Mobile ID – digital identity at work
Over recent years, mobile identity (mID) has proved an increasingly popular choice with citizens, thanks to its convenience, ergonomics, and high level of security.
The rapid adoption of m-Government services in countries that have chosen to focus on mobile communication devices has demonstrated the appeal of this secure and trusted identification method.
Some visionary countries have made the leap to mobile ID (mID) by creating a mechanism that uses an eID component for accessing online services via mobile devices.
Pioneers include countries with a strong market penetration of cell phones and new technology, such as Austria, Estonia, Finland, Norway, and Turkey.
Mobile ID projects are sometimes driven by the need for a universal form of identification (Austria, 2003) or, as in Estonia in 2007, by the aim of supplementing a national card program and accelerating electronic identity and digital signature development.
In 2014, Oman was the first country in the Middle East to complement its national electronic ID card with a mobile ID scheme.
As a highly trusted channel between citizens and service providers, mobile ID extends its use from eGovernment into other online areas such as banking and payment.
"1984" did not happen.
Contrary to the vision of novelist George Orwell in "1984", national eID schemes have shown that managing citizen IDs can protect civil liberties, identity, and social interactions in a state of law.
Electronic records on individual citizens are available upon their owner's request in many European countries with a national eID scheme.
As former President of Estonia Toomas Hendrik Ilves puts it: "You own your data, so you have the right to access it any time."
When Belgium introduced its national eID, the government offered citizens an application that shows who has accessed their data.
And, of course, the key to accessing this online app is the national eID card. Each citizen can consult their file in the national data register to see a record of when government officials have accessed their data and for what reason.
It's an excellent example of how transparency and traceability in every transaction between governments and citizens can help protect privacy and strengthen trust.
Read more on transparency and traceability in the following Thales white paper on eGov 2.0.
We’re seeing the emergence of a global consensus on privacy protection, explicitly incorporating biometric data, as illustrated in particular by the General Data Protection Regulation (GDPR) put in place in Europe and the UK in May 2018.
The California Consumer Privacy Act (CCPA), implemented as of 1 January 2020, is also a significant step toward privacy rights and consumer protection. It may serve as a guide for several other US states. It has been further enhanced by the California Privacy Rights Act (CPRA), which will take effect on 1 January 2023.
New York State, Colorado, and Virginia now stand beside California. Utah may follow soon.
However, the United States does not have a single framework covering the privacy of all data types.
On the road to the virtual driver's license
So when will we have a digital driver's license on our mobile phones?
Well, sooner than you may think. Here is why.
Today you can already do a lot with a smartphone. And the trend for on-phone payment, loyalty, or travel applications may bring the driver's license to your mobile.
While a driver's license primarily confirms identity and driving rights, a virtual driver's license, also called a mobile driver's license or digital driver's license, potentially brings many more benefits and opportunities for issuers, regulatory authorities, and drivers.
The traditional driver's license is an essential proof of ID (identity and age) checked by enforcement agencies, retailers, and financial institutions. A mobile driver's license would provide an on-screen version of the traditional photo, driver information, and more.
A highly secure mobile application has more robust anti-counterfeiting characteristics, enables driver data to be updated instantly, and facilitates real-time communication, opening the way to new business models using a trusted and secure channel.
Though the mobile driver's license still has some distance to travel before becoming a complement or replacement to the plastic license we are used to, there is interest elsewhere, with countries like Australia, Brazil, and the UK also looking into this option.
To learn more about digital driver's license initiatives, visit our dedicated web dossier.
Several US states have launched pilots to explore the user convenience, privacy, security, and interoperability of mobile driver licenses.
In July-August 2017, Colorado and Maryland initiated digital driver's license live pilots. Feedback such as the following is highly motivating.
"I have people all the time trying to show me a picture of their license on their mobile phone when they don’t have their physical one, which is illegal. This solution hits on that need for mobility but is an actual ID with underlying security and information to guarantee it is genuine. That’s key." (Special Investigations Officer, Colorado Gaming Commission, July 2017)
Florida plans to issue its mobile driver's license soon (October 2020).
From eID to national identity schemes
Digital identity management is at the heart of the Internet economy as a critical enabler for trust and innovation. Many countries are now putting in place the framework of their national identity scheme.
This architecture helps define the state's role (regulator, issuer of digital identities, or neither), its responsibilities in organizing data, applications, and infrastructure, and the underlying principles and operating methods of the digital identity ecosystem as a federated identity management infrastructure.
It can cover everything from how digital identities are used to authenticate users or verify data linked to the services, to the identity types and trust levels the scheme defines.
Currently, different approaches are being pursued:
- from a state-led role in issuing digital identities and structuring services, as seen in Estonia or the United Arab Emirates,
- to the more decentralized system with the German ID card project,
- to an identity ecosystem developed through a partnership between the public and private sectors, as in Sweden.
Certain nations largely delegate the provision of identity solutions to the market and, therefore, the private sector: this is the case in the United Kingdom, which said no to a UK ID card in 2010 but yes to a national identification scheme known as UK Verify, launched in 2016.
UK ID card scheme scrapped
The UK has so far remained opposed to the concept of compulsory identification credentials for citizens.
Although the UK does not have a national identity system, the Kingdom is home to a large amount of activity in digital ID development.
In 2006, the then Labour government attempted to introduce a national ID card scheme through the Identity Cards Act 2006. It soon floundered in the face of wide-ranging criticism and protest.
When a new Conservative-led coalition took over power in 2010, scrapping the plan was high on its list of priorities.
In 2006, the government encountered criticism over privacy, human rights, and security concerns.
But the failure of the 2006 project also needs to be seen in the context of a government that had been in power for several years.
Popularity was waning, and it was vulnerable to well-organized opposition from other parties and hostile media.
Let's be clear.
Much of the protest was focused on the idea of a National Identity Register (holding up to 50 different pieces of information on each citizen) rather than the card itself.
Some public resentment was also down to the simple fact that people faced paying up to £60 to acquire one.
Some of the fundamentals around which UK Verify has been built go a long way to addressing these issues.
UK Verify is born into a different world.
In the space of ten years, the environment has changed dramatically. In 2006, the government cited the need to combat illegal immigration, terrorism, and welfare and identity fraud as compelling reasons to introduce an ID scheme.
A decade later, all these issues have moved higher up the public agenda.
For example, in 2014, 41% of all fraud was identity fraud.
And 84% of all identity fraud was committed online.
In 2019, identity fraud cases in the UK reached 223,163.
As a result, there is far greater acceptance of the need for tighter security in general and identity protection in particular.
The frequency with which citizens resort to a driving license or passport to prove their identity is increasing, perhaps reinforcing the case for something designed specifically for that purpose.
Just as significantly, with the rapid adoption of a host of mobile and online services, secure authentication of one form or another has become part and parcel of everyday life.
The result is Verify: a single legally recognized means of online authentication that is designed to unlock the door to a new era of eGovernment in the UK.
Dodging the "Big Brother" label – Verify's federated ecosystem (2013-2023)
The Government Digital Service (GDS) has created a federated ecosystem to avoid accusations of a 'Big Brother' approach.
The government regulates the online ID scheme, but it is powered by a range of private sector certifying companies.
End users enrolling with the Verify scheme choose one of these companies to certify their identity and are asked to provide documentation to confirm who they are. Typically this might include a passport or driving license and bank details.
The certifying company then makes the necessary checks, and if successful, a Verify account is created.
This account can then be used as the sole means of access to all digital government services, anywhere the Gov.UK Verify logo is shown. The whole process is entirely free of charge for end-users.
In April 2019, former PM Theresa May said the system had saved UK taxpayers more than £300m, but she admitted UK Verify is a challenging project.
In April 2020, the Treasury gave Gov.UK Verify an additional 18 months of funding.
Universal Credit (financial support) applications brought a surge of hundreds of thousands of new users.
According to Computer Weekly, as of October 2020, 6.7m digital identities had been created by Verify.
The UK "One Login for Government" scheme
In 2022-2023, the government will start implementing a new digital identity assurance system for all Gov.UK services. The so-called "One Login for Government" program will allow users to create a government account to access services online or through a mobile app that is being developed with Deloitte.
This new initiative represents a shift in the government’s approach.
In essence, the UK Government’s 'Transforming for a digital future' policy paper, released in 2022, lays out an ambitious plan to revolutionize digital public services, upgrade digital technology, attract digital talent, and improve public services.
The plan outlines six missions, including:
- transformed public services,
- one login for government,
- better data for decision-making,
- efficient and secure technology,
- digital skills at scale,
- and a system that unlocks digital transformation.
However, one year on, significant challenges persist, including slow and expensive services, multiple competing digital identity solutions, legacy IT issues, poor data quality, and limited data sharing.
Despite some progress, such as the growth of the Digital, Data, and Technology (DDaT) profession by 12% and the creation of the Digital Functional Standard, there is still a large talent shortage and skills gap to be addressed to meet the government's 2025 objectives.
The case of the US national ID
The case of the US citizen ID is somewhat similar. There is no national ID card in the USA stricto sensu.
- Today, the Social Security Card can be used to verify identity on certain occasions: employment, obtaining a passport, a driver's license, or at the bank to get credit.
- The driver's license in the United States is also a de facto ID document and can be used in many states to buy firearms, open a bank account, or travel on domestic flights.
- Citizens not having a driver's license can get a State ID issued at the state level and used for identification purposes such as banking, etc.
- Of course, the US government passport and passport card are official IDs, as is the military CAC card.
Real ID Act (May 2023 update)
A federal initiative known as the REAL ID Act, passed by Congress in 2005 and modernized recently, established minimum security standards for state-issued driver's licenses and identification cards. It prohibits federal agencies from accepting, for official purposes, licenses and identification cards from states that do not meet these standards.
Identification needed for air travel in 2025
Yes, you read that right. It's been delayed again.
The US Department of Homeland Security (DHS) had initially required that, starting 22 January 2018, passengers with a driver's license issued by a state still not compliant with the REAL ID Act would need to show an alternative form of identification (such as a passport) for domestic air travel.
The REAL ID deadline has, however, been delayed several times.
The REAL ID deadline is now set for 7 May 2025 because of the pandemic.
On 28 December 2020, Congress passed the REAL ID Modernization Act. It modernizes the 2005 REAL ID requirements.
According to CNBC, Real ID will be the required form of state identification needed to board a plane or enter a federal facility.
The USA and the NSTIC federal initiative
The (US) National Strategy for Trusted Identities in Cyberspace had explored a more global system of interoperable identity service providers (public and private), giving individuals a choice of secure credentials using various options, from mobile phones to smart cards and computers.
The NIST Digital Identity Guidelines are formally known as NIST SP 800-63-3. NIST published the official edition in June 2017. In particular, these recommendations could help improve national identity, credentials, and access management.
The bad news?
The initiative launched by the Obama administration never gained momentum as no service providers adopted the framework.
The country clearly lacks a comprehensive digital ID strategy, as CSO Online stated (17 September 2020).
According to US Congressman Bill Foster's website, the Digital Identity Act of 2021 was urgently needed.
He explains that the country's old identity systems have not transitioned well to the new digital ecosystems – generating friction in commerce, boosting fraud and theft, degrading privacy, and crippling many services online.
Although the bill was near to passing in the previous Congress and has undergone several iterations since its initial introduction in 2020, it was ultimately held up due to objections from a single member.
For 2023, he plans to reintroduce a digital identity verification bill in Congress to enable federal agencies to provide opt-in identity validation services and form a task force to offer recommendations on digital identity.
The case of the Swiss National Identity scheme: no to a private operator
On 7 March 2021, voters in Switzerland said «no» to a planned law governing a potential electronic identity system.
64.4% of voters rejected the project of a digital identity verification system licensed and supervised by the State but managed by private companies.
According to SWI (swissinfo.ch), voters clearly wanted an eID only provided by the government and under democratic supervision.
In their view, the state should take full responsibility; the eID itself is not contested.
A solution will be found with a new proposal.
Australia and New Zealand initiatives
- New Zealand's Digital Identity Trust Framework legislation will be drafted this year. It was introduced to parliament on 29 September 2021. Identity providers will then be accredited.
- Australia decided to delay launching an enhanced version of myGovID, including facial verification capabilities, in 2020. The scheme is now available. As of October 2021, 4 million digital identities have been created, of which 82,000 use facial recognition. myGovID and myGov (online government services) are now linked up.