Last updated 3 June 2020
The past ten years have brought a sea-change in what citizens and governments expect national ID cards to deliver and identity to be.
This period has also been filled with incremental tech developments that are serving as a foundation for a smarter citizen ID future.
Five topics have moved to the main stage in the past few years:
- Electronic national ID cards,
- Mobile IDs,
- Virtual documents such as "mobile" driver's license
- The need to set up a national identity framework
Biometric IDs are here.
Fast forward to 2020 and digital identity technologies such as smart cards and biometrics have come of age, with an estimated 120 countries now deploying electronic passports incorporating these highly secure features and over 70 countries implementing eID cards.
National ID cards have undergone a considerable transformation; simple paper documents designed for single identification applications have given way to smarter documents in the form of a credit card.
These citizen ID cards or eIDs include a microprocessor for more robust document verification but also online authentication and signature.
As they contain the portrait of the cardholder and very often fingerprints, they can be used for biometric identification and biometric authentication when needed.
And guess what?
Passed on 20 June 2019, the 2019/1157 EU regulation is giving two years to its Member States to implement security features of ID cards aligned with those of passports.
The Member States and Iceland, Norway, and Liechtenstein will need to start to issue these new cards with a secure contactless chip, and the holder's photo and two fingerprints in the 2021-2022 timeframe as the directive comes into force 12 months after publication and States have two years to comply.
And there's more.
This new generation of computerized national identity card offers one of the best identity theft protection.
These eID cards also enable governments to implement online applications such as eGovernment solutions giving citizens access to public services with the reassurance of robust security.
The development of these government-issued IDs means a single card can offer a host of applications – from acting as a driver's license, enabling the user to file their taxes or giving him/her access to state benefits.
More from Thales on secure document implementations around the world.
3,6 billion citizens to carry a national eID card by 2021
But while some nations have been reticent in adopting eIDs, other countries have been far more bullish.
We've seen implementations in Asia with China, Malaysia, Pakistan, and Indonesia, to name a few, or across Africa with countries like the Republic of South Africa, Nigeria, and more recently with Algeria and Cameroun.
Added to that are deployments across large parts of Europe, in the Gulf, and parts of Latin America. All provide inspiring examples of the potential of eIDs to affect millions of ordinary lives throughout developed and emerging economies.
In early 2017, 82% of all countries issuing National ID cards have implemented eID programs. Annual issuance will peak in 2019 at 679 million state-issued IDs with a chip.
According to research company Acuity Market Intelligence, the number of electronic National ID cards in circulation will reach 3.6 billion citizens by 2021.
This rapidly evolving dominance of electronic IDs reflects the global drive towards eGovernment and eCommerce services enabled by electronic identities.
This move, according to Acuity, will provide substantial opportunities as national, regional, and global transaction infrastructures secured by a trusted digital identity scheme emerge over the next five years.
National identity and economic empowerment
In the business world, they play a crucial role in enabling financial services firms and telecoms companies to fulfil Know Your Customer (KYC) requirements and carry out Know Your Employee checks. They allow government departments to interact with their citizens more effectively around the clock.
In the border control environment, combined with facial recognition and biometric authentication systems, they boost security and improve passenger throughput, giving authorities the confidence that the person standing in front of them is who he or she claims to be.
And the best part?
Emerging economies see the value of digital ID credentials in general because they promote economic empowerment, drive democracy, and aid economic development, as highlighted by the World Bank Group initiative named ID4D.
They show the rest of the world that they are modern, secure, and trustworthy states, able to implement new technologies and standards – and very much open for business. Furthermore, secure ID technology that can be used cross-border is essential as it promotes regional integration and stability and makes economic development more likely.
Yes, you're right.
There are similarities with the European Regulation put in place in September 2018.
This interoperability is what the European eIDAS Regulation on digital identification and trust services for digital transactions is trying to achieve. A framework of digital trust will allow European citizens of 31 countries to free themselves from uncoordinated and separate infrastructures.
One of the most innovative aspects of the Regulation is the possibility of accessing many services throughout Europe using the same national digital identity, whether public or private, provided that it has been officially validated by the authorities of the country where it is currently in use.
Mobile ID – digital identity at work
Over recent years, mobile identity (mID) has proved an increasingly popular choice with citizens, thanks to its convenience, ergonomics, and high level of security. The rapid adoption of m-Government services in countries that have chosen to focus on mobile communication devices has demonstrated the appeal of this secure and trusted method of identification.
Some visionary countries have leapt mobile ID or mID, through the creation of a mechanism using an eID component for accessing online services via mobile devices.
Pioneers include countries where market penetration of cell phones and new technology is strong such as Austria, Estonia, Finland, Norway, and Turkey. Mobile ID projects are sometimes driven by the need for a universal form of identification (Austria 2003), or, in the case of Estonia in 2007, to supplement a national card program and accelerate the development of electronic identity and digital signature.
In 2014, Oman was the first country in the Middle East to complement its national electronic ID card with a mobile ID scheme. As a highly trusted channel between citizens and service providers, mobile ID continues to extend its use from egovernment into other online areas such as banking and payment.
More on mobile IDs and the role of public authorities with the Thales white papers.
"1984" did not happen.
Contrary to the vision of novelist George Orwell in "1984", national eID schemes have shown that managing citizen IDs can protect civil liberties, identity and social interactions in a state of law.
Electronic records on individual citizens are available upon request of their owner in many European countries with a national eID scheme.
As former President of Estonia Toomas Hendrik Ilves puts it: "You own your own data, so you have the right to access it any time."
When introducing its national eID in Belgium, the government offered citizens an application enabling them to know who has accessed their data. And of course, the key to accessing this online app is the national eID card. Each citizen can consult their personal file in the national data register to see a record of when government officials have accessed their data and for what reason.
It's an excellent example of how transparency and traceability in every transaction between governments and their citizens can help protect privacy and strengthen trust.
Read more on transparency and traceability in the following Thales white paper on eGov 2.0.
We’re seeing the emergence of a global consensus on privacy protection, explicitly incorporating biometric data, as illustrated in particular by the regulations known as the General Data Protection Regulation that has been put in place in Europe and the UK in May 2018.
The California Consumer Privacy Act (CCPA) implemented as of 1 January 2020, is also a significant step forward for privacy rights and consumer protection. It may serve as a guide for several US states such as Massachusetts, Utah, North Dakota, and Washington.
New York now stands beside California. New York's Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) is effective 21 March 2020.
Federal legislative hearings are also taking place in 2020 on that very topic.
On the road to the virtual driver's license
So when will we have a digital driver's license on our mobile phone?
Well, sooner than you may think. Here is why.
Today you can already do a lot with a smartphone. And the trend for on-phone payment, loyalty, or travel applications may yet bring the driver's license to your mobile. While a driver's license primarily confirms the identity and driving rights, a virtual driver's license, also called a mobile driver's license or digital driver's license potentially brings many more benefits and opportunities for issuers, regulatory authorities, and particularly drivers.
The traditional driver's license is an essential proof of ID (identity and age) checked by enforcement agencies, retailers, and financial institutions alike. A mobile driver's license would provide an on-screen version of the traditional photo and driver information and more.
As a highly secure mobile application, it has more robust counterfeiting characteristics, enables driver data to be updated instantly, and facilitates real-time communication opening the way to new business models using a trusted and secure channel.
Though the mobile driver's license still has some distance to travel before becoming a complement or replacement to the plastic license we are used to, there's an interest in other countries like Australia, Brasil, and the UK also looking into this option.
To learn more about digital driver's license initiatives, visit our dedicated web dossier.
Several US states have launched pilots to explore the user convenience, privacy, and security and interoperability of mobile driver licenses.
In July-August 2017, Colorado and Maryland initiated digital driver's license live pilots. Feedback collected like this one is highly motivating.
Discover more about the first users' feedback.
From eID to national identity schemes
Digital identity management is at the heart of the Internet economy as a critical enabler for trust and innovation. Many countries are now putting in place the framework of their national identity scheme.
This architecture helps define the roles of the state, for example, as regulator or issuer of digital identities (or neither), responsibilities in organizing data, applications, and infrastructure, and the underlying principles and operating methods of the digital identity ecosystem such as a federated identity management infrastructure.
This can cover everything from how digital identities are used to authenticate users or verify data linked to the services and detail the identity types and levels of trust within the scheme.
Currently, different approaches are being pursued:
- from a state-led role in issuing digital identities and structuring services, as seen in Estonia or the United Arab Emirates,
- to the more decentralized system with the German ID card project,
- or an identity ecosystem developed through a partnership between public and private sectors, as is the case in Sweden.
Certain nations largely delegate the provision of identity solutions to the market, and therefore the private sector: this is the case in the United Kingdom who said no to a UK ID card as such in 2010 by yes to a national identification scheme known as UK Verify launched in 2016.
UK ID card scheme scrapped
The UK has so far remained opposed to the very concept of compulsory identification credentials for citizens.
Back in 2006, an attempt known as the Identity Cards Act 2006 by the then Labour government to introduce just such a scheme soon floundered in the face of wide-ranging criticism and protest. When a new Conservative-led coalition took over power in 2010, scrapping the plan was high on its list of priorities.
Back in 2006, the government encountered criticism because it included privacy, human rights, and security concerns.
But the failure of the 2006 project also needs to be seen in the context of a government that had been in power for several years. Popularity was waning, and it was vulnerable to well-organized opposition from other parties and hostile media.
Let's be clear.
Much of the protest was focused on the idea of a National Identity Register (holding up to 50 different pieces of information on each citizen), rather than the card itself. Some public resentment was also down to the simple fact that people faced paying up to £60 for the privilege of acquiring one.
Some of the fundamentals around which UK Verify has been built go a long way to addressing these issues.
UK Verify is born into a different world.
In the space of ten years, the environment has changed dramatically. In 2006, the government cited the need to combat illegal immigration, terrorism, and welfare and identity fraud as compelling reasons to introduce an ID scheme.
A decade later, all these issues have moved higher up the public agenda.
For example, even back in 2014, 41% of all fraud was identity fraud.
And 84% of all identity fraud was committed online.
As a result, there is far greater acceptance of the need for tighter security in general and identity protection in particular.
The frequency with which citizens must resort to a driver's license or passport to prove their identity is also increasing, perhaps reinforcing the case for something designed specifically for that purpose.
Just as significantly, with the rapid adoption of a host of mobile and online services, secure authentication of one form or another has become part and parcel of everyday life.
The result is Verify: a single legally recognized means of online authentication that is designed to unlock the door to a new era of eGovernment in the UK.
Dodging the "Big Brother" label – Verify's federated ecosystem
To avoid accusations of a 'Big Brother' approach, the GDS has created a federated ecosystem in which the government regulates the online ID scheme, but adequately powered by a range of private sector certifying companies.
At present these include:
- the Post Office and Royal Mail,
- credit check specialist Experian,
- security enterprises Digidentity, Secureidentity (by Morpho), and CitizenSafe.
End users enrolling with the Verify scheme choose one of these companies to certify their identity, and are asked to provide documentation to confirm who they are. Typically this might include a passport or driving license and bank details. The certifying company then makes the necessary checks, and, if successful, a Verify account is created.
This account can then be used as a sole means of access to all digital government services – anywhere; the Gov.UK Verify logo is shown. The whole process is entirely free-of-charge for end users.
According to former PM Theresa May, in April 2019, the system has saved UK taxpayers more than £300m, but she admitted UK Verify is a challenging project.
The case of the US national ID
The case of the US citizen ID is somewhat similar. There is no national ID card in the USA stricto sensu.
- Today, the Social Security Card can be used to verify identity on certain occasions: employment, to obtain a passport, a driver's license, or at the bank to get credit.
- The driver's license in the United States is also a de facto ID document and can be used in many states to buy firearms, open a bank account, or travel on domestic flights.
- Citizens not having a driver's license can get a State ID, issued at the state level and used for identification purposes such as banking, etc.
- Of course, the US government passport and passport card are official IDs, as is the military CAC card.
Real ID Act
A federal initiative known as the REAL ID Act, passed by Congress in 2005, established minimum security standards for state-issued driver's licenses and identification cards and prohibits Federal agencies from accepting for official purposes licenses and identification cards from states that do not meet these standards.
Identification needed for air travel in 2021
Yes, you read that right. It's been delayed one more year.
The US Department of Homeland Security (DHS) had initially been requested that starting 22 January 2018, passengers with a driver's license issued by a state still not compliant with the REAL ID Act would need to show an alternative form of identification (such as a passport) for domestic air travel.
Nine states had non-valid DL at that time, and (Kentucky, Maine, Minnesota, Missouri, Montana, Oklahoma, Pennsylvania, South Carolina, and Washington) have been granted an extension.
The real ID deadline has been, however, delayed several times.
The real ID deadline is now set to late 2021 because of the pandemic.
Real ID will be the required form of state identification needed to board a plane or enter a federal facility according to CNBC.
NSTIC federal initiative
The (US) National Strategy for Trusted Identities in Cyberspace has explored a more global system of interoperable identity service providers (public and private), giving individuals the choice of secure credential/s using a variety of options from mobile phones to smart cards and computers.
The NIST Digital Identity Guidelines are formerly known as NIST SP 800-63-3. NIST published the official edition in June 2017. In particular, these recommendations are being leveraged to improved federal identity, credential, and access management.