As countries the world over continue to implement electronic government services for citizens, the ability to prove identity online is becoming a necessity. A white paper from UL Transaction Security details the current state of eID in Europe and the growing number of implementations across the continent.
The white paper, “Electronic Identities in Europe,” begins by explaining the three main methods of eID currently being used: password-based systems, Public Key Infrastructure (PKI) and Attribute Based Credentials (ABC).
Password-based systems are schemes that let users authenticate and electronically “sign” a document or an action (in other words, agree with its contents) by entering a username and password. The passwords are either static, meaning the same password is used for every log-in, or dynamic, as in One Time Passwords (OTP).
OTP schemes can be further classified by how the one-time password reaches the user: OTP lists, OTPs received via SMS, or OTPs generated via tokens.
Public Key Infrastructure (PKI) is a set of hardware, software, policies and procedures that combine to manage a public-key cryptographic system. PKI implementations use asymmetric, or public-key, cryptography, which has two separate keys for encrypting and decrypting data. One key is made publicly available while the other, the private key, remains undisclosed.
The public key is linked to the identity of the individual via a certificate, a document that is digitally signed by a Trusted Third Party, for example a country’s Certification Authority. It is this certificate that is received by the authentication server, verifying the user’s public key. PKI solutions can be further segmented based on the type of implementation: smart cards, mobile SIM cards or other tokens.
Attribute Based Credential (ABC) solutions are systems in which the user’s information is stored in what are called “attributes,” with multiple attributes characterizing the credential given to the user by an issuing authority. These are also called privacy-preserving credentials: when the user conducts a transaction with a service provider, the attributes dictate what rights the user is entitled to without divulging the user’s actual identity.
The UL white paper reveals that of the 31 countries studied for public authentication and electronic signature implementations, 17 have opted for password-based solutions, 26 for PKI while only one has adopted the Attribute Based Credentials method. Also noted by UL is a list of seven European countries (Czech Republic, Denmark, Estonia, Finland, Lithuania, Norway and Sweden) that enable citizens to choose between a password-based and a PKI solution.
Those countries opting for password-based systems tend to go the OTP route to ensure secure login to the online banking environment, with the banks being the identity providers for the solution. Only two countries in the Nordic region have implemented OTP eID initiated by the public authorities.
Despite the success of these implementations, less sophisticated eID solutions remain. In France and the UK, citizens are allowed to declare their taxes online using only a username and password for authentication. Elsewhere, username and password methods are used for digital signing, requiring the user to simply retype their password to provide consent.
UL estimates that a new wave of PKI cards is set to launch in Central and Eastern Europe in preparation for national eID programs.
UL reports that the lone Attribute Based Credential implementation began in Germany in 2010.
Measuring eID’s success
UL goes on to explain that the success of eID implementations in Europe, and likely in other parts of the world, will rely on a few critical factors:
- Availability of services
- Ease of use/Simplicity
- Perceived usefulness
- Availability of other eID solutions
- Switching costs
- Security/threats to privacy
Ultimately, UL posits that current eID initiatives on the continent will lead to firmly cemented solutions across Eastern and Southern Europe within the next five to ten years.
See the full “Electronic Identities in Europe” white paper on UL’s website.