In my recent blog, titled
“Paving the way for digital identities and mobile eGov
we discussed some of the trends driving the expansion of online access to
government services, and noted the importance of using secure login
technologies to make online access safer and more convenient. In particular,
we talked about how a digital ID, called a derived credential, can make the
online login process safer, more flexible and more citizen friendly.
In this blog, we take a closer look at what derived credentials mean for an
increasingly important subcategory of online government services –
What is mobile government?
Mobile government, which is sometimes referred to as mGovernment or simply
mGov, is a rapidly expanding segment of online government services. It refers
to the use of smartphones and other mobile devices, running mobile apps or
using mobile web sites, as the access point to government information and
The growing presence of mobile devices in everyday life, has led local, state and national governments to use mGov as an access channel to reach citizens
and as a new way for citizens to reach government. Mobile devices enable
government-to-citizen transactions, such as benefit payments, and can increase
citizen participation by letting people provide input to political
decision-making, including voting via mobile phones. The use of mobile devices
can also improve the internal operation of public agencies, since it makes
information easier to access and keep up to date.
It’s important to remember that mGov isn’t a replacement for
other services, but can be a strong addition to eGov programs that are already
in place. Similarly, the credentials used to access eGov/mGov services are not
substitutes for traditional physical ID documents, such as birth certificates,
driver’s licenses or marriage certificates. Physical documents remain
the foundation of all government services – online or off – and
remain the root credentials in case there are any problems with the network
infrastructure associated with eGov/mGov services.
Challenges for mGov development
As a new subsegment of eGov, mGov faces many of the same challenges associated
with any emerging application. Perhaps most prominent among these are the
issues of cost, scope and trust.
Cost – mGov applications tend to be viewed as one of
many eGov channels that need to be developed, so they often have to compete
for their share of funding. At the same time, mobile government can lead to
more efficient administration process and save cost for governments and time
Scope – the fact that a single derived credential
can be used for access to multiple eGov services (as well as private-sector
services) makes it important to define the scope of the project before
moving ahead. The aim may be to support multiple use cases, but it might not
be feasible to develop everything at once. The architecture and use cases
for the initial rollout, and any follow-on additions, often depends on
several factors, including budget, the in-place infrastructure and the
involvement of various public and private stakeholders.
Trust – any mGov application that supports
transactional public services, especially those that involve tax-payer
funding and other forms of public budgeting, must use the right level of
security and must gain the trust of everyone involved. One question to be
considered is how the derived credential is stored, since there can be
differences in the way specific SIM cards and embedded Secure Elements
(eSEs) manage security, and because the formats supported by mobile network
operators (MNOs) can differ, too. Another consideration is whether the
stored credential will comply with the necessary standards, such as the EU
regulation for electronic IDs, known as eIDAS, which became a legal
requirement throughout the EU as of July 2016. These questions also have
cost implications, since the choice of storage technology and format often
impacts the budget, too.
To build trust within the stakeholder community, a rigorous development
program, focused on the proper configuration of security mechanisms and
supported device makers, can serve as evidence that the mGov program will meet
the necessary requirements. Other government initiatives, including
legislation to govern the proper use of mobile credentials, and communications
campaigns that explain how security is managed by the mGov application, can
help address end-user concerns and build trust, too.
eID – the root for a digital eIDAS
One thing that makes it easier to address the primary challenges of cost,
scope and trust is the use of proven and verified security technologies, such
as electronic IDs (eIDs). The use of standardized, time-tested eID formats
helps lower development costs, makes the deployment easier to scale and
increases stakeholder confidence.
The specific eID approach we recommend is to use a credential that is based
on, or derived from, a primary credential. A primary credential is a form of
identification issued on the basis of presenting a physical breeder document,
such as a birth certificate. A national ID card, for example, is considered a
primary credential, since it’s issued only after the citizen has passed
a well-established process of identity proofing.
Using a primary credential as the source of the derived ID, the “root
ID” is then held in a secure document. Additional IDs, derived from the
root ID, can be generated for various end-user devices and can be stored
either locally, in the device itself or remotely, in the cloud. Support for a
broad range of devices helps maximize mobility for the most people, and adds
convenience with inherent compatibility across devices.
Choosing the right level of assurance
In the world of identity and access management, the level of assurance refers
to the degree of confidence that a credential is neither fraudulent nor
stolen, and that the person using the credential is the person to whom the
credential was issued. When granting access to any government service, the
level of assurance needs to meet the requirements of a given use case. A
low-risk transaction, for example, is likely to require a lower level of
assurance than a high-risk one. The security mechanisms supported by an
authentication platform typically dictate the level of assurance, and provide
a starting point for balancing the tradeoffs involved with risk, complexity and cost.
Extending smartcard-based services
Using digital credentials derived from smart card eIDs creates a smooth
transition to mobile formats. The mobile credentials are compatible with
existing contactless smart card infrastructures (including those that use
MIFARE or NFC), and can be authenticated using in-place methods. The mobile
device can quickly become an extension of in-place smart card eID programs that
already support things like user authentication, signing and decrypting email,
physical building access or in-store and Internet payments.
The NXP perspective
At NXP, we’re using our experience with eGov solutions to help drive
development in mGov. We’re working on a new service platform that will
provide the necessary infrastructure for digital authentication, including
support for derived credentials. We believe that, by using eID hardware as a
starting point, it will be easier to design and deploy secure authentication
services for mobile applications, and it will be easier to migrate
multi-application eID operation into the mobile space.
Next up: application opportunities
Once the secure, verified framework for derived credentials has been put in
place, government agencies can move quickly to reap the benefits of mGov
services. As one might imagine, given the flexibility and security made
possible by derived credentials, the number of applications is expanding
rapidly. We will address these new opportunities in our next blog.
Go a level deeper
To learn more about our work in this area, visit the eGov section of our
website or contact your local sales office.
NXP blog: Paving the way for digital identities and mobile eGov access
NXP Whitepaper: Maximizing ROI with national eIDs
NXP’s page for smart governance