As a technology provider, I risk sounding biased when talking about the right technology for digital identity solutions, but I’m not here just to say “our technology is the right technology”. I want to raise the points that should be considered when deciding which technology is right for the kind of service being implemented and the particular user base it is aimed at.
First, a very quick definition: a digital identity is a set of attributes that distinguishes one individual from every other in an IT system. When we talk about digital identity technologies or services, we mean two kinds of tool: those that let an individual prove they are the person a set of attributes describes, i.e. authenticate, and those that let the identified individual give explicit, verifiable consent, i.e. sign a transaction. There is a myriad of technologies on the market for authentication and digital signing: smart cards, SIM cards, USB keys, PIN calculators, cloud signing, simple and complex mobile push-notification apps, one-time passwords via SMS or app, and no doubt more. Different solutions offer different value; some are cheaper, some are simpler to set up, some are more accessible to certain demographics, some are certified to the level governments require. Choosing the right technology and understanding the considerations that need to be made ahead of implementation can mean the difference between a successful digital identity roll-out and a money pit.
To narrow the field to the kinds of solution governments accept, we can limit ourselves to those that can achieve EAL4+ certification. Very quickly defined, EAL4 is a Common Criteria evaluation assurance level, commonly cited as the highest level at which it is economically feasible to retrofit an existing product line; the “+” means the evaluation is augmented with additional assurance components, for qualified signature devices typically resistance to attackers with high attack potential (AVA_VAN.5). The Protection Profiles that eIDAS references for qualified (legally binding) signature creation devices in Europe require EAL4+. A key requirement of those Protection Profiles, rather than of EAL4 itself, is that private keys are generated, stored and used only inside dedicated, tamper-resistant security hardware, which leads us to tokens with chips in them, like smart cards, SIM cards and USB keys, and to solutions that use HSMs (hardware security modules) to protect private keys and carry out signing.
Different solutions have pros and cons and may suit certain demographics or regions better, depending on how familiar the population is with the underlying technology and on what already exists in terms of a national identity. We must also consider that some of these solutions need extra partners and others need extra hardware, but compromises like this may be necessary. It is rare for one technology to tick all the boxes and be self-contained as well, so we have to know our user base and have a vision for what our service will be like and the problems it is meant to solve.
So, what are the considerations we need to make when rolling out a digital identity solution in our region or country? First of all, we are looking at PKI (public key infrastructure) based technologies, so we need a PKI: at the very least a trusted certificate authority, together with the registration and identity-proofing process that binds a certificate to a real person, and a way to revoke certificates (CRLs or OCSP) when a token is lost or compromised. Once that foundation is in place, we should look at whether there is already a national identity scheme, and how accurate and usable it is. If there is an existing unique identifier for everyone, this is great, and better still if the private sector can use it as well. If individuals already have an identity card, the question is: do you want to replace it, or add to it? This is where we can look at smart cards.
Smart cards have the advantage over the other solutions mentioned of being usable in person as standard. They cover both in-person identity and digital identity, and if both functions are necessary in your service, the smart card can be a great choice. Smart cards have been around for decades; they are a well tried and tested solution. Another aspect of smart cards is both an advantage and a disadvantage compared with more modern alternatives. Smart cards, for the most part, require a smart card reader: an extra piece of hardware that is effectively an adapter for use with PCs. The downside is easy to see: it is an additional item to carry around if you want to use the card on the go, and a USB reader will not work with most phones and tablets (a contactless card can be read by an NFC-capable phone with the right software, but that cannot be assumed across the whole user base). The upside is that the reader is the only additional piece of technology needed, as long as there is access to PCs, such as in libraries and internet cafes.
I mentioned demographics above, and this is where the specific demographic we’re looking to serve becomes relevant. If we’re looking to offer a method of online identity authentication to those in society that require welfare or benefits, the homeless, or even refugees, they may have no access to a mobile phone, smart or otherwise, so more modern solutions will be of little benefit to these groups. Similarly, certain countries or regions may not have significant smartphone penetration, and again, a smart card and reader might be the best offering. A solution that is similar to a smart card, but quite a bit more convenient is the SIM card-based authentication and signing technology.
Moving away from smart cards, which are a physical as well as a digital identity, means we lose in-person identification; but if there is an existing ID card that does not need replacing, or if in-person identity proofing is not a concern for your solution, SIM cards can be a great option. There are additional considerations with SIM cards: the telecommunications providers have to be involved, since they manufacture, personalise and distribute the new PKI-enabled SIMs, and they become part of the trust chain for issuing and replacing them. There are costs to take into account because of this, but the benefit of SIM-based solutions over smart cards is that no additional hardware like a reader is required, and they work on phones, older models as well as smartphones, which is even an advantage over more modern solutions that require smart devices. If there is good mobile phone penetration but smartphones are not yet widely used, or we are looking at demographics that may not be able to afford smartphones or simply have no interest in them (perhaps older generations), SIM cards can tick many boxes.
I won’t go too deeply into USB keys, as these are less likely to be used for national digital identity solutions due to their cost. They also don’t tick as many useful boxes as SIM cards and smart cards, though they can be a useful tool in the private sector for businesses internally, e.g. system administrators accessing vital services. The final relevant technology group to discuss is those that, rather than storing keys in chips on cards, utilise HSMs (hardware security modules) to protect the private keys of the users. There are a couple of different ways to use HSMs, and this is where some bias may show as this is where we enter the game (though we’ve been involved in smart card roll outs and SIM-based service implementations over the past twenty years as well).
You may have heard of cloud-signing solutions, which allow the user to keep their private keys in the cloud, protected by an HSM operated by the service provider. This lets the user sign with their private keys from effectively any device that has a web browser: tablets, smartphones, PCs, even some smart TVs. This is a great advantage, but it only covers the act of signing. To authenticate before gaining access to the keys or before signing a document, another technology is needed, and for qualified signatures that authentication must be strong enough to demonstrate the signer’s sole control over the key. An advantage here is that you can potentially use any other certified technology, such as smart cards, SIM cards or USB keys. But the question arises: if smart cards, SIM cards and so on are available, why use a cloud-signing service at all, when those solutions can do the same thing?
That is where another way of using HSMs comes in (and our technology). Without getting too technical, using MPC (multi-party computation) and threshold cryptography, we can generate a private key as two shares held on two separate devices and sign with them as if they were one key: each device only ever holds its own share, the full key is never assembled anywhere, and the resulting signature verifies under the combined public key with an ordinary verifier. One side of this solution is the HSM, but the real advantage comes when the other side is a smartphone. Authentication and signing work the same way, so the only technology the user needs is their smartphone, provided the phone-side share is itself protected by the device (its secure hardware or keystore) and by the user’s PIN or biometric. We come full circle now and address the point that a solution like this clearly requires a population or user base with high smartphone penetration. Without that, more modern solutions are unlikely to be the best choice. But if smartphones are widely used, these kinds of solution can be faster to roll out and far more cost-effective, with the added bonus of being remotely updateable and future-proof. They may even be used for in-person identification with the right software and processes, becoming the true successor of smart cards with all of the pros and none of the cons.
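To make the “two shares, one signature” idea concrete, here is an added example that is not the author’s product code and does not describe their protocol: a minimal 2-of-2 threshold Schnorr signature over secp256k1 in which the private key exists only as two additive shares. The HSM and the phone are simulated as two Python objects that never reveal their share; the curve choice, the hash-to-challenge layout and the party names are assumptions for illustration. Schnorr is used because its share arithmetic is linear and fits in a few lines; ECDSA-based MPC, which is what most existing PKI certificate profiles call for, needs considerably more machinery.

```python
"""Added example: 2-of-2 additive-share Schnorr over secp256k1.
Neither party ever sees the full private key; the aggregate signature
verifies with a plain single-key Schnorr check against the combined key."""
import hashlib
import secrets

# secp256k1 domain parameters (assumed curve; any prime-order group works).
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def challenge(R, pub, msg):
    """e = H(R || P || m) mod n, binding nonce, public key and message."""
    data = b"".join(c.to_bytes(32, "big") for c in (*R, *pub)) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N_ORD

class ShareHolder:
    """One signing party (e.g. the HSM or the phone). Its share never leaves it."""
    def __init__(self):
        self._x = secrets.randbelow(N_ORD - 1) + 1   # private key share x_i
        self.pub_share = scalar_mult(self._x, G)      # x_i * G, safe to publish
        self._k = None

    def nonce_commit(self):
        # Fresh nonce share per signature; reusing it would leak the key share.
        self._k = secrets.randbelow(N_ORD - 1) + 1
        return scalar_mult(self._k, G)

    def partial_sign(self, R, pub, msg):
        e = challenge(R, pub, msg)
        s_i = (self._k + e * self._x) % N_ORD
        self._k = None                                # single use
        return s_i

def combined_pubkey(parties):
    """P = (sum of x_i) * G, computed from public shares only."""
    pub = None
    for party in parties:
        pub = point_add(pub, party.pub_share)
    return pub

def sign_with_shares(parties, pub, msg):
    """Round 1: each party contributes R_i. Round 2: each contributes s_i.
    The aggregate (R, s) is an ordinary Schnorr signature under the combined key."""
    R = None
    for party in parties:
        R = point_add(R, party.nonce_commit())
    s = sum(party.partial_sign(R, pub, msg) for party in parties) % N_ORD
    return (R, s)

def verify(pub, msg, sig):
    """Standard single-key Schnorr check: s*G == R + e*P."""
    R, s = sig
    if R is None or not 0 < s < N_ORD:
        return False
    e = challenge(R, pub, msg)
    return scalar_mult(s, G) == point_add(R, scalar_mult(e, pub))

def demo():
    hsm, phone = ShareHolder(), ShareHolder()       # assumed party roles
    pub = combined_pubkey([hsm, phone])
    msg = b"constructed sample: I consent to transaction 42"
    return verify(pub, msg, sign_with_shares([hsm, phone], pub, msg))

if __name__ == "__main__":
    print("joint signature valid:", demo())
```

Two things the toy leaves out that a deployable protocol must have: a commitment round on the nonce shares (and a proof of possession on the key shares) so that a malicious party cannot choose its R_i or x_i after seeing the other side’s, and protection of the phone-side share by the device’s secure hardware and the user’s PIN or biometric, which is what turns “the phone holds a share” into a genuine second factor. Note that a signature produced from one share alone does not verify under the combined key, which is exactly the property that gives the HSM operator and the user joint control.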
The right technology is all about what is best for the service you are planning to create and run, and the user base you are planning to offer it to. No one technology truly ticks all the boxes when we look at a diverse and varied user base; one size does not fit all. We may even see benefit in a combination of technologies, like smart cards and SIM cards, or smart cards and a smartphone solution, covering a wider range of the population while still offering the most convenient and cost-effective option to those on the go. There are many considerations to make when rolling out a digital identity service; which technology to use is just one, but it is one that will have a long-term impact and one we cannot change very easily, so it is best to get it right first time.
Written by Max van de Poll