For digital processes and business activities to succeed, the security of digital transactions must be trustworthy. Traditional security measures, however, often miss the mark: they shift responsibility to the individual user while offering little in terms of ease of use. eIDs, on the other hand, combine a high level of security with greater usability, and they can be used across the full spectrum of digital services that require clear proof of identity. With the eIDAS regulation, eIDs also have a regulatory framework that sets a uniform standard throughout the European Union.
eIDAS regulation and eIDs in a nutshell
How have identities been authenticated online so far?
There are various ways to prove an identity, i.e. to ensure that a person really is who they claim to be. Here is a small selection of the most common methods:
Email verification was used heavily in the past, but it ranks at the lower end of the security scale. Only the existence of a given email address is checked at the time of verification, not the actual identity of a person. Email verification proves that someone had access to the mailbox in question at a given moment; it does not prove that this person is the legitimate owner or holder of the address, and the true identity of the person remains unknown.
One of the simplest and still most widespread methods for proving identities is authentication with a password. This type of identity confirmation is used to this day by many online providers and is probably best known from logging in to online email services. Although the security level is higher than with mere email verification, it is still quite low. Why? Potential attackers usually have only a low hurdle to overcome. The root cause is poor usability, which becomes obvious when you look at how passwords are used in practice: nowadays it is not unusual to have to manage several dozen of them.
Simple passwords are ineffective and present no real challenge for those trying to crack them.
Since passwords are required for many services these days, real password management becomes a necessity to maintain security.
As everyone knows, a strong password must
- be unique, i.e. used for exactly one service
- be long
- not appear in any list of passwords leaked in past breaches
Rules that were standard for years, such as mandatory upper- and lower-case letters, special characters and regular forced changes, are no longer recommended: NIST SP 800-63B advises against composition rules and periodic rotation, because they push users towards predictable patterns without making guessing harder.
In isolated cases this is feasible, but in the aggregate it is too much for most people, so very few stick to it. In real life most users either reuse the same password across many different services or choose passwords so simple that they can easily be guessed and offer little resistance to brute-force attacks. In addition, databases of passwords compromised in past breaches are available online, and attackers feed them directly into credential-stuffing and dictionary attacks. Passwords can be guessed, passed on and spied on; above all, their security depends crucially on the user. Adding a second factor helps, although security questions, often offered for this purpose, are just another piece of knowledge and add little; even a proper second factor still does not prove that the authenticated person is the intended individual.
Conclusion: Passwords alone are the future of neither real security nor usability!
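The rules above only help if a service actually enforces them when a password is set or changed. The following is an added example written for this post, not code from the original or from any provider mentioned here. It checks a candidate password for minimum length, reuse across services and presence in a breach corpus, using the k-anonymity range lookup that Have I Been Pwned made common: the client hashes the password with SHA-1 and sends only the first five hex characters, so the lookup service learns neither the password nor its full hash and cannot tell which entry of the returned bucket the client cares about. The breach corpus and its counts, the 12-character minimum and all function names are assumptions constructed for the example; a real deployment would query the live range API over TLS rather than an in-memory dictionary. Character-class and rotation rules are deliberately left out.

```python
"""Password policy and breach-list check (added example, constructed data)."""
import hashlib
from collections import defaultdict

MIN_LENGTH = 12  # assumed policy threshold for this example

# Constructed breach corpus: plaintext -> number of times seen in breaches.
# Real corpora (e.g. Have I Been Pwned) are far larger; these values are
# made up for the example, not real statistics.
_CONSTRUCTED_BREACHES = {
    "password": 1_000_000,
    "123456": 2_000_000,
    "qwerty": 750_000,
    "letmein": 500,
    "Password1!": 120,  # passes the classic composition rules, still breached
}


def sha1_upper_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as 40 upper-case hex chars (range API format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(corpus: dict) -> dict:
    """Index the corpus the way a k-anonymity range API serves it:
    5-char hash prefix -> {35-char hash suffix: count}."""
    ranges = defaultdict(dict)
    for plaintext, count in corpus.items():
        digest = sha1_upper_hex(plaintext)
        ranges[digest[:5]][digest[5:]] = count
    return ranges


RANGES = build_ranges(_CONSTRUCTED_BREACHES)


def range_query(prefix: str) -> list:
    """Stands in for the network call. Only the 5-char prefix is sent; the
    server answers with every 'SUFFIX:COUNT' line in that bucket, so it
    cannot tell which of them (if any) the client is interested in."""
    if len(prefix) != 5:
        raise ValueError("range query takes exactly 5 hex characters")
    return [f"{suffix}:{count}" for suffix, count in RANGES.get(prefix, {}).items()]


def breach_count(password: str) -> int:
    """How often the password appears in the breach corpus (0 = not found).
    Matching the remaining 35 characters happens on the client side."""
    digest = sha1_upper_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(prefix):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def check_password(password: str, used_elsewhere: frozenset = frozenset()) -> list:
    """Return the list of policy violations; an empty list means accepted.

    used_elsewhere: SHA-1 hex digests of passwords the user already uses for
    other services (as a password manager could supply), to enforce uniqueness.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sha1_upper_hex(password) in used_elsewhere:
        problems.append("reused from another service")
    count = breach_count(password)
    if count:
        problems.append(f"appears in breach corpus {count} times")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1!", "letmein", "a long unique passphrase 42"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that "Password1!" satisfies every classic composition rule and is still rejected, while a long passphrase with no special characters passes: length and absence from breach data are what matter, which is exactly why the burden of these checks belongs on the service, not on the user's memory.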
Digital identities – simply more security in the digital world with eIDs
The future of secure authentication lies with digital identities. In simple terms, a digital identity comprises all the information about a person that is available in digital form. Secure authentication makes it possible to build trust in digital identities, and this is what eIDs (electronic identifications) provide: they ensure that a claimed identity truly belongs to the individual presenting it.
Why are eIDs necessary and what benefits do they have?
As already explained in this blog series, ensuring security through identity verification is particularly important in digital processes. Effective digital proof of identity is needed in online business relationships where the counterpart cannot present an ID card in person. eIDs are a digital means by which individuals as well as organisations can confirm their identity, and they represent a strong form of identification. Users can authenticate themselves easily and securely with their eID for many different digital services, with the great benefit that they no longer need to remember a separate username and password for each service.
Poor password security is a typical result when user convenience prevails over proper password management.
As most users are simply overwhelmed by the multitude of different logins and passwords, they look for workarounds that jeopardise security, and a single reused or weak password can quickly have catastrophic consequences for an organisation.
eIDs, on the other hand, authenticate identities in the digital world in a user-friendly way. They operate at a significantly higher level of security than email verification or passwords, because that security does not depend on the discipline of the individual user.
How do eIDs work?
Authentication with an eID requires an electronic identity or token (such as a physical ID card with a chip) that has been issued by a third party (an identity provider) and is verified electronically. During use, the token is unlocked with Face ID, a PIN or a password. When a password is used, only this one password is needed to identify yourself securely via eID for any corresponding digital business or transaction. eIDs are a unique and personal form of digital proof of identity; because they combine possession of the token with knowledge of the PIN or password, they cannot easily be passed on, forged or guessed.
eIDs also support a Zero Trust approach, in which every party is authenticated explicitly rather than trusted by default. In a business transaction, for instance, all parties involved can prove their identity digitally: when messages and data are exchanged, both the sender and the recipient of a transfer can authenticate themselves with their eIDs.
There are various certified and accredited identity providers who issue such digital identities and carry out the electronic identity verification when eIDs are used in practice. In Germany, for example, these are yes® and verimi in the private sector and, in the public sector, the Bundesdruckerei with the German identity card (Personalausweis, nPA). The latter is equipped with an eID function, which is activated by default, and can be used with the "AusweisApp2" app on an NFC-enabled smartphone (or alternatively with a card reader and a computer).
The respective set-up processes vary, but trusted identity providers commonly require users to provide personal information for their eID (e.g. full name, date of birth, home address) and to prove their identity with documents such as an ID card or passport. This is done in person or by sending hardcopy documents, to meet the strict requirements of the eIDAS regulation.
Once the identity provider has verified the user's identity, it issues the eID. With their eID, the user now has a verified digital identity and can authenticate themselves in electronic communication and transactions. eIDs thus make one very secure and simple solution usable for many different services. This creates great added value, particularly in the public sector, for banks and for health care institutions, but also in many other industries. Furthermore, by relying on trusted identity providers and qualified Trust Service Providers, organisations can outsource the set-up and verification of eIDs effectively.
On the rise: The worldwide market revenue for digital identity solution is projected to double within six years.
A uniform standard for eIDs – the eIDAS regulation
In 2014 the European Union adopted the eIDAS regulation (Regulation (EU) No 910/2014 on electronic IDentification, Authentication and trust Services), which has applied since July 2016. It gave eIDs a standardised basis and also regulates the use of electronic ID functions across borders. This created the pre-requisite for EU-wide security and traceability in digital processes, with the goal of giving transactions in the digital space legal certainty comparable to those on paper.
Since September 2018, mutual recognition of notified electronic identities has been binding across the European market, meaning citizens can use their national, eIDAS-compliant eID for public services in other member states as well. This enables EU-wide digital processes and paperless transactions that are legally secure, doing away with the need to exchange documents by post.
The eIDAS regulation led to a multitude of national providers of eIDAS-compliant eIDs, all meeting the same security standard and paving the way for secure digital interactions between public authorities, enterprises, citizens and customers.
Trust Service Providers (TSPs) provide the trust services defined by eIDAS, such as electronic signatures, seals, time stamps and the certificates behind them, which secure the transactions that eIDs authenticate. There are qualified and non-qualified TSPs; the regulation sets out the requirements a provider must fulfil to be considered qualified, secure and trustworthy. These include a conformity assessment by an accredited body and a review by the national supervisory body, which grants qualified status and has the provider entered in the member state's trusted list. Only after this has been completed is a TSP considered qualified. One such qualified TSP is Signicat, the leading provider of digital identity solutions in Europe.
By providing a basis that applies to all EU member states, the eIDAS regulation created the foundation of eIDs' success: interoperability, uniform standards and wide acceptance. The regulation is an effective and powerful driver for the use of eIDs across the European Union.
- How have eIDs been implemented in countries like Sweden where for years digital proof of identity has been firmly established in people's everyday lives?
- Can lessons be learned for other European countries on how to successfully implement eIDs?
You will find the answers to these questions in our next blog post.