Mobile ID – digital identity at work
Over recent years, mobile identity (mID) has proved an increasingly popular choice with citizens, thanks to its convenience, ergonomics, and high security level.
The rapid adoption of m-Government services in countries that have chosen to focus on mobile communication devices has demonstrated the appeal of this secure and trusted method of identification.
Some visionary countries have leaped mobile ID or mID by creating a mechanism using an eID component for accessing online services via mobile devices.
Pioneers include countrieswith a strong market penetration of cell phones and new technology, such as Austria, Estonia, Finland, Norway, and Turkey.
Mobile ID projects are sometimes driven by the need for a universal form of identification (Austria 2003), or Estonia in 2007, to supplement a national card program and accelerate electronic identity and digital signature development.
In 2014, Oman was the first country in the Middle East to complement its national electronic ID card with a mobile ID scheme.
As a highly trusted channel between citizens and service providers, mobile ID extends its use from egovernment into other online areas such as banking and payment.
"1984" did not happen.
Contrary to the vision of novelist George Orwell in "1984", national eID schemes have shown that managing citizen IDs can protect civil liberties, identity, and social interactions in a state of law.
Electronic records on individual citizens are available upon their owner's request in many European countries with a national eID scheme.
As former President of Estonia Toomas Hendrik Ilves puts it: "You own your own data, so you have the right to access it any time."
When introducing its national eID in Belgium, the government offered citizens an application to know who has accessed their data.
And of course, the key to accessing this online app is the national eID card. Each citizen can consult their personal file in the national data register to see a record of when government officials have accessed their data and for what reason.
It's an excellent example of how transparency and traceability in every transaction between governments and citizens can help protect privacy and strengthen trust.
Read more on transparency and traceability in the following Thales white paper on eGov 2.0.
We’re seeing the emergence of a global consensus on privacy protection, explicitly incorporating biometric data, as illustrated in particular by the regulations known as the General Data Protection Regulation put in place in Europe and the UK in May 2018.
The California Consumer Privacy Act (CCPA), implemented as of 1 January 2020, is also a significant step toward privacy rights and consumer protection. It may serve as a guide for several other US states. It's been further enhanced with the CPRA (Californa Privacy Rights Act). It will take effect on 1 January 2023.
New York State, Colorado and Virginia now stand beside California. Utah may follow soon.
However, the United States does not have a single framework that covers the privacy of all types of data.
On the road to the virtual driver's license
So when will we have a digital driver's license on our mobile phone?
Well, sooner than you may think. Here is why.
Today you can already do a lot with a smartphone. And the trend for on-phone payment, loyalty, or travel applications may yet bring the driver's license to your mobile.
While a driver's licenseprimarily confirms the identity and driving rights, a virtual driver's license, also called a mobile driver's license or digital driver's license, potentially brings many more benefits and opportunities for issuers, regulatory authorities,and particularly drivers.
The traditional driver's license is an essential proof of ID (identity and age) checked by enforcement agencies, retailers, and financial institutions alike. A mobile driver's license would provide an on-screen version of the traditional photo and driver information and more.
A highly secure mobile application has more robust counterfeiting characteristics, enables driver data to be updated instantly, and facilitates real-time communication, opening the way to new business models using a trusted and secure channel.
Though the mobile driver's license still has some distance to travel before becoming a complement or replacement to the plastic license we are used to, there's an interest in other countries like Australia, Brasil, and the UK also looking into this option.
To learn more about digital driver's license initiatives,visit our dedicated webdossier.
Several US states have launched pilots to explore the user convenience, privacy, security, and interoperability of mobile driver licenses.
In July-August 2017, ColoradoandMaryland initiated digital driver's licenselive pilots. Feedback collected like this one is highly motivating.
"I have people all the time trying to show me a picture of their license on their mobile phonewhen they don’t have their physical one, which is illegal. This solutionhits on that need for mobility but is an actual ID with underlying security and information to guarantee it is genuine. That’s key.”SPECIAL INVESTIGATIONS OFFICER, COLORADO GAMING COMMISSION - JULY 2017
Florida plans to issue its mobile driver's license soon. (October 2020.)
From eID to national identity schemes
Digital identity management is at the heart of the Internet economy as a critical enabler for trust and innovation. Many countries are now putting in place the framework of their national identity scheme.
This architecture helps define the state's roles, such as regulator or issuer of digital identities (or neither), responsibilities in organizing data, applications, infrastructure, and the underlying principles and operating methods of the digital identity ecosystem as a federated identity management infrastructure.
This can cover everything from how digital identities authenticate users or verify data linked to the services and detail the scheme's identity types and trust levels.
Currently, different approaches are being pursued:
- from a state-led role in issuing digital identities and structuring services, as seen in Estoniaor the United Arab Emirates,
- to the more decentralized system with the GermanID card project,
- An identity ecosystem developed through a partnership between public and private sectors, as in Sweden.
Certain nations largely delegate the provision of identity solutions to the market and, therefore, the private sector: this is the case in the United Kingdom which said no to a UK ID card in 2010 by yes to a national identification scheme known as UK Verify launched in 2016.
UK ID card scheme scrapped
The UK has so far remained opposed to the very concept of compulsory identification credentials for citizens.
Although the UK does not have a national identity system, the Kingdom is home to a large amount of activity in digital ID development.
In 2006, an attempt -known as the Identity Cards Act 2006- by the then Labour government was to be introduced. It soon floundered in the face of wide-ranging criticism and protest.
When a new Conservative-led coalition took over power in 2010, scrapping the plan was high on its list of priorities.
Back in 2006, the government encountered criticism because it included privacy, human rights, and security concerns.
But the failure of the 2006 project also needs to be seen in the context of a government that had been in power for several years.
Popularity was waning, and it was vulnerable to well-organized opposition from other parties and hostile media.
Let's be clear.
Much of the protest was focused on the idea of a National Identity Register (holding up to 50 different pieces of information on each citizen) rather than the card itself.
Some public resentment was also down to the simple fact that people faced paying up to £60 for the privilege of acquiring one.
Some of the fundamentals around which UK Verify has been built go a long way to addressing these issues.
UK Verify is born into a different world.
In the space of ten years, the environment has changed dramatically. In 2006, the government cited the need to combat illegal immigration, terrorism,and welfareand identityfraud as compelling reasons to introduce an ID scheme.
A decade later, all these issues have moved higher up the public agenda.
For example, even back in 2014, 41% of all fraud was identity fraud.
And 84% of all identity fraud was committed online.
In 2019, identity fraud cases in the UKreached 223,163.
As a result, there is far greater acceptance of the need for tighter security in general and identity protection in particular.
The frequency with which citizens must resort to a driving license or passport to prove their identity increases, perhaps reinforcing the case for something designed specifically for that purpose.
Just as significantly, with the rapid adoption of a host of mobile and online services, secure authentication of one form or another has become part and parcel of everyday life.
The result is Verify: a single legally recognized means of online authentication that is designed to unlock the door to a new era of eGovernment in the UK.
Dodging the "Big Brother" label – Verify's federated ecosystem (2013-2023)
To avoid accusations of a 'Big Brother' approach, the GDS has created a federated ecosystem.
The government regulates the online ID scheme but is adequately powered by a range of private sector certifying companies.
End users enrolling with the Verify scheme choose one of these companies to certify their identity and are asked to provide documentation to confirm who they are. Typically this might include a passport or driving license and bank details.
The certifying company then makes the necessary checks, and, if successful, a Verify account is created.
This account can then be used as a sole means of access to all digital government services – anywhere; the Gov.UK Verify logo is shown. The whole process is entirely free of charge for end-users.
According to formerPM Theresa May, in April 2019, the system has saved UK taxpayers more than £300m, but she admitted UK Verify is a challenging project.
In April 2020, the Treasury gave Gov.UK Verify additional 18-month funding.
The universal credit applications (financial support) brought a surge of hundreds of thousands of new users.
According to Computer Weekly, as of October 2020, 6.7m of digital identities have been created by Verify.
The UK "One Login for Government" scheme
In 2022-2023, The government will start to implement a new digital identity assurance system for all Gov.UK services. The so-called "One Login for Government" program, will allow users to create a government account to access services online, or through a mobile app that is being developed with Deloitte.
This new initiative represents a shift in the government’s approach.
GOV.UK Verify will, however, continue to run until April 2023. The Cabinet Office will pay £11m a year to keep it working as major private partners began to pull off from the system.
The case of the US national ID
The case of theUS citizen ID is somewhat similar.There is no national ID card in the USA stricto sensu.
- Today, the Social Security Card can be used to verify identity on certain occasions: employment, obtaining a passport, a driver's license, or at the bank to get credit.
- The driver's license in the United States is also a de facto ID document and can be used in many states to buy firearms, open a bank account, or travel on domestic flights.
- Citizens not having a driver's license can get a State ID, issued at the state level and used for identification purposes such as banking, etc.
- Of course, the US government passport and passport card are official IDs, as is the military CAC card.
Real ID Act ( March 2022 update)
A federal initiative known as the REAL ID Act, passed by Congress in 2005 and modernized recently, established minimum security standards for state-issued driver's licenses and identification cards and prohibits Federal agencies from accepting for official purposes licenses and identification cards from states that do not meet these standards.
Identification needed for air travel in 2023
Yes, you read that right. It's been delayed one more year.
The US Department of Homeland Security (DHS) hadinitially been requested that starting 22 January 2018, passengers with a driver's license issued by a state still not compliant with the REAL ID Act would need to show an alternative form of identification (such as a passport) for domestic air travel.
Nine states had non-valid DL (Kentucky, Maine, Minnesota, Missouri, Montana, Oklahoma, Pennsylvania, South Carolina, and Washington). They have been granted an extension.
The real ID deadline has been, however, delayed several times.
The REALID deadline is now set for3 May 2023because of the pandemic.
On 28 December 2020, Congress has passed the REALID Modernization Act. It modernizes the 2005 REAL ID requirements.
According to CNBC, Real ID will be the requiredform of state identification needed to board a plane or enter a federal facility.
The USA and the NSTIC federal initiative
The (US) National Strategy for Trusted Identities in Cyberspace hadexplored a more global system of interoperable identity service providers (public and private), giving individuals the choice of secure credential/s using various mobile phone options to smart cards and computers.
TheNIST Digital Identity Guidelinesare formerly known as NIST SP 800-63-3. NIST published the official editionin June 2017. In particular, these recommendations could help improve national identity, credentials, and access management.
The bad news?
The initiative launched by the Obama administration never gained momentum as no service providers adopted the framework.
The country clearly lacks a comprehensive digital ID strategy, as CSOonlinestated (17 September 2020.)
According to US Congressman Bill Foster's website, the Digital Identity Act of 2021is urgently needed (US Congress HR4258.)
He explains that the country's old identity systems have not transitioned well to the new digital ecosystems – generating friction in commerce, boosting fraud and theft, degrading privacy, and crippling many services online.
The case of the Swiss national Identity scheme: no to a private operator
On 7 March 2021, voters in Switzerland said «no» to a planned law governing a potential electronic identity system.
64.4% of voters rejected the project of a digital identity verification system licensed and supervised by the State but managed by private companies.
According to SWI (swissinfo.ch), voters made it clear that they want an eID only provided by the government and under democratic supervision.
The state should take full responsibility, and eID is not contested.
A solution will be found with a new proposal.
Australia and New Zealand initiatives
- New Zealand's legislation for a Digital Identity Trust Framework will be drafted this year. It has been introduced to parliament on 29 September 2021. Identity providers will then be accredited.
- Australiadecided to delay launching an enhanced version ofmyGovID and include facial verification capabilities in 2020. The scheme is now available. 4 million digital identities have been created as of October 2021. 82,000 use facial recognition. My GovID and myGov (online government services) are now linked up.
- Learn from ou webinar:Mobile ID in the 21st Century ( 6 October 2020)
- EU to develop a robust electronic ID scheme
- What's next? EU's plan for a digital ID wallet