Language:
women an men paying with smartphone in a bar outside

Digital identities and how they are evolving

published on 02.06.2020

The average European has a good 90 digital identities, and the number is rising. This makes it increasingly difficult to manage these identities securely. How do we come to have so many digital identities and what are scientists and industry doing to better organize them? 

Analog, digital and mobile identities and how they differ

Whether ordering from Amazon or online banking, the team calendar for a soccer club or the ‘Elster’ tax form from the tax office, whenever we register for the first time as a user, a digital identity is created that allows us to login again later.

But how exactly is an identity created?

  • Generally speaking, an identity is basically a defined set of data that belongs to an individual. These attributes can be the name of the person or their address, their fingerprint or eye colour.
  • In the case of a sovereign digital identity, these attributes are confirmed by a state authority and recorded, for example, in the person’s ID card.
  • Digital identities are created, for instance, when a user registers for an online service, enters their personal data and links this data to a username and password. Digital identities are not just for people but also for objects, such as the vehicles of a car rental company.
  • Mobile identity refers to when digital identities can also be used on mobile devices, such as smartphones or tablets regardless of location.

Data silos – A confusing jumble

As a rule, users create a new account for each online service that requires them to enter their data for the first time. This leads to countless data silos with each respective provider in which our ID data is stored. This kind of redundancy can pose risks and as the number of platforms with their different levels of protection grows, so too does the risk of data theft.

Banks, for instance, normally use the Video-Ident method to identify new customers, so that new customers can easily open an account via a video call. They do this by holding their face and ID card up to the camera. The bank clerk at the other end decides whether the caller and the picture on the ID card look sufficiently similar to be classified as one and the same person. No further identity check is necessary. This is very convenient, but it can be a gateway for fraudsters. Disguised as alleged bank clerks, landlords or employers, they steal the applicants' digital identities and use them for criminal purposes, such as money laundering or to open fake shops. This often leads to years of unpleasant consequences for the victims. It also shows that trusted, secure identity systems are the only way to form a foundation for people and companies to communicate efficiently and carefree on the net.

"Single sign-on: If a user logs in with this kind of ‘master key’ user account, all information about everything the user does on other sites could land with the provider of the user account." 

verbraucherzentrale.de (https://www.verbraucherzentrale.de/wissen/digitale-welt/soziale-netzwerke/singlesignon-riskanter-login-fuer-alle-internetseiten-13704)

Data as merchandise

Single sign-on is becoming increasingly popular when logging into an online service. With a single login, users can login to several systems at the same time and spare themselves the trouble of entering data several times. This field is currently occupied by several globally active companies, such as Facebook or Google, which have developed into dominant providers of digital identities. The Facebook ID is used more often in this country than the eID function of the ID card. The downside from a user perspective: Facebook and Co. have acquired a dubious reputation as data leeches with a business model that ultimately involves merging and commercially exploiting digital identities, thereby overshadowing the data sovereignty of the individual. It is almost impossible for users to see what happens with their data and they ultimately lose control over their digital identity.

As simple as Facebook, as secure as your ID card

The solution to this are secure solutions based on sovereign identities, a legally regulated context and an independent infrastructure. Solutions like these protect against intransparent use and data misuse. Several projects in Germany are currently dedicated to combining security, data protection and user centricity in digital identities. An overview:

In the first phase of the publicly funded OPTIMOS project, smartphones became a secure platform for high-quality data. In OPTIMOS 2.0, the focus is now on sovereign documents. This cooperation project headed by Bundesdruckerei will run until mid-2020. Smartphone manufacturers, mobile phone providers, a Fraunhofer Institute and the Federal Office for Information Security (BSI) are involved in this project. The aim is to derive a digital identity from sovereign documents which will allow people to securely identify themselves for online services and which can be used regardless of location.

Some sovereign documents already have an interface with the digital world. This means that these documents enable electronic readout, they simplify verification processes and open up channels to the digital administration. The eID function of the ID card, in particular, which is also referred to as AusweisIDent Online, offers state-verified data for digital applications.

The core elements of the solution are an NFC interface for contactless data exchange and the so-called Secure Element – a microchip in the smartphone that is addressed via cryptographic processes. This ‘high-security area’ houses the applets, i.e. the software for individual applications. Another core element of mobile ID is the Trusted Service Manager (TSM): a background system operated by a trusted institution. It establishes the connections to the smartphone and functions as an app store where users can download apps. As the ‘big watchdog in the middle’, the TSM handles lifecycle management, i.e. from the opening of a user account to the updating of data right through to shutdown. The main technical components have already been implemented. The challenge now is to find a suitable platform for economically efficient operation. The search is now on for a suitable business model: Who will provide the service and who will pay for it?

The developments of the OPTIMOS 2.0 project are also opening up new opportunities in the healthcare sector. The VEGA research project, funded by the Federal Ministry of Health, aims to bring online identification and authentication for the health card onto smartphones as a mobile variant of the health card. This would allow insured persons to use their smartphones to authenticate themselves to their health insurance company or to view their electronic patient data. Thanks to the involvement of stakeholders from the healthcare sector, the project team receives rapid feedback on suitability for everyday use.

Was im OPTIMOS-2.0-Projekt entwickelt wurde, eignet sich für mehrere Einsatzfelder. Im ONCE-Projekt werden die Ergebnisse in die Breite getragen. Digitale Identitäten beziehungsweise Berechtigungsnachweise – wie der mobile Führerschein – werden für verschiedene Dienstleistungen nutzbar gemacht, beispielsweise Autoverleih oder Hotellerie. Käme ein Geschäftsreisender am Frankfurter Flughafen an, könnte er ein Auto mieten, ohne sich am Schalter des Anbieters anzustellen. Den Autoschlüssel bekäme er auch gleich aufs Handy gespielt. Später würde er elektronisch im Hotel einchecken und hätte den Zimmerschlüssel schon auf seinem Smartphone. Unter den Partnern sind VW, Bosch, Sixt, die Hotelkette Motel One sowie IT-Anbieter.

In an effort to ensure that mobile driving licences work across national borders and despite different devices from different manufacturers, new technical standards are currently being developed by the ISO international standardization committee. Last year, experts from around the world met in Nebraska, USA, to test the interoperability of their solutions.

When it comes to digital technologies, there is often talk of the `transparent citizen’. Those who entrust their data to a large number of service providers largely surrender control over their data and lose track of what happens to it – despite data protection legislation. Digital self‑determination is therefore an essential factor in new solutions. Several projects under the keyword ‘Self-Sovereign Identity’ also draw attention to this topic with a view to public administrations and the private sector. In the Lissi (Let’s Initiate Self-Sovereign Identity) project, work is underway on a solution for smartphones in which the digital identities of users are no longer stored in the different data silos of individual providers. Instead, users hold the reins and can determine for themselves how their identity is used. Any disclosure of identity data requires the user’s active consent.

Partners from the banking sector, from industry and science as well as Deutsche Bahn have joined forces in this project. What the solution looks like in detail: A user creates an electronic ‘wallet’ on their smartphone. This is where the user manages their digital identities, from their ID card, rail card to their digital membership card for the gym. These identities are verified and electronically signed by reliable issuers – in the case of the bank card, for example, by the bank. If the user then wants to book a trip online, they present the travel company with selected identity data from their ID card and bank card. The other party – the travel provider that received the booking – checks that the data is correct using the cryptographically secured seal of the issuing parties, in this case, the bank and citizens’ office. The travel provider now knows that the customer is in fact who they claim to be. To do this, the company does not need to contact the issuing parties directly, but simply accesses a public directory. With this procedure, identity providers, such as banks or citizen's offices, cannot draw conclusions about a user’s movements on the Internet. The public directory – in this case the blockchain – does not contain the user data itself, but only the data that is needed to verify and manage the data. A prototype has already been developed. The basic idea behind this and other projects is self-determination for the user.

Does an Estonian student have to come to Berlin just to register for a seminar at Freie Universität Berlin (FU) before the semester begins? Not anymore thanks to the electronic student ID card. The recently completed project StudIES+ has delivered a prototype. In this example, the student in Estonia can authenticate himself to the university using the sovereign document of their home country. The university then sends them their digital student ID card, enabling the secure use of digital services.