Areas of application for digital identities: digitally representing — and protecting — physical identities
With the current further development of the European regulation on electronic identification and trust services (eIDAS), a recognized and secure digital identity can be established throughout Europe. Digital identities have long been commonplace — from email accounts and social media to digital visits to public authorities: The use of digital services requires proof of identity. The identification and authentication required for this is linked to different levels of protection depending on the service used. Companies that want to offer services that require digital identities — for employees, partners and customers — need to know the requirements.
A digital identity is the digital representation of a physical identity. The latter can be a person, but also an institution, a machine or a server. In the healthcare sector, for example, practices, hospitals or pharmacies can be given a digital identity. In this context, it represents a collection of attributes in electronic form that characterize a natural or legal person — this can be name, address and date of birth, but also user name or email address. A digital ID must be unique, otherwise it cannot be assigned; the process of original identification is transferred to the digital world — registration is required for initial identification; recognition is achieved through authentication. From a social perspective, there are three forms of identity: real, self-constructed and anonymous, with the latter playing a sometimes controversial role on social media, for example.
Possible uses of digital identities
Digital identities are necessary as a basis or digital representation for digital services and processes. They are used wherever digital services are offered and are personalized, which requires the collection, storage and processing of data. Digital services take various forms — from social media user accounts and online accounts in e‑commerce to online banking or digital administrative procedures via eGovernment offerings. As with ID cards, the scope of a digital identity can go beyond mere identification and, for example, include age verification.
Increasing digitalization is opening up further potential uses for a digital identity: the European eIDAS (Regulation on Electronic Identification and Trust Services) creates a uniform framework for the cross-border use of electronic means of identification and trust services. The revision of the eIDAS Regulation was launched in 2020 and has not yet been completed. The aim is to offer a secure EU identity wallet across Europe. The eID is therefore the virtual equivalent of an ID card. It is intended to enable identification and authentication, verification of validity by third parties and the secure storage and presentation of identities. It should also make it possible to generate qualified electronic signatures. This digital equivalent of a handwritten signature allows legally valid contracts to be concluded digitally.
The eIDAS also stipulates that EU member states must make digital identities available to citizens; the envisaged acceptance obligation may also contribute to the elimination of other digital identities. Purchases abroad or picking up a rental car could thus be simplified, as the digital identity makes processes more efficient. This is because digital services are associated with a reduction in costs compared to analog processes; the user benefits greatly from simpler and more convenient handling, for example when dealing with the authorities from home.
Unlike with digital identities via Google or Facebook, the authorities can ensure that data protection is complied with in accordance with the GDPR. In the healthcare sector, digital identities on smartphones are set to replace electronic health cards in the future — but this cannot yet be realized.
Security and protection of the user
One possible attack scenario that particularly affects digital identities is theft in the form of impersonation or identity theft. The potential damage ranges from hate comments on social media to access to and misuse of personal data, such as banking transactions or confidential health data. While the photo on an analog ID card limits misuse by thieves, the situation is different online. The digital identity must therefore be specially protected. Protective measures include strong passwords and two-factor authentication, as already used in online banking: a password on the one hand and TAN generation on a separate external device on the other. A certified hardware token, such as the chip in a smartcard, represents the highest level of security.
Standardized confidence levels
The level of security depends on the purpose of the digital identity and is regulated in the Implementing Regulation (EU) 2015/1502. For example, online banking or the healthcare sector involve particularly sensitive personal data that requires a high level of protection. The regulation defines three standardized levels of trust: low, substantial and high. A low level of protection corresponds to one-factor authentication, as is common in social networks or forums. Substantial protection is provided by the aforementioned two-factor authentication. However, a high level of protection, for example when health data is involved, must be even more secure, for example with a passport including a photo and biometric features. Identification can be carried out using video identification or postal identification procedures.
However, the higher the security level, the more complicated its technical implementation. For example, high-priced smartphones come with certified security components, while cheaper devices are equipped with inferior biometric sensors that can be easily manipulated or bypassed. Such devices also lack protected memory areas. Smartcards in health cards, on the other hand, can store and use cryptographic key material in their chip processors. The underlying infrastructures thus ensure authenticity.
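The following is an added example, not code from the article or from SRC, showing how a relying party could derive the achieved assurance level from the three-level scheme described above and check it against a service's requirement. The proofing and service mappings are assumptions following the article's examples (forum, e-commerce account, health data); two authenticators of the same kind count as one factor, and the overall level is capped by the weaker of enrolment and authentication.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    LOW = 1          # single factor, e.g. forum or social network login
    SUBSTANTIAL = 2  # two factors of different kinds, e.g. password + TAN device
    HIGH = 3         # two factors incl. a certified hardware token plus strong proofing

@dataclass(frozen=True)
class Authenticator:
    kind: str                   # "knowledge", "possession" or "inherence"
    certified_hw: bool = False  # key material held in a certified hardware component
# Assumed mapping from the initial identification (registration) procedure to the
# level it can support; a self-declared online registration only supports LOW.
PROOFING_LEVEL = {
    "self_declared": Level.LOW,
    "video_ident": Level.HIGH,
    "postal_ident": Level.HIGH,
}

# Assumed minimum level per service category, following the article's examples.
REQUIRED_LEVEL = {
    "forum": Level.LOW,
    "ecommerce_account": Level.SUBSTANTIAL,
    "health_record": Level.HIGH,
}

def authentication_level(auths: list[Authenticator]) -> Level:
    """Level reachable by the presented authenticators alone."""
    kinds = {a.kind for a in auths}  # two passwords are still one factor kind
    if len(kinds) < 2:
        return Level.LOW
    if any(a.kind == "possession" and a.certified_hw for a in auths):
        return Level.HIGH
    return Level.SUBSTANTIAL

def achieved_level(proofing: str, auths: list[Authenticator]) -> Level:
    """Overall level is capped by the weaker of enrolment and authentication."""
    return min(PROOFING_LEVEL[proofing], authentication_level(auths))

def authorize(service: str, proofing: str, auths: list[Authenticator]) -> tuple[bool, str]:
    need = REQUIRED_LEVEL[service]
    have = achieved_level(proofing, auths)
    return have >= need, f"{service}: requires {need.name}, presented {have.name}"

if __name__ == "__main__":
    pw, card = Authenticator("knowledge"), Authenticator("possession", certified_hw=True)
    print(authorize("health_record", "video_ident", [pw, card]))
```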
The future potential of digital identities
Digitalization is on the rise, all of its services require a digital identity, and these are already widespread: on average, every citizen has 90 digital identities. The digital and analogue worlds can merge, for example when access controls in companies are digitized and require proof of a digital identity, or when the health card is scanned as an ID in doctors’ surgeries. Media disruptions are perceived as an obstacle here, for example when paper documents have to be submitted as scans to health insurance companies. Digital identities, and the assignment they enable, make the digitalization of such processes possible in the first place. In the field of eHealth, for example, doctors can digitally sign and send invoices and prescriptions.
In turn, companies can use digital identities across the board for customers and employees, end customers or partners. This means, for example, that vacation requests can be made via a portal. Possible applications for customer loyalty should also not be neglected: after all, the digital services that customers use can be used to gain information about their behaviour, in order to better tailor and optimize the company's own offering. However, companies need to be aware of the different levels of security. User-friendliness is important, but so is digital protection against identity and data theft. If this is not guaranteed, the consequences can be serious. A consulting company such as SRC GmbH can help to shed light on solutions (both paid and open source), check certifications and ensure conformity and thus legal certainty.
Conclusion
Nothing works on the Internet without digital identities: digital services require initial identification of the user and authentication for further use, for example via passwords with additional TAN generation as part of multi-factor procedures. The security requirements depend on the type of service and the data used, and are ensured via three levels. Companies that want to use digital services must therefore know the requirements in order to exploit the application potential for customers, partners or suppliers.
___________________________________________________
Author: Nico Martens, Consultant SRC Security Research Consulting GmbH
Further information: https://src-gmbh.de/
Press contact:
Patrick Schulze
WORDFINDER GmbH & CO. KG
Lornsenstraße 128–130
22869 Schenefeld
Tel. +49 (0) 40 840 55 92–18
ps@wordfinderpr.com
www.wordfinderpr.com