Masterclass Digital Identities: eIDAS, eID Stelsel and more


This is a recap of the Masterclass Digital identities: overview and developments in the Netherlands and Europe that took place on 16th December. This masterclass was initiated by the IDnext platform and organized in close collaboration with InnoValor.

Staying close to our academic roots, InnoValor regularly provides training for our clients. We labelled this InnoValor Classroom and typically do this in-house for our clients or as guest lecturers at universities. However, we decided to try something new: an open-enrolment Masterclass on digital identities together with the IDnext platform. As expected, we had a more diverse audience, which we liked since it resulted in interesting discussions between the attendees. In this blog post we will share some of the highlights of the topics we covered.

Firstly, we covered the basics of trustworthy digital identities. In cyberspace, it is paramount that users can be reliably identified to prevent abuse and privacy breaches. But when we are talking about trustworthy digital identification, we are really talking about two inherent processes: authentication, or how you prove who you are (e.g., with a password), and registration, or how that authentication credential was entrusted to you and how the information about you was verified. This registration process often gets too little attention in discussions on digital identities. Authentication factors are categorized as something you know (e.g., a password), something you have (e.g., a token) or something you are (e.g., biometrics such as fingerprints). A possible fourth factor is the context of the authentication, i.e., the conditions under which the authentication takes place, which can be used to secure the identification process. For example, if you generally log on from the same IP address in the Netherlands and suddenly log on from an IP address originating in Russia, something fishy might be going on. Another solution that uses context as an authentication factor is to use your smartphone for authentication. Since you always carry it with you, it doesn’t require extra hardware costs and provides a second channel for communication and authentication. Think of a one-time password via text message or an authentication app.
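To make the context factor concrete, here is an added example (not code from the masterclass or from InnoValor) of a login policy that keeps a per-user baseline of login countries and forces a step-up to a second factor whenever an attempt comes from a country outside that baseline. The IP-to-country table is a constructed stub standing in for a real geolocation lookup.

```python
"""Context as an authentication factor: a login from a country the user has not
logged in from before is not rejected outright but forced through a second
factor (step-up). Added illustration; GEO_STUB is a constructed table."""
from collections import defaultdict

# Constructed IP-prefix -> country table (stand-in for a GeoIP database).
GEO_STUB = {"145.": "NL", "83.": "NL", "5.": "RU", "212.": "RU", "8.": "US"}


def country_for_ip(ip: str) -> str:
    for prefix, country in GEO_STUB.items():
        if ip.startswith(prefix):
            return country
    return "??"  # unknown location never matches a baseline, so it triggers step-up


class ContextAwareLogin:
    """Tracks, per user, the countries of successful logins and decides
    whether a new attempt may pass on the password alone."""

    def __init__(self, min_history: int = 3):
        self.min_history = min_history      # logins needed before the baseline counts
        self.countries = defaultdict(list)  # user -> countries of past successful logins

    def decide(self, user: str, ip: str, password_ok: bool, second_factor_ok: bool) -> str:
        """Return 'deny', 'step_up' or 'allow' for one login attempt."""
        if not password_ok:
            return "deny"
        country = country_for_ip(ip)
        history = self.countries[user]
        # A country is 'familiar' only once a baseline exists and it appears in it;
        # until then every login is built on a second factor, so the baseline itself
        # is made from strongly authenticated sessions.
        familiar = len(history) >= self.min_history and country in history
        if not familiar and not second_factor_ok:
            # Context deviates from habit: demand e.g. a one-time code on the phone.
            return "step_up"
        history.append(country)  # a successful login extends the baseline
        return "allow"
```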

We also covered the trade-offs that are inherent to digital identities. Authentication assurance may be evaluated as a cost-benefit analysis, but the impact on reputation and ethics should be considered as well. For example, identity theft can have a severe negative impact on someone’s life, which is difficult to express in any monetary amount. Moreover, authentication is a trade-off between usability and security, but also involves privacy and costs. One way to reduce expenses is by reusing electronic identities: using login details obtained from a single authentication provider for multiple online services. This is easy and cost-effective, but does imply risks to security and privacy. Possible authentication providers are those with a large customer base; social giants such as Facebook and Google are the usual suspects. Outside of identification, these social login providers have the benefit of enabling service integration with social media. The ‘but’ lies mainly with a dependence on (largely American) corporations and the relatively low level of identity assurance offered.

We also covered standards to quantify the trustworthiness of identities, i.e., the level of assurance. Identity solutions are commonly scored on a scale of 1 to 4. Several frameworks are available to calculate such a score, such as ISO 29115. Our colleague Bob Hulsebosch was involved in the development of the now widely used STORK framework to determine levels of assurance. We discussed and compared these and other frameworks.

After we covered the basics, we moved on to recent developments in digital identities, which was the meat of the Masterclass. Of particular interest are the developments in the Netherlands to strengthen DigiD. Despite its success (over 100 million logins in 2013), DigiD in its current form is relatively insecure, so the government is working on a successor: the eID Framework NL. In the meantime, a short-term solution is to fortify DigiD using Remote Document Authentication (RDA). The idea is to read the chip in a government-issued document, e.g., your passport or driver’s license, as a second (step-up) factor during authentication. During the Masterclass, Maarten demonstrated the Android InnoValor NFC app that can be used for this purpose.

Online authentication between organizations and government is currently done through eHerkenning (‘eRecognition’), a public-private trust framework for digital identities. It is expected that eHerkenning and the new DigiD will evolve into the aforementioned new Dutch eID Framework (in Dutch: eID Stelsel NL). This trust framework is currently being developed and will cater to public and private authentication providers that can be used to log in at public and private service providers. The eID Framework is still being defined; especially with respect to the business model and privacy, debate is ongoing. One example is whether or not to use polymorphic pseudo-IDs, which roughly translate as anonymous, encrypted identities that are unique to every online service and carry only the personal information that service needs. And there’s more: the European Union also wants a single cross-border digital identity. This is instated in the EU Electronic Identification and Trust Services (eIDAS) regulation. This isn’t easy, given the heterogeneity of national electronic identity solutions in Europe. Finally, the European Commission is deciding on new privacy regulation that would entail considerable regulatory changes, such as higher fines for negligence, dedicated privacy officers in large organizations and the civil ‘right to be forgotten’.

During the Masterclass, there was time for a group discussion to translate theory into practice. How do you check if someone is legally allowed to purchase alcohol in online transactions (age verification)? Or how do you reliably grant patients access to their electronic health records? These cases showed how difficult the reality of digital identities truly is. Developments in this field are rapidly progressing, and 2015 promises to be an exciting year. We hope that you will follow these developments with as much fascination and interest as we do. If you’re interested in one of our open trainings, or want to organize an educational event at your organization, feel free to contact us to discuss the possibilities.
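The per-service pseudonyms mentioned above and the age-verification case from the group discussion can be illustrated together. The following added example (not code from the masterclass, InnoValor or the eID Stelsel) uses an HMAC-based derivation as a simplified stand-in for polymorphic pseudonyms, not the actual eID Stelsel scheme: an authority gives the same person an unlinkable identifier per service and releases only the attributes that service is entitled to, so a drinks webshop learns "over 18" rather than a birthdate. All names, keys and attributes are constructed.

```python
"""Per-service pseudonyms with minimal attribute release.
Added illustration: a keyed hash stands in for the polymorphic pseudonym
scheme of the Dutch eID Framework; it is NOT that scheme. Sample data is constructed."""
import base64
import hashlib
import hmac
from datetime import date


class PseudonymAuthority:
    def __init__(self, master_key: bytes, people: dict, service_policy: dict):
        self._key = master_key         # secret of the authority; never shared with services
        self._people = people          # person_id -> verified attributes from registration
        self._policy = service_policy  # service_id -> attributes that service may receive

    def pseudonym(self, person_id: str, service_id: str) -> str:
        """Keyed hash over (person, service): stable for one service, unrelated
        across services, so two services cannot join their records on it."""
        msg = person_id.encode() + b"\x00" + service_id.encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode()

    def assertion(self, person_id: str, service_id: str, today: date) -> dict:
        """Identity assertion with the per-service pseudonym plus only the
        attributes this service is allowed; derived claims replace raw data."""
        person = self._people[person_id]
        allowed = self._policy.get(service_id, set())
        claims = {"sub": self.pseudonym(person_id, service_id)}
        if "over_18" in allowed:
            born = person["birthdate"]
            # Age in whole years; the birthdate itself is never released.
            age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
            claims["over_18"] = age >= 18
        if "name" in allowed:
            claims["name"] = person["name"]
        return claims


# Constructed sample data: one registered person and two service policies.
PEOPLE = {"person-0001": {"name": "A. Jansen", "birthdate": date(2000, 3, 15)}}
POLICY = {"webshop-drinks": {"over_18"}, "hospital-portal": {"name"}}
AUTHORITY = PseudonymAuthority(b"constructed-master-key", PEOPLE, POLICY)
```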

By Arnout van Velzen and Maarten Wegdam. This article also appeared in the IDnext newsletter.
