The challenges for a Dutch eID



My colleague Wolfgang Ebbers is a blogger for iBestuur. iBestuur is an independent platform for i-government (the i stands for information). In his latest blog post he discusses a recent letter from the minister of Internal Affairs on the minister’s vision on digital government 2017. Wolfgang zooms in on the role of an eID solution in this vision, and interviews me on what I consider to be important challenges for the Dutch eID framework that the Dutch government is working on. I basically try to make five points. I start with (i) that it is good that there is now an eID framework vision that is broadly supported by different parts of the Dutch government, and that it also extends to consumer-2-business. Then (ii) I make the point that the lack of clarity and certainty on how this vision will be implemented causes initiatives for eID solutions to wait. Then I discuss some major challenges: (iii) the business model (who is paying, private sector vs government vs consumer, market entry), (iv) the privacy aspects, including the trade-off between privacy, costs, security and convenience, and (v) redundancy in the framework (e.g., authentication means), including that it is difficult to create the desired level playing field between government and private sector.

The complete blog post can be found here (in Dutch). For your convenience, I also copied the text below:


Privacy and security in an eID solution?



In the Netherlands we have a digital identity solution, called DigiD, for citizens that want to use e-government services. It is used quite a lot (compared to e.g. Belgium or Germany), but it is not very secure (only SMS as second factor, and verification via a known address rather than e.g. face-to-face). The Dutch government is now working on a more secure eID solution, as part of a bigger identity trust framework that is called “eID stelsel” (roughly translates to eID scheme or eID framework). In the blog post below (in Dutch …) we discuss this, and zoom in on the IRMA research project in which we participate. The IRMA smartcard aims to be both secure and privacy-friendly (attributes, double blind certificates etc).

A more reliable and more privacy-friendly DigiD

In a letter to parliament on the future-proofness of the Dutch identity infrastructure, minister Plasterk writes that DigiD, in its current form, will in the short term no longer offer sufficient security for new sensitive e-government services. For these services a more secure eID solution is needed. Think, for example, of future services such as patients’ access to their electronic patient record.


Step-up authentication as-a-Service


IDentity-as-a-Service (IDaaS) was a hot topic in 2012 (e.g., this blog post of Dave Kearns), and probably will continue to be so in 2013. In a project for and with SURFnet (the Dutch NREN), Novay designed an IDaaS-like service to make existing identities more trustworthy: Step-up authentication as-a-Service. (No idea how to abbreviate this any further: SuaaaS?) The Step-up authentication as-a-Service we designed addresses this need by making it possible to increase the trustworthiness (put differently: increase the level of assurance) of identities in an existing identity federation. The service addresses both the technology and the process/registration side: a second-factor authentication and an additional face-to-face check of who this digital identity (and second factor) actually belongs to.

From a user perspective, the service has a self-service interface to register a second factor (see mockup below), an interface for the identity providers for user management (see second mockup below), and of course every time a step-up authentication is needed the user is redirected to the Step-up authentication as-a-Service to authenticate with this second factor.
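To make the two sides of the service concrete, here is an added example (not code from the SURFnet/Novay service) that models step-up of an existing federated identity: the level of assurance is only raised when the user has both registered a second factor through self-service and been vetted face-to-face via the identity provider's interface. The class, method and LoA numbers are assumptions for the illustration.

```python
import hmac
import hashlib
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional


def totp(secret: bytes, now: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the usual mobile-app second factor."""
    counter = int((time.time() if now is None else now) // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


@dataclass
class StepUpRecord:
    """Per-user state held by the step-up service (assumed structure)."""
    totp_secret: Optional[bytes] = None   # registered by the user via self-service
    vetted: bool = False                  # set by the IdP after the face-to-face check


class StepUpService:
    BASE_LOA = 1      # assumed: what the federation IdP asserts on its own
    STEP_UP_LOA = 2   # assumed: what this service can raise an identity to

    def __init__(self) -> None:
        self.records: Dict[str, StepUpRecord] = {}

    # Self-service interface: the user registers a second factor.
    def register_second_factor(self, user_id: str, secret: bytes) -> None:
        rec = self.records.setdefault(user_id, StepUpRecord())
        rec.totp_secret = secret
        rec.vetted = False  # a (re)registered token is not vetted until checked in person

    # Identity provider interface: record that the face-to-face check was done.
    def mark_vetted(self, user_id: str) -> None:
        rec = self.records.get(user_id)
        if rec is None or rec.totp_secret is None:
            raise ValueError("nothing to vet: no second factor registered")
        rec.vetted = True

    # Called when the service provider redirects the user here for step-up.
    def authenticate(self, user_id: str, required_loa: int, otp: str,
                     now: Optional[float] = None) -> int:
        """Return the LoA achieved for this session; BASE_LOA if step-up fails."""
        if required_loa <= self.BASE_LOA:
            return self.BASE_LOA          # the federation identity already suffices
        rec = self.records.get(user_id)
        if rec is None or rec.totp_secret is None or not rec.vetted:
            return self.BASE_LOA          # technology OR registration side missing
        if hmac.compare_digest(totp(rec.totp_secret, now), otp):
            return self.STEP_UP_LOA
        return self.BASE_LOA
```

The RFC 6238 test secret and timestamp are used in the checks so the one-time codes are reproducible.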


eRecognition won Novay Digital Identity Award


eRecognition (in Dutch: eHerkenning) has won. Congratulations to Logius, ICTU, the ministry of Economic Affairs, all the participating companies in eHerkenning and of course especially to the people that have contributed to eHerkenning! Below is the official press release. What I’d like to personally add to this is that I think it is great that eHerkenning simply started facilitating business-2-government identification, with the parties that saw opportunities to provide identity services and only a limited set of government service providers. It now has a growing usage, and is also targeting business-2-business.

Physically the award is a small ceramic statue by the artist Alexandra Veneman. A (slightly shortened) explanation of her idea when she made it:


Nominees Novay Digital Identity Award 2012: Evolok, eRecognition and IDchecker


For the third year in a row I’m responsible for the Novay Digital Identity Award, which Novay in collaboration with IDentity.Next will give to an innovation in the area of digital identity. The first winner (2010) was Ziggur (digital death service), last year’s winner was Edentiti (online identity verification).

We have an independent jury (which I’m not in), which picked three nominees for this year:

  • Evolok – which combines identity & access management with a paywall system for online content. Ease of use for consumers, flexibility w.r.t. business model for online content providers.
  • eRecognition – an identity trust framework from the Netherlands, for business-2-government (and also aiming for business-2-business). Ahead of similar initiatives in the US (NSTIC) and UK, and usage is increasing.
  • IDchecker – a company that is very big in a niche market: a SaaS service for verifying physical ID documents based on an optical scan, or, IMHO much ‘cooler’, using a mobile app.

I copied the official announcement/press release below (the Dutch version is here). The winner will be announced on 20 November, during IDentity.Next in The Hague.


Submissions wanted for Novay Digital Identity Award 2012


Novay will for the third year grant an award to an innovation in the area of digital identity. Previous winners are Edentiti (in 2011) and Ziggur (in 2010). The award ceremony will be at the IDentity.Next 2012 (un)conference (20-21 November, The Hague, NL). For details on the award, see below. Please do submit your innovation! And please do suggest that others submit if you think they are good candidates for the award. For information you can contact me.

The below is copied from

Submissions wanted for Novay Digital Identity Award 2012

On November 20-21, the Novay Digital Identity Award will be granted to the best new concept or product concerning digital identity. The award is part of the conference Identity.Next’12 in The Hague. With the award, Identity.Next and ICT research institute Novay want to recognize and support new developments that are shaping the future of digital identity. Submissions are welcome until October 19th.

The conference on November 20-21 (2012) is organized by the IDentity.Next association, a non-profit organization on Digital Identity. Identity.Next will bring a program with top experts, professionals and industry stakeholders to discuss the world around Digital Identity and best practice.

The conference program will consist of debates, workshops, and presentations in four tracks: ‘Social consumer’, ‘Mobile-me’, ‘Private Eye’, ‘eCitizen’, ‘Own (y)our data’ and ‘Up in the air’.

The award winning concept should relate to one of these themes. Innovative concepts, projects and products on digital identity for the award can be submitted until October 19.

Submissions will be judged by a jury consisting of Kevin Cox (founder Edentity, winner 2011), John Hermans (partner with KPMG), Leendert Bottelberghs (Head of Business Development – Marktplaats, eBay Classifieds Group) and Hermen van der Lugt (chair of the jury and CEO of Novay).

Criteria include innovativeness (technological as well as business model), success & impact, how the privacy aspect is dealt with and added value for users and for stakeholders.

For more information, including jury members, factsheet and submission form, see:

Looking back at 2011: what was new, and what could have been (IDentity.Next newsletter)


I wrote an article for the IDentity.Next newsletter that came out today (21 December 2011). It is here, and for convenience, also copied below.

Looking back at 2011: what was new, and what could have been


With 2011 almost over, the question IDentity.News had for me was to look back at 2011 and say what the new developments in the area of digital identity were. Since I’m in the business of innovation, looking forward is more in my DNA than looking back. And so, a little out of my comfort zone, below are three major new developments of 2011, and, also, three developments that did not happen in 2011.

1. Trust frameworks – in the US (e.g. NSTIC, OIX), in NL (e.g. eHerkenning) and elsewhere, trust frameworks as a way to ensure a fair and trusted ecosystem to provide identity-related services are catching on. Experience with large-scale deployment is still limited though. I guess we just have to do and learn. And the alternative to trust frameworks (i.e. government-issued identities) also stays popular (e.g., the new German ID card, the Dutch DigiD/eNIK).

2. Cloud and identity-as-a-service – it seems impossible for a self-respecting event in the area of identity not to spend significant time on the combination of cloud and identity. And something similar seems to apply to identity experts. There is also progress here; especially commercial offerings of identity-as-a-service have been progressing. On making the cloud identity-enabled, things have developed slower than I would have expected a year ago. Although I guess everyone (?) agrees that companies want to have centralized authentication, authorization and provisioning (efficiency, control etc), adoption of standards is still too limited, which is at least part of the reason this is going slowly.

3. DigiNotar (and other security fiascos in the identity area) – while a disaster for DigiNotar and potentially a huge disaster for an unknown number of Iranians, there is actually a bright side. It resulted in more attention at ‘higher levels in organizations’ for information security and identity. And I’m sure many security consultants had sufficient work in the second half of 2011. The downside of this attention is that I’d rather have digital identity associated with ‘enabling online services’ than with security risks.

There are also three developments that did not happen, but could have. I stay close to home for these.

What first comes to mind is that there is still no clarity on introduction of a Dutch electronic identity card (eNIK), although the responsible Minister of Internal Affairs promised parliament a proposal before the end of the year (still two weeks to go!).

What also did not happen in the Netherlands is the Dutch national electronic health record; instead the Dutch senate seems to prefer faxes, or maybe smoke signals. Not that the proposed law they stopped did not have its flaws from a privacy and authorization perspective. But the proposal could have been improved upon, and current practice is much worse in my opinion. Hopefully the Dutch national health record will continue in another form; there are signs it might.

The third development that did not happen is a breakthrough in a re-usable consumer identity solution on Dutch national or, even better, European or worldwide scale: we still have the same long list of username/passwords for every website that offers personalization.

Maarten Wegdam (principal consultant Novay – IDentity.Next member panel)

Do’s and don’t’s for DigiD


New DigiD logo

DigiD is the Dutch national digital identity solution for citizen-2-government. Although not the most secure solution around, it is one of the more successful ones with respect to actual usage. DigiD is actually not only for e-government services, but also for online services in healthcare and pensions (since they can use the Dutch social security number). For such a ‘lucky’ company, which is going to use DigiD next to its own identity solution for consumers, we did a series of interviews to determine the do’s and don’t’s of implementing DigiD. My colleague Wouter Bokhove was in the lead for this, and published a blog post summarizing some of the main findings. It is in Dutch, and can be found here or, for your convenience, copied below. Amongst others we advised on using the new SAMLv2 interfaces or the ‘old’ A-Select interfaces, and on how to use the Levels of Assurance concept.


DigiD: good preparation is half the work!

Suppose that, as an organisation in the pension or healthcare sector, you have a ‘My’ environment (Mijn-omgeving) where customers can arrange their affairs online. Part of your users have an account for this My environment based on a username and password (with all the drawbacks and limitations that come with it), but you are looking for a cheaper, more secure and/or more user-friendly alternative.

Is DigiD then the answer? When is it useful to implement DigiD? Why would I still offer my own username/password combination? What is important when implementing a DigiD connection? DigiD has several interfaces (koppelvlakken); which one should I choose? What will change with DigiD 4.0, which other developments are relevant, and what impact could these changes and developments have on the choices I make now? How do I ensure a future-proof identity architecture that can cope with this?

Novay has formulated a number of recommendations for a large Dutch financial services provider that answer these questions. For this we looked not only at the current situation of this client and the publicly available information on DigiD, but also spoke extensively with experienced practitioners from the healthcare sector, system integrators and Logius. In this blog post I briefly describe a few of the recommendations that are interesting for a wider audience:

  • There can be various reasons to want to use DigiD:
    • it becomes possible to offer services that require a higher level of assurance (compared to an own username and password);
    • using DigiD lowers the threshold for customers to use the My environment; as a result more customers will use this (typically cheaper) channel;
    • the own authentication means will be used less, so that fewer new identities need to be issued and there will be less load on the helpdesk (e.g. for resetting forgotten passwords);
    • it may no longer be necessary to offer an own authentication means (this depends, among other things, on whether all customers can actually apply for a DigiD).
  • A choice must be made between connecting via the ‘old’ A-Select interface or via the ‘new’ SAML v2 interface. Using SAML v2 is recommended because it is more future-proof (SAML v2 is an OASIS standard). SAML v2 is supported from DigiD 4.0 onwards (SAML v2 is already available now with DigiD Eenmalig Inloggen). Its release has however been postponed from 1 October 2011 to after 1 April 2012.
  • Although the use of DigiD and the guidance by Logius during the implementation of DigiD are currently still free of charge, it is wise to take into account that this will change in time. At this moment it is not possible to predict how expensive this will be, or whether it will differ per level of assurance.
  • Do a risk assessment of the current and planned services for the My environment and determine which levels of assurance are needed for them. With a view to future-proofness it is wise to use the levels of assurance as defined in the European STORK project (D2.3, written by Novay on behalf of the ministry of BZK).
  • Logius is very strict regarding the communication requirements, and it turns out that Logius frequently rejects (pre-)production environments that do not meet these requirements. This means that a connecting party cannot afford any liberty with regard to the prescribed texts and the use of the DigiD logo.

The above recommendations were drawn up in the period before ‘Lektober’. Following the recent DigiD-related security problems at, among others, municipalities that emerged from this, one more recommendation can be added:


Edentiti wins Novay Digital Identity Award!


Yesterday was the second edition of the IDentity.Next (un)conference, and also the second time Novay put an innovation in the area of digital identity in the spotlight by awarding it the Novay Digital Identity Award. Congratulations to Edentiti, and its founder Kevin Cox!!!

Edentiti is an Australian start-up that does online identity verification. What I personally like most about Edentiti is that they have a very pragmatic approach to identity verification which exploits a range of existing online databases and previously established identities. They provide increasing levels of trustworthiness of the identity verification, with an increase in trust meaning more hassle for the user (and probably more cost for the service provider), but for many online services a lower level of trustworthiness is already good enough. And in all cases, the service provider doesn’t have to do the identity verification himself, and the user is in control of how his identity is verified. A ‘trick’ they use is that users can verify their identity by proving that they have existing relationships with organizations. For more details, check out this webpage from the greenID verification service that they provide together with a partner.

The photo with this blog post is the award itself. The artist is Alexandra Veneman (from Ommen in NL, the same as for the 2010 award). The wave pattern symbolizes that identity is of all times and all areas. The I and the D of course stand for identity. She used the purple colour from the Novay logo.

I copied the official announcement of the award below.

Edentiti wins Novay Digital Identity Award!

The Hague, November 9, 2011 – At the Identity.Next’11 conference today, the Australian Edentiti has won the Novay Digital Identity Award for the best new concept or product in the field of digital identity. Edentiti provides online identity verification by checking information from various online data sources, and does so under the control of the end user.

Identity verification is the process of verifying if someone is who he or she claims to be. It can be used to prevent identity theft, for age verification where the purchase of alcohol or gambling is concerned and for several other reasons. What the jury found particularly appealing about Edentiti is the efficient and innovative manner in which they rely on existing online identities that a user has, and use these as a basis for identity proofing for new online services. In the system Edentiti offers, individuals can verify their identity by proving they have existing relationships with organizations. Proof is obtained by the individual using the Privacy Principle that says that individuals can ask any organization that might hold personal information on them “Do you have any information about me? Yes or No?”. The number and quality of the “Yes” relationships determine the trust in the verification. Edentiti is also provided through Deloitte Digital under the brand name greenID, addressing Anti-Money Laundering/Counter-Terrorism Financing (AML/CTF) legislation.

Hermen van der Lugt, director of research institute Novay and chairman of the jury: “It is easier for end-users and less expensive for online businesses than traditional face-to-face identity verification approaches. Additionally, Edentiti lets the individual control the whole process of identity verification, which is a big plus, considering the privacy

Edentiti has an approach and business model that allows for incremental growth: in number of users, in number of customers and in the level of trustworthiness of the identity verification. The jury believes that their approach has the potential to be expanded to other countries through partnerships. Organizations which use the system include Australia Post, the Australian Superannuation Fund and the National Australia Bank. More on Edentiti’s approach can be found at

Apart from Edentiti, three more organizations were nominated for the award. Qiy ( is a Dutch personal data store initiative that provides a secure environment in which a user controls which companies can access his or her information. WAYF (, a Danish identity federation, connects over 90 service providers with over 130 identity providers in education, libraries, health care and government (including the NewLog-in national authentication system). WAYF pioneered and contributed to open source with, amongst others, a user consent module, real-time calculation of economic benefits of the federation and a federation administration interface. tiQR ( is an open-source and standards-based authentication solution from SURFnet. It uses a mobile phone to scan a QR code that is presented by a webpage, thereby implementing two-factor authentication that is very user friendly.

The award is part of the IDentity.Next’11 conference in The Hague, organized by the IDentity.Next foundation that focuses on developments in digital identity. With the award, IDentity.Next and research based ICT consultancy Novay want to recognize and support new developments and innovations that are shaping the future of digital identity. Co-organizer of the conference is EEMA, Europe’s leading independent, non-profit e-Identity & Security Association. The conference brings together experts, professionals and industrial parties to discuss the latest developments in the field of digital identity. More information about the award and the jury is available at

Nominees Novay Digital Identity Award announced


The submissions were quite diverse, and from more different countries than last year. Since it was difficult to narrow it down to the intended maximum of three nominees, the jury decided to select four 🙂 My congratulations to edentiti, Qiy, WAYF and tiQR!! The jury is not done though; the winner still has to be selected from among the nominees.

Below is the ‘official’ press release, copied from the Novay website.

On November 9, one of four nominees will be granted the Novay Digital Identity Award at IDentity.Next’11. The nominees for the best new concept or product in the field of digital identity are: the Australian edentiti, the Danish WAYF and the Dutch Qiy and tiQR.

Edentiti ( is an Australian identity proofing system that provides online identity verification by checking information from various online data sources, and does so under control of the user. Qiy ( is a Dutch personal data store initiative that provides a secure environment in which a user controls which companies can access his or her information. WAYF (, a Danish identity federation, connects over 90 service providers with over 130 identity providers in education. WAYF pioneered and contributed to open source with, amongst others, a user consent module, real-time calculation of economic benefits of the federation and a federation administration interface. tiQR ( is an open-source and standards-based authentication solution from SURFnet. It uses a mobile phone to scan a QR code that is presented by a webpage, thereby implementing two-factor authentication that is very user friendly.

Most people have one or more digital identities. As we use more online services, this number increases and the question of who knows what about whom becomes increasingly complex. And then there’s the digital keychain, which yields more annoyance than convenience. With this award, IDentity.Next and ICT research institute Novay recognize and support new developments that will shape the future of digital identities. The jury is chaired by Hermen van der Lugt, Director of Novay. The jury also includes Ziggur, last year’s winner. Ziggur provides a service that gives users control over what happens to their online identity after their death.

The award is part of the IDentity.Next conference in The Hague, organized by the Identity.Next foundation that focuses on developments in digital identity. Co-organizer is EEMA, Europe’s leading independent, non-profit e-Identity & Security Association. The conference brings together experts, professionals and industrial parties to discuss the latest developments in the field of digital identity. More information about the award and the program is available at