Digi2: a PoC app for DigiD

2016/02/07

digi2-PoC-screenshots1

DigiD is the Dutch national digital identity solution for citizens to use e-government services (and online health and pension-related services). It is quite popular actually, in 2015 there where 12 million citizens that had a DigiD, on a population of a bit of 17 millions. Also the amount of logins had increased significant over the year, with over 200 millions logins in 2015. InnoValor did a project in 2015 to make a proof-of-concept app for DigiD that can 1) serve as replacement of SMS as second-factor, 2) can be used with government mobile app and 3) is more secure than current DigiD because it can use the contactless chips in e-passports etc as second factor. We did this project for and with DUO (government organisation responsible for student enrolment, student finance etc), in collaboration with RDW (government organisation responsible for driving licenses, vehicle registration etc) and Logius (government organisation responsible for DigiD).

The below blogpost is written jointly with Jan Kouijzer from DUO and gives details. It is in Dutch and includes links to videos with a demo. It appeared earlier (7 December 2015) on https://innovalor.nl/digi2-een-proof-of-concept-app-voor-digid/.

Read the rest of this entry »


Crowdsourcing a higher Level of Assurance for digital identities

2014/06/23

crowdsurfing-LoA-wordle

 

[cross-posted from IDnext website/news]

Two-factor authentication is becoming more and more popular. In the ‘old days’, it was mostly used by companies and online banking. Very few other services bothered users with two-factor authentication. But now, with new services providing access to privacy-sensitive information and/or becoming more important to us, service providers are becoming increasingly concerned about the identity of the people that they are authenticating – are they really the people they say they are? They feel the need to use two-factor authentication, even if it is costly and if it means that they risk annoying users.

The industry developed the Level of Assurance concept as a means of checking the trustworthiness of a digital identity. A digital identity is determined by the authentication means, such as a smartcard, text message, one-time password etc., and the registration process. The latter is often neglected, despite being very important. It is often also really expensive as well as annoying for the users. Ideally, doing a face-to-face check should be part of any correctly completed registration process. This is expensive, as it involves hiring skilled professionals, providing a working space and so on. Moreover, it annoys users, as it requires them to go somewhere and take action. Obviously, the expense depends on how the registration process is organised, and on its scale, but will cost between € 10 and € 100 per user.

Reusable identities are useful as the user goes through the process only once and can then authenticate himself to many services. The costs can be divided among the services and the user only gets annoyed once. Standards that define discrete levels are available in order to communicate the trustworthiness of a reusable identity. In Europe, the STORK levels are probably the most commonly used standard, although strictly speaking it is not a standard but a project deliverable edited by my colleague, Bob Hulsebosch.

Bob was tasked with writing the STORK levels with government issued/approved digital identities in mind, since the STORK project is about federated national digital identity solutions. For the higher levels of assurance, this means a strict face-to-face process. But the costs of many user types, such as age verification or insurance services, are too high. During the last three years or so, we also worked with clients on more ‘creative’ registration processes to provide the necessary level of assurance without resorting to face-to-face checks. This is partly because in the Netherlands, there is no re-usable identity available for consumer-to-business services (only government-to-consumer services). Typically, this creativity makes use of one or more derived identities. By “derived” I mean that we use a previously established identity, even without the permission of the issuer of that identity.

One example of how this process is used is the banking sector in which the user transfers a set amount of money. PayPal works in this way. We combine these derived identities with remote verification steps such as using an NFC app to read the ICAO chip that is in everyone’s passport.
We are now collaborating with SURFnet, part of Géant3plus’ Open Calls programme, to explore a new creative direction: crowdsourcing Levels of Assurance. We are basing our approach on the web of trust concept, as used in PGP for example. In this concept, users can vouch for other users, thereby creating a decentralised way of building up trust. We do this for users in an interfederation, re-using existing trust relationships wherever possible, such as those in social networks and PGP. We have a first prototype in which users authenticate themselves to an “Attestation Service” and then link their LinkedIn account (and PGP key) to their federation account.

The Attestation Service contacts “Helpers” from, in this case, the users’ LinkedIn networks to explicitly vouch for the identity of the user. The more contacts the users have, the higher the Level of Assurance. We are evaluating the prototype to determine our highest STORK level, including how to apply the concept to specific attributes such as mobile phone numbers.


Another DigiD incident: we’d better hurry up

2014/01/08

The latest security incident with the Dutch eID solution DigiD was all over the Dutch media. The DigiD of about 150 citizens from Amsterdam was stolen in December. The identity thiefs then used these DigiDs to change the bank account number for pensions etc from the victims. Although, in my opinion, DigiD is a success since it is used a lot, we really need to make it more secure. There are plans for this, but no final decision has been made. Below a more elaborate blog post in Dutch.

Weer DigiD fraude: we hebben haast

Digid Fraude Vk Kop1

DigiD stond vanochtend weer groot en negatief in de landelijke kranten (bv Volkskant, NRC). Dit maal blijkt de DigiD van 150 Amsterdammers gestolen zodat uitkeringen en toeslagen naar criminelen konden worden overgemaakt. Het gaat hier om een bekende zwakheid bij DigiD: het wachtwoord wordt via de post verspreid dus iemand die je brievenbus ‘hengelt’, een criminele PostNL medewerker of iemand met toegang tot je huis kan vrij makkelijk jouw DigiD stelen. Hoewel ik inschat dat de financiële schade van deze 150 gevallen wel mee zal vallen ten opzichte van de investeringen voor een veiligere eID oplossing, is het erg vervelend voor de 150 mensen die het overkomt en is het slecht voor het vertrouwen in de elektronische overheid. En er zijn meer incidenten geweest en er zullen er meer komen.

DigiD is ontworpen als een laagdrempelig en relatief goedkope identiteitsoplossing. En vergeet niet, het is een succesvolle oplossing. Hierbij is de maatstaf voor succes of het gebruikt wordt. DigiD wordt veel gebruikt, ook in vergelijking met onze buurlanden. Het DigiD gebruik stijgt ook nog steeds, tot 100 miljoen keer afgelopen jaar. Er moet nu alleen wel tempo gemaakt worden met een opvolger. Ik heb al het nodige geblogd over deze opvolger: het eID stelsel NL en een DigiD smartcard, dat ga ik hier niet herhalen. Wel vind ik het opvallend dat ook nu, in bijvoorbeeld de Volkskant, bij dit incident een smartcard als oplossing wordt gepresenteerd. Maar als die smartcard gewoon via de post opgestuurd zou worden gaat dit echt niet helpen. Dat betekent niet dat ik niet vind dat een veiliger authenticatiemiddel geen goed idee is, maar de urgentie lijkt me meer in een veiligere uitreiking van het authenticatiemiddel. Dit komt meestal neer op een face-2-face uitreiking van het wachtwoord of smartcard, in plaats van per post.

Vlak voor kerst is een kamerbrief over eID stelsel en DigiD-kaart verschenen. Deze bevatte weinig verrassingen en een paar keuzes over met name wat privaat en wat publiek zal worden in het eID stelsel. Een citaat uit deze brief:

De definitieve besluitvorming over de inrichting van het eID Stelsel en de introductie van de DigiD-kaart kan pas plaatsvinden als de hiermee samenhangende uitgaven en ontvangsten volledig in kaart zijn gebracht en alle uitgaven zijn gedekt. De Tweede Kamer zal hier op een later tijdstip nader over geïnformeerd worden.

Gezien de toenemende problemen met DigiD hoop ik dat er ook snel tot daadwerkelijk besluitvorming inclusief financiering overgegaan wordt. Dan kunnen publieke en private partijen hierop inspelen en kan Nederland een volgende stap zetten naar betrouwbaardere digitale dienstverlening (overheid en bedrijfsleven). Dit geldt overigens ook mocht het eID stelsel en/of DigiD-kaart alsnog struikelen of in een beperkte vorm worden ingevoerd. Beter dat dit snel duidelijk is zodat marktinitiatieven de ruimte hebben. En als voor wat voor reden dan ook een opvolger van DigiD te lang op zich laat wachten, dan kan overwogen worden als tussenoplossing DigiDs via het gemeentehuis i.p.v. via de post uit te reiken.

 

 


Which level of assurance is needed for LSP and other patient portals?

2013/09/09

lock

More and more health providers offer patient portals. These portals can contribute more efficient and effective health care. In addition, because since they provide easy access to personal health records and personalized health information, they can contribute to more patient empowerment. But there is also a risk: the wrong person (i.e., an identity thief) may get access to this very personal information.

Novay participated in a working group that developed a guide for health providers to help them determine how secure the authentication solution for patient portals should be, i.e., which levels of assurance is needed. My colleague Mettina Veenstra and myself tried out this new guide on the Dutch national infrastructure for the exchange of personal health records. This infrastructure is in Dutch called Landelijk Schakelpunt (LSP), which I have no idea how to translated in English (it resembles what the EU epSOS project calls a National Contact Point). The LSP recently added the possibility for patients to see which health professionals used the LSP to access their health records. It does not provide access for patients to the actual health records. Nevertheless, if an identity thief can see that e.g. an oncologist accessed your medication record as stored by your local pharmacy, then it implies something you may not want to share. The blog post discusses this, including the relationship to the national identity solution in the Netherlands (DigiD which is STORK 2, and lack of STORK 3 solution in the Netherlands).

The full blog post is only in Dutch, see here and copied below for convenience. For non-Dutch speakers, this is what Google translate makes of it.

Read the rest of this entry »


Privacy and security in an eID solution?

2013/05/27

irma4

In the Netherlands we have a digitale identity solution, called DigiD, for citizins that want to use e-government services. It is used quite a lot (compared to e.g. Belgium or Germany), but not very secure (only SMS as second factor, and verification via a well-known address contrary to e.g. face-2-face). The Dutch government is now working on a more secure eID solution, as part of an bigger identity trust framework that is called “eID stelsel” (roughly translates to eID scheme or eID framework). In the below blog post (in Dutch …) we discuss this, and zoom in on the IRMA research project in which we participate. IRMA smartcard aims to be both secure and privacy friendly (attributes, double blind certificates etc).

Een betrouwbaardere en privacyvriendelijkere DigiD

In een kamerbrief over de toekomstbestendigheid van Nederlandse identiteits-infrastructuur, schrijft minister Plasterk dat DigiD, in de huidige vorm, op korte termijn niet meer voldoende beveiliging biedt voor nieuwe gevoelige e-overheids diensten. Voor deze diensten is een veiligere eID oplossing nodig. Te denken valt dan, bijvoorbeeld, aan toekomstige diensten als toegang van patiënten tot hun elektronische patientendossier.

Read the rest of this entry »


Step-up authentication as-a-Service

2013/01/07

IDentity-as-a-Service (IDaaS) was a hot topic in 2012 (e.g., this blog post of Dave Kearns), and probably will continue to be so in 2013. In a project for and with SURFnet (Dutch NREN) Novay designed a IDaaS-like service to make existing identities more trustworthy: Step-up authentication as-a-Service. (No idea more to abbreviate this: SuaaaS?)  The Step-up authentication as-a-Service we designed addresses this need by making it possible to increase the trustworthyness (put differently: increase the level of assurance) of identities in an existing identity federation. The service addresses both the technology and the process/registration side: a second factor authentication and an additional face-2-face check who this digital identity (and second factor) actually belongs to.

From a user perspective, the service has a self-service interface to register a second factor (see mockup below), an interface for the identity providers for user management (see second mock-up below) and of course every time a step-up authentication is needed the user is re-directed to the Step-up authentication as-a-Service to authenticate with this second factor.

Read the rest of this entry »


Guide to classifying e-services to Levels of Assurance: a good first step

2012/02/09

A Dutch government body responsible for establishing open standards for elektronic exchange (Forum Standaardisatie) published a guide for government service providers to help them classify e-services to Levels of Assurance. They use the EU STORK Quality Authentication Assurance levels for this, which classify authentication solutions in four levels. Since Novay was responsible for defining these levels in the EU STORK project, and we’ve helped several clients in applying STORK levels, we read this guide with great interest. In the below text we discuss the Levels of Assurance concept, and give our opinion on the guide.

Read the rest of this entry »