We will explore how legacy or political willingness are affecting this pace of modernization, and why democracies are not necessarily leading the pack.
When you look at my own country, France, a convenience-driven issuance process has led to the following paradox: to obtain the most secure identity document (the passport), you need to provide one of the least secure ones (the birth certificate).
It is noteworthy that France also has a National ID card, which is more difficult to counterfeit, but it’s the birth certificate, with its retro typewriter style, that is the most important document you can hold. A local government internet service will mail you copies for free, as long as you can provide your full name and date of birth, alongside your parents’; altogether, information that is relatively easy to obtain.
In such a scenario, the burden of avoiding identity fraud is mainly assumed by the issuing entity, which spends considerable effort verifying the validity of the request, with mixed results. A report submitted to the French Ministry of Interior in 2011 suggested that breeder fraud could account for several percent of the biometric passports in circulation [ref1].
This scenario occurs in many other countries, sometimes with dramatic consequences. The 19 hijackers responsible for the September 2001 attacks took advantage of the inefficiencies in the US ID system to achieve their nefarious goal. Some of the states involved in delivering valid driver's licenses to the hijackers have since launched modernization programs involving more thorough background checks and more secure documents, albeit using technology from the previous battle (embossing, hologram, magnetic stripe …); but it’s a start.
In Europe, UL is currently involved in initiatives such as the Origins project [ref2], whose underlying idea is to fill the gaps in the issuance of breeder documents, such as the birth certificate, and restore confidence in the application process and issuance of e-passports.
So how come the main identification document obtained from your bank (say, your debit card) has such a technological edge over the official identification document you used to open your account?
“The answer is obvious,” you would say, “It’s the cost!” We would argue that the way incentives are set is more relevant than the cost itself.
Deploying a full-scale digital identification solution is complex and costly; that much is evident. And the bigger and less centralized the country is, the higher the cost. It should then not be a surprise to see a country such as the US among the bad students. In addition, large infrastructure modernization projects are never politically popular. As with diet or money management, people tend to favor glamorous short-term solutions rather than sane, long-term, incrementally improving solutions. In other words, for the younger audience: it’s more rewarding to read tweets than books.
As a result, the good students in the digital identity field are often countries smaller in size, and with a different political leadership.
Are the United Arab Emirates the most dynamic identity market in the world?
We will develop the example of the United Arab Emirates, where the federal digital identity program, the Emirates ID, has become an integral part of day-to-day life.
Launched in 2004, the Emirates ID program mandates every resident (citizen or expatriate) to have a digital identity in the form of a dual-interface smart card hosting:
• PKI certificates
• Public and signed content data (Name, Nationality, Date of Birth, picture …)
• PIN and Biometrics (fingerprint, palm print, iris).
A back-end service hosted by the Emirates Identity Authority (EIDA) allows this information to be verified on demand.
Opening a bank account suddenly becomes a much safer and cheaper operation; the authenticity and validity of the identification document can be verified automatically and on the spot, sparing the cost and time required to process a paper trail.
This process has already been made mandatory in certain parts of the economy, in order to reduce the risk associated with identity fraud. Every mobile operator vending desk is equipped with a card reader provided by the Emirates Identity Authority, mandating the same instant verification before opening a new line. Building on this mandate, Etisalat, one of the mobile operators, is trialing a vending machine that uses the Emirates ID and the cardholder's biometrics to open a new line in a fully automated fashion.
We talk a lot about the Supply side of the equation; what about the Demand side?
We argued that the high cost and the political risks involved mean that governmental ID solutions for the population are often behind other industries. However, the public often shows concern about the risk of identity fraud. This is particularly vivid in the United States, where identity fraud regularly tops the list of perceived risks (69%), scoring higher than the perceived risk of a terrorist attack (27%) [ref3].
There are usually good reasons for that; as opposed to payment fraud, where the risk is mostly assumed by a financial institution, the cost of identity fraud is directly assumed by the victims. Any individual victim of such fraud will invariably recall the ordeal they went through to clear their name, often up to many years after the first fraud, and with very unpleasant consequences: time and effort, banishment from the institutions targeted by the fraudster(s), etc.
Here we touch the heart of the issue behind identity fraud, or why losing your ID card is much more important than losing your credit card or a stack of banknotes. As opposed to a one-time loss, identity fraud is often recurrent and compounded over time. Your identity, once “collected”, is sold to one or multiple parties. Each of those parties can then use it for something without any direct consequences to you, but quite often, the identity ends up being used for financial gain, typically by opening credit lines, phone lines, etc. And once an institution has detected the fraud, the fraudster can carry on with the next institution, lengthening the individual ordeal.
You can probably see the whole weakest link metaphor all over again. Deploying the best technical solution to secure border-crossing, airline boarding or payment transaction is not going to help if the initial document required to obtain all of it is insecure.
But more than just ‘fixing the weak link’, providing a Universal digital ID solution immediately benefits the whole ecosystem, both public and private sector. It starts a self-feeding improvement loop where services are less costly to operate and easier to use, leading to higher service adoption, new services, etc.
What is the role of the Mobile device in this digital identity evolution?
In a country having already deployed a wide digital identity solution, such as the UAE, the transition to Mobile Identity feels like a logical next step. The population is already familiar with using an electronic format and the Mobile can add convenience on top of security, like the proverbial cherry on the cake.
In a country relying on printed cards, Mobile Identity can seem like the solution that would justify the significant investment required to upgrade, and maybe leapfrog the physical ID card altogether.
As mentioned earlier, cost and political will are often the barriers to evolution, rather than a lack of benefits brought to a document used only sparsely.
The ‘Mobile Revolution’ is an opportunity to bring public and private services to your pocket, with a mix of convenience and new risks. Suddenly, a Government Identity operated on a Mobile device can be used more frequently, and feed on the virtuous reinforcing loop we discussed earlier.
Why won’t I subscribe to new banking services from my Mobile device, secured by a government-issued Identity factor and biometrics? Why won’t I secure the application for my French passport by using a mobile-powered multi-factor authentication rather than providing weak personal information (e.g. my parents’ full names …)?
Isn’t that the TSM story all over again?
Many challenges arise when it comes to deploying strong authentication Identity projects on mobile, not unlike the ones faced by Mobile Payment solutions: the technical ecosystem is patchy, threatening adoption, and the benefits are unclear at first.
But if we observe in detail the two main issues that Mobile Payment solutions were really facing, the outcome might be quite different for Mobile Identity:
- Can Mobile increase usage of digital form factors?
This can be debated from one market to another when it comes to payment, but there is no conclusive case where Mobile Payment resulted in a wide, significant increase, boosting direct revenues for the issuer.
A Mobile Identity solution, as an enabler to other Mobile Services rather than a service itself, is very likely to increase in use, providing lower risk and on-boarding costs to service providers (including payment service issuers).
- What are the benefits for the acceptance side, often liable for a large part of the costs?
In the case of Mobile Identity though, in particular when it comes to government-issued Identity, the acceptance side is centralized, making costs easier to manage. The benefits are then easy to enumerate:
- Potential new revenue stream from the private sector
- Better control over the population register
- Reduced law enforcement costs
- Safer / More convenient society
The last remaining challenge is related to distribution: how to get the proper equipment and identity credentials into the hands of the public? In a country such as the UAE, this is likely to shadow the natural renewal process of the mobile equipment and the identity document. Over a period of 5 years, a large part of the population would have renewed its equipment.
The last puzzle piece: the digital signature
It’s difficult to mention automating authentication processes without talking about the signature. More often than not a “wet signature” is the only legal way to provide authentication and non-repudiation of a transaction.
The concept of signature is one of the modern world's oddities: a technology without major improvement since its inception. Sumerian records dated around 3100 BC show the earliest known examples of signature [ref4]: a distinct set of strokes from a stylus on a clay tablet, ensuring its authenticity.
The support may have moved to ink and paper, but the process to create and verify a signature hasn’t changed.
The situation is quite similar to the cases of identification and authentication; a number of private and public parties could immediately benefit from automating signature creation and verification (e.g. banks maintaining teams that look at signatures and compare them to the ones on file).
The technical setup is hardly more complicated than the one required to operate an mPKI solution. Put simply: if you can authenticate on a Mobile device, you can sign. Digital signature solutions already exist, including in the public sector (e.g. tax document signature). But the main barrier to adopting such solutions seems to be rooted in our habits and, by extension, in the legal framework regulating these usages. A scribble on a contract or on a payment receipt is both convenient to produce and easy to visualize, but we all understand it doesn’t bring more security today than fifty centuries ago.
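The claim that authenticating and signing are the same operation can be shown in a few lines: both are a private-key signature, over a server challenge in one case and over a document digest in the other. This is an added example, not code from the article or from any mPKI product; Ed25519 from the Go standard library, the function names and the purpose labels are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Hypothetical purpose labels: a login signature must never verify as a document signature.
const labelAuth, labelSign = "mobile-id/auth/v1:", "mobile-id/sign/v1:"

// NewDeviceKey stands in for the key pair held in the handset's secure hardware.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func Digest(doc []byte) []byte { d := sha256.Sum256(doc); return d[:] }
func tagged(label string, payload []byte) []byte { return append([]byte(label), payload...) }

// Authenticate signs a challenge chosen by the relying party.
func Authenticate(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, tagged(labelAuth, challenge))
}

// SignDocument is the same operation applied to the document digest.
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, tagged(labelSign, Digest(doc)))
}

func VerifyAuth(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, tagged(labelAuth, challenge), sig)
}

func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, tagged(labelSign, Digest(doc)), sig)
}

func main() {
	pub, priv := NewDeviceKey()
	nonce := []byte("constructed-nonce-01") // real challenges are random and single-use
	doc := []byte("constructed sample: I agree to open account 0001")
	fmt.Println("login verifies:", VerifyAuth(pub, nonce, Authenticate(priv, nonce)))
	fmt.Println("contract verifies:", VerifyDocument(pub, doc, SignDocument(priv, doc)))
	fmt.Println("cross-use verifies:", VerifyDocument(pub, doc, Authenticate(priv, Digest(doc))))
}
```

The last line prints `false`: a document digest presented as a login challenge does not produce a signature that verifies over the document.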