SURFconext Strong Authentication (SCSA) allows users to obtain a second factor authentication token that provides additional identity assurance on top of their institutional username and password based account. In order to obtain a second factor token, users have to identify themselves in person at a registration desk. This identity vetting process works fine for users that work at the institutional buildings; they can easily go to the registration desk and identify themselves. However, for users that do not work at the institutional buildings, getting a strong authentication token in this manner is problematic as it requires a lot of travelling. For Dutch and foreign users that work abroad it is almost impossible to get a token. Moreover, setting up a registration desk comes with costs: employees have to be available to identify the user, they have to be trained to do the identification properly and to know how to determine the authenticity of the shown identity document, evidence has to be archived, etc. If the number of users that require a strong authentication solution is limited, the costs of setting this up are not justified by the benefits. Finally, the current registration desk process does not scale for short term bulk enrolment of large numbers of users. For these types of use cases, i.e., remote Dutch and foreign users, a limited number of users, and bulk enrolment, several alternative remote vetting solutions were assessed.

Goal

The main goal was to gather and assess possible solutions for remote/online vetting as part of SCSA. Remote vetting could imply online vetting, but other forms of remote vetting are also in scope.

Assessment criteria

The following assessment criteria for remote vetting were identified:

  1. Easy to use by the user: if the user experiences inconveniences during remote vetting he may cancel the process.
  2. Easy to organize by the institution: it must be easy for the institution to enroll, deploy, initiate, or arrange a remote vetting solution.
  3. Limited impact on current SCSA service: how easily can the remote vetting solution be integrated with the current SCSA service, what needs to be adapted technically or organisationally by SURFnet, and is it a one-off (e.g. software improvement) or continuous (e.g. audit process) effort?
  4. Straight-through processing: the possibility to vet the user’s identity in a fully automated manner without human intervention. More automation means shorter vetting lead times and improves the user experience. It also provides more efficiency and fewer errors (e.g. due to typing errors when entering personal information).
  5. Sufficient penetration rate: as many potential target users as possible must be able to go through a remote vetting process. Certain user groups may not be able to execute the remote vetting process because they lack certain functionality that is required for remote vetting (e.g. they use a smart phone without NFC or do not have a Dutch bank card).
  6. Sufficient level of authentication assurance: the outcome of the remote vetting must provide sufficient assurance in the identity of the user (which in turn will provide a higher authentication level of assurance). The SCSA service works at ISO29115 levels 2 and 3 depending on the authentication means (these levels roughly correspond to eIDAS Low and Substantial).
  7. Costs: the costs of the solution are reasonable, with a particular focus on the vetting costs per user.
  8. Controllability/auditability: the ability to control the remote vetting process in such a way that it is implemented by all institutions in an unambiguous manner including the ability to audit the process for accountability purposes.
  9. Future proof & maturity: Is the solution future proof and does it have a sufficient maturity level?

Solutions

The following long-list of nine remote/online vetting solutions was established, based on desktop study, interviews and a workshop with stakeholders:

  1. Physically at the door;
  2. Live video chat;
  3. Mobile app with picture of identity document and selfie for biometric identification against the identity document photo on the picture;
  4. Mobile app with NFC technology for reading the chip of the identity document and selfie for biometric identification against the identity document photo on the chip;
  5. Derived identity from strong authentication by banks;
  6. Derived identity from strong authentication by national eID solutions via eIDAS;
  7. Central registration desk for physical identification;
  8. Reuse of existing registration desks at other organizations like municipalities, banks, Chamber of Commerce, Certification Authorities or other education and research institutions;
  9. Community-based vetting, i.e. let other users do the vetting.

Assessment against criteria and use cases

Via a scorecard, the various solutions for remote vetting were assessed against the criteria (see table below).

[Figure: scorecard of the remote vetting solutions against the assessment criteria (Remote-vetting-EN.gif)]

The outcome of the assessment is that solutions based on derived authentication and mobile apps score best. For derived authentication, bank authentication is the best choice as it offers a high national penetration level. As a remote vetting solution, however, bank authentication struggles to achieve a sufficient assurance level since it is more susceptible to man-in-the-browser attacks. Consequently, compensating measures are required to achieve ISO29115 level 3 or eIDAS Substantial. Moreover, mapping bank accounts to institutional accounts may be challenging since the bank’s authentication assertion only provides initials and not full names. Looking at the mobile app solutions, the NFC-based app offers more assurance and efficiency than an optical-based app. However, the limited coverage of NFC-enabled mobile phones is a drawback (iOS devices currently do not support NFC). Because of the relatively large number of actions required, it is recommended to guide the user well through the whole vetting process to prevent them from dropping out.

The identified typical use cases add several additional requirements to the solutions: users may be limited in number but work at the institution’s premises, they may be remote (abroad or not working at institutional premises), or they may need to be enrolled within a short period of time. For remote Dutch and foreign users that work abroad, and for large numbers of users, any form of physical vetting is problematic. For foreign users, the bank authentication derived identity solutions are also less suitable. The eIDAS solution could work for European citizens but is still too immature and lacks coverage. Video-based solutions score well for all user groups, but scale less well for bulk scenarios. The mobile app based vetting solutions are to be preferred as these best facilitate all use cases.

Conclusions and recommendations

There is no single best solution; therefore a combination of remote identity vetting solutions is needed to cater for the various use cases, serve all users, and provide fall-back options. It is recommended to extend the SCSA service with bank authentication functionality as the primary remote identity vetting solution and to develop a mobile NFC-based app for the vetting of users that do not have a Dutch bank account or are unwilling to use their personal bank account. Proofs of concept will be developed in 2018.

For more information please contact Bob Hulsebosch.