Embracing mobile identity for eGovernment - Trends in electronic identification May 2020 - European ...

Page created by Emma Hudson
 
May 2020

Trends in electronic identification

Embracing mobile identity
for eGovernment
CEF eID SMO
Version 1.0
This study was carried out for the European Commission by Deloitte.

Authors: Marie Eichholtzer

Icon first page : Icons made by Freepik from https://www.flaticon.com/

Internal identification

Framework Contract DI/07624 - ABC IV Lot 3

ABC IV-000123-6000184687-REQ-01
CONTENTS

The digital transformation of Government services

Government identity going mobile

              Making smartcard-based eID compatible with mobile devices

              Using mobile devices as identification means

              Using mobile devices as a generator of digital identity

Accessing eGovernment services at your fingertips

              Benefits of mobile first strategy

              Recommendations for improving the mobile experience of cross-border authentication

Conclusion

01 THE DIGITAL TRANSFORMATION OF GOVERNMENT SERVICES

The digital revolution is driving the transformation of our economy and society. In this new highly competitive market, businesses have focussed on user-centric approaches to capture the time and attention of customers. Products and services are designed to provide tailored and positive experiences. In parallel, the use of mobile devices (smartphones and tablets) to achieve improved connectivity has quickly risen in popularity, with adoption levels now having reached a plateau in most developed markets.[1]

Customers are also citizens. They now expect a similar personalised customer experience from public services as from private services.

Governments must adapt to these new expectations. Failure to provide user-friendly and mobile solutions will result in losing the majority of public service users.

The nature of public services, based on general interest rather than profit, makes it difficult for them to keep up with market innovations and standards in order to deliver a smooth and tailored experience to their citizens.

In the last decade, governments have therefore focussed on how to improve the experience of public services. Their first efforts focussed on the digitalisation of public services, providing the possibility for citizens to complete a series of administrative procedures digitally. Yet these services were developed and maintained by siloed departments.

The next step was the creation of eGovernment platforms, gathering all relevant public services on a single website. Behind this one-stop shop, however, the complexity and lack of complementarity between services remained.

Today, governments focus on user-centric journeys for citizens in order to offer tailored services and remove any frustration linked to the lack of communication between government services.

Digital identity is a key asset to enhance user experience. It allows public services to remotely authenticate citizens in a secure way. Most importantly, it allows public services to offer more seamless and more personalised services to citizens and improve the automated exchange of information between different administrations.

[1] Deloitte, Deloitte Global Mobile Consumer Survey 2019, https://www2.deloitte.com/us/en/insights/industry/telecommunications/global-mobile-consumer-survey.html

European governments have been developing electronic
identification solutions (eID) to facilitate access to their
eGovernment website, at the national level and in a cross-
border context.

The first eIDs developed by governments in Europe were
based on smartcard solutions. Citizens were given the
possibility to use their national eID card to access
eGovernment services. These cards required the use of a
card reader and therefore applications were mainly
developed for desktop.

The world is now becoming mobile, and in response
governments have started to explore mobile digital identity
and ‘mobile-first strategies’. eID solutions need to be
conceived to work as well on mobile devices as on desktop
computers, rather than being adapted for mobile use a
posteriori. Whereas the concept of ‘digital by default’
already provides a benchmark for the development of
more inclusive services, the concept of ‘mobile first’
represents the next evolution of digital public services.

In the following chapters, we will explore the key trends in
terms of mobile identity and how it impacts governments’
strategies in designing and delivering public services. This
includes identifying and discussing the main pain points
that users may encounter when accessing online services
via their mobile identity.

02 GOVERNMENT IDENTITY GOING MOBILE

There is no such thing as “mobile identity”. Today’s expectation is for citizens to be able to manage their identity from their mobile device. A wide array of electronic identification solutions exists: some mobile by design, others seeking greater compatibility with mobile devices in order to secure a smooth user experience for citizens.

More and more EU Member States are deciding to launch mobile by default strategies, including for electronic identification. Yet some Member States face challenges due to legacy systems developed during the early ages of eGovernment and must therefore find tweaks to make their solutions more compatible with mobile devices. This is especially the case of Member States that have deployed electronic identification cards based on smartcard solutions.

In the following sections, we will see what have been the latest trends in Europe in order to enable citizens to manage their digital identity from their mobile device. The use of mobile phones as a second authentication factor (e.g. to receive one-time passwords) is therefore not covered in this analysis.

Making smartcard-based eID compatible with mobile devices

Over the course of the 20th century, governments started providing identification means to their citizens. The creation of the welfare state required better control of the state over the potential beneficiaries of the newly created public services. Today, all EU Member States issue national ID cards to their nationals with the exception of Denmark, Ireland, and the United Kingdom.

With the emergence of the information society, Member States progressively upgraded their paper-based ID documents into smartcards. Electronic certificates have been added to the chips in the cards in order to enable their owners to authenticate remotely for online public services. Electronic signature certificates may also be integrated.

Most of these smartcards started to be issued before the mobile revolution. Online public services were designed for desktop-based sessions, where an external card reader could be plugged into the computer in case the latter was not already equipped with the necessary reader.

Today, 18 EU Member States[2] issue smartcards with a chip.

[2] Austria, Belgium, Croatia, Czech Republic, Estonia, Finland, Germany, Hungary, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Slovakia, Spain

The fact that an ID document is equipped with a chip does not necessarily mean that the eID can be used for eGovernment functions. Some countries may decide to only store biometric information on the holder, for example.

The real challenge for governments consists therefore in building mobile-friendly smartcards from components that were not initially designed with a mobile experience in mind.

NFC technology as a key enabler for mobile compatibility

The ability of governments to enable a smooth transition to a mobile strategy for their eID schemes is highly dependent on the technology choices that were made at the launch of the smartcard. Out of the 18 Member States that have issued electronic ID cards, only nine[3] have issued smartcards with Near-field communication (NFC) technology.

NFC technology allows access to the stored information on the smartcard through a contactless connection. While non-NFC enabled smartcards require the use of a card reader, NFC smartcards can be directly read by a compatible mobile device with an associated app.

Just a few years ago reserved to a handful of high-end and expensive devices, the NFC technology has quickly become a must-have for all the new devices introduced on the market. In 2019, the penetration rate of NFC enabled smartphones has reached 81% worldwide.[4] The success of contactless mobile payment has been a driving factor of change.

ID scanning finally available on iPhones

Member States have been able to develop strong mobile authentication solutions based on NFC-enabled national cards. Android phones offer open access to their NFC interface and provide key attestation functionality allowing governments to develop the use of mobile to access eGovernment services.

However, until recently, it was not possible for iPhone users to use their smartphone to read their NFC-enabled smartcards. Access to the NFC interface of Apple mobile devices was instead restricted to a handful of mobile applications such as Apple Pay.

This restriction adversely affected the uptake of mobile eGovernment solutions by iPhone users. With Apple mobile devices accounting for 28% of the European market in 2019,[5] the situation was limiting the possibility for governments to fully embrace mobile first strategies.

To remedy this situation, on 30 January 2019, the EU Member States called on Apple to open access to its NFC interface to support secure mobile use of electronic identification means.[6]

With the release of iOS 13 in September 2019, Apple finally allowed access to the NFC interface.[7] Apple smartphones can finally be used as readers for contactless smartcards.

[3] Estonia, Germany, Hungary, Italy, Luxembourg, Malta, Poland, Spain, Sweden (but not for eID functions)
[4] TechNavio, NFC Enabled Smartphones. Penetration Rate Worldwide Between 2014 And 2019, see: http://beta.evolita.com/explore/nfc-enabled-smartphones-penetration-rate-worldwide-between-2014-and-2019/5oqme/
[5] Statcounter, Mobile Vendor Market Share Europe, Dec 2018 - Dec 2019, see: https://gs.statcounter.com/vendor-market-share/mobile/europe
[6] eIDAS Cooperation network, Decision Of The Cooperation Network On The Need For Open Access To NFC Interface To Support Secure Mobile Use Of Electronic Identity Means, CN-2019-03, 30 January 2019, see: https://ec.europa.eu/cefdigital/wiki/x/PgEABg
[7] Apple, Core NFC framework, see: https://developer.apple.com/documentation/corenfc#overview

Figure 1 – Screenshots from AusweisApp2

Shortly after the release of the new iOS, Germany updated the AusweisApp2 app to enable iPhone users to read their national eID card and resident card with their smartphone in order to access eGovernment functions from their mobile device.[8]

EU regulation imposing contactless

A recent change in EU legislation will foster even greater roll-out of NFC-enabled smartcards by governments.

The EU Regulation 2019/1157 on strengthening the security of identity cards of Union citizens and of residence documents requires Member States to standardise the format of all ID cards in the ID-1 format, which is typically the size and shape of smartcard-based eID or payment cards.[9] Additionally, the identity cards will have to include a highly secure storage medium containing a facial image of the holder and two fingerprints. The regulation mandates that this information be available contactless.

By August 2021, EU Member States will have to start issuing new ID documents complying with this regulation. Identity cards not meeting those requirements will be progressively phased out until August 2031.

This is an opportunity. All existing smartcard solutions will have to be upgraded to enable contactless technology, while the remaining ten EU Member States with non-electronic documents will have to migrate to a smartcard-based solution for their national ID card.

Although the contactless availability requirement only applies to the biometric information, we can expect that several Member States will take this opportunity to apply it to e-government and e-business functions. Contactless reading of smartcards will support a smoother use of digital identity via mobile devices for their holders.

Making contact smartcards mobile friendly

Half of the Member States that issue national eID cards to their citizens don’t yet have NFC-enabled smartcards. For these countries, the challenge is to make the link between the secure identification provided by the eID card and a mobile device.

Using Bluetooth card readers

Contact smartcards require the use of a card reader. Although this requirement can be easily achieved by connecting a reader to a computer, the experience is less straightforward when a reader needs to be connected to a mobile device.

Most card readers use USB ports to connect to other devices and are not compatible with mobile operating systems. In order to read a contact smartcard, it is also possible to use a Bluetooth card reader to establish the connection with the smartphone.

However, this situation is not ideal as it requires the user to have the card reader with him/her. This does not provide a smooth experience for the user and limits the possibilities for using the smartcard when this was not planned for.

Additionally, the fact that a card reader can be associated to a mobile device does not necessarily mean that the user will be able to effectively use his or her digital identity if the associated application has not been specifically developed to make use of the digital identity on mobile.

This is nonetheless one approach being followed. Czech Republic currently has a contact smartcard. The Ministry of the Interior has developed a mobile app, called eObčanka,[10] which can be paired with a Bluetooth card reader to enable users to access eGovernment services from their phones.

Figure 2 – Screenshot of the CZ eObčanka mobile app

[8] Ausweisapp2, press release: ausweisapp2 for IOS now in the app store, see: https://www.ausweisapp.bund.de/newsdetail/?tx_news_pi1%5Bnews%5D=28&tx_news_pi1%5Bcontroller%5D=News&tx_news_pi1%5Baction%5D=detail&cHash=f502bdf15990d53a527e75d2476001cc
[9] Regulation (EU) 2019/1157 of the European Parliament and of the Council of 20 June 2019 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement, see: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32019R1157
[10] Google Play, eObčanka, https://play.google.com/store/apps/details?id=cz.mvcr.eobcanka&hl=en

Using mobile devices as identification means

Mobile devices have become a natural and favourite means to host identities. The use of smartphones has reached a complete market penetration, becoming the most popular entry to the digital world.

When talking about digital identity on mobile, one pictures a mobile app allowing citizens to authenticate to a service. However, not all mobile apps function in the same way and identity on mobile can take different forms.

Leveraging SIM-cards for secure identification

A subscriber identification module (SIM card) is a chip, and is therefore no different from the chips integrated in national identity cards. As such, the SIM card provided by a telecom operator along with a mobile device can be used to store electronic certificates enabling the users to identify and authenticate to eGovernment websites.

With Mobile PKI, secure operations are taking place within the tamper-resistant environment provided by a SIM card. Identification information is not exchanged via the internet but “travels through the SMS and back-end channels to the service provider and is verified by the operator”.[11] In order to infect the encrypted SMS message, an attacker would have to gain access to the mobile operator network on top of access to the user’s mobile device.

Estonia and Finland have introduced digital identity solutions based on SIM cards. The Estonian Mobiil-ID solution can be requested by the holders of an Estonian ID card or Estonian residence permit card from a telecom operator. The SIM card used for this solution is not a regular SIM card. It also includes a secure element on which sensitive information is stored. Identity information is derived from the eID card already in possession of the citizen and checked against the country’s identity database. A specific application, independent of the telecom operators, must be used in order to make use of the mobile identity to access eGovernment websites and applications.

In Finland, Mobile ID,[12] a collaboration between three telecom operators (DNA, Elisa and Telia), is gaining market share compared to the highly popular eBanking solutions in the country used for online authentication (including to eGovernment online services).

A consortium of Belgian banks and telecom operators draws on the secure technology[13] provided by SIM cards to create a secure mobile identity - “itsme®”. The solution has been recognised by the Belgian federal government, with a Royal Decree allowing the recognition of private eID solutions to promote innovation and reduce government costs. The application offers a mobile-friendly alternative to access online public services. The creation of an itsme® requires the possession of an eID card or resident card that users must use one time on the solution’s website to generate a 5-digit activation code.[14]

Figure 3 – Comparison between mobile application itsme® and smartcards[15]

As presented in the illustration above, a potential advantage of this type of solution is that it can be combined with biometric technology integrated to the device.

A disadvantage of such solutions is that governments remain dependent on the telecom operators, meaning that such solutions may be complex to implement and costly.

[11] Gemalto, When eID becomes Mobile for a whole nation, see: https://www.gemalto.com/brochures-site/download-site/Documents/gov_cs_finland_valimo.pdf
[12] Mobiilivarmenne, see: https://mobiilivarmenne.fi/eng/
[13] Note that the final scheme – FAS/ITSME – notified by the Belgium government under the eIDAS Regulation did not draw on the secure element technology, but relied on other measures to ensure a high level of security. The use of the secure element remains optional, in part because not all SIM-cards are able to support this function.
[14] Itsme, see: https://www.itsme.be/en/
[15] Tom van den Bosch, Itsme, Your Digital ID, see: https://www.slideshare.net/ChrisAdriaensen/itsme-your-digital-id

Using the secure computing environments within mobile devices

There are a number of different types of computing environments now incorporated within mobile devices that could also be used to enable secure mobile identification.[16] These environments allow the secure storage and use of cryptographic keys, and include:

- Secure Elements – a component soldered to the circuit board or within the system-on-chip that is isolated from other computing environments;
- Secure Enclaves – a type of secure element that is included within the same chip as the main processor. Apple now includes a Secure Enclave within its devices[17];
- Trusted Execution Environments (TEE) – an isolated software environment that is used to execute code securely. Android-based devices are equipped with TEEs[18].

These computing components are being drawn upon to enable new types of SIM cards that are themselves integrated within the mobile device:

- Embedded SIM (eSIM) – A SIM card containing a secure element that is embedded in the mobile device. Available in some Android phones since 2017[19];
- Integrated SIM (iSIM) – A SIM card that is embedded within the secure enclave of a mobile device.

The great advantage of these new types of SIM cards is that they enable users to download and use multiple profiles from different carriers over the air.[20] So, for example, a user could simultaneously have on their phone an account with Deutsche Telekom and Vodafone, or any other number of telecom operators, and easily switch between these providers.[21]

This functionality can also be turned to mobile identification, allowing users to download identity credentials from an identity manager.[22] These credentials (certificates and cryptographic keys) would be stored within the secure element or secure enclave, while the applications used for authentication and identification would draw on these credentials and use them within the Trusted Execution Environment.

[16] ENISA (2020), eIDAS compliant eID solutions
[17] Apple Support, see https://support.apple.com/guide/security/secure-enclave-overview-sec59b0b31ff/web
[18] ENISA (2020), eIDAS compliant eID solutions, see https://www.enisa.europa.eu/publications/eidas-compliant-eid-solutions
[19] The Verge (2017), Google’s Pixel 2 phones are the first to use built-in eSIM technology, see https://www.theverge.com/2017/10/4/16424740/google-pixel-2-xl-esim-technology-project-fi-first-ever
[20] 1OT blog, Differences between SIM types - which SIM to choose?, see https://1ot.mobi/resources/blog/differences-between-sim-types-which-sim-to-choose
[21] Mondato blog, eSim: Fresh paint for mobile, payments and identity? see https://blog.mondato.com/esim-fresh-paint/

Utilising server signing

Mobile identification solutions using server signing store key pairs and associated certificates in a hardware security module (HSM) of a trusted service provider.

Access to the key pairs and identity certificates is only granted to their owner. To do this, the user must authenticate using an identifier, password and an additional authentication factor in the form of a one-time password (obtained via an SMS or a push notification sent to a registered phone number).

Portugal is currently using a server-based mobile solution using a hardware security module (HSM) called Chave Móvel Digital.[23] In 2019, the monthly average number of authentications with this solution was slightly under 100K, preceding the 70K authentications performed with the national eID card (Cartão De Cidadão).[24]

The Danish NemID solution is based on a public key infrastructure. The user’s private keys are protected in an HSM in the NemID server. The user must use his or her password associated to a NemID key card or mobile app to access the private keys.

Software token

Alternatively, the private key and certificates can be stored in the operating system of the mobile device, protected by encryption. To access the saved keys, the user must use a password. As the storage of the keys is not done in a tamper-resistant environment, this solution is less safe than mobile eID solutions leveraging secure elements of a SIM card or mobile device.

Using mobile devices as a generator of digital identity

Mobile devices could revolutionise the domain of digital identity even further. Previous solutions all rely on the fact that the identity of the user is a given. Governments define and approve the identity of a person at a given time. This identity is then stored securely.

The ability of smartphones to keep track of typical user behaviour enables the definition of behavioural patterns that can be used as a dynamic identifier. Such behaviours include the unique print the user leaves when handling the smartphone and using its applications, such as finger pressure and swiping patterns on the touchscreen, typing speed, and customary way of holding the device.

By collecting data on the user’s travel and working habits, behavioural authentication can also apply geographical patterns, for example denying access to a user whose geographical profile does not correspond (e.g. the user is in
                                                                      a location that represents an outlier compared to the user’s
Figure 4 – Screenshot of the Chave Móvel Digital app                  usual profile). Behavioural solutions are already being used

22
   Mondato blog, eSim: Fresh paint for mobile, payments and identity? see https://blog.mondato.com/esim-fresh-paint/
23
   Autenticacao.gov, Chave Móvel Digital, see: https://www.autenticacao.gov.pt/a-chave-movel-digital
24
   Autenticacao.gov, Estatísticas, see: https://www.autenticacao.gov.pt/stats-cartao-cidadao

8
in the online banking and e-commerce industry, and are           the current technological state of the art. Moreover,
often used in combination with biometric solutions.              technological precision is required to keep the risks of ‘false
                                                                 positives’ to a minimum. The challenge is to be able to
The combined use of biometric and behavioural identifiers
                                                                 detect slight variations in human behavioural patterns
allows for the conception of mobile digital identity as a
                                                                 without linking them to an alleged risk of identity theft.
‘dynamic identity’ – an identity that is not merely grounded
                                                                 Another potential drawback is the acceptability of these
on static identifiers but on a set of parameters that are
                                                                 practices related to privacy concerns, as users may not
constantly monitored throughout the use of the device by
                                                                 wish for their behaviour and/or location to be constantly
the identity owner. The success of dynamic identities
                                                                 monitored. Strong safeguards may therefore be required to
depends on the potential of ‘continuous authentication’.
                                                                 ensure the confidentiality of their behavioural traits.
This concept depicts authentication as a process rather
than a one-off occurrence. In continuous authentication,
the starting and default status for users is not ‘logged out’,
but ‘logged in’. Instead of having to log in each time they
want to use a service, users remain logged in permanently
on their mobile device as long as the authentication
system detects that the device holder complies with the
biometric and behavioural patterns of the owner’s profile.
To measure compliance users are assigned a score. As
soon as the score drops below a certain threshold, the
system detects a potential risk of the holder not being the
identity owner, and asks him/her to authenticate through
traditional means (e.g. passwords, PIN codes, or biometrics)
and prove his/her identity.

The main advantages of behavioural authentication are,
first, that it builds on and improves the security and
reliability of biometric authentication means, as it is
grounded on constantly evolving data and identifiers,
which are difficult to steal or forge.

From a user perspective, continuous authentication
exempts users from actively authenticating each time on
a new session, as the device automatically maintains
access as long as the handler’s action on the device
complies with the risk parameters linked to the identity
owner’s profile.

Continuous authentication has also some drawbacks,
mainly due to technological readiness. Continuous
authentication can be reliable only if it manages to
constantly capture and analyse behavioural biometric data
through machine learning, which is still a challenge given

9
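The score-and-threshold loop described for continuous authentication can be sketched as follows. This is an added example, not code from the study or from any eID scheme it names; the profile values, the 0.6 threshold, the smoothing factor, the location penalty and every sample observation are constructed assumptions.

```python
import math
from dataclasses import dataclass

# Constructed owner profile: (mean, standard deviation) per behavioural feature.
PROFILE = {
    "key_interval_ms": (180.0, 25.0),   # typing speed
    "touch_pressure": (0.55, 0.08),     # normalised finger pressure
    "swipe_px_per_s": (900.0, 150.0),   # swiping pattern
}
USUAL_PLACES = [(38.72, -9.14), (38.76, -9.10)]  # constructed home / work points
PLACE_RADIUS_KM = 30.0


def km_between(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def match(sample, location):
    """Similarity in (0, 1] between one observation and the owner's profile."""
    z2 = [((sample[k] - mu) / sd) ** 2 for k, (mu, sd) in PROFILE.items()]
    similarity = math.exp(-0.5 * sum(z2) / len(z2))
    if min(km_between(location, p) for p in USUAL_PLACES) > PLACE_RADIUS_KM:
        similarity *= 0.5  # assumed penalty for a geographical outlier
    return similarity


@dataclass
class Session:
    threshold: float = 0.6
    alpha: float = 0.3        # weight given to the newest observation
    score: float = 1.0        # default status is 'logged in'
    state: str = "logged_in"

    def observe(self, sample, location):
        if self.state == "step_up_required":
            return self.state  # nothing is trusted until re-authentication
        # Exponential smoothing: one odd reading alone cannot cross the threshold.
        self.score = (1 - self.alpha) * self.score + self.alpha * match(sample, location)
        if self.score < self.threshold:
            self.state = "step_up_required"
        return self.state

    def step_up(self, credential_ok):
        """Outcome of the traditional check (password, PIN code or biometric)."""
        if credential_ok:
            self.score, self.state = 1.0, "logged_in"
        return self.state


# Constructed observations: (behavioural sample, (lat, lon)).
OWNER = ({"key_interval_ms": 190, "touch_pressure": 0.58, "swipe_px_per_s": 850},
         (38.73, -9.13))
ODD_MOMENT = ({"key_interval_ms": 260, "touch_pressure": 0.40, "swipe_px_per_s": 1300},
              (38.73, -9.13))   # the owner typing awkwardly, e.g. while walking
STRANGER = ({"key_interval_ms": 95, "touch_pressure": 0.85, "swipe_px_per_s": 1500},
            (48.85, 2.35))      # different handling, unusual location


def run(stream):
    """Feed observations to a fresh session; return the state after each one."""
    session = Session()
    return [session.observe(sample, loc) for sample, loc in stream], session


if __name__ == "__main__":
    print(run([OWNER] * 3 + [ODD_MOMENT] + [OWNER] * 3)[0])
    print(run([OWNER] * 3 + [STRANGER] * 3)[0])
```

The smoothing factor is the false-positive control: with `alpha` raised to 0.5 the single `ODD_MOMENT` reading would already force a step-up, while the lower value costs one extra observation before the stranger is challenged.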
03 ACCESSING EGOVERNMENT SERVICES AT YOUR FINGERTIPS

Governments are slowly but surely adopting mobile-first strategies to deliver eGovernment services. This approach consists in designing public services for mobile phones first before adapting the designs to computer based sessions. The concept of mGovernment is emerging as a label for this trend.

Mobile first strategy implies that citizens can use a mobile friendly solution in order to access online services. The objective is to develop mobile applications providing personalised journeys based on the needs of different groups of the population.

In November 2016, Malta was among the first countries to issue a “Mobile Government Strategy” to enable citizens and businesses to access public services on mobile devices at any time and from anywhere. 25 The strategy highlights eleven principles that provide the foundations for the creation of new mobile-first services.

Austria has been another leading country in promoting mGovernment and mobile identity. It has offered its mobile identification solution – the Mobile Phone Signature 26 – to citizens since 2009. It is also leading an effort to develop a “European Statement for m-Government”, which will be discussed during a 2020 high-level conference on mGovernment. 27

Although the trend of mGovernment has been developing for several years now, these examples of pro-active action remain rare. Governments and agencies have been slow to take a leap to make this radical transformation. Most public service websites are still not ready for mobile access.

Benefits of mobile first strategy

Adopting a mobile first strategy is not just a fashionable trend. It is a critical step for governments to take or risk becoming irrelevant and disconnected from their citizens. Mobile first strategy relies on the principle of empowering citizens as much as possible. Better designed services, tailored to the needs of their users, enable citizens to become more autonomous in their interactions with public administrations.

Key resulting advantages are:

• Cost reduction: More autonomous citizens imply fewer staff will be required to perform administrative tasks. Information runs more smoothly between different public services. Services are accessible 24/24, 7/7 and remotely, reducing the need to maintain physical locations for requesting services.

• Boosting productivity: if citizens are more autonomous and face-to-face interactions are reduced to a minimum, officers can concentrate on more complex tasks. The automation of low added value and repetitive activities also increases the satisfaction of administrative staff and can attract younger talent.

• Increased reach and citizen satisfaction: the digitalisation of services is often criticised for reducing the quality of services provided to citizens. On the contrary, more and more citizens find the need to physically visit an office in order to perform a procedure unbearable. Less advantaged populations also tend to prefer mobile interactions as they cannot always access computers. The greater the autonomy of citizens and the smoother the journey, the higher the satisfaction for the public services will be. If possible, citizens prefer not to be dependent on a clerk or an opening hour.

• More security: unlike for computers, security updates on mobile devices are often done automatically. It is therefore harder to exploit vulnerabilities both on the side of the citizens, and on the side of administrations. This is particularly relevant as damaging disruptions of public sector activities due to the lack of appropriate management of computer pools regularly make the headlines. 28

Figure 5 – Internet usage (MITA Mobile Government Strategy)

Recommendations for improving the mobile experience of cross-border authentication

EU Member States are currently supporting the uptake of electronic identification (eID) to enable secure and seamless electronic interactions between businesses, citizens and public authorities, within the context of the eIDAS Regulation (EU 910/2014). 29

The Regulation foresees that if an EU/EEA Member State offers an online public service to citizens/businesses for which access is granted based on an electronic identification scheme, then they must also recognise the notified eIDs 30 of other Member States.

In the context of national and cross-border authentication in Europe, a series of attention points can be highlighted to ensure a smooth user experience on mobile devices when accessing online services.

25 MITA, Mobile Government Strategy 2017-2018, see: https://publicservice.gov.mt/en/Documents/Mobile_Government_Strategy_2017-2018.pdf
26 See description of the Mobile Phone Signature at https://www.buergerkarte.at/en/
27 DigitalAustria.gv, https://www.digitalaustria.gv.at/eng/High-Level-Keynotes.html
28 The Telegraph, Cyber attack: NHS ordered to upgrade outdated systems as disruption continues, 15 May 2017, see: https://www.telegraph.co.uk/news/2017/05/15/cyber-attack-nhs-ordered-upgrade-outdated-systems-disruption/
29 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, see: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2014.257.01.0073.01.ENG
30 By notified eIDs, we mean all eID schemes that have completed the notification process. The notification process refers to the selection, peer review and official addition of national eID schemes to the eIDAS Network. Notification ensures that the eID schemes connected to the eIDAS Network satisfy the conditions of quality and security set out by the eIDAS Regulation.
Service providers’ websites must be responsive for mobile devices

Responsive design principles are key especially for solutions built to work on multiple devices. Responsive design requires websites to be set up in such a way as to enable the most efficient and readable display of information, regardless of the device. The content of a web page ‘responds’ to the screen size of the device used and displays the information accordingly.

Encourage service providers to develop mobile applications

Imagine being able to open an app on your smartphone and pay your taxes with one click, access the status of your benefits and their payment on an intuitive dashboard, notify the government of your change of status like you would edit a social media profile and snap a picture of the justification document. Although this seems like an inaccessible dream, these are nothing more than basic features of most commercial applications.

Governments should adopt strategies to support the development of dedicated apps for their public services rather than websites.

Adapt the authentication options to the user’s device

In case a user is browsing a mobile app and he is prompted for authentication, it is important for the country providing the identification means to take into account that the user is using a mobile device.

In case a Member State has both mobile and non-mobile friendly eID schemes available, it should avoid presenting authentication options that are not mobile-friendly to such users. The adaptation of the eID selection interface to the type of device that the citizen is using might be particularly needed for Member States that have implemented an eID gateway: a single page, which groups all authentication options available in the country.

In case no mobile-friendly authentication option is available, users should receive a message explaining that the service is only available from a computer.

This type of issue should be particularly taken into account in a cross-border context, where Member States may have different levels of maturity in terms of mobile strategy.

Develop a mobile-friendly country selector for eIDAS

The eIDAS regulation enables citizens to access online public services from a foreign country thanks to their national eID scheme, providing that it has been notified at the EU level.

When seeking to gain access to a foreign online public service, users are prompted to select the identification means that they want to use to remotely authenticate to the service.

Member States have developed a country selector to redirect the citizens to the appropriate country. It is critical that this country selector be mobile friendly and use all possibilities offered by mobile devices (e.g. picker wheel) to make the selection as smooth as possible.

Ensure that the eIDAS nodes’ interfaces are mobile friendly

Member States can either develop their own eIDAS node or reuse a sample implementation provided by the European Commission to enable the mutual recognition of eID schemes across borders in Europe. The demo interface provided by the European Commission has been mainly developed for desktop. Member States should pay attention to the mobile experience of their eIDAS node. A specific paper will further address potential improvements to be made in this domain.

Test the overall mobile journey

Upon the implementation of the previous recommendations, final tests should be performed to identify potential remaining pain points or stumbling blocks hindering smooth experiences for citizens accessing online services with their mobile device.

Complete end-to-end testing allows respective Member States to take into account potential issues emerging due to different approaches taken by other Member States, as well as differences in the maturity of their mobile strategies.
04 CONCLUSION

This paper has provided an overview of the technologies and strategies pursued to provide users with mobile access to eGovernment services. It has situated the shift to mobile as the continuation of governmental efforts to provide user-centric public services.

Digital identity plays a key role in enabling mGovernment, allowing remote authentication and the possibility of providing seamless and personalised services. As the trend towards mobile services intensifies, eID schemes must also be provided in mobile compatible forms.

In the previous sections we have seen that smartcards were an early eID format of choice. Those countries which integrated NFC technology into their smartcards from the start (9 of 18 Member States with smartcards) have been able to enact a relatively smooth transition towards mobile.

This technology allows contactless communications between smartcards and mobile devices. With both Android and now also Apple providing open NFC interfaces, governments can commit to mobile strategies and develop applications drawing on contactless smartcards.

This paper has also noted the upcoming opportunity associated with the proposed Regulation 2019/1157 - on strengthening the security of identity cards of Union citizens and of residence documents. This legislation will require governments to integrate contactless technology into their smartcards and some may choose to upgrade these smartcards so that a full range of identity credentials can be accessed drawing on this feature.

In the meantime, countries without NFC-enabled smart cards can attempt strategies such as using Bluetooth to connect mobile devices to card readers. This, of course, requires users to carry a card reader with them. Other technological options explored in the paper include the use of SIM cards issued by telecoms providers to enable the secure transmission of ID information. Alternatively, the use of new eSim technology embedded in mobile devices offers similar functionality while avoiding reliance on any single telecoms operator. Another possibility is the server signing option, drawing on private keys stored on a hardware-security module, which has been adopted in Portugal and Denmark.

Finally, a new frontier is opening up with the promise of dynamic identity enabled by a combination of biometrics and behavioural identification. These technologies can allow for continuous authentication of users, only requesting an alternative authentication method if a risk is identified. At present, this approach has not reached full technological maturity, and faces the challenge of avoiding false positives without diminishing the user experience, as well as possible resistance due to privacy concerns.

The trend towards mGovernment and mobile electronic identification is gathering pace and the paper has closed with recommendations for governments trying to apply this approach in a cross-border context.

Organisations attempting this should specifically design their websites to be responsive to mobile while also developing specific mobile applications. They should ensure the authentication schemes drawn upon are suitable for mobile, ensure the development of a mobile friendly “country selector” when choosing the appropriate eID scheme, and ensure that eIDAS nodes themselves are mobile friendly. Finally, they should conduct end-to-end testing to ensure that the entire mobile user journey is smooth and efficient.

Following these suggestions can help governments move towards the level of service users have come to expect from mobile private sector applications. With citizens increasingly demanding a smooth user experience in accessing public services, authorities must embrace the shift to mGovernment or risk being left behind.
European Commission

Embracing mobile identity for eGovernment

2020 – 15 pages