Tag Archive for: Eidas

Appli­cation areas of Digital Identities: Digitally repre­senting — and protecting — physical identities

Appli­cation areas of digital identities:

Digitally repre­senting — and protecting — physical identities

With the current devel­opment of the European Regulation on Electronic Identi­fi­cation and Trust Services (eIDAS), a recog­nised and secure digital identity can come about throughout Europe. Digital identities have been common­place for a long time — from email accounts to social media to digital official trans­ac­tions: The use of digital services requires proof of identity. The necessary identi­fi­cation and authen­ti­cation is linked to different levels of protection, depending on the service used. Companies that want to offer services for which digital identities are necessary — for employees, partners and customers — must know the requirements.

A digital identity is the digital repre­sen­tation of a physical identity. The latter can be a person, but also an insti­tution, a machine or a server. In the health sector, practices, hospitals or pharmacies, for example, can receive a digital identity. In this context, it repre­sents a collection of attributes in electronic form that charac­terise a natural or legal person — this can be name, address and date of birth, but also user name or email address. A digital ID must be unique, otherwise it cannot be assigned; the process of initial identi­fi­cation is trans­ferred to the digital — for initial identi­fi­cation it requires regis­tration; recog­nition is achieved through authen­ti­cation. From a social perspective, there are three forms of identities: real, self-constructed and anonymous, with the latter playing a sometimes contro­versial role on social media, for example.

Possible uses of digital identities

Digital identities are necessary as a basis or digital repre­sen­tation for digital services and processes. They are used wherever digital services are offered and are person­alised, which requires the collection, storage and processing of data. Digital services have various forms — from social media user accounts, to online accounts in e‑commerce, to online banking or digital official proce­dures via eGovernment offerings. As with the identity card, the scope of appli­cation of a digital identity can go beyond mere identi­fi­cation and, for example, an age check can be possible.

Increasing digital­i­sation is opening up further possible uses of a digital identity: The European eIDAS (Regulation on Electronic Identi­fi­cation and Trust Services) creates uniform framework condi­tions for the use of electronic means of identi­fi­cation and trust services across borders here. In 2020, the revision of the eIDAS Directive was launched, and it is currently not yet complete. The goal is to offer a secure EU identity wallet throughout Europe. The eID is thus the virtual equiv­alent of an identity card. It is supposed to enable identi­fi­cation and authen­ti­cation, verifi­cation of validity by third parties as well as secure storage and repre­sen­tation of identities. In addition, it should make it possible to generate qualified electronic signa­tures. This digital counterpart to the signature allows legally valid contracts to be concluded on a digital level.

The eIDAS also stipu­lates that EU member states must make the digital identity available to citizens; the envisaged accep­tance oblig­ation may also contribute to the elimi­nation of other digital identities. Shopping abroad or picking up a rental car could thus be simplified, as the digital identity makes processes more efficient. This is because digital services are associated with a reduction in costs compared to analogue processes; the user benefits greatly from simpler and more conve­nient handling, for example, when admin­is­trative proce­dures can be completed from home.

Unlike digital identities via Google or Facebook, the author­ities can ensure that data protection is complied with in accor­dance with the Data Protection Regulation (DSGVO). In the health sector, digital identities on the smart­phone are to replace the electronic health card in the future — but this cannot yet be realised.

Security and protection of the user

One possible attack scenario that partic­u­larly affects digital identities is theft in the form of imper­son­ation or identity theft. The potential for damage ranges from hate comments on social media to access to and misuse of personal data, such as banking trans­ac­tions or confi­dential health data. While the analogue identity card limits misuse by thieves because of the photo on it, the case is different online. The digital identity must therefore be specially protected. Protective measures can be, for example, secure passwords or a two-factor authen­ti­cation, as it already takes place in online banking, for example, with a password on the one hand and additional TAN gener­ation on an external device on the other. The hardware token in smart cards repre­sents the highest level of security as a certified version.

Standardised trust levels

The level of security depends on the purpose of the digital identity and is regulated in the Imple­menting Regulation (EU) 2015/1502. For example, in online banking or in the health sector, there are partic­u­larly sensitive, personal data that require a high level of protection. The regulation defines three standardised trust levels: low, substantial and high. A low level of protection corre­sponds to a one-factor authen­ti­cation, as is common in social networks or forums. Substantial protection is provided by the afore­men­tioned two-factor authen­ti­cation. However, a high level of protection, for example when health data is involved, must be even more strongly secured, for example with a passport including a photo and biometric features. For example, identi­fi­cation can take place via video-identi­fi­cation or post-identi­fi­cation procedures.

However, the higher the security level, the more compli­cated its technical imple­men­tation. High-priced smart­phones, for example, come with certified security compo­nents — while lower-priced devices are equipped with inferior biometric sensors that can be easily manip­u­lated or bypassed. They therefore do not have protected memory areas. Smart cards in health cards, on the other hand, can use and store crypto­graphic key material with their chip processors. In this way, the infra­struc­tures behind them ensure authenticity.

The future potential of digital identities

Digiti­sation is on the rise, all its services require a digital identity and these are already widespread: On average, every citizen has 90 digital identities. The digital and analogue worlds can merge, for example when access controls in companies are digitalised and require proof of a digital identity, or when the health card is read in as an ID in doctors’ surgeries. Here, media disrup­tions are perceived as an obstacle, for example when paper documents are to be submitted as scans to health insurance companies. Digital identities and the assignment they allow make the digiti­sation of such processes possible in the first place. In the area of eHealth, doctors can digitally sign and send invoices and prescrip­tions, for example.

Companies, in turn, can use digital identities widely for customers and employees, end customers or partners. This means, for example, that holiday appli­ca­tions can be made via a portal. Not to be neglected are also conceivable appli­cation possi­bil­ities for customer loyalty: After all, digital services that customers use can be used to gain infor­mation about their behaviour, which can be used to better tailor and optimise one’s own offer. However, companies must be aware of the different levels of security. User-friend­liness is important, but so is digital protection against identity and data theft. If this is not guaranteed, serious conse­quences can be the result. A consulting firm like SRC GmbH can help here to shed light on solutions — both paid and open source — to check certi­fi­ca­tions and to ensure conformity and thus legal certainty.

Conclusion

Nothing works on the internet without digital identities — digital services require initial identi­fi­cation of the user and authen­ti­cation for further use, for example, via passwords with additional TAN gener­ation within the framework of multi­factor proce­dures. The security require­ments depend on the type of service and the data used, which is ensured via three levels. Companies that want to use digital services must therefore know the require­ments in order to use the appli­cation potential for customers, partners or suppliers.

___________________________________________________

Author: Nico Martens, Consultant SRC Security Research & Consulting GmbH

Further infor­mation: https://src-gmbh.de/

Press contact:

Patrick Schulze

WORDFINDER GmbH & CO. KG

Lornsen­strasse 128–130

22869 Schenefeld

Phone +49 (0) 40 840 55 92–18

ps@wordfinderpr.com

www.wordfinderpr.com