From blockchain to European log-ins
Esther Makaay is SIDN's digital identity specialist; Robert Garskamp is the founder of IDnext. Below, the two experts talk about developments in the field of on-line identities. "On-line identification is increasingly like showing your passport."
Created about seven years ago, IDnext exists to support innovation in the field of on-line identities. "I'd been working with on-line identities for some time," recalls founder Robert Garskamp. "I could see that solutions were often determined by the technology. And that many companies didn't look further than their own solution. Hardly any consideration was given to the social or organisational context. So it seemed to me that a platform was needed, for experts and professionals from the public and private sectors to exchange knowledge and experience. IDnext was conceived as a response to that need." The foundation organises meetings, masterclasses and workshops, and publishes reports.
SIDN and Connectis
At the start of this year, we acquired a majority stake in Connectis, one of the biggest suppliers of secure log-in solutions and reusable digital identities. More than twelve million Dutch people use the Connectis infrastructure to log in to upwards of 250 service providers. The Connectis-SIDN link-up represents a big boost for the digital identities market.
Collaboration with SIDN
IDnext is a small organisation, supported by an advisory board made up of experts and professionals. Like many others involved with IDnext, board members are unpaid volunteers. The organisation also benefits from the support of outside partners, including SIDN. As well as providing financial assistance, we often co-organise activities with IDnext, and Esther Makaay sits on the advisory board. "The board is a diverse group of professionals who meet about six times a year," says Esther. "We exchange knowledge and discuss the latest developments. It acts like a forum for sounding out ideas." Since our acquisition of log-in specialists Connectis, synergy between SIDN and IDnext has increased further.
On-line identities are becoming more important all the time. Because, as Robert points out, the world is digitising fast. "Look at the way we interact with government departments and banks nowadays. On-line identification is increasingly like showing your passport. What's more, sound digital identity policies enhance the security of the internet, because good identification and authentication make it harder to perpetrate abuse."
Several new laws with implications for on-line identities come into effect in 2018: PSD2, GDPR and eIDAS. "PSD2 is a new European law, which will allow companies other than banks to offer payment services," explains Robert. "So in the future you might be able to pay via WhatsApp or Facebook, for example. To make that possible, the new players need to have access to bank accounts." Esther takes up the story: "The change will have huge implications for banks, who have invested heavily in security. How does a bank know whether another service provider's ID solution is reliable? How can they be sure that the right account is accessed?"
Next year will also see the EU's new General Data Protection Regulation (GDPR) implemented in Dutch law. "The GDPR gives everyone the right to ask a company what data that company has got about them," says Esther. "As well as saying what info they hold, the company has to be able to explain what it's being kept for. If asked to do so, the company must be able to destroy the data too. That obviously has major implications for the identification solutions that are used. Because lots of organisations are saving more data than they can justify."
The third big driver of change in 2018 will be eIDAS, which the EU has brought in to help build a single European market in electronic services. "The practical impact of eIDAS is that, all across Europe, it's got to be possible to log in using your own country's digital ID solution," Esther explains. So a Dutch person has to be able to log in with a local council in Austria using DigiD. And an Austrian ID has to work in Amsterdam." According to Robert, eIDAS represents a great opportunity for Connectis. "Connectis has already provided the technology that enables about eighty Dutch municipal authorities to handle almost all European log-ins. The company aims to be a major European player in this sector."
eIDAS will also increase the impetus behind the further development of DigiD. "Security experts still have some reservations about the Dutch identification solution," acknowledges Esther. "The reliability level is currently rated 'low'. Because no member state is allowed to apply stricter requirements to foreign log-in systems than to their own systems, we could soon be obliged to accept a low-reliability solution from, say, Romania." Robert adds: "The government has therefore been looking at the Idensys platform for a while now. Idensys is a public-private initiative aimed at providing more security (e.g. on the basis of two-factor authentication) and more user-convenience. Under the outgoing administration, Idensys was unfortunately neglected, but I'm hoping the new government will revive it."
"Blockchain applications are used to record transactions," Robert begins. "That's how it works with Bitcoin, for example. The technology could be used to record personal data as well. But how can you be sure that the data is correct? And what about the privacy implications?" According to Esther, expert opinion differs. "Some people in the field see blockchain as the best way to prevent identity fraud," she says. "Others believe it should never be used for recording personal data, because a blockchain register is necessarily public. So, even though the register data is encrypted, the risk is unacceptable." Another important consideration is that working ID applications based on blockchain remain some years off. IDnext recently organised an event devoted to this topic, from which it was apparent that there is plenty of interest in the Netherlands.
Robotics and the Internet of Things
"The Internet of Things is getting bigger all the time," says Robert. "You come across robots all over the place now. But what's the best way to control them? How does a robot know whose instructions to follow? How does it distinguish between a private account and a business account?" Esther provides an illustration: "Suppose you've got a phone provided by your employer. Do you let your kids use it to play games? And what if they want to tweet their high scores? How can your phone tell the difference between that kind of private use and your business use? Do you have a log-in system? Or some other solution?"
"A digital identity is made up of various attributes: name, age, city, and so on," explains Robert. "At the moment, you often need to provide all those details when you register on a new system. Even though some of the information isn't really needed. Take a site selling alcohol. That site needs confirmation that you're over eighteen, but it doesn't need to know anything else about you. With pressure from consumer organisations and privacy lobby groups growing, we're seeing more and more applications that rely on a limited set of attributes for identification." The demand for validation is increasing all the time, Esther confirms: "Does this person really work for the company they say they work for? Is their e-mail address really one of that company's addresses? And who can confirm that?"
Robert sees flexibility as vital. "Most consumers easily have twenty accounts, each with its own user name and password. It's easy to lose track. In response to the desire for convenience, lots of sites now offer several log-in options. You can log in with Facebook, for example, or with iDIN, the Dutch banks' on-line ID system. Companies like Connectis make it possible for organisations to give visitors the option of logging in using another organisation's ID system." Esther provides another illustration: "You can think of Connectis as providing a company with a sort of universal power socket, which accepts plugs of all shapes and sizes, so that clients from all over can use it. That has the added advantage that the companies don't need to retain ID information about their clients, so the risk of fraud and privacy issues is considerably reduced."
"Mobile first is the rule these days," Esther emphasises. "If it doesn't work on a mobile phone, it'll never take off. That goes for identity solutions, just like everything else." Robert points to the rise of applications that utilise smartphone capabilities. "Two-factor authentication and identification on the basis of facial or fingerprint recognition are increasingly common."
A long way to go
On-line identity is hot. It's a highly dynamic field. Nevertheless, Esther counsels caution. "At the end of the day, no one uses a log-in system for fun. It's just a way of getting into the application you want to use. In due course, identification and authentication solutions have to stop being products and become commodities, something that we take for granted. But there's a long way to go before we arrive at that situation."