SURFconext Strong Authentication (SCSA) allows users to obtain a second-factor authentication token that provides additional identity assurance on top of their institutional username-and-password account. To obtain a second-factor token, users have to identify themselves physically at a registration desk. This identity vetting process works well for users who work in the institution's buildings: they can easily go to the registration desk and identify themselves. For users who do not work in those buildings, however, obtaining a strong authentication token in this manner is problematic because it requires considerable travel, and for Dutch and foreign users working abroad it is almost impossible. Moreover, setting up a registration desk comes with costs: employees have to be available to identify users, they have to be trained to perform the identification properly and to judge the authenticity of the identity document shown, evidence has to be archived, and so on. If the number of users that require a strong authentication solution is limited, the costs of setting this up are not justified by the benefits. Finally, the current registration desk process does not scale to short-term bulk enrolment of large numbers of users. For these types of use cases, i.e. remote Dutch and foreign users, a limited number of users, and bulk enrolment, several alternative remote vetting solutions were assessed.
The main goal was to gather and assess possible solutions for remote/online vetting as part of SCSA. Remote vetting could imply online vetting, but other forms of remote vetting are also in scope.
The following assessment criteria for remote vetting were identified:
- Easy to use by the user: if the user experiences inconveniences during remote vetting he may cancel the process.
- Easy to organize by the institution: it must be easy for the institution to enroll, deploy, initiate, or arrange a remote vetting solution.
- Limited impact on current SCSA service: how easily can the remote vetting solution be integrated with the current SCSA service, what needs to be adapted technically or organisationally by SURFnet, and is this a one-off (e.g. software improvement) or continuous (e.g. audit process) effort?
- Straight-through processing: the possibility to vet the user's identity in a fully automated manner without human intervention. More automation means shorter vetting lead times and a better user experience. It is also more efficient and produces fewer errors (e.g. typing errors when entering personal information).
- Sufficient penetration rate: as many potential target users as possible must be able to go through a remote vetting process. Certain user groups may not be able to execute the remote vetting process because they lack certain functionality that is required for remote vetting (e.g. they use a smart phone without NFC or do not have a Dutch bank card).
- Sufficient level of authentication assurance: the outcome of the remote vetting must provide sufficient assurance in the identity of the user (which in turn provides a higher authentication level of assurance). The SCSA service works at ISO 29115 levels 2 and 3 depending on the authentication means (these levels roughly correspond to eIDAS Low and Substantial).
- Costs: the costs of the solution are reasonable, with a particular focus on the vetting costs per user.
- Controllability/auditability: the ability to control the remote vetting process in such a way that it is implemented by all institutions in an unambiguous manner including the ability to audit the process for accountability purposes.
- Future proof & maturity: is the solution future proof, and does it have a sufficient level of maturity?
The following long-list of nine remote/online vetting solutions was established, based on desk research, interviews and a workshop with stakeholders:
- Physically at the door;
- Live video chat;
- Mobile app with picture of identity document and selfie for biometric identification against the identity document photo on the picture;
- Mobile app with NFC technology for reading the chip of the identity document and selfie for biometric identification against the identity document photo on the chip;
- Derived identity from strong authentication by banks;
- Derived identity from strong authentication by national eID solutions via eIDAS;
- Central registration desk for physical identification;
- Reuse of existing registration desks at other organizations like municipalities, banks, Chamber of Commerce, Certification Authorities or other education and research institutions;
- Community-based vetting, i.e. let other users do the vetting.
Assessment against criteria and use cases
Via a scorecard, the various solutions for remote vetting were assessed against the criteria (see table below).