Digi2: a PoC app for DigiD



DigiD is the Dutch national digital identity solution for citizens to use e-government services (and online health and pension-related services). It is quite popular actually, in 2015 there where 12 million citizens that had a DigiD, on a population of a bit of 17 millions. Also the amount of logins had increased significant over the year, with over 200 millions logins in 2015. InnoValor did a project in 2015 to make a proof-of-concept app for DigiD that can 1) serve as replacement of SMS as second-factor, 2) can be used with government mobile app and 3) is more secure than current DigiD because it can use the contactless chips in e-passports etc as second factor. We did this project for and with DUO (government organisation responsible for student enrolment, student finance etc), in collaboration with RDW (government organisation responsible for driving licenses, vehicle registration etc) and Logius (government organisation responsible for DigiD).

The below blogpost is written jointly with Jan Kouijzer from DUO and gives details. It is in Dutch and includes links to videos with a demo. It appeared earlier (7 December 2015) on https://innovalor.nl/digi2-een-proof-of-concept-app-voor-digid/.

Read the rest of this entry »

FIDO and its place in the eID ecosystem



FIDO stands for Fast Identity Online. FIDO is a new authentication specification that makes it easier to integrate with and re-use non-password authentication means: what-you-have and what-you-are. The specification was published in a v1.0 version last December by the FIDO Alliance, which unites an impressive list of large companies (e.g., Microsoft, Google, Samsung) and smaller authentication companies (e.g., Authasas, Yubico, Nok Nok Labs) to “define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services”.

Last Friday (23 January 2015) PIMN organized a seminar on FIDO,  which was fully booked with a waiting list even. In this blogpost I’ll summarize what I learned and what I presented on “FIDO and its place in the identity ecosystem”.

Read the rest of this entry »

Mobile digital ID from Barcelona (idBCN) wins award


Barcelona City Council together with Firmaprofesional and TechIDEAS won the Novay Digital Identity Award 2013 with idBCN: a mobile digital identity solution for Barcelona. Mercedes Mestre Antolí (security official of the Barcelona City Council in charge of Digital Identity matters) and Xavier Tarres (CEO of Firmaprofesional) presented their submission at the  IDentit.Next (un)conference earlier this week and accepted the award. The award was a mask made by Dutch artist Frans Krom.

See below the pressrelease from Novay and IDentity.Next for details.



idBCN wins Novay Digital Identity Award

November 19, The Hague, The Catalan identity solution idBCN wins the 2013 Novay Digital Identity Award. The price for the best new concept or product was awarded today during the Identity.Next’13 conference in The Hague. idBCN is a mobile identity solution that allows citizens of the city of Barcelona to identify themselves in a user friendly and secure way to regional government and commercial service providers.

Read the rest of this entry »

An NFC app to make your offline identity mobile?


Blogpost by Maarten Wegdam and Martijn Oostdijk

We believe that there is a bright future for the combination of smartphone and digital identity, which we refer to as mobile-centric identity. The question is, of course, how and when, and probably also who (which organisations) will benefit from this.  To contribute to making mobile-centric identity happen, we are experimenting with how we can use a smartphone to get access to our ‘offline identity’, i.e., our passport / ID card. More specifically, we developed an Android app, called NFC Passport reader, that uses NFC to read the chip embedded in a passport / ID Card (aka ePassport). This app is now available from Google Play.

What did we do?

Read the rest of this entry »

SIM augmented authentication as alternative for SIM based?


We recently did an assessment of a so-called SIM augmented authentication token, or VASCO’s new DigiPass Nano product to be more specific. We did this for SURFnet, for which we previously also did an assessment of Mobile PKI. We liked Mobile PKI, but it has a big disadvantage: you depend on your mobile network operator to be able to use it (and in the Netherlands they are not deploying this any time soon). This disadvantage is the main motivation to look at SIM augmented tokens. These are, as the term suggests, added to in stead on being ‘inside’ the SIM card.

So what is a SIM augmented authentication token? Physically it is a sticker with an embedded chip that you stick on your SIM card and sits between the SIM card and the mobile phone. The chip stores a secret used for authentication, which is more secure than storing the secret in a ‘normal’ mobile app. This secret is used by an authentication application that is also runs from this chip. This application, from the perspective of the mobile phone, appears to be a normal SIM application, and can work on basically any phone (smart of dumb). The only SIM augmented authentication token that I’m aware of is the above mentioned  DigiPass Nano from VASCO (let me know if you know of others?). The DigiPass Nano implements an event-based one-time-password functionality, i.e., it generated a new code every time the user asks for it.

We did an assessment of the usability, security and business model aspects. Below I copied the conclusions, but the bottom-line is that we believe from a security perspective this is a good alternative to other one-time-password solutions, and it more secure than solutions implemented as a mobile app. The main benefit is that it works on basically any phone (also non-smartphones), and you you can deploy it without needing help (and investments) from your mobile operator. The main disadvantage is the user experience. We did some limited testing with putting the sticker on, which was ok, but the user experience of getting a one-time-password can be troublesome. It requires the user to find SIM applications on their mobile phone, which are often hidden somewhere deep in the menu’s. My estimate is that this usability limitation will need to be addressed for this technology to get acceptance beyond specific enterprise use-cases. Or to put it differently, I’d do very carefull usability optimizations/testing before deploying this to millions of consumers.

This assessment was joint work with my colleague Martijn Oostdijk, see his blog for more details on especially the security aspect. The full report of our assessment is available via the SURFnet website. If you’re looking for a wider perspective on the combination of mobile and digital identity, see this previous blog post on our mobile-centric identity vision.

6 Conclusions

The Digipass Nano uses a form factor that is relatively unique in the authentication token market. It is a SIM augmented token, a thin patch/sticker including an embedded chip that sits between the SIM and the user’s mobile phone. The key advantages of this form factor are:

  • secure storage of credentials under a “security domain” that is distinct from the other stake holders (e.g. mobile operators, handset vendors),
  • while at the same time the ability to use the user-interface of the user’s existing GSM handset,
  • and, potentially, the use of the mobile phone’s GSM or 3G network.

As most users will always carry their mobile phone with them, this means that the token will be present during transactions in many different contexts.

The technology underlying SIM augmentation is based on standards that have existed for a long time, are present in billions of GSM handsets around the world, and have proven to be relatively secure given the threat landscape thus far. The DP Nano does not use all features offered by this technology (it only uses the user interface features, not, e.g., the network features present in GSM 11.14). However, a number of variations of the DP Nano exist (see [10], apparently targeting different markets) which do utilise the networking capabilities of the GSM SIM, and which appear to more strongly bind the token to either handset (“IMEI lock”) or SIM (“IMSI lock”).

On paper, from a technological and security perspective, SIM augmented tokens compare well to other mobile and possession based tokens such as SMS OTP, OTP tokens, mobile soft tokens, and smart cards. As to the security, threats from malware on the handset are minimal as long as the SIM toolkit API interface is properly implemented on the handset.

The user experience may cause some problems for certain groups of users, depending on the issuance and installation process (e.g. whether users are required to install the token themselves). The DP Nano requires the user to navigate through unfamiliar text based menus in order to start up the application when asked by the SP to provide an OTP. This is the most prominent drawback when compared to e.g. the Mobile PKI experience (as described in [8]) where the authentication application on the handset it triggered over the air.

From a business model perspective SIM augmented tokens are interesting as they separate the role of SIM based authentication provider from the role of MNO. Obviously, being the first of its kind and relying on a server side licensing model and proprietary implementation, whether a choice for the DP Nano provides a positive business case when compared to MNO provided SIM based authentication remains to be seen.

Interesting features to add could be:

  • Lock the token to IMSI or IMEI (possible, according to [10])
  • Use the network to initiate authentication transactions (drawback: implies sending service SMS messages to the token, which may mean cooperation of a MNO or at least per-transaction costs)
  • Use the network as an OOB channel during an authentication session (e.g. to display transaction details, similar drawback as above)
  • Use the network to “blacklist” a token when a token is reported stolen
  • Combine SIM augmented solution with a handset resident application to provide a better user experience (may be dependent on operating system and handset to provide installed apps with an API for communication with SIM)

The latter option is particularly attractive as a way to enhance the security of SURFnet’s tiqr solution (see [11]) and other mobile app solutions.

Since a one-size-fits-all solution to authentication does not exist, in the end SIM augmented solutions will likely find a market alongside authentication tokens with different form factors.

Digital identity in the Netherlands: DigiD for consumer-2-business?


On Tuesday 4 October we organised a Novay networking event called Tuesday Update, with digital identities as the subject. The main subject of discussion was the need for re-usable identities, and especially who should be the identity provider: government or private parties. This is a hot subject in the Netherlands, also because of the recent security incidents (DigiNotar). Hein Aanstoot, director at SIVI, argued very well that the insurance sector increasingly needs a consumer-2-business identity solution, and would they be allowed to use the national citizin-2-government solution DigiD then this would help insurance companies a lot. This is however not allowed in the Netherlands, and Kees Keuzenkamp from the ministry of Internal Affairs explained the policy developments in this area (NL and EU), including the planned Dutch eID smartcard (called eNIK, elektronische Nederlandse Identiteits Kaart). Bottom-line (in my wording) is that the decision on eNIK will be taken end of this year (after which it goes to parlement) and that it is very unlikely that DigiD/eNIK can be used as a generic consumer-2-business identity solution. Hein Aanstoot also gave some insight into a new initiative with several large insurance companies to create a breakthrough in a re-usable identity for the insurance sector, I think it is good for these insurance companies that they do not make themselves (too) dependent on the government or others (banks). I also presented, and gave my perspectives on consumer-2-business identities, why this is so difficult (privacy, trust etc), the outcomes of our cidSafe project, my views on DigiD (and eHerkenning) and what the role of government should be (especially: solve it or be very clear you’re not going to do so). I also presented three innovations we are working on that we believe will increasingly become important: user control over their data, mobile-centric identity and context-enhanced authentication/authorization. My presentation is on slideshare (dutch!).


Mobile-centric identity in the IDentity.Next newsletter


Below a contribution I wrote for the IDentity.Next newsletter  (I’m on the expert panel) on mobile-centric identity, see also http://www.identitynext.nl/news.php?id=22.

Mobile phone – the remote control of our (digital) identity?


For most people the mobile (smart) phone is the most personal device they have. You carry it with you almost always, you rarely let others use it and you notice it is gone very quickly. Combine this with the smart phone becoming a mature and popular channel to online services, and you realize the importance of your mobile phone for your digital identity. The term user centric identity was (or still is) quite popular the last few years, going further I’m a strong believer in mobile centric identity: the mobile phone as the central component to control your digital identity.

I distinguish three ways in which this is happening:

1.     The mobile phone as authentication device– this is already happening and is progressing, especially one-time-passwords over SMS are pretty common. But also apps for Android or iPhone with one-time-password generators, or Mobile PKI which exploits the SIM card for more security.

2.     Authentication for the mobile channel– this is still a struggle, even more than identity on the ‘fixed’ internet. Typing passwords is a huge hassle on mobile phones, and providing these to random and barely trusted mobile apps is not a good idea (for example a third party mobile banking app). Common stronger authentication means like smartcards-with-readers or one-time-password tokens  are not really an option since no one wants to carry additional devices with them. Also identity federation standards like SAML WebSSO and OpenID are not really suitable for mobile phones. We’ve been using oAuth for mobile Apps, which may not be the final solution but is a step into the right direction if ‘medium’ security is good enough.

3.     Control your privacy on your mobile phone – I, and many with me, believe that sharing personal data can make our lives easier, but that the user should be in control of this. A single point of control for this is the way to go, for example determine in a central place who should get access to my new home address, and my location updates. This starts at basic consent functionality when using external identities (e.g., OpenID), but goes all the way to Personal Data Ecosystem, Vendor Relationship Management and User Managed Access ambitions. The mobile could be the trusted device to control this. This is far from reality nowadays.

A major risk for the success and speed in which mobile centric identity will come to be is if we are successful in keeping the mobile phone secure enough for this. This has not been a major issue yet, but for sure requires attention (for example, ENISA report or KuppingerCole Top Trends 2011). Solutions that are part of the operating system and/or exploit trusted hardware like the SIM card may prove most successful.

Related to identity is always payment, and although slower than expected the signs are good that NFC technology (for mobile payments) will get a significant penetration to mobile phones the coming years. Also, at least in the Netherlands, banks and mobile operators have joint forces to make mobile payment possible. Your mobile phone may very well replace both the coins and the bank/smartcards that are now in your wallet. It will be interesting to see how, how fast and who will profit from this!

Maarten Wegdam (principal researcher at Novay – member of IDentity.Next expert panel)