Digi2: a PoC app for DigiD



DigiD is the Dutch national digital identity solution for citizens to use e-government services (and online health and pension-related services). It is quite popular actually, in 2015 there where 12 million citizens that had a DigiD, on a population of a bit of 17 millions. Also the amount of logins had increased significant over the year, with over 200 millions logins in 2015. InnoValor did a project in 2015 to make a proof-of-concept app for DigiD that can 1) serve as replacement of SMS as second-factor, 2) can be used with government mobile app and 3) is more secure than current DigiD because it can use the contactless chips in e-passports etc as second factor. We did this project for and with DUO (government organisation responsible for student enrolment, student finance etc), in collaboration with RDW (government organisation responsible for driving licenses, vehicle registration etc) and Logius (government organisation responsible for DigiD).

The below blogpost is written jointly with Jan Kouijzer from DUO and gives details. It is in Dutch and includes links to videos with a demo. It appeared earlier (7 December 2015) on https://innovalor.nl/digi2-een-proof-of-concept-app-voor-digid/.

Read the rest of this entry »

FIDO and its place in the eID ecosystem



FIDO stands for Fast Identity Online. FIDO is a new authentication specification that makes it easier to integrate with and re-use non-password authentication means: what-you-have and what-you-are. The specification was published in a v1.0 version last December by the FIDO Alliance, which unites an impressive list of large companies (e.g., Microsoft, Google, Samsung) and smaller authentication companies (e.g., Authasas, Yubico, Nok Nok Labs) to “define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services”.

Last Friday (23 January 2015) PIMN organized a seminar on FIDO,  which was fully booked with a waiting list even. In this blogpost I’ll summarize what I learned and what I presented on “FIDO and its place in the identity ecosystem”.

Read the rest of this entry »

Re-usable identities instead of different passwords everywhere



Below is a blog post in Dutch on re-usable identities instead of different passwords for all websites. The trigger for the blogpost is that Hold Security released the Dutch (or actually, .nl) part of the logindata/emailadresses that they discovered to be hacked. The NCSC (National Dutch Cyber Security Centre) IMHO focusses to much on educating users to prevent this, contrary to fnding/promoting solutions such as re-usable identities, including the Dutch eID Stelsel NL (similar to NSTIC in the US).

Read the rest of this entry »

Crowdsourcing a higher Level of Assurance for digital identities




[cross-posted from IDnext website/news]

Two-factor authentication is becoming more and more popular. In the ‘old days’, it was mostly used by companies and online banking. Very few other services bothered users with two-factor authentication. But now, with new services providing access to privacy-sensitive information and/or becoming more important to us, service providers are becoming increasingly concerned about the identity of the people that they are authenticating – are they really the people they say they are? They feel the need to use two-factor authentication, even if it is costly and if it means that they risk annoying users.

The industry developed the Level of Assurance concept as a means of checking the trustworthiness of a digital identity. A digital identity is determined by the authentication means, such as a smartcard, text message, one-time password etc., and the registration process. The latter is often neglected, despite being very important. It is often also really expensive as well as annoying for the users. Ideally, doing a face-to-face check should be part of any correctly completed registration process. This is expensive, as it involves hiring skilled professionals, providing a working space and so on. Moreover, it annoys users, as it requires them to go somewhere and take action. Obviously, the expense depends on how the registration process is organised, and on its scale, but will cost between € 10 and € 100 per user.

Reusable identities are useful as the user goes through the process only once and can then authenticate himself to many services. The costs can be divided among the services and the user only gets annoyed once. Standards that define discrete levels are available in order to communicate the trustworthiness of a reusable identity. In Europe, the STORK levels are probably the most commonly used standard, although strictly speaking it is not a standard but a project deliverable edited by my colleague, Bob Hulsebosch.

Bob was tasked with writing the STORK levels with government issued/approved digital identities in mind, since the STORK project is about federated national digital identity solutions. For the higher levels of assurance, this means a strict face-to-face process. But the costs of many user types, such as age verification or insurance services, are too high. During the last three years or so, we also worked with clients on more ‘creative’ registration processes to provide the necessary level of assurance without resorting to face-to-face checks. This is partly because in the Netherlands, there is no re-usable identity available for consumer-to-business services (only government-to-consumer services). Typically, this creativity makes use of one or more derived identities. By “derived” I mean that we use a previously established identity, even without the permission of the issuer of that identity.

One example of how this process is used is the banking sector in which the user transfers a set amount of money. PayPal works in this way. We combine these derived identities with remote verification steps such as using an NFC app to read the ICAO chip that is in everyone’s passport.
We are now collaborating with SURFnet, part of Géant3plus’ Open Calls programme, to explore a new creative direction: crowdsourcing Levels of Assurance. We are basing our approach on the web of trust concept, as used in PGP for example. In this concept, users can vouch for other users, thereby creating a decentralised way of building up trust. We do this for users in an interfederation, re-using existing trust relationships wherever possible, such as those in social networks and PGP. We have a first prototype in which users authenticate themselves to an “Attestation Service” and then link their LinkedIn account (and PGP key) to their federation account.

The Attestation Service contacts “Helpers” from, in this case, the users’ LinkedIn networks to explicitly vouch for the identity of the user. The more contacts the users have, the higher the Level of Assurance. We are evaluating the prototype to determine our highest STORK level, including how to apply the concept to specific attributes such as mobile phone numbers.

PayPal and Dutch banks as identity provider



Today I received an email from PayPal to inform me on updates they are making in their legal terms related to “Log in with PayPal”. That PayPal wants to be an identity provider is nothing new, but this update was a good reason to blog about opportunities for Dutch banks to introduce innovative services in the area of digital identity. See below the cross-post in Dutch from the InnoValor website on this subject.

PayPal en banken als inlogmethode

Paypal heeft vandaag aanpassingen aan de gebruikersovereenkomst bekend gemaakt. Opvallendste voor mij was de toevoeging van “PayPal als inlogmethode”, oftewel, PayPal als identity provider. PayPal is overigens al langere tijd zich aan het positioneren als identity provider. ”PayPal als inloginmethode” is erg vergelijkbaar met hoe Facebook Connect of andere social logins werken, je logt in bij een wesite van een derde partij door op een button te klikken die je browser redirect naar bijvoorbeeld Facebook waar je inlogt met de gebruikersnaam/wachtwoord die je gebruikt voor Facebook. Qua user experience en werking niet heel veel anders dan DigiD overigens. Geen nieuwe wachtwoorden voor elke site, minder gedoe met registreren etc. Voor de techies: PayPal gebruikt OpenID Connect hiervoor, DigiD gebruikt SAML.

Read the rest of this entry »

Step-up authentication as-a-Service


IDentity-as-a-Service (IDaaS) was a hot topic in 2012 (e.g., this blog post of Dave Kearns), and probably will continue to be so in 2013. In a project for and with SURFnet (Dutch NREN) Novay designed a IDaaS-like service to make existing identities more trustworthy: Step-up authentication as-a-Service. (No idea more to abbreviate this: SuaaaS?)  The Step-up authentication as-a-Service we designed addresses this need by making it possible to increase the trustworthyness (put differently: increase the level of assurance) of identities in an existing identity federation. The service addresses both the technology and the process/registration side: a second factor authentication and an additional face-2-face check who this digital identity (and second factor) actually belongs to.

From a user perspective, the service has a self-service interface to register a second factor (see mockup below), an interface for the identity providers for user management (see second mock-up below) and of course every time a step-up authentication is needed the user is re-directed to the Step-up authentication as-a-Service to authenticate with this second factor.

Read the rest of this entry »

Tooling and methologies for privacy & security in the cloud


We recently finished a project on privacy& security in the cloud for SURFnet (Dutch NREN, responsible for the Dutch research network and middleware services on top of this). Basically, we supplemented work of others that focussed on the contractual and legal perspective with a more technology perspective. We listed what an organisation can do themselves to improve privacy & security when taking applications to the cloud, focussing on authentication, autorisation, provisioning/account management and encryption. Below a more eloborate blog post in Dutch.

Zelf zorgen voor security en privacy in de cloud

Read the rest of this entry »

Do’s and don’t’s for DigiD


Nieuwe logo DigiD

DigiD is the Dutch national digital identity solution for citizin-2-government. Although not the most secure solution around, it is one of the more succesful ones with respect to actual usage. DigiD is actually not only for e-government services, but also for online services in healthcare and pensions (since they can use the Dutch social security number). For such a ‘lucky’ company, which is going to use DigiD next to an own identity solution for consumers, we did a series of interviews to determine the do’s and don’t’s of implementing DigiD. My colleague Wouter Bokhove was in the lead for this, and published a blog post summarizing some of the main finding. It is in Dutch, and be be found here or for your convenience copied below. Amongst others we advised on using the new SAMLv2 interfaces or the ‘old’ A-Select interfaces, and on how to use te Levels of Assurances concept.


DigiD: een goede voorbereiding is het halve werk!

Stel: je hebt als organisatie in de pensioen- of zorgsector een Mijn-omgeving waar je online zaken kunt regelen. Een deel van je gebruikers heeft een account tot deze Mijn-omgeving op basis van een gebruikersnaam en wachtwoord (met alle nadelen en beperkingen van dien), maar je bent op zoek naar een goedkoper, veiliger en/of gebruikersvriendelijker alternatief.

Is DigiD dan het antwoord? Wanneer is het nuttig om DigiD te implemeteren? Waarom zou ik nog een eigen gebruikersnaam/wachtwoord-combinatie aanbieden? Wat is belangrijk bij het implementeren van een DigiD koppeling? DigiD heeft verschillende koppelvlakken, welke moet ik kiezen? Wat gaat er met DigiD 4.0 veranderen, welke ontwikkelingen zijn nog meer relevant en welke impact zullen deze veranderingen en ontwikkelingen kunnen hebben op de keuzes die ik nu maak? Hoe zorg ik voor een toekomstvaste identiteitsarchitectuur die hiermee om kan gaan?

Novay heeft voor een grote Nederlandse financiële dienstverlener een aantal adviezen geformuleerd die op deze vragen een antwoord geven. Hiervoor is niet alleen gekeken naar de huidige situatie van deze klant en de publiek beschikbare informatie over DigiD, maar is ook uitgebreid gesproken met ervaringsdeskundigen uit de zorgsector, system integrators en met Logius. In deze blogpost schrijf ik kort een paar van de aanbevelingen die interessant zijn voor een breder publiek:

  • Er kunnen verschillende redenen zijn om gebruik te willen maken van DigiD:
    • het wordt mogelijk om diensten aan te bieden waarvoor een hoger zekerheidsniveau nodig is (t.o.v. een eigen gebruikersnaam en wachtwoord);
    • het gebruik van DigiD verlaagt de drempel voor klanten om gebruik te maken van de Mijn-omgeving; hierdoor zullen meer klanten gebruiken van dit (typisch goedkopere) kanaal;
    • er zal minder gebruik gemaakt worden van het eigen authenticatiemiddel, waardoor nieuwe identiteiten uitgegeven hoeven te worden en er minder belasting zal zijn voor de helpdesk (bv. voor het resetten van vergeten wachtwoorden);
    • het is eventueel niet langer noodzakelijk om een eigen authenticatiemiddel aan te bieden (dit is o.a. afhankelijk van het feit of alle klanten wel een DigiD kunnen aanvragen).
  • Er moet gekozen worden tussen koppelen met het ‘oude’ A-Select koppelvlak of met het ‘nieuwe’ SAML v2 koppelvlak. Het gebruik van SAML v2 is aan te bevelen omdat dit meer toekomstvast is (SAML v2 is een OASIS standaard). SAML v2 wordt vanaf DigiD 4.0 ondersteund (SAML v2 is nu ook al beschikbaar bij DigiD Eenmalig Inloggen). De release hiervan is echter uitgesteld van 1 oktober 2011 tot na 1 april 2012.
  • Ondanks het feit dat het gebruik van DigiD en de begeleiding bij de implementatie van DigiD door Logius momenteel nog gratis is, is het verstandig om rekening te houden met het feit dat dit op termijn anders zal worden. Het is op dit moment niet te voorspellen hoe duur dit zal zijn, en of dit zal verschillen per zekerheidsniveau.
  • Doe een risico-inventarisatie van de huidige en geplande diensten voor de Mijn-omgeving en bepaal welke zekerheidsniveaus hiervoor nodig zijn. In verband met de toekomstvastheid is het verstandig hierbij gebruik te maken van de zekerheidsniveaus zoals deze gedefinieerd zijn in het Europese STORK project (D2.3, geschreven door Novay in opdracht van het ministerie van BZK).
  • Logius is zeer streng met betrekking tot de communicatie-eisen en het blijkt dat Logius freuent (pre-)productie-omgevingen afkeurt als deze niet voldoen aan deze eisen. Dit betekent dat een aansluitende partij zich geen enkele vrijheid kan veroorloven ten aanzien van de voorgeschreven teksten en het gebruik van het DigiD logo.

Bovenstaande adviezen zijn opgesteld in de periode voor ‘Lektober‘. Naar aanleiding van de DigiD-gerelateerde recente veiligheidsproblemen bij o.a. gemeentes die hieruit naar voren zijn gekomen, kan er nog een advies worden toegevoegd:


No more Cardspace …


Microsoft announced yesterday that Cardspace 2.0 will not be shipping. Or to put this  more directly: that they’ve stopped with Cardspace. This is not a big surprise, uptake was very slow and Microsoft already showed signs of less-than-fully supporting Cardspace/InfoCards for a while now.

Cardspace was IMHO a promising approach to some of the privacy, security and usability concerns for federated identity systems, but it lacked adoption. Part of the reason as Mike Jones puts it is it is not drop-dead simple to use. Lack of user acceptance is  also confirmed by the user study we did for SURFnet in 2009, where users basically distrusted Cardspace. Other reasons I think are lack of an easy migration path from existing standards, and slower-than-hoped  update of identity federation in the consumer space in general.

Anyway, Microsoft stopping Cardspace will probably mean the end of the used InfoCard standard as well. This makes things clearer in the standards department, which a consolidation on basically OpenID (/OAuth) and SAML. And especially Facebook with a non-standard protocol to do similar things.  Not that standards are the most important, I agree with Eve Maler (now Forrester) when she states:

when it comes to lightweight consumer-scale federated identity, the specific protocol matters less for success than the user base, the nature of the data available about those users, and the tooling available for relying-party integration.

Even though the protocol may not  be the biggest issue for a federated consumer identity solution, it is still not a trivial one. Especially the issue to have a web-based client (i.e. OpenID or SAML WebSSO) or an active client (Cardspace/InfoCard) is one that remains interesting because of the consequences for usability and security.

Most popular ‘social logins’


Janrain produced some nice statistics on usage of OpenID and similar technologies to use credentials from, again typically, social networks to log in on other sites. They use ‘social login’ as a term, which sounds probably better than OpenID or identity federation 🙂 There is a statistic specifically for Europe, based on logs from 20 of their European customers. By the way, they don’t have US statistics on their blog post, maybe they just assume the international statistics are the same as US ones, or maybe they simply don’t have that many non-US customers.

Below the part of the blog post on Europe. Among others, it claims that Hyves is growing as an identity provider.

Similar to last quarter, we want to note that Windows Live remains twice as popular a social login provider in Europe as in the US, and its share has increased from 8% to 11% despite the emergence of more localized social networks and email providers.  These providers, such as Hyves (Netherlands), Netlog (Belgium), Web.de and GMX (Germany) comprise over 10% of social logins from our sample of 20 European customers.  Their growth in social login popularity across the Atlantic comes at the expense of Google, Twitter and Yahoo!

European Social Sign-On Preferences

Most popular overall is Google (38%). Top five combined has 92%, but I expect for specific domains (e.g., business-2-business where LinkedIn would be popular) or region (e.g., Netherlands with Hyves) this top five would have other names in it.