Use of mobile identity solutions within the framework of electronic ID
The need for a digital means of identification is growing. In Switzerland, electronic identity (eID) is regulated by the eID Act and provides, for example, for a division of tasks between the state and the authorities. The question therefore arises to what extent a mobile device can support identity verification, regardless of whether one actually uses a service via smartphone or the device is only used for identification and authentication. While the challenges regarding security and data protection keep growing in the age of Big Data, the need for an identity solution with a high level of user-friendliness is becoming more and more important. At the European level, the establishment of a digital single market is being driven forward. Switzerland, for its part, has adopted the “Digital Switzerland” strategy. Both developments require the realisation of a trustworthy electronic identity to authenticate companies and individuals for electronic transactions with authorities. However, the successful implementation and the associated acceptance of electronic identity solutions depend very much on how user-friendly and simple such a solution is perceived to be.
Identification with the smartphone
One identity solution that is perceived to be highly user-friendly is identification via mobile devices such as the smartphone. However, the security and data protection aspects for such mobile identity solutions have not yet been conclusively clarified for Switzerland. Particularly for transactions with sensitive data, mobile identity solutions are not yet widespread in Switzerland. Mobile identity solutions are also rarely used for e-government services. In general, the demands that citizens place on e-government services are very high. On the one hand, the protection of privacy must be guaranteed, and on the other hand, it should be possible to use the services around the clock, regardless of the device. Obtaining services and carrying out transactions via smartphone or tablet are now commonplace for many citizens. The MobileID mobile identity solution that exists in Switzerland is operated by Swisscom, Salt and Sunrise and, in contrast to the electronic identity (eID), uses not only the internet but also the radio network of the three companies. To obtain the MobileID in Switzerland, it is necessary to obtain a PKI-enabled SIM card and own a smartphone. Other possible and existing forms of mobile ID (mID) abroad are chip-based (Sweden) and blockchain-based (Slovenia and Canada) mIDs. MobileID is only used sporadically in Switzerland (e.g. PostFinance), but for e-government services the question arises for which services and in what form the mobile device can and should support identity verification.
Already widespread abroad
A look at the administration abroad shows that electronic identity solutions go beyond chip cards and USB sticks and that successful integrations with smartphones do exist. The following solution elements can be found in the mobile identity solutions that exist on the market so far:
- Federated identity: A Mobile ID (mID) can be used across different IT systems and websites.
- Two-factor authentication: A mobile device such as a smartphone can be used as a second factor for authentication. This second factor can consist of either knowledge, possession or characteristics. In terms of mobile devices, this means that possession of a SIM card and/or a smartphone represents a second factor.
- Mobile digital signature: SIM cards are able to perform cryptographic operations. Here, a Wireless Public Key Infrastructure (WPKI) is set up, through which the user receives a digital certificate via the SIM card, which can then be used several times and at different websites. It is also possible to make a digital signature legally equivalent to a physical signature.
In Finland there are over 300 services where the so-called mID is applied. In the area of social insurance, healthcare, but also as a state-recognised signature, the mID is used intensively in Finland. According to Finnish law, mobile signatures are legally equivalent to physical signatures.
Figure: Process of mID use in Moldova (Source: Moldovan government, 2014)
In Moldova, an mID solution has already been in use since 2012. Registration takes place within 15 minutes and the solution is based on strong authentication. Especially in the business-to-government sector, mID is used, but also in areas of tax returns and social insurance. Around a quarter of social security forms are verified by mID in Moldova, for example.
Identification via SIM card
In Estonia, too, mID is based on the SIM card. The certificate is always valid for three years and must then be replaced. Electronic signature and mobile authentication are based on PKI SIM cards. Almost all online service providers in the public and private sectors in Estonia accept the mID as a solution for identification and authentication. Thus, the mID is used almost everywhere in Estonia, for example for vehicle registration, driver’s licence registration, healthcare, social security, as a state-approved signature, tax declaration, business registration and elections. These examples of mobile identity solutions are almost all implemented on the basis of PKI-enabled SIM cards. However, mobile identity solutions have only gradually developed into a viable solution thanks to pioneering efforts and certain failures. It is striking that in each of the countries studied, as in Switzerland, there is only one mobile identity solution. The success factor is always the nationwide cooperation between the authorities and telecommunications companies. In addition, the support of the private sector and a high number of usable services from the public and private sectors are crucial.
Moldova creates smart applications without eID
In Switzerland, there are only a small number of business cases so far, which is why a mobile identity solution currently offers little added value for identification and authentication. However, the foreign examples also show that the use, for example, for vehicle and driver’s licence registration is not complex and at the same time offers a very large added value for user-friendliness. Countries like Estonia show what could potentially be done with a mobile identity solution by using mID in almost all areas. Moldova also demonstrates that no eID is needed at all if the mobile identity solution is supported by all stakeholders. If the success factors of the leading countries are extrapolated to Switzerland, it can be stated that the cooperation of all telecommunication companies has already taken place and therefore a good basis has been laid. The telecommunication companies are state-certified Identity Providers (IdPs), which already carry out identity checks on citizens when they obtain an ordinary SIM card. However, as the success of a mobile identity solution depends on the number of usable services in the private and public sector, federalism seems to be a particular obstacle with regard to interoperability in the public sector, and this disadvantage also applies to the eID. Cantons would have to harmonise services related to the implementation of MobileID use in order to benefit from the positive synergy effects.
Estonian Government (1 April 2017). Using mobile ID. Retrieved 9 September 2018 from Id.ee: https://www.id.ee/index.php?id=36884
Gemalto (16 December 2014). White Paper National Mobile ID schemes – Learning from today’s best practices. (Gemalto, ed.) Retrieved 28 August 2018 from Gemalto Government Programs: http://www.id-world-magazine.com/wp-content/uploads/WP-Gemalto-MobileID-overview-EN.pdf
Gemalto (2018). Expand your national identity system. Retrieved 17 October 2018 from Gemalto Mobile ID: https://www.gemalto.com/govt/coesys/mobile-id
GSMA (11 July 2013). Finnish Mobile ID: A Lesson in Interoperability – An Executive Summary. Retrieved 28 August 2018 from GSMA: https://www.gsma.com/identity/wp-content/uploads/2013/07/SC_GSM_288_Finland-Mobile-ID-executive-summary-100713-v4.pdf
Moldovan Government (14 October 2014). Case Study. Retrieved 29 August 2018 from eGov Moldova: www.egov.md/ro/file/3695/download?token=7fnIFJzO