Mobile ID – Electronic Identity of Today

Mar 1, 2021

Author: Saša Šćekić, Vice President of the AmCham Digital Transformation Committee

Providing nationwide verified electronic identities has become an imperative for unlocking the full potential of the digital economy, and significant, coordinated efforts have been made over the last two decades to make this happen.

Back in 2014, the EU adopted the eIDAS Regulation (Electronic Identification and Trust Services) to lay down the foundations and a common legal framework for people, companies and public administrations to safely access digital services and perform online transactions, within their home countries and across borders.

eIDAS implementation delivers eID, a digital identity based on national electronic identification schemes, which can be used to access eGovernment services, to complete the online Know-Your-Client (KYC) identification process when opening a bank account, to issue an eSIM to a customer, to enroll in a foreign university, and so on.

Equally important, it delivers Trust Services – namely electronic signature, electronic seal, time stamp, and electronic delivery service – ensuring that contracts and other documents can be signed and exchanged online while having the same legal status as their traditional paper-based equivalents.

Following the adoption of eIDAS, EU countries and those aspiring to become EU members focused on aligning their legal frameworks with this regulation and building national platforms called eID schemes. These schemes are IT systems which enable electronic identification and trust services. From the citizen/customer perspective, what matters are the eID means they can use to access these systems, identify themselves online and sign documents. These means can be physical, such as a National Identity Card with an embedded microchip, or immaterial, such as dedicated mobile phone software, biometrics, etc.

Germany was the first country to implement an eIDAS-compliant eID and Trust Services solution based on its National Identity Card. Many EU countries have since followed, among them Estonia, Belgium, Croatia, Slovakia, Italy, Spain and Portugal.

Using the National ID Card was a logical first choice, considering the long history of issuing these cards and the resulting broad population coverage. Electronic identification and electronic signature capabilities were implemented by embedding a microchip in the card and storing the required data on that chip. To obtain the National ID Card, a citizen undergoes the usual identity-proofing process during a face-to-face verification by an appropriate authority – for example at the counter of the Ministry of Interior.

Maybe the best way to understand how this works is to draw a parallel with credit card usage. When a customer makes a payment, he either inserts his card into a POS device or holds it close for a contactless payment, and then enters the PIN to confirm the purchase. A similar workflow applies to the National Identity Card. When a person wants to identify himself online or digitally sign a document, the first step is to start the appropriate application, then to insert the identity card into a smartcard reader and finally to enter his PIN on the computer to seal the deal. This only gives a general idea of the user experience, without going into the complex communication that happens behind the scenes.

The biggest drawback of this approach is that a person needs access to a smartcard reader and a personal computer with a specific operating system and software. Configuring all of this is not always straightforward, and then there is the matter of carrying all this equipment around in order to identify yourself or digitally sign a document while on the go.

The introduction of a contactless chip on the National ID Card made the whole process somewhat more comfortable, considering that nowadays almost all smartphones can read contactless cards. Even Apple opened its typically closed ecosystem and enabled the use of NFC for this purpose (since iOS 13). When a citizen uses this solution to verify his identity online, he uses his mobile phone to read the contactless identity card and then enters his PIN code in the mobile app.

Although the introduction of contactless ID cards made the whole experience more user friendly and contributed to higher acceptance by the general public, it still wasn’t as straightforward as mobile users have learned to expect these days.

The rise of Mobile ID

Mobile-based identification schemes, or Mobile ID, were created to address the pitfalls of the National ID Card approach and ensure much faster adoption across industries and government services. Besides convenience, mobile-based systems can also provide higher security by utilizing biometrics and cryptographic modules (secure element, trusted execution environment, etc.). They also mean faster delivery to a larger share of the population, especially when comparing the logistics of issuing a new national identity card with obtaining a SIM card, or not needing to obtain anything at all.

A common approach is to create digital signatures on the phone. This is often referred to as a client-side implementation. With this approach, a special SIM card is used to store the data necessary to create the signature, while the mobile phone is used to enter the PIN that authorizes the identification or signing operation. The SIM card in this case has the same function as the microchip on the National ID Card, while the mobile phone acts as a smartcard reader (reading data from the SIM card). This model is used in countries such as Sweden, Finland, Estonia, and Moldova.

The Moldova Mobile ID Case Study from 2018 details Moldova’s project to implement digital signatures on the phone, through a public-private partnership with mobile network operators. In this model the government provides the foundation of the eID system – the Public Key Infrastructure (PKI) for issuance of identity credentials and qualified electronic signatures, and signature validation services – while mobile operators provide the user registration process, issuance of PKI-enabled SIM cards and data transport over their mobile networks. The project lasted 18 months, of which the implementation of the technical solution was completed within 6 months. Each of the three involved mobile operators incurred approx. 400.000 EUR of cost, while the government investment amounted to approx. 30.000 EUR. The solution is not free for citizens, as mobile operators charge a fee for the use of mobile signatures and pass on part of the related income to the government under a revenue-sharing agreement.

Another innovative and even less constraining Mobile ID approach is remote signature creation, also referred to as a server-side implementation. In this case the user’s encrypted data is stored at a remote location and authentication is done via a remote hardware security module (HSM), which means that any mobile phone and SIM card can be used, as long as sending and receiving SMS is supported. From the user experience perspective, the approach is similar to the solutions banks use for e-banking login: after typing the phone number (as user ID) and password, the user receives an SMS with a one-time password, which in this case is called a TAN. By entering the received TAN, the user triggers electronic signature creation based on the certificate and signature creation data stored on the remote server.
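As an added illustration (not code from the article or from any national eID system), the server-side flow just described, simulated in Python: the phone number and password check, a single-use TAN that expires, and a stand-in for the HSM signing step. The phone number, password, TAN lifetime and attempt limit are constructed demo values; binding the TAN to the hash of the document it authorises and cancelling the request after repeated wrong TANs are defensive details assumed here, not stated in the article.

```python
import hashlib
import hmac
import secrets
import time

TAN_TTL_SECONDS = 120   # assumption: a TAN expires after two minutes
MAX_TAN_ATTEMPTS = 3    # assumption: three wrong TANs cancel the request
PBKDF2_ROUNDS = 100_000


class RemoteSigningService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}    # phone number -> (salt, password hash, HSM key handle)
        self.pending = {}  # phone number -> pending signing request

    def register(self, phone, password):
        # Stand-in for enrolment: a real service issues a certificate and keeps the
        # private key inside an HSM; here the "HSM key" is just a random server secret.
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[phone] = (salt, pw_hash, secrets.token_bytes(32))

    def request_signature(self, phone, password, document):
        """Step 1: phone number + password; on success a TAN is sent by SMS."""
        user = self.users.get(phone)
        if user is None:
            return None
        salt, pw_hash, _ = user
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(pw_hash, candidate):
            return None
        tan = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = {
            "tan": tan,
            "doc_hash": hashlib.sha256(document).digest(),  # TAN authorises this document only
            "expires": self.clock() + TAN_TTL_SECONDS,
            "attempts": 0,
        }
        return tan  # returned here for the demo; in production it leaves only via SMS

    def complete_signature(self, phone, tan, document):
        """Step 2: the TAN confirms signing of exactly the document shown in step 1."""
        req = self.pending.get(phone)
        if req is None or self.clock() > req["expires"]:
            self.pending.pop(phone, None)
            return None
        req["attempts"] += 1
        tan_ok = hmac.compare_digest(req["tan"].encode(), tan.encode())
        doc_ok = hmac.compare_digest(req["doc_hash"], hashlib.sha256(document).digest())
        if not (tan_ok and doc_ok):
            if req["attempts"] >= MAX_TAN_ATTEMPTS:
                self.pending.pop(phone, None)
            return None
        self.pending.pop(phone)  # single use: a replayed TAN cannot sign a second time
        return self._hsm_sign(phone, req["doc_hash"])

    def _hsm_sign(self, phone, doc_hash):
        # Stand-in for the HSM: a real service produces a qualified signature with the
        # user's certificate key; the HMAC models a key that never leaves the server.
        return hmac.new(self.users[phone][2], doc_hash, "sha256").hexdigest()
```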

ITU’s 2017 report, Mobile identification: implementation, challenges and opportunities, details the implementation of this model by the Austrian government. The report lists the following key success factors of this model: zero footprint and no additional hardware is required, and the system works independently of mobile phone and mobile network providers. With a server-based solution, no SIM change is required, which also eases activation for citizens. It has low development costs and is free of charge for citizens.

Several other proven mobile-based eID implementations are detailed in ENISA’s report on eIDAS-compliant eID solutions from March 2020.

Mobile ID for Digital Montenegro

So where is Montenegro in the whole eID scheme of things?

In the last couple of years great strides have been made to align Montenegro’s legal framework with eIDAS. The Law on Electronic Identification and Electronic Signature and its bylaws regulate the conditions for using electronic signatures, electronic seals, electronic time stamps and electronic delivery services. The eID scheme was defined, as well as the conditions for recognition of electronic identification means of other countries. Amendments to the Law on Identity Card have authorized the Ministry of Interior to add two certificates to the National Identity Card – one for electronic identification, and the other for qualified electronic signature. Overall, a baseline regulatory framework has been established to support eIDAS-compliant eID and Trust services.

Provisions of the Law on Electronic Government regulate how state bodies, state administration and other governmental bodies communicate with citizens and companies by electronic means, and how they process, exchange and publish data. By introducing requirements to establish data registers and to integrate with the central e-Government portal, while complying with the defined eID and Trust Services requirements, this regulation provides a sound basis for the development of digital public services in Montenegro.

While the current legal framework provides strong support for the digitalization of the private sector, further improvements are needed, especially in laws that apply to regulated industries. A Qualified Electronic Signature is defined to have the same legal effect as a handwritten signature, which should ensure the validity of any document signed online; this is especially important for online sales and contracting. On the other side, when it comes to lending, the banking industry is governed by the Law on Consumer Loans, and this law requires a written loan contract. The account opening process also needs to be performed face-to-face, due to provisions of the Law on Prevention of Money Laundering and Terrorism Financing. Aligning this law with the 5th EU Anti-Money Laundering Directive would introduce the option of secure remote or electronic customer identification, as elaborated in Montenegro’s Law on Electronic Identification and Electronic Signature. Similarly, the telecom industry is governed by the Law on Electronic Communications, which also requires written documents. These laws do not refer to eID and Trust Services the way the Law on Electronic Government does. Conflicting provisions, combined with the lack of court case law on this subject, result in legal uncertainty, which hinders further development of related online services.

Beyond the legal perspective, there is the question of the infrastructure and technologies needed to enable eID and Trust services in Montenegro. The Government opted for an eID scheme based on the National Identity Card (ID Card), an underlying Public Key Infrastructure (PKI) and the other systems necessary to produce and personalize ID Cards with electronic identity and signature data on board. The systems went live in 2019, while the first new ID Card was issued in June 2020. The Ministry of Interior was appointed as the Certification Authority – named TrustME – and as such is responsible for issuing the certificates that are stored on the new ID Cards. An important thing to note is that certificates are issued to citizens free of charge.

Although Montenegro’s ID Card approach follows the example of many EU countries, it misses out on a key lesson learned: there is a clear user preference for mobile-based ID solutions, and if you must have ID Cards, then make them work with mobile phones instead of requiring smartcard readers. To quote the European Commission report: “The world is now becoming mobile, and in response governments have started to explore mobile digital identity and mobile-first strategies. eID solutions need to be conceived to work as well on mobile devices as on desktop computers, rather than being adapted for mobile use a posteriori” (Embracing Mobile Identity for eGovernment, May 2020). The same report also indicates that EU Regulation 2019/1157 mandates the use of contactless technology and that by August 2021, EU Member States will have to start issuing new ID documents complying with this regulation. This should be a consideration for countries aspiring to become EU members – such as Montenegro.

In order to use the Montenegrin National ID Card for electronic identification and signing, a citizen needs a smartcard reader and a personal computer with Windows OS and specific software installed. Before the card can be used it first needs to be activated, and while the process is not overly complicated, it can be discouraging for an average citizen. This is perhaps best illustrated by the Health Insurance Fund of Montenegro, when explaining how it provides the service of activating the new ID Card so that it can be used as a healthcare card. The Fund wrote on its website: “it’s a procedure which many, especially senior citizens, would not be able to manage, and in addition, this requires the possession of the necessary device (Card Reader), which would be an additional cost for them”.

The Government made a good effort to provide the necessary information about the new ID Card, with user manuals and other relevant information on the dedicated website ca.servis.mup.gov.me (the subdomain could be easier to remember). However, that doesn’t change the fact that the intended use – with computers, smartcard readers and configured software – can be overwhelming and off-putting for an average citizen.

The good news, learned from communication with the Ministry of Interior, is that the currently issued ID Card has contactless capabilities and that, with mobile app development, this feature could become available to Montenegrin citizens. There is a strong argument for the Government to push this development forward as a high priority. The success of the ID Card approach is directly correlated with ease of use and accessibility. And mobile phones are nothing if not accessible in Montenegro. This is the country with one of the highest mobile user penetrations in Europe – at 174%, according to the MONSTAT report on ICT usage in Montenegro in 2020. The same report also indicates that constant and significant growth has been recorded, year by year, in the use of mobile devices as the primary Internet access platform, with 10.5% growth recorded just between 2019 and 2020. During the last year, 96.9% of households accessed the internet via mobile phone, while 34.8% used only a personal computer. Simply put, there is a strong preference towards mobile in Montenegro, and a mobile phone with a mobile app vs. a computer with a smartcard reader and software is a no-contest comparison.

Montenegro should also follow the German example and activate ID cards at the time they are issued to citizens. To boost the online use of the ID card, Germany regulated that from June 2017, each new ID card is issued with the electronic identity verification function activated. This produced a significant increase in activation, from less than one third to 50% in only a year and a half (according to the Thales 2020 report, Overview of the German identity card project and lessons learned).

Having said this, the shift towards mobile-based ID solutions is clear and the Government should consider this technology as well. The Austrian server-side model discussed in this article could be a good fit. With its zero footprint (any phone and SIM would do) and ease of use (similar to e-banking login) it has the potential to be adopted very fast by the wider population. And if this model does not fit, considering the currently deployed national infrastructure and the potential complexity and cost of the needed adjustments, then the client-side model with PKI-enabled SIM cards could also be considered. In this case citizens would need to replace their SIM cards, but this should not be an issue, considering the strong branch network of all mobile network providers in the country. The Montenegrin Government could follow Moldova’s example and implement this project as a public-private partnership with the telecom industry. This could help offset some of the cost and manage the infrastructure complexity challenges. It should be a partnership with all three mobile network operators in the country, considering that each has approx. a third of the market (34,89%, 33,56% and 31,55% according to the Agency for Electronic Communications and Postal Services, December 2020 Market Share Report). This way the Mobile ID service would be available to citizens whichever mobile provider they choose to use.

Besides getting citizens on board, it is equally important to integrate the Montenegrin private sector into the eID and Trust services ecosystem. Companies have a strong interest in enabling their online solutions to identify first-time customers and to sign contracts with them using qualified electronic signatures. This opens a wide range of possibilities for online sales and related new revenue streams – from banks to telecommunication companies, insurance providers and others looking to acquire new customers and sell their products and services online. The private sector’s incentive grows with the number of citizens onboarded to the national eID system.

However, to enable this integration, the Government would first need to expose its eID system infrastructure and provide instructions for software developers. This means providing the necessary APIs (integration interfaces), sandbox environments for testing and technical guides, so that third-party applications can make use of eID (and hopefully Mobile ID). To accomplish this challenging task the Government could again reach out to the private sector and have Montenegrin software development companies deliver the necessary SDKs and documentation, or even establish themselves as Software-as-a-Service providers delivering solutions for authentication, signing and validation under the national eID scheme.

To summarize, the Government should focus on further improving the legal framework, enabling the contactless functionality of the National ID Card and issuing cards already activated, introducing Mobile ID, and enabling integration of the private sector. These efforts would ensure that the implementation of national eID and Trust services reaches its full potential in Montenegro, and that a paperless society becomes more than just a buzzword: a promise of our new reality.
