As part of a continuing blog series on mobile government (mGov), we’ve discussed the expansion of online access to government services, and how derived credentials, a form of digital ID, can make it safer to use mGov services.
In this blog, we look at the emerging discipline of credential management, which ensures a properly derived and stored credential, and the types of applications that can benefit from using derived credentials. We begin by looking at the best way to derive a digital credential.
Smartcard eIDs provide the foundation
The smoothest transition to mobile access begins with the proven, verified electronic IDs (eIDs) associated with smartcards. This is because smartcard eIDs are governed by national or internationally recognized standards and have proven themselves, in years of use in billions of authentications, to be a trusted way to identify a person. The digital credentials derived from smartcard eIDs reflect this high level of trust and provide a sound basis for mobile access.
The embedded secure elements (eSEs) used to support derived credentials are another important part of the security picture, since they’re compatible with existing contactless smartcard infrastructures (including those that use MIFARE or NFC), and can be authenticated using in-place methods. Built-in compatibility with the existing infrastructure also helps simplify the deployment and lowers the cost of ownership.
Having established an infrastructure for trusted ID services that are based on derived credentials, governments can get closer to the ideal of creating a single-entry point for multiple services, since the new infrastructure makes it possible to issue one ID that fits every application. Using a single ID to access multiple services, in what’s referred to as “federated” ID management, is something private organizations are pursuing, too, since the approach enables secure use of private digital information while extending the service offering.
One ID, many uses
As an example of using one digital credential to simplify access to multiple services, consider a smartcard-based eID program that already includes two applets, one for a national ID and one for a health card. Adding a third applet, for a driver’s license, makes the smartcard design more complex and means more stakeholders must align and agree on a suitable card profile.
With an infrastructure for properly derived credentials and a flexible authentication platform, however, these design constraints are essentially removed. A single ID can be securely linked to multiple applications, for use with any number of public and private services. The initial card launch can be quick, with new use cases added over time. The total cost of ownership goes down, while the number of options available to citizens goes up.
The derived credential can be used in much the same way traditional IDs are used, but in a mobile context. In the case of the driver’s license, for example, the derived mobile driving license might be used to reserve a rental car, to verify the driver’s authorization to operate the vehicle. The derived credential from a national ID can serve as verification of residency when applying to open a bank account, initiate utility service to a new apartment, or join the local library. In similar fashion, the derived credential from a healthcard might be used to verify medical information, such as a prescription for medication or corrective lenses, when using an online pharmacy or ordering a pair of eyeglasses. Derived credentials offer a unique combination of flexibility and security, making it possible to transition just about any service, public or private, to the mobile environment.
In many of today’s online applications, developers are forced to make a tradeoff between security and convenience. As the level of protection increases, ease of use tends to go down, since the authentication process becomes more complex. Using derived credentials in mobile devices promises to eliminate this trade-off between security and convenience, since the mobile format enables next-generation ID methods that are both secure yet easy to use because they are context aware. That is, the authentication method used by the back-end system takes into account factors like who the user is, what they are requesting, how the user is connected, the time of day, and where the user is located. With context awareness, the authentication process might use one set of requirements when the access request comes from a network inside a government office, but a different set when it comes from a public Wi-Fi.
Operating in response to current conditions, these context-aware methods promise to optimize security, convenience, and cost. The identification method can vary depending on the device and its specific features. For example, if the device is equipped with a biometric sensor that reads fingerprints or recognizes a face or voice, then the authentication method can use the biometric. If the device doesn’t have a biometric, then a PIN number, a Transaction Authentication Number (TAN), or a password can be used as the basis for authentication.
The added level of flexibility afforded by derived credentials and context-aware authentication means it’s easier to choose the right level of security for each situation. With high-stakes applications, such as access to health records, for example, multi-factor authentication can be used to reach the necessary level of security, but with applications that present a lower risk, a less sophisticated authentication method can lower the technology overhead – without compromising privacy or security.
NXP’s approach to derived credentials for mGov
At NXP, we’re building on our number-one position as a supplier of silicon solutions for eGov to support the trend toward mGov. We are already a leading supplier of eSEs to the smartphone industry, and a recognized innovator in the secure services that rely on eSEs for protection, and are using that experience to build solutions for other mobile devices and mGov applications. We’re also creating a service platform that will provide our customers with an infrastructure for digital authentication supporting various credential types.
Using eID hardware as a starting point, the NXP platform supports an easy design and deployment of secure authentication services for mobile applications, and will help developers migrate multi-application eID operation into the mobile space.
Go a level deeper
To learn more about our work in this area, visit the eGov section of our website or contact your local sales office.
NXP blog: Derived credentials create a secure, convenient link between physical & digital identities
NXP blog: Paving the way for digital identities and mobile eGov access