
Areas of application for digital identities: digitally representing — and protecting — physical identities

With the current further development of the European regulation on electronic identification and trust services (eIDAS), a recognized and secure digital identity can be established throughout Europe. Digital identities have long been commonplace — from email accounts and social media to digital visits to public authorities: the use of digital services requires proof of identity. The identification and authentication required for this is linked to different levels of protection depending on the service used. Companies that want to offer services that require digital identities — for employees, partners and customers — need to know the requirements.

A digital identity is the digital representation of a physical identity. The latter can be a person, but also an institution, a machine or a server. In the healthcare sector, for example, practices, hospitals or pharmacies can be given a digital identity. In this context, it represents a collection of attributes in electronic form that characterize a natural or legal person — this can be name, address and date of birth, but also user name or email address. A digital ID must be unique, otherwise it cannot be assigned; the process of original identification is transferred to the digital world — registration is required for initial identification; recognition is achieved through authentication. From a social perspective, there are three forms of identity: real, self-constructed and anonymous, with the latter playing a sometimes controversial role on social media, for example.

Possible uses of digital identities

Digital identities are necessary as a basis or digital representation for digital services and processes. They are used wherever digital services are offered and are personalized, which requires the collection, storage and processing of data. Digital services take various forms — from social media user accounts and online accounts in e-commerce to online banking or digital administrative procedures via eGovernment offerings. As with ID cards, the scope of a digital identity can go beyond mere identification and, for example, include age verification.

Increasing digitalization is opening up further potential uses for a digital identity: the European eIDAS (Regulation on Electronic Identification and Trust Services) creates a uniform framework for the use of electronic means of identification and trust services across borders. The revision of the eIDAS Directive was launched in 2020 and has not yet been completed. The aim is to offer a secure EU identity wallet across Europe. The eID is therefore the virtual equivalent of an ID card. It is intended to enable identification and authentication, verification of validity by third parties and the secure storage and presentation of identities. It should also make it possible to generate qualified electronic signatures. This digital equivalent of a signature allows legally valid contracts to be concluded digitally.

The eIDAS also stipulates that EU member states must make digital identities available to citizens; the envisaged acceptance obligation may also contribute to the elimination of other digital identities. Purchases abroad or picking up a rental car could thus be simplified, as the digital identity makes processes more efficient. This is because digital services are associated with a reduction in costs compared to analog processes; the user benefits greatly from simpler and more convenient handling, for example when dealing with the authorities from home.

Unlike with digital identities via Google or Facebook, the authorities can ensure that data protection is complied with in accordance with the GDPR. In the healthcare sector, digital identities on smartphones are set to replace electronic health cards in the future — but this cannot yet be realized.

Security and protection of the user 

One possible attack scenario that particularly affects digital identities is theft in the form of impersonation or identity theft. The potential damage ranges from hate comments on social media to the access and misuse of personal data, such as banking transactions or confidential health data. While the analog ID card limits misuse by thieves due to the photo on it, the situation is different online. The digital identity must therefore be specially protected. Protective measures can be, for example, secure passwords or two-factor authentication, as is already used in online banking, for example with a password on the one hand and additional TAN generation on an external device on the other. The hardware token in smartcards represents the highest level of security as a certified version.

Standardized confidence levels

The level of security depends on the purpose of the digital identity and is regulated in the Implementing Regulation (EU) 2015/1502. For example, online banking or the healthcare sector involve particularly sensitive personal data that requires a high level of protection. The regulation defines three standardized levels of trust: low, substantial and high. A low level of protection corresponds to one-factor authentication, as is common in social networks or forums. Substantial protection is provided by the aforementioned two-factor authentication. However, a high level of protection, for example when health data is involved, must be even more secure, for example with a passport including a photo and biometric features. Identification can be carried out using video identification or postal identification procedures.

However, the higher the security level, the more complicated its technical implementation. For example, high-priced smartphones come with certified security components — while cheaper devices are equipped with inferior biometric sensors that can be easily manipulated or bypassed, and frequently lack protected memory areas as well. Smartcards in health cards, on the other hand, can use and store cryptographic key material with their chip processors. The underlying infrastructures thus ensure authenticity.
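As an added illustration (not code from the article or from SRC), the following Python sketch shows how a relying party can enforce the three assurance levels described above: the level a service requires is compared with the level the current session actually achieved, and a shortfall yields a step-up request rather than silent acceptance. The mapping from authentication factors to levels is a deliberate simplification of Implementing Regulation (EU) 2015/1502, and the service names and factor labels are assumed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Loa(IntEnum):
    """eIDAS assurance levels, ordered so a higher level satisfies a lower requirement."""
    LOW = 1
    SUBSTANTIAL = 2
    HIGH = 3


@dataclass(frozen=True)
class AuthContext:
    """What the relying party knows about the session (constructed model, not a real API)."""
    factors: frozenset                 # e.g. {"password"} or {"password", "tan_device"}
    certified_hardware: bool = False   # key held in a certified secure element / smartcard chip
    identity_proofed: bool = False     # enrolled via in-person, video or postal identification


# Required level per service: the article's examples, encoded here as assumptions.
REQUIRED_LEVEL = {
    "forum": Loa.LOW,
    "online_banking": Loa.SUBSTANTIAL,
    "health_records": Loa.HIGH,
}


def achieved_level(ctx: AuthContext) -> Loa:
    """Simplified mapping: one factor -> low, two factors -> substantial,
    high additionally needs certified hardware and strong identity proofing."""
    if not ctx.factors:
        raise ValueError("no authentication factor presented")
    if len(ctx.factors) >= 2 and ctx.certified_hardware and ctx.identity_proofed:
        return Loa.HIGH
    if len(ctx.factors) >= 2:
        return Loa.SUBSTANTIAL
    return Loa.LOW


def authorize(service: str, ctx: AuthContext) -> dict:
    """Decide access and, on shortfall, name the level the user must step up to."""
    required = REQUIRED_LEVEL[service]
    have = achieved_level(ctx)
    ok = have >= required
    return {"allowed": ok, "required": required.name, "achieved": have.name,
            "step_up": None if ok else required.name}


if __name__ == "__main__":
    session = AuthContext(frozenset({"password"}))          # single factor only
    print(authorize("online_banking", session))             # denied, step_up SUBSTANTIAL
```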

The future potential of digital identities

Digitalization is on the rise, all its services require a digital identity and these are already widespread: on average, every citizen has 90 digital identities. The digital and analogue worlds can merge, for example when access controls in companies are digitized and require proof of a digital identity, or when the health card is scanned as an ID in doctors' surgeries. Media disruptions are perceived as an obstacle here, for example when paper documents are to be submitted as scans to health insurance companies. Digital identities and the assignment they enable make the digitalization of such processes possible in the first place. In the field of eHealth, for example, doctors can digitally sign and send invoices and prescriptions.

In turn, companies can use digital identities across the board for customers and employees, end customers or partners. This means, for example, that vacation requests can be made via a portal. Possible applications for customer loyalty should also not be neglected: after all, the digital services that customers use can provide information about their behaviour, which helps a company tailor and optimize its own offering. However, companies need to be aware of the different levels of security. User-friendliness is important, but so is digital protection against identity and data theft. If this is not guaranteed, the consequences can be serious. A consulting company such as SRC GmbH can help to shed light on solutions, both paid and open source, check certifications and ensure conformity and thus legal certainty.

Conclusion

Nothing works on the Internet without digital identities — digital services require initial identification of the user and authentication for further use, for example via passwords with additional TAN generation as part of multi-factor procedures. The type of service and the data used determine the security requirements, which are ensured via three levels. Companies that want to use digital services must therefore know the requirements in order to exploit the application potential for customers, partners or suppliers.

___________________________________________________

Author: Nico Martens, Consultant SRC Security Research Consulting GmbH

Further information: https://src-gmbh.de/
