Application areas of digital identities:
Digitally representing — and protecting — physical identities
With the current development of the European Regulation on Electronic Identification and Trust Services (eIDAS), a recognised and secure digital identity can emerge throughout Europe. Digital identities have been commonplace for a long time — from email accounts to social media to digital official transactions: the use of digital services requires proof of identity. The necessary identification and authentication are linked to different levels of protection, depending on the service used. Companies that want to offer services for which digital identities are necessary — for employees, partners and customers — must know the requirements.
A digital identity is the digital representation of a physical identity. The latter can be a person, but also an institution, a machine or a server. In the health sector, practices, hospitals or pharmacies, for example, can receive a digital identity. In this context, it represents a collection of attributes in electronic form that characterise a natural or legal person — this can be name, address and date of birth, but also user name or email address. A digital identity must be unique, otherwise it cannot be assigned to its holder. The process of initial identification is carried over into the digital world: initial identification requires registration, and subsequent recognition is achieved through authentication. From a social perspective, there are three forms of identities: real, self-constructed and anonymous, with the latter playing a sometimes controversial role on social media, for example.
Possible uses of digital identities
Digital identities are necessary as a basis or digital representation for digital services and processes. They are used wherever digital services are offered and are personalised, which requires the collection, storage and processing of data. Digital services take various forms — from social media user accounts, to online accounts in e‑commerce, to online banking or digital official procedures via eGovernment offerings. As with the identity card, the scope of application of a digital identity can go beyond mere identification; an age check, for example, is possible.
Increasing digitalisation is opening up further possible uses of a digital identity: the European eIDAS (Regulation on Electronic Identification and Trust Services) creates uniform framework conditions for the cross-border use of electronic means of identification and trust services. In 2020, the revision of eIDAS was launched, and it is currently not yet complete. The goal is to offer a secure EU identity wallet throughout Europe. The eID is thus the virtual equivalent of an identity card. It is intended to enable identification and authentication, verification of validity by third parties, and secure storage and representation of identities. In addition, it should make it possible to generate qualified electronic signatures. This digital counterpart to the handwritten signature allows legally valid contracts to be concluded digitally.
eIDAS also stipulates that EU member states must make the digital identity available to citizens; the envisaged obligation to accept it may also contribute to the elimination of other digital identities. Shopping abroad or picking up a rental car could thus be simplified, as the digital identity makes processes more efficient. Digital services are associated with a reduction in costs compared to analogue processes, and the user benefits greatly from simpler and more convenient handling, for example when administrative procedures can be completed from home.
Unlike with digital identities from Google or Facebook, the authorities can ensure that data protection is complied with in accordance with the General Data Protection Regulation (GDPR; German: DSGVO). In the health sector, digital identities on the smartphone are to replace the electronic health card in the future — but this cannot yet be realised.
Security and protection of the user
One possible attack scenario that particularly affects digital identities is theft in the form of impersonation or identity theft. The potential for damage ranges from hate comments on social media to access to and misuse of personal data, such as banking transactions or confidential health data. While the analogue identity card limits misuse by thieves because of the photo on it, the situation is different online. The digital identity must therefore be specially protected. Protective measures include, for example, strong passwords or two-factor authentication, as already practised in online banking: a password on the one hand and additional TAN generation on an external device on the other. The hardware token in smart cards, as a certified component, represents the highest level of security.
Standardised trust levels
The level of security depends on the purpose of the digital identity and is regulated in the Implementing Regulation (EU) 2015/1502. In online banking or in the health sector, for example, there are particularly sensitive personal data that require a high level of protection. The regulation defines three standardised trust levels: low, substantial and high. A low level of protection corresponds to one-factor authentication, as is common in social networks or forums. Substantial protection is provided by the aforementioned two-factor authentication. A high level of protection, for example when health data is involved, must be secured even more strongly, for example with a passport including a photo and biometric features. Identification at this level can take place via video-identification or post-identification procedures, for example.
However, the higher the security level, the more complicated its technical implementation. High-priced smartphones, for example, come with certified security components, while lower-priced devices are equipped with inferior biometric sensors that can be easily manipulated or bypassed, and they lack protected memory areas. Smart cards in health cards, on the other hand, can use and store cryptographic key material on their chip processors. In this way, the infrastructures behind them ensure authenticity.
The future potential of digital identities
Digitisation is on the rise, all of its services require a digital identity, and these are already widespread: on average, every citizen has 90 digital identities. The digital and analogue worlds can merge, for example when access controls in companies are digitalised and require proof of a digital identity, or when the health card is read in as an ID in doctors’ surgeries. Here, media disruptions are perceived as an obstacle, for example when paper documents have to be submitted as scans to health insurance companies. Digital identities and the assignment they allow make the digitisation of such processes possible in the first place. In the area of eHealth, doctors can digitally sign and send invoices and prescriptions, for example.
Companies, in turn, can use digital identities widely for employees, end customers or partners. This means, for example, that holiday applications can be submitted via a portal. Conceivable applications for customer loyalty should not be neglected either: after all, the digital services that customers use can yield information about their behaviour, which can be used to better tailor and optimise one’s own offer. However, companies must be aware of the different levels of security. User-friendliness is important, but so is digital protection against identity and data theft. If this is not guaranteed, serious consequences can result. A consulting firm like SRC GmbH can help here to shed light on solutions — both paid and open source — to check certifications and to ensure conformity and thus legal certainty.
Nothing works on the internet without digital identities — digital services require initial identification of the user and authentication for further use, for example via passwords with additional TAN generation as part of multifactor procedures. The security requirements depend on the type of service and the data used, and are graded into three trust levels. Companies that want to use digital services must therefore know the requirements in order to exploit the application potential for customers, partners or suppliers.
Author: Nico Martens, Consultant SRC Security Research & Consulting GmbH
Further information: https://src-gmbh.de/