Biometrics and digital identity – is that really you?

There is an iconic moment in the Steven Spielberg film Minority Report, where Tom Cruise heads into the shopping mall of the future, and as he passes the stores they scan his iris, and the billboards start making all sorts of personalised sales offers to him. We might guess the next logical step: pick an item, wink, and the payment is sent.

Today’s rapidly developing biometric technologies suggest we are heading to a future that may not be so far off from Spielberg’s epic. Indeed, to paraphrase author William Gibson, ‘the future is already here, it’s just not evenly distributed’. Smile-to-pay facial recognition systems are currently being tested, with KFC pioneering the system in China, allowing customers to pay simply by smiling after placing their order. Amazon’s supermarket, Amazon Go, dispenses with checkouts altogether, combining mobile device and object recognition to fully automate the checkout and payment process.

More widely used biometric authenticators such as Microsoft’s ‘Windows Hello’ or Apple’s ‘FaceID’ are emerging as everyday authentication methods, as they have countered some of the early spoofing attacks by using infra-red scanning and live video detection to confirm that the person is real, alive, and present.

If we look at the high-profile data breaches appearing in the news on a regular basis, we realise that even with the impressive advancements in biometric authentication, no single technology in isolation is entirely infallible.

Multi-factor, intelligent biometric authentication

Authentication will forever be an evolving beast. Usernames and passwords were only just the beginning (or, arguably, the past). Additional forms of authentication, such as email and SMS verification, are widely used as well. Geolocation and user patterns help identify anomalies, providing insight into when to apply step-up authentication; retail banks, for example, typically block transactions that are outliers in the customer’s purchasing pattern.

Biometric authentication adds a whole new realm of opportunity to ensure you are uniquely you, but it becomes fallible if reliant on single forms of identification. Fingerprints can be copied, siblings can trick facial scans, and more. Using multiple sources helps to prevent fraud and build trust.

At Signicat, we explore a number of advanced biometric identification methods. Facial scanning, fingerprints, iris, and voice are currently well-known methods. But what about gait analysis? Are you walking like you normally walk? What about movement? Are you handling your mobile device normally, or are there anomalies in your behaviour? There are subtle but telling cues that can be tracked to help establish whether it really is you. If there is any uncertainty, additional step-up authentication methods can be employed.

Biometrics and the Digital Identity Challenge

The primary purpose of any authentication endeavour is to ensure that the digital identity is verified. The Nordic countries set the bar for trusted digital identity years ago by introducing a shared digital identification infrastructure that vendors can use to engage more seamlessly with their customers.

These electronic ID schemes (eID), such as BankID and NemID, are tied to national ID numbers, passports and a valid address, and have access to credit ratings. Users must typically log in using multi-factor authentication and, generally speaking, a comprehensive risk analysis is part of the interaction.

The introduction of biometrics and mobile devices has further simplified and improved the authentication process. For example, Norway’s BankID previously required a “code brick” to authenticate. Now, mobile phones are used as an additional authentication method, requiring a fingerprint and PIN code in addition to a unique ID and password.

Trusted digital identity

Ultimately, the use of biometrics helps build trust in the digital identity, and with that trust, the business goes unimpeded.

Today, the bank-driven ID schemes of the Nordics have set the standard for digital identity and authentication, with billions of uses of digital identity per year in a population of less than 30 million people. For the average Norwegian business, new customer onboarding and authentication involve the customer entering their eID credentials; the system checks the eID and access is granted rapidly to new and existing accounts. The success of these schemes lies in the trust built around digital identities. Financial service providers, online retailers, and other commercial enterprises are able to digitally build a trusted relationship with their customers. Furthermore, these relationships are fully compliant with KYC and AML regulations.

These eID schemes are really popular with the Scandinavian public, as they can dispose of their 50 or more passwords and log in to almost all digital services with a single set of credentials. And the frequent use of a single eID allows behavioural patterns to be established, so that the algorithms pick up identity theft quickly and block fraud.

Linking the eID to the mobile device and deploying biometric factors considerably enhance security and enable a frictionless digital customer authentication process. Layering biometric technology on existing identities allows customers to prove they are who they say they are via their mobile devices.

This linking of our physical ID to an eID to our mobile device, with transactional and behavioural monitoring, goes beyond two- or three-factor biometric-based authentication. This combination not only provides extremely robust security and validation, but also tackles what is perhaps a pressing issue of the digital economy – that of assuredly validating digital identities for the on-boarding and authentication of customers.

Learn more about customer’s requirements around digital on-boarding. Download our most recent research – The battle to on-board: The European perspective on digital on-boarding for retail banks.


User-controlled privacy through self-sovereign identity

More and more, we conduct business online and through one or several digital identities, ranging from credentials issued by a single organization to a reusable, verified electronic identity. In a research report we conducted, 72% of consumers interviewed wanted a digital-only onboarding process for new financial services. Coinciding with this, however, we find consumers becoming more privacy-conscious, and there is a growing trend towards consumers “owning” and controlling their data.

We refer to this as Self-Sovereign Identity (SSI). SSI is a rather new concept, and there is no consensus on the exact definition. There is agreement that the user should be in control of their own identity data, but there is disagreement as to how this can be achieved.

This article will look at how to achieve this, using identity custodians.

Is blockchain the answer?

In a word, no. Blockchain technology offers the world a number of exciting opportunities to innovate and to solve problems in ways that haven’t been considered previously. However, as a framework for creating a digital identity, blockchain has a few critical flaws that need to be addressed.

Most obviously, users are notorious for losing passwords and requiring assistance with resetting their accounts. In a blockchain world, digital identities cannot be recovered, and it is the sole responsibility of the user to keep track of their login credentials. After all, by some reports there are over $20bn worth of bitcoins that are lost because the retrieval codes have gone missing.

In addition, blockchain solutions typically put the information on the users’ own devices, encrypted, under the sole control of the user. This is good until you lose the device, in which case there is no recovery mechanism, as one would violate the principle of the user’s sole control.

As if that were not enough, who is liable in case of a breach? And who do you call if you have a problem? The idea behind blockchain is that there is no central authority and no ownership, which also means no liability for the infrastructure.

As human beings, we are used to always being able to have somebody to call if there is a problem. Everybody has used the “I forgot my password” function multiple times. Most of us at some point have called a locksmith to get us into our car or house, because we have lost the key. Remember that with modern cryptography, there is no backdoor. There is nobody to call if you lose the key.

Finally, do users really want to manage their own data? And if so, can we trust them to do this? Digital identity is something that should simply be available and work, not something that end users should need to worry about.

If blockchain isn’t the answer, what is?

Enter the Identity Custodian

An Identity Custodian manages the identity infrastructure and assists users in managing and retrieving their data. An identity custodian manages the user’s data on behalf of each user, very much in the same way banks manage users’ money on their behalf, which few people seem to question.

This will have the following benefits for the user:

  • Somebody to call when there is a problem.
  • Somebody who is liable if there is any kind of problem.
  • Somebody who is managing the electronic identity.

As a user, I will choose an identity custodian I trust. I will be able to change to a different custodian when needed.

What is an anonymous self-sovereign identity?

Another advantage to taking this approach is the ability to offer a mostly anonymous digital persona that is tied to a verified identity. We are beginning to experiment with this in the Nordics.

Occasionally users want to be anonymous in certain online interactions, such as discussion groups or online communities. With Anonymous Self-Sovereign Identity, these users can remain anonymous, but their real identity can be discovered using a court order or similar.

Additionally, the anonymous-SSI will also prevent users from going back into a forum (where they have been expelled) with a new alias.

Who should be Identity Custodians?

As part of our Battle to On-Board research, we discovered that in most markets consumers have the most trust for banks to hold their digital identities (when compared to governments, specialist companies, and social media platforms).

This coincides with the most effective electronic identities in the market. These are found in the Nordics and are consistently driven by banks. Banks’ main business is trust. They are trusted with our money. In these days of PSD2, the banks risk being reduced to “plumbing”, and could use the opportunity to step up, and be recognized as trust service providers.

Benefits to banks

  • Consumer trust. With consumer data for sale from many online organizations, and through shoddy security and data breaches, consumer trust is low. Enabling consumers to work with businesses through an SSI means that digital trust can begin to be rebuilt.
  • Revenue. Banks can earn money from facilitating online transactions.
  • Stronger brand. Increased brand awareness through ongoing transactions helps build trust and loyalty with consumers.
  • Enhanced services and offerings. Finally, with a verified self-sovereign identity, organizations can begin to offer services that protect the privacy of their users online, or Anonymous Self-Sovereign Identity.

In conclusion

Banks face a unique opportunity in today’s evolving digital identity landscape. As witnessed by the success of the digital identities from the Nordics, there is a model for banks to increase their involvement in digital transactions and build improved consumer trust, while supporting consumers’ desire for both privacy and ease of use.

Digital customer onboarding – are you doing it wrong?

Until recently, proving our identity has been a fairly straightforward process. After all, almost all of us have access to some form of physical identification which we’re able to produce as necessary. Go through immigration and we present our passport or identity card. Hire a car and we hand over our driving license.

But as more and more of our lives play out online, what was once a trivial matter – proving we are who we say we are – has become a lot more complicated. Online authentication is something most of us must do on a daily or weekly basis, yet the physical documents we rely upon in everyday life aren’t much help in the digital world.

As a result, digital verification is often cumbersome and inefficient. These stubbornly outdated identity verification processes are holding the digital revolution firmly in check by forcing customers back offline to prove they are who they say they are.

In fact, we conducted some research around the digital onboarding of customers in the retail banking industry and found that over 50% abandoned their attempt to sign up for new financial services.

Yet of the consumers we interviewed (4,000 individuals in the UK, Germany, Sweden and Netherlands), 72% said they want an all-digital onboarding system. And of those consumers that do onboard digitally, we found that they were more likely to remain loyal and tend to apply for more products and services.

So if customers want to sign up online, but over half of them quit before they’ve completed the process, what’s going on?

Abandonment reasons

Of those that abandoned an onboarding process, 40% cited the amount of information required as a key reason. This was followed by 34% saying the time it took to complete the application was a deterrent. The need to send identity documents by post or visit a branch in person was third on the list with 28%, and finally 18% found that the language used in the application was confusing.

Interestingly, Sweden, the only country that has an established and pervasive shared (and verified) electronic ID, BankID, and thus the quickest and easiest verified digital identity process, ran into trouble with regard to website usability and confusing language.

Conversely, the UK’s high abandonment rate was primarily due to the length of the application process, with the requirement to send documents (such as passports) in the mail a close second.

Three tips to improving digital customer onboarding

Of course, each business needs to dig into its own particular challenges when it comes to customer onboarding; however, we have seen three key elements that can help improve customer onboarding.

1. Step-up applications

A step-up application is a gradual process where you request more information over time, as you engage more deeply with your customers, instead of hitting them with five pages of forms before letting them see how your services work.

For services such as online banking, providing a simple username/password application to see the inside of your online bank can help establish a sense of trust with your customer and get the relationship going. You can then ask for document scans, job history, and their dog’s birthday later in the relationship.

2. Use better technology

Generally this falls into two camps: in some markets, such as the Nordics, there are established electronic IDs (such as BankID), while in others, document scanning and other verification methods are used.

We have seen eIDs used extensively in customer onboarding, and they greatly streamline the process. However, instead of asking for additional information on top of what the eID provides, the more progressive institutions are initiating registry lookups to gather the further information they require without the customer having to enter the details manually.

For those markets where there are no eIDs (or ones that lack pervasiveness), we generally recommend using a good document scanning service and then conducting registry lookups to get the details you need. Again, the more required information you can gather automatically, the smoother the experience is for the customer.

3. Improved user experience

It seems obvious, but sometimes legal requirements and system infrastructure can cause you to lose customers before they’ve even signed up. Reviewing and streamlining your customer experience, including legal requirements, language used, and application flow can help save as many as 25% of your dropped applications.

To learn more about our research relating to digital customer onboarding, download our report below.

EU Trust Mark

The pros and cons of eIDAS qualified

Signicat having been approved as a qualified trust service provider (QTSP) according to the EU’s eIDAS regulation (Regulation (EU) 910/2014) spurs some reflections on what it means to be “qualified” and the trust services situation in Europe.

The eIDAS regulation has four parts: general provisions, electronic identification, trust services, and electronic documents. This blog post is only about trust services, the part where the “qualified” term is defined. However, note the importance of the very short part on electronic documents. It simply states that an electronic document shall not be denied legal effect solely on the grounds that it is in electronic form. A prerequisite for electronic trust services is of course that electronic documents are accepted. This was not obvious in all European countries before eIDAS.

As an EU regulation, eIDAS applies in all EU member states, overriding national law in case of conflict. Since eIDAS is “of EEA relevance”, eIDAS also applies to Norway, Liechtenstein and Iceland.

eIDAS defines a closed set of trust services:

• Certificate issuing for electronic signatures (signature by natural person), electronic seals (signature by legal person), and website authentication,
• Services for signing and/or sealing (signature creation),
• Signature/seal validation services,
• Time-stamp services,
• Preservation services for electronic signatures/seals and related certificates,
• Electronic registered delivery services.

eIDAS then sets out a few provisions on trust services in general, and detailed provisions for qualified trust services and their providers. “Qualified” is defined as fulfilling eIDAS requirements. All defined trust services can be qualified, except signature/seal creation services (still, such services can create qualified signatures/seals). Many qualified trust services and/or their outcomes are granted legal presumptions from eIDAS, e.g. a qualified time-stamp is granted the presumption of accuracy of date and time and integrity of the data bound to the time-stamp. Furthermore, one is not allowed to ask for more than qualified; this is the top level that is guaranteed to be accepted across the entire EEA area.

This greatly expands the qualified signature term from eIDAS’ predecessor, the EU e-signature directive. But the legal presumption from the directive is continued with eIDAS, that a qualified signature shall always be considered a proper replacement for a handwritten signature; this has been valid since 1999.

Has eIDAS’ concept of qualified been a success?

It is too early to answer. Judging from the number of actors, yes: by the start of December 2018 the EU list includes 168 QTSPs. Three countries have none, and a few others only list actors that must be considered marginal players. But since services can be offered cross-border, a lack of services in a country is not necessarily a problem. Close to 30 accredited conformity assessment bodies compete for the mandatory audits that each QTSP and its services must pass.

What we do not know is the market and revenue for the QTSPs. Some of them are governmental, semi-governmental, or public-private partnerships but the majority are commercial. Here, we find banks and banking service providers, postal services, notaries, chambers of commerce, and other actors that expand existing services into the digital space – plus specialist trust service providers like Signicat. Some are niche players offering one or a few services, and some aim to cover all or most trust services, qualified or non-qualified.

Qualified, whether it is qualified signature/seal or qualified trust service, is the top level, hence, also the most expensive level. Requiring this for all purposes may not be cost-effective. Requiring a specific service or mechanism (like a qualified signature, which today must be based on PKI technology) to be used for a process may be counter-productive; the service or mechanism must fit the process flow and the needs and capabilities of the actors. Signicat’s home market is the Nordic countries. These countries are among the most digitised in the world, and they have zero (or close to zero) requirements for qualified signatures or seals. While there was no doubt that Signicat should join the club of QTSPs, our home market experience makes us cautious not to push anything qualified unless it is really needed.

The pros of qualified are that it is guaranteed to be recognised and accepted across the EU for all purposes (national security excepted) and that, in some markets, qualified may be a ticket to trade. The cons are the price level and the potential lack of fit between the process at hand and qualified services/mechanisms. For non-qualified, the actors involved must agree what is sufficient for the process, which requires judgement but may lead to cost savings and smoother processes. A non-qualified trust service may well be recognised across the EU; the market decides but the recognition is not guaranteed.

Regarding qualified signatures, the idea of defining a signature level that can always be used to replace a handwritten signature, no questions asked, is sound. It fences off threats against digitisation from arguments that no digital mechanism is good enough. But unfortunately, in too many cases this idea is turned upside down by stating that a qualified signature is the only mechanism that can replace a handwritten signature. One even sees the term “legally binding signature” used as a synonym for “qualified electronic signature”.

However, eIDAS is crystal clear in stating that:

“An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.”

So, all electronic signatures are legally binding and can replace handwritten signatures, except in the presence of additional requirements that pose specific restrictions. Such extra requirements, e.g. requiring qualified signature for a purpose, can be found in national laws and regulations, in EU legislation (in practice seldom seen), in sectorial rule sets and best practices, or imposed by the involved actors themselves.

Qualified signatures have until now in too many cases been hampered by poor user experience. Hopefully, server-based signing services will both lower cost and do away with much of the user friction.

Based on these arguments, Signicat recommends use of an advanced or qualified signature only when at least one of the following holds true:

1. There is a legal requirement, typically from national legislation.
2. A risk analysis shows the need for a particular level of signature.
3. The mechanism (advanced/qualified) is a good fit for the process at hand.

Then again, one can argue that the starting point, finding a substitute for a handwritten signature, can itself be challenged, as the result may be a digital process that merely mimics the paper process. While a handwritten signature is the only way to prove consent on paper, digital consent can be obtained by a plethora of mechanisms that do not have to mimic paper signing. But that is a topic for a future blog entry.

Links:
https://ec.europa.eu/futurium/en/eidas-observatory
https://www.eid.as/home/ which also points to
https://www.futuretrust.eu/ where Signicat is an associate partner
https://go.eid.as/ which is a new non-profit initiative promoting eIDAS
https://webgate.ec.europa.eu/tl-browser/#/ for trust list information

Blog post by Jon Ølnes, Nordic Product Manager, Signicat

Banks must replicate challengers and take onboarding seriously

Banks must sharpen up their onboarding process if they are to retain the lion’s share of customers.

Our Battle to Onboard research from 2018 revealed that more than 50% of people abandon a financial services onboarding process. The main reasons given were that it took too long (34%) and that too much personal information was required (40%).

I would expect that number to be closer to 15-20%; you’re losing nearly half of your customers before they’re even your customers.

Traditional banks view onboarding in a binary fashion – you’re either onboarded or you’re not. They’re used to a model where you ask for everything up front.

I believe that banks are “extremely risk averse” and reluctant to have a not-fully-KYC’d individual in their system.

But this is an area that I think must change considering the high onboarding abandonment rate. I encourage them to view it as a step up model and make it easier to get a foot in the door and get the relationship going. You gradually ask the customer for more information – this is what a lot of newcomers are doing.

Digital challengers are winning the onboarding game, with Monzo most recently reaching 1m accounts in late September 2018 and contemporary Starling Bank likewise seeing a 500% increase in accounts. Both banks pioneer the use of mobile phone verification and lean heavily on lessons learned from the tech giants.

They’re making it very simple to become a customer. I did onboarding myself with Revolut and it’s very smooth and easy to get started and then they begin asking for more information the more you get into AML. People want something convenient and convenience always wins.


How Signicat can help

Signicat is simplifying the process by providing one single API for a number of different onboarding methods in a single interface, making it very simple for banks. They can then set the initial onboarding at whatever level they would like and step up at a later time.

Banks can take the following steps to smooth out their onboarding process:

  • Instead of assuming that all users in the system are fully KYC’d, also make a category “New customer”
  • Make it simple to become a “New customer”, e.g. verifying the phone number by a one-time-password
  • Limit what a “new customer” can do and for how long, e.g. limit on amounts
  • Do all the existing risk monitoring also on the “new customer” accounts
  • Make a smooth step-up process, requesting additional information for full KYC
  • Work on the UX. Use clear and simple language in all steps

Blog post by John Erik Setsaas, VP of Identity & Innovation at Signicat


EU Trust Mark

Qualified Trust Service Provider – So what?

Signicat has recently (2018-11) been approved as a QTSP – Qualified Trust Service Provider, and the qualified service is the QTSA – Qualified Time Stamp Authority.

So what is the big deal, and who needs time stamps anyway?

A trusted time stamp is needed to ensure that a signature can still be validated after the certificate expires. To check the validity of a signed or sealed document, you must be able to trust the time at which the document was signed or sealed, as all validity checks on certificates are based on time. The time stamp must be added in a way that makes it extremely hard to forge.

So what does the QTSA do?

It is obvious that if this time is taken from a local clock on your machine, it cannot be trusted, as it is very simple to set a different time. What if the service provider supplies the time? That would be OK, right? It really depends on the service. Can you be confident that the clocks on the servers are running correctly? And that it is not possible for somebody working there to tamper with the time, to make a forgery? And if you check the document in a few years, are you confident that you can still trust the time at which it was signed?

How do you synchronize the clock?

You cannot just pick up the time from any NTP (Network Time Protocol) server, which gives no guarantee of, or liability for, the time it returns. This means that the clock must be synchronized with an authorized time source. Signicat’s QTSA service uses the Norwegian Metrology Service (https://www.justervesenet.no/en/), which provides a legally certified time. In addition, a separate server continuously monitors the time derived from the main server, and if any deviation is found, an alarm is raised and the service is stopped.

Having a trusted time on signed and sealed documents is one important aspect of long-term validation (LTV). If you have requirements to validate the document in the future, after the signing certificate has expired, or even long into the future (for example for contracts regarding property, which can run for 50 years or more), there must be some way of validating that the signing process followed certain standards. One way of doing this is to embed LTV information into the document, which has the advantage that everything is contained in the document itself. The LTV information contains all the certificates in the certificate path, all the certificate statuses, and the very important trusted time stamp. Every 3 to 5 years, the document is re-validated using this information, and a new time stamp is added. Without trusted time stamps, you will not be able to have confidence in *when* the document was signed, nor when it was validated, and you may lose trust in the signed document.

Finally, there is the need for a QTSP – Qualified Trust Service Provider – which is the organization which binds this together. To become a QTSP, there are a lot of standards to follow, a lot of controls to implement, and any important configuration changes are done using dual-control, meaning that at least two people must be involved in the changes. The setup has dedicated hardware with strict physical and logical access control, including auditing of everything which is done. All of this would make it, if not impossible, at least extremely difficult to tamper with the system.

Each year, independent auditors scrutinize the service and the organization, delivering their report to the national notification authorities. The system is anchored in the legislation in all EU/EEA countries, and is the same as we know from the EU qualification of certificate authorities.

I have already mentioned that the service is operated under dual control. This is just one of many controls required to obtain QTSP status. Others are procedures for reporting incidents, insurance to handle closure of the service (for any reason), and periodic internal and external audits. All this is done according to ETSI standards, which dictate how it should be done, and it is audited by an accredited external auditor (we were audited by BSI Group, https://www.bsigroup.com/en-GB/) and approved by the national accreditation body (in our case NKOM, https://www.nkom.no/, as we are based in Norway), which then added us to the EU trust list (https://webgate.ec.europa.eu/tl-browser/#/), where you can see all the QTSPs in Europe.

Read press release: Signicat named as Qualified Trust Service Provider

Blog post by John Erik Setsaas, VP of Identity & Innovation, Signicat

Introducing improved mobile support for Swedish BankID

Sweden’s BankID recently introduced a function where users can scan a QR code as part of an authentication using Swedish Mobile BankID. This enhances security by limiting the geographical distance between the web browser on the desktop and the Mobile BankID client: the desktop computer and the user with the Mobile BankID app must be in the same place.

The user obtains a QR code on the website, and then scans this QR code using the Mobile BankID app. This eliminates the need to type in a personnummer (Swedish national identification number), which reduces the likelihood of social engineering attacks.

Signicat has now implemented support for this new QR code functionality, and has also improved the user interface of the BankID method in this release. A method can be configured to support the new user interface and/or the QR code functionality.

To learn more, visit our developer pages.

For existing customers, contact our support team to take advantage of this new functionality.

If you are not a customer and wish to learn more, contact us.

Preserving Electronic Signatures – Are you taking care of your signed documents?

Did you know that an electronic signature does not last forever? Just like an old work of art, it needs periodic maintenance to stay fresh. Some contracts need to be valid for a long time, typically contracts for property, which may even be passed on to the next generation.

So what happens to the signed document, you may ask. Do bits and bytes of the document disappear? Of course not. The signed document itself has to be preserved to maintain its availability and integrity, but once that is taken care of, the structure of the document itself does not change. The world around the document does.

I will be touching on three issues:

  • Certificates have an expiry date.
  • Validation information is needed to verify a certificate.
  • The strength of the cryptographic algorithms vanishes over time.

For one, the certificates (including all intermediate certificates up to the root) used for generating the signature have an expiry date. After this date, the certificate is no longer valid, which also means that if you try to validate a signature, this validation will fail.

Another issue in validating a signature is the need for validation data. A certificate may be revoked, i.e. declared invalid, before its expiry date, in the worst case because the certificate has been compromised. Thus, all certificate issuers offer services to establish the validity of certificates, typically as certificate revocation lists (CRLs) or online status verification (OCSP). When validating a signature, one is obliged to check the validation data in addition to checking the expiry date of the certificates. But a certificate issuer and its validation data may not live forever (remember DigiNotar?). Without access to the validation data, you cannot validate the signature. Note also that OCSP always returns the current status, meaning that validation after the certificate has been revoked will fail, even if the certificate was valid at the time of signing.

In addition to the expiry dates and access to validation information, the cryptographic algorithms used to create the signatures must be considered. These algorithms are basically math, and it is possible to estimate how much computing power is required to break one of them, say 20 years or 200 years. However, this does not take into account breakthroughs in mathematics or in technology. Take quantum computing, for example, which uses a completely different approach to problem solving and may break the existing algorithms in minutes or seconds. There may also be advances in mathematics which render existing algorithms insecure. As an example, old hashing algorithms (like SHA-1 or MD5) are no longer considered secure, and are being replaced.

Preservation means:

  1. Validate the signature (or all signatures on a document) while the certificates are still valid.
  2. Collect the evidence used in the validation.
  3. Protect the signatures and the evidence with a “proof of existence”, making it possible to prove the signatures’ validity status at the time the proof was created.

To address this, documents signed by Signicat contain what is called long-term validation (LTV) information. The LTV information contains all the results from the validations, so it is possible to verify what the data looked like at the time of signing. The evidence is protected by a time-stamp from Signicat’s time-stamp service, proving the time when the validation was done and at the same time protecting the integrity of all the evidence.

This process needs to be repeated, as the certificates supporting the proofs of existence and time-stamps also have an expiry date, may be revoked, and the mechanisms may involve cryptography that may become weak over time.

To address all of these issues, Signicat offers a secure archive, where documents are periodically verified and re-sealed with updated proofs and time-stamps. This means adding a new layer of security, with updated algorithms.
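The three preservation steps above (validate while the certificates are valid, collect the evidence, protect it with a proof of existence) and the need to repeat them before the time-stamp certificate expires can be shown in a small model. The Python below is an added example, not Signicat’s code and not the format of its LTV data: the certificates, the “time-stamp” (a digest recorded together with the date it was made) and the evidence records are constructed stand-ins, and the names Certificate, Layer, initial_seal, needs_reseal and validate_chain are this example’s own. What it demonstrates is the ordering constraint: every new layer covers the document and all earlier layers, and must be created while the previous layer’s time-stamp certificate is still valid. A chain that was re-sealed in time still validates after the original signer certificate has expired; a late re-seal leaves a gap the validator rejects.

```python
"""Toy model of long-term preservation (LTV) for a signed document.
Added example, not Signicat code: certificates are plain records with
expiry/revocation dates, a "time-stamp" is a digest recorded with the
date it was made, and validation evidence is a dict (all constructed).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
import hashlib
import json

WEAK_HASHES = {"md5", "sha1"}   # no longer considered secure

@dataclass
class Certificate:
    subject: str
    not_after: datetime
    revoked_at: Optional[datetime] = None

    def valid_at(self, t: datetime) -> bool:
        """Not expired and not (yet) revoked at time t."""
        if t > self.not_after:
            return False
        return self.revoked_at is None or t < self.revoked_at

@dataclass
class Layer:
    """One proof-of-existence layer: a digest plus its (simulated) time-stamp."""
    hash_algo: str
    digest: str
    stamped_at: datetime
    tsa_cert: Certificate   # certificate of the simulated time-stamp service
    evidence: dict          # validation results captured when the layer was made

def layer_material(document: bytes, previous: List[Layer]) -> bytes:
    """Bytes a new layer covers: the document plus every earlier layer."""
    prior = [[lay.hash_algo, lay.digest, lay.stamped_at.isoformat(), lay.evidence]
             for lay in previous]
    return document + json.dumps(prior, sort_keys=True).encode()

def add_layer(document, layers, evidence, hash_algo, tsa_cert, now):
    """Re-seal: append a layer over the document and all existing layers."""
    digest = hashlib.new(hash_algo, layer_material(document, layers)).hexdigest()
    layers.append(Layer(hash_algo, digest, now, tsa_cert, evidence))
    return layers

def initial_seal(document, signer_cert, status_available, hash_algo, tsa_cert, now):
    """Steps 1-3: validate while the signer certificate is valid and its CRL/OCSP
    status is still obtainable, record the evidence, seal it with a first layer."""
    if not signer_cert.valid_at(now) or not status_available:
        raise ValueError("signature cannot be validated now; evidence unavailable")
    evidence = {"signer": signer_cert.subject, "status": "good",
                "checked_at": now.isoformat()}
    return add_layer(document, [], evidence, hash_algo, tsa_cert, now)

def needs_reseal(layers, now, horizon=timedelta(days=365)):
    """True when the newest layer uses a weak hash or its time-stamp certificate
    expires within the horizon (or already has)."""
    top = layers[-1]
    return top.hash_algo in WEAK_HASHES or top.tsa_cert.not_after - now < horizon

def validate_chain(document, layers, now):
    """Each layer must recompute over the document and the layers below it and
    must have been stamped before the previous layer's time-stamp certificate
    expired; the newest layer's certificate must be valid now."""
    for i, layer in enumerate(layers):
        expected = hashlib.new(layer.hash_algo,
                               layer_material(document, layers[:i])).hexdigest()
        if expected != layer.digest:
            return False
        if i > 0 and not layers[i - 1].tsa_cert.valid_at(layer.stamped_at):
            return False    # re-sealed too late: a gap in the chain of proofs
    return layers[-1].tsa_cert.valid_at(now)

def preservation_demo():
    """Constructed scenario: seal in 2019 with SHA-1, re-seal with SHA-256 in
    2021, validate in 2025 after the signer certificate has expired."""
    doc = b"constructed contract text"
    signer = Certificate("Alice (constructed)", datetime(2020, 1, 1))
    tsa_1 = Certificate("TSA-1 (constructed)", datetime(2022, 1, 1))
    tsa_2 = Certificate("TSA-2 (constructed)", datetime(2031, 1, 1))
    layers = initial_seal(doc, signer, True, "sha1", tsa_1, datetime(2019, 6, 1))
    reseal_due = needs_reseal(layers, datetime(2019, 6, 2))   # SHA-1 is weak
    add_layer(doc, layers, {"status": "good"}, "sha256", tsa_2, datetime(2021, 1, 10))
    # a second chain that is re-sealed only after TSA-1's certificate expired
    late = initial_seal(doc, signer, True, "sha256", tsa_1, datetime(2019, 6, 1))
    add_layer(doc, late, {"status": "good"}, "sha256", tsa_2, datetime(2023, 3, 1))
    t = datetime(2025, 1, 1)
    return {"reseal_due": reseal_due,
            "valid_in_2025": validate_chain(doc, layers, t) and not signer.valid_at(t),
            "tamper_detected": not validate_chain(b"altered", layers, t),
            "late_reseal_rejected": not validate_chain(doc, late, t)}
```

preservation_demo() walks through that scenario. The model deliberately does no real certificate path validation and issues no real time-stamp tokens; a production archive would use a PKI library and a time-stamp service for those parts, but the layering and the “re-seal before the previous proof expires” rule are the same.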

Did anybody mention blockchain? Yes, you could store the hash (or signature) of the document on a distributed ledger. But that does not change any of the above. Blockchain promises that data cannot be deleted or modified. But that assumes the current mathematics and algorithms. Breakthroughs will make blockchain vulnerable. And you would still have to access validation information, in case of compromised data.  

Signicat Preserve is the Signicat solution to ensure that your signature can be validated 5, 50 or 500 years from now.

And even if Signicat may not be around 500 years from now (who knows?), the preservation follows open standards, so it is possible for others to take over the preservation process.

By John Erik Setsaas

Hackathon proof of concept: Business Vendor On-boarding Platform with verified digital identity

Together with our customer and partner Anva, we participated in the recent hackathon from B-Hive. The challenge was to “Know your Vendor” and, well, we’re pretty proud of our result.

What we built:

We created an easy-to-use platform where vendors register once and can then submit to multiple RFPs/RFIs using the same registration data. To verify the correctness, eligibility and validity of the submitting party, the vendor representative had to connect the account to LinkedIn as well as to Belgium’s itsme electronic identity. Based on this data, we then implemented company information lookup via the Dun & Bradstreet APIs, and finally the end user could upload certificates (e.g. ISO 27001) and additional documents.

Furthermore, we also integrated the portal with the ANVA Safebay platform for confidential messaging, and we had an AI chatbot that would automatically generate an NDA based on the ongoing conversation. Once signed by both parties (and verified using eIDs), these NDAs were sealed by Signicat and put into our archive.

Here’s a more detailed video from our own Peter Feijen:


Hotels: Do you really Know Your Customer?

The regulation known as Know Your Customer (KYC) is as important as ever for the prevention of identity theft and financial fraud, including money laundering and terrorist financing, and the acronym is widely used in banking and FinTech. But why would a hotel need to do KYC? More and more countries demand that the hotel keeps a copy of a guest’s passport, and this of course leads to increased time per check-in and a lower Revenue Per Available Room (RevPAR).

KYC is the process of verifying the user’s identity, and is typically done by a number of mechanisms such as passport or ID document upload, electronic ID verification, face recognition, etc.

As hotels move towards online and kiosk check-ins, this process becomes more difficult. Wouldn’t it be great for customers to provide their passport and ID information ahead of time, including a scan of the passport and a picture of the guest? This information could then be stored in the hotel’s Property Management Software (PMS) before the guest arrives.

Financial institutions in the Nordic region, Spain and Germany are reporting huge savings and increased attractiveness of their services since implementing an Electronic ID (eID)-based KYC process became available three years ago.

Here at Signicat we are able to provide secure guest on-boarding, as well as authentication and electronic signing services. We make it easy for hotels and others in the hospitality industry to use electronic IDs (a full list of supported eIDs here), as well as passport and ID card scanning services. We’re able to receive necessary information from passports, copy the documents, and securely store and preserve documents and signed agreements in our preservation archive.

What is an electronic ID? Electronic identification means electronic systems for verifying the identity of users on the Internet or other computer systems. Using an electronic identity, users can identify themselves, sign in, sign contracts and approve transactions on different websites, such as banks and public portals.

Once onboarded, guests can then quickly access their loyalty program information as well. If an eID is used, there is no need to worry about remembering a username and login as authentication is provided by the eID.

Signicat has more than 10 years’ history of working with companies dealing with both complex regulatory compliance issues, as well as ensuring seamless user experiences to on-board and keep customers. Our APIs provide everything a hotel or PMS provider needs to quickly get up and running.

After all, for the hospitality industry, wouldn’t it be great to Know Your Guest?

Contact us if you want to learn more!

Have you replaced TUPAS? Time is running out.

Finland’s TUPAS digital authentication method is being replaced. Signicat can help.

The TUPAS protocol no longer meets the criteria for strong authentication in EU legislation. According to the Finnish Communications Regulatory Authority, e-services will have to replace the old TUPAS integration interface by 30 September 2019.

Finnish Trust Network:
The Finnish Trust Network is a combination of identity service providers (e.g. TUPAS banks and Mobiilivarmenne operators) and brokers. With an agreement with a member of the Finnish Trust Network, companies can continue to engage with customers online in a verified, trusted manner.

Signicat has been helping Finnish businesses meet these new requirements by providing an approved, strong authentication solution and providing access to the Finnish Trust Network. We act as a broker for Finnish businesses, meaning that instead of having to sign up 10 separate agreements with the 10 active banks in Finland and then implement 10 separate technical integrations, we act as a one-stop shop, providing a single point of integration and a single agreement.

Additionally, due to the bulk eID pricing we have negotiated, the average customer can save up to 70% on these connection fees.

Contact us if you require more information or help with your TUPAS migration.

EEMA Identity Blog: The problem of self-sovereign identity: We can’t trust people

10th August 2018: Link to EEMA Identity Blog

Two buzzwords often heard in identity today are self-sovereign identity and distributed identity. The reason for considering new models for identity is, among other things, to avoid a single point of dependency and to put the user in control of his or her identity, deciding how much information to share with whom.

It’s a compelling story. Who wouldn’t like more control over who has access to their data? Unfortunately, while the story is easy to sell, implementing self-sovereign identity is a much harder problem. What are the implications of this model of identity, and where will the responsibilities lie?

A digital identity gives a person access to their email, bank account, property, digital money and more. The hard part is binding a physical person to a digital identity. Identity professionals spend a lot of time trying to figure out secure ways of doing this.

In his blog post The characteristics of Blockchain can be very valuable to identity, Kim Cameron said that “you should not lose your identity if a country has a political melt-down”. I completely agree. But it can take much less than revolution and anarchy for something to go wrong—neither should someone lose their identity if they fail to back up or forget a private key.

Human beings are not reliable

Anyone who has known a human being for any length of time knows this. They forget passwords and credentials and do not create backups. New technology that relies on fallible people to keep credentials safe comes with undeniable risks. A good example of this is the 23% of all bitcoins that are now lost, thanks to lost passwords and hard drives that now lie in landfill.

It’s unwise to create an infrastructure where ownership of possessions depends solely on people’s memory. Raise your hand if you have NEVER used the “I forgot my password” function. Raise your hand if you have NEVER lost a car key or a house key or needed help to access a locked space. Not a lot of hands, right?

In these situations, we can call a locksmith or demand a new password. Whether physical or digital, we can depend on somebody being there to assist if we get locked out. Unless we implement recovery mechanisms, self-sovereign identity means that there is no one that can help.

With self-sovereign identity, each user has a private key, designed in such a way that a brute force attack is close to impossible. This is clearly a good thing, as it prevents others taking over your digital identity. But putting the only possible key to access the digital identity in the hands—and forgetful brains—of the users invites disaster. There is no back-door. There is nobody to call.

It’s not just forgetfulness we need to worry about, as people have accidents or illnesses which can affect their memory. And when they die, and assets are to be passed on, the private key needed to access your digital identity is lost forever. We need to consider a worst-case scenario, such as someone’s house burning down, traumatizing them into losing their memory—and the recovery codes, carefully noted down and put in a sealed envelope, are also gone.

We need identity custodians

Clearly, we need identity custodians: an entity we can trust and call upon if we have a problem. Somebody who is able to give a key back when it’s lost. Ideally, we should be able to choose which identity custodian to use and switch as often as wanted. We also need different custodians for holding identity data and holding a key in escrow, to ensure segregation of responsibilities, and to reduce risk of exposure.

However, there are several fundamental challenges with using custodians:

– First is access to a user’s private key, which must be high-friction. It should not be possible for a rogue employee of an identity custodian to get access to your private key. But it must be possible, with your involvement, to recover the key. High friction and convenience do not go hand-in-hand.

– How do you prove who you are… when you cannot prove who you are? The key recovery must handle the situation that you have forgotten the key entirely and have no possessions that can help.

– The third challenge is building a key recovery system in such a way that it is secure, cost-efficient and usable. No system will be 100% secure, but due to the importance of keeping private keys private, a high level of security is a must.

One way to build such a system would be to split the key into several parts and have these parts stored physically (for example as a printed document), to make it more resistant to digital attacks. The physical presence of the user would be required to ensure a biometric match. The correct key would be handed to the user after all the parts have been collected. Procedures on the part of the identity custodian are important here to ensure that only the user and not the custodian gets the parts needed to reconstruct the private key.
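One way to realise the split-key recovery described above, as an added example rather than the post’s or Signicat’s design: Shamir’s secret sharing splits the key into n shares of which any k reconstruct it, while fewer than k give no information about it. The Python below is written from scratch over a large prime field; the party names, the sample key and the distribution of shares across custodians and the user are constructed, and the function holdings_respect_threshold stands in for the procedural rule that no single custodian may hold enough parts to rebuild the key on its own. It generalises the post’s “several parts” to a threshold, so losing one part (the burned envelope) does not lose the key as long as the other holders can still be brought together.

```python
"""Threshold key splitting for custodian-based key recovery.
Added example (not the EEMA post's or Signicat's code): Shamir's secret
sharing over a prime field. Party names, the sample key and the share
distribution are constructed for illustration.
"""
import secrets
from typing import Dict, List, Tuple

PRIME = 2**521 - 1        # Mersenne prime; secrets up to 64 bytes fit below it
Share = Tuple[int, int]   # (x, y): a point on the hidden polynomial

def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation mod PRIME; coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret: bytes, n: int, k: int) -> List[Share]:
    """Split secret into n shares with threshold k (k-1 random coefficients)."""
    s = int.from_bytes(secret, "big")
    if not 1 <= k <= n or s >= PRIME:
        raise ValueError("bad threshold or secret too large for the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def recover_int(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0; correct only with >= k distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def recover_secret(shares: List[Share], length: int) -> bytes:
    """Rebuild the key bytes from at least k shares."""
    return recover_int(shares).to_bytes(length, "big")

def holdings_respect_threshold(holdings: Dict[str, List[Share]], k: int) -> bool:
    """Procedure check: no single party (custodian or user) may hold k shares,
    so nobody can reconstruct the key alone; recovery needs cooperation."""
    return all(len(parts) < k for parts in holdings.values())

def recovery_demo() -> dict:
    """Constructed scenario: a 32-byte key, 4 shares, any 3 rebuild it."""
    key = bytes(range(1, 33))                  # constructed private key
    shares = split_secret(key, n=4, k=3)
    # constructed distribution: two custodians, the user keeps one share and a
    # printed copy of another in a sealed envelope
    holdings = {"custodian A": [shares[0]], "custodian B": [shares[1]],
                "user (memory)": [shares[2]], "user (envelope)": [shares[3]]}
    rogue = {"custodian A": shares[:3], "custodian B": [shares[3]]}
    return {
        "recovered_with_3": recover_secret(shares[1:], 32) == key,
        "two_shares_insufficient": recover_int(shares[:2]) != int.from_bytes(key, "big"),
        "holdings_ok": holdings_respect_threshold(holdings, 3),
        "rogue_custodian_detected": not holdings_respect_threshold(rogue, 3),
    }
```

In recovery_demo() the envelope share can be lost and the remaining three still rebuild the key, but custodians A and B together hold only two and cannot. The biometric check and in-person procedure from the post sit outside this code: they decide when a custodian hands its share to the user, not how the share is computed.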

Clearly, creating a secure, cost-efficient and usable management of identities is not simple. Self-sovereign identity, often discussed as a straightforward identity system, actually requires clunky solutions and multiple custodians to support it. It’s important to keep this in mind when these buzzwords are thrown around.

Author: John Erik Setsaas is Identity Architect at Signicat and a member of the EEMA Board of Management

Signicat joins ETSI for standardisation of digital signatures and trust services

Signicat is pleased to announce we have formally become a member of ETSI (European Telecommunications Standards Institute) joining their technical committee on Electronic Signatures and Infrastructure (ESI). ESI is the standardisation body responsible for most European standards on digital signature and trust services; CEN TC 224 additionally produces some standards, notably on security evaluation.

Signicat’s electronic signature services are designed to be standards-compliant, and with Signicat becoming a qualified trust service provider according to the EU eIDAS Regulation, standards-compliance is increasingly important for us. The decision to join ETSI/ESI is a strategic move to not only use standards, but to also get first-hand knowledge of and influence on their development.

European standards on digital signature and trust services are grouped in six areas as shown in the figure below. The green ticks show standards that are done (only maintenance activities) while the rest are in progress. When completed, standards will cover all trust services defined by eIDAS. CEN (the European Committee for Standardization) covers area 2 while the rest of the standards are produced by ETSI.

Formally, standards are not mandatory to fulfil eIDAS requirements for qualified trust services. However, when interoperability is a goal, in practice the ETSI and CEN standards must be used. Currently, Signicat uses standards from area 1 for the Signicat Sign service, from area 4 for the qualified time-stamp service, and of course the recommendations on cryptography from area 2. As the service offering expands, more standards will come into play.

While the eIDAS Regulation sets the scope of the standards work, ETSI’s strategy is to produce technical standards that are globally applicable and not targeted at a specific legal environment. Notably, ETSI uses the technical term “digital signature”, a signature created by use of public key cryptography and PKI certificates, to distinguish from the in-principle technology neutral, legal terms “electronic signature” and “electronic seal” used by eIDAS. ETSI standards, together with a few core specifications on which ETSI has built the work, are referenced internationally as the state of the art standards in the area.

Of the ongoing work, standards to enable server-based (remote) creation of qualified and other signatures are especially important. CEN is about to publish Common Criteria (CC) security evaluation profiles for the equipment needed for such a service, such as “remote QSCD” (Qualified Signature Creation Device). ETSI will publish standards for the signing protocol towards the service and policy and security requirements to be applied by the service provider operating the signing service.

Standards for signature validation services are underway from ETSI, specifying how a signed document (or pairs of signatures and hash values) can be sent to a trusted service, which returns a signature validation report that is also being standardised.

Registered delivery, i.e. transmission of documents and other messages between parties in a reliable and secure way, is a trust service in eIDAS. A new ETSI standard in this area is about to be sent for national ballot, meaning that the national standardisation bodies of the ETSI member states will vote on its acceptance. In addition to the base standard, ETSI has revised the old Registered Electronic Mail (REM) specification for email-based registered delivery; the new REM version is also under national ballot.

Standards are being produced for long-term preservation of both signed and unsigned documents, using digital signature techniques to produce evidence of existence.

When qualified trust services are audited by a Conformity Assessment Body (CAB), the CAB must be nationally accredited for the job according to an ETSI standard.

Among miscellaneous other work, ETSI recently published standards for the issuance of qualified website certificates and qualified electronic seal certificates to actors that are accredited for payment service provider roles according to the EU PSD2 directive.

All in all, as ETSI standards are the foundation of many of the services that Signicat provides or will provide in the future, keeping track of and influencing the development of standards is necessary to ensure that Signicat continues to deliver world-class signature and trust services.

More on these links: ETSI and CEN.

itsme®

Signicat and Belgian Mobile ID to deliver trusted digital identity services in Belgium through the itsme® digital identity scheme

Trondheim, Norway 19 June 2018 – Signicat, the world’s leading trusted digital identity provider, has partnered with Belgian Mobile ID to integrate the Belgian itsme® digital identity scheme into the Signicat Digital Identity Platform.

The integration of itsme® into the Signicat platform means that Belgian financial institutions, online retailers, and other commercial entities can more readily attract new customers and more seamlessly engage with existing customers through:
– Frictionless customer on-boarding and ongoing, advanced user authentication.
– Improved digital customer engagement through electronic signing and preservation of legal agreements.
– Regulatory compliance with KYC and AML, GDPR and more.

Additionally, through the relationship, Signicat allows businesses throughout Europe to accept itsme® as an official mobile ID, meaning that Belgian citizens will be able to use their digital ID to access services across the continent. Signicat now connects to 20+ eID schemes globally in countries including Sweden, Norway, Denmark and The Netherlands.

As part of the engagement, Signicat will become a value-added reseller for itsme®, providing customers with a comprehensive offering of trusted digital identity solutions in Belgium.

Itsme®, created by Belgian Mobile ID, is an ID scheme and an open ecosystem with the ambition to become a European reference for mobile identity and digital privacy, which makes the concept easy to deploy in other regions and countries. Itsme® is free of charge for users. Companies and institutions who want to offer itsme® to their clients contribute according to their number of users.

“Being able to on-board and keep digital customers is becoming increasingly important for businesses, especially with offerings that require a level of trust beyond a functional credit card. Our work with Belgian Mobile ID means that we can streamline customer onboarding and ongoing engagement for organizations looking to build trusted digital relationships with customers in Belgium,” said Gunnar Nordseth, CEO, Signicat. “The integration of itsme® into the Signicat platform further means that businesses across Europe can quickly and securely on-board Belgian customers, digitally, in minutes – and have trust in their identities – without any need for excessive paperwork.”

“Partnering with Signicat means that Belgian citizens now have access to a wide range of services from across Europe, effectively making itsme® a cross-border digital ID scheme,” said Kris De Ryck, CEO of Belgian Mobile ID. “The cooperation with Signicat offers interesting perspectives to expand the reach of itsme® in Europe.”

-ENDS-

About Signicat
Based in Trondheim, Norway, and founded in 2007, Signicat operates the largest Digital Identity Hub in the world, offering the only complete identity platform in the market and trusted to reduce the burden of compliance in highly regulated markets.
With Signicat, service providers can build and leverage existing customer credentials to connect users, devices and even ‘things’ across channels, services and markets, transforming identity into an asset rather than a burden. By ditching manual, paper-based processes and replacing them with digital identity assurance, customer on-boarding is accelerated and access to services is made simple and secure. Signicat’s Identity Hub is a complete solution that offers compliance and a route to better customer engagement.

Signicat has over 200 financial services organisations as clients, connects to more than 20 schemes globally and verifies more than 10m identities per month.

For more information, visit: https://www.signicat.com/itsme/ or contact us https://www.signicat.com/contact/

Media Contacts:
CCgroup for Signicat
Nicole Louis, Martyna Borys
signicat@ccgrouppr.com
+44(0) 203 824 9200

Freja eID

Signicat and Verisec partner to offer Sweden’s Freja eID across Europe

Trondheim, Norway, June 12 2018 – Signicat, a leader in trusted digital identity, and IT security company Verisec, the developers of Freja eID, today announced a digital identity partnership using the Freja electronic ID (eID). As part of the deal Signicat will now offer Freja eID as a signing and authentication method—enabling retail, financial, and other organisations to use Freja eID to on-board and engage customers.

Freja eID is a digital identity with two levels of trust; the easily accessible basic Freja eID, and the more secure and trusted Freja eID+, which requires additional identity vetting. Freja eID+ is used for secure transactions across the private and public sector and is the first Swedish mobile eID approved by the Swedish E-identification Board, granting it the Svensk e-legitimation (Swedish Electronic Identity) quality mark.

Freja eID can be used to sign documents in accordance with the EU’s cross-border digital identity regulation (eIDAS). It also makes it possible for those with limited access to electronic identity schemes—such as recent immigrants—to use Freja eID at the basic level.

Signicat has added Freja eID support into the Signicat Digital Identity Platform and will resell Freja eID acceptance as part of the commercial arrangement. Through the Signicat platform, its customers will have access to Freja eID users through the same interface.

Gunnar Nordseth, CEO Signicat, comments:
“Signicat is pleased to be working with Verisec and to add support for Freja eID and Freja eID+ to the Signicat Digital Identity Platform. By supporting Freja eID we give our customers a new digital identity method for use in combination with all those we already support across Europe. Signicat fully supports Freja eID for authentication, customer on-boarding, and to digitally sign documents.”

Johan Henrikson, CEO Verisec, comments:
“Signicat, as an established digital identity service provider (DISP) in Europe, represents a new and important partnership for Freja eID, supporting its use across the region. For many major players in the banking, finance, insurance and eCommerce, Signicat is the preferred provider of electronic identity and signature solutions.”

For more information, please contact:
Johan Henrikson, CEO Verisec AB
Mobile: +46 733 45 89 02
E-mail: johan.henrikson@verisec.com

For more information, please contact:
CCgroup for Signicat
signicat@ccgrouppr.com
+44 203 824 9200

About Verisec
Verisec AB (publ) is a company on the cutting edge of digital security, creating solutions that make systems secure and easily accessible. The company provides a wide range of products and services within its two areas of business: Digital Identity and Information Security. Verisec has global distribution and operations in Stockholm, London, Belgrade, Madrid, Mexico City, Dubai and Frankfurt. Verisec is listed on Nasdaq First North Premier in Stockholm. Erik Penser AB is Verisec’s Certified Adviser. For more information, please visit www.verisec.com and www.frejaeid.com


Mitek and Signicat partner to improve digital customer on-boarding for financial institutions

Joint offering additionally helps customers to comply with PSD2, AMLD5 and eIDAS regulations

San Diego and Trondheim, June 4, 2018: Mitek (NASDAQ:MITK) a global leader in digital identity verification software solutions, and Signicat, the world’s leading trusted digital identity provider, today announced a partnership to improve the digital customer on-boarding process for Europe’s financial services companies, while helping clients in their efforts to comply with a number of regulations, including PSD2, AMLD5, and eIDAS.

For many European financial services companies, the battle to attract new customers is fierce. With new “challenger” banks emerging and smaller banks looking to capitalise on new technologies to provide a competitive advantage, every step of the customer acquisition process must be streamlined to achieve optimum success.

“At Signicat we commissioned a report, ‘The battle to on-board: The European perspective on digital on-boarding for retail banks’, to understand what consumers across Europe identify as problem areas when it comes to selecting new financial service providers,” said Gunnar Nordseth, CEO at Signicat. “We found that up to 52% of European customers abandon the on-boarding process and one of the main reasons for this is the need to present paper-based ID documents. The research further found that 52% of respondents would be more inclined to register for a new service should the on-boarding process be 100% online.”

To compound this, new regulations throughout Europe are forcing institutions to more rigorously identify customers. In addition to AMLD5 and new KYC regulations, eIDAS opens the way for electronic identification and PSD2 places the focus on strong customer authentication. This multi-faceted focus on identity means that current on-boarding processes could become cumbersome and act as a deterrent to potential new customers.

Signicat has integrated Mitek’s Mobile Verify solution into the on-boarding engine within its Digital Identity Platform. This will enable financial institutions across Europe to verify identity documents through capture on a mobile device, and to seamlessly on-board customers.

Mitek’s Mobile Verify solution can verify the authenticity of identity documents by capturing an image with a mobile device and assessing its authenticity. This helps customers to ensure compliance with strict AML and KYC regulations.

“This partnership marks a watershed in the European identity market. Financial institutions can now on-board customers 100% digitally, doing away with the need to visit a branch,” René Hendrikse, VP and Managing Director, EMEA, Mitek commented. “With the arrival of PSD2 and increasingly stringent AML and KYC regulations, the ability to verify customers’ identity digitally is essential. Our partnership with Signicat offers one of the only platforms capable of this.”

“Partnering with Mitek enables us to jointly offer European financial services institutions a customer on-boarding solution that is 100% online. Our customers will not only be able to benefit from Mitek’s Mobile Verify solution, but also Signicat’s secure authentication, electronic signing and archiving of sealed documents, as well as our integration with over 30 public electronic ID schemes and registry lookups,” said Nordseth. “The partnership is designed to remove friction from the customer on-boarding process to ensure financial institutions can effectively compete in the marketplace.”

-Ends-

To download Signicat’s white paper, “The battle to on-board: The European perspective on digital on-boarding for retail banks”, click here: https://www.signicat.com/resources/battle-to-on-board-2-report/

About Mitek
Mitek (NASDAQ: MITK) is a global leader in digital identity verification solutions built on the latest advancements in AI and machine learning. Mitek’s identity verification solutions allow an enterprise to verify a user’s identity during a digital transaction. This enables financial institutions, payments companies and other businesses operating in highly regulated markets to mitigate financial risk and meet regulatory requirements while increasing revenue from digital channels. Mitek also reduces the friction in the users’ experience with advanced data prefill and automation of the onboarding processes. Mitek’s innovative solutions are embedded into the apps of more than 6,100 organizations and used by more than 80 million consumers. For more information, visit www.miteksystems.com or www.miteksystems.co.uk. (MITK-F)

Mitek Contact:
Ann Reichert
Senior Director of Marketing
pr@miteksystems.com

CCgroup
Mitek@ccgrouppr.com
+44 203 824 9200

Mitek Investor Contacts:
Todd Kehrli or Jim Byers
MKR Group, Inc.
mitk@mkr-group.com

About Signicat
Based in Trondheim, Norway, and founded in 2007, Signicat operates the largest Digital Identity Hub in the world, offering the only complete identity platform in the market and trusted to reduce the burden of compliance in highly regulated markets.
With Signicat, service providers can build and leverage existing customer credentials to connect users, devices and even ‘things’ across channels, services and markets, transforming identity into an asset rather than a burden. By ditching manual, paper-based processes and replacing them with digital identity assurance, customer on-boarding is accelerated and access to services is made simple and secure. Signicat’s Identity Hub is a complete solution that offers compliance and a route to better customer engagement.
Signicat has over 200 financial services organisations as clients, connects to more than 20 schemes globally and verifies more than 10m identities per month.
For more information, visit: https://www.signicat.com/contact/

Media Contact
CCgroup for Signicat
signicat@ccgrouppr.com
+44 203 824 9200

Podcast

The Global Digital Banker podcast – episode 14 – The global state of digital identity

The Global Digital Banker podcast:

We take a look at the global state of digital identity. From the West we hear from John Erik Setsaas, Identity Architect at Signicat and from the East we hear from Jonathon Thorpe, Head of Identity at the Australian Govt. Digital Transformation Agency.

John Erik Setsaas shares how financial institutions can position themselves at the centre of this technology shift, the opportunities to banks for investing within this space and some great examples of institutions that are leading in market.

Jonathon Thorpe explains the next phase of work for the Digital Identity Framework, the organisations that they are partnering with to implement their solutions and how they build trust and mitigate against risks for consumers.

Listen to the podcast here

Trusted Digital Identity

The Nordic countries rank high in trust, which means that people have trust in other people. And in organizations. And in the government. Trust is a core part of making a digital identity scheme work. There are countries where the uptake of digital identity is very slow, and one of the reasons is the lack of trust.

“Trust is a fundamental element of social capital – a key contributor to sustaining well-being outcomes, including economic development.” (Source: Esteban Ortiz-Ospina and Max Roser (2016) – “Trust”. Published online at OurWorldInData.org. Retrieved from: https://ourworldindata.org/trust)

One problem is of course also the lack of services which accept the digital identity, and as such it is a chicken-and-egg problem.

Then there is usability. If the digital identity scheme requires a card reader, which you must buy, and you must install drivers to make it work on a number of different PCs, or make it work with mobile devices or tablets, well, the stage is set for disaster. And if there are no services available, why would users want to set up an electronic identity (eID)?

If you do not have trust in the government, perhaps due to fear of surveillance, you will also be very reluctant to share personal information online. There are countries with a history of not just surveillance but even eradication of groups of people, so this is understandable.

On the other hand, many people are more than happy to share an abundance of personal details on social media, and seem oblivious that this information is available to a lot of people, including the government. Many people seem to be more than eager to sell their private information in return for targeted marketing, for example through the use of store loyalty cards. Perhaps social media has given the users some sort of comfort, letting users believe that they are only sharing information between friends. We tend to forget that information such as which links we are clicking on, which posts and pages we like and comment on, as well as where we are and which device we are using, is also collected, and used to learn more about us. The sharing of information is motivated by yourself, possibly because you are being rewarded by other people liking or commenting on your information. Nobody is requesting the information from you; you are sharing. In return, you get paid in likes, as well as in ads, all the while (consciously or not) trusting the social media platforms not to misuse your data.

To make a solution trustworthy, it must be transparent. The user must understand what information has to be shared (e.g. uploading the image of a passport), why this information has to be shared (e.g. to verify who you really are, and to prevent someone from stealing your identity) as well as how the information is being used (for example for the sole purpose of verifying your identity).

The GDPR (General Data Protection Regulation: https://www.eugdpr.org/ ) will come into effect in May this year, and is good news for all of us. The GDPR was created to protect the privacy of the user. It is not for organizations. It is not for governments. It is all about protecting how our personal information is being used. The GDPR requires that anybody collecting and using PII (Personally Identifiable Information) also has to obtain consent from the user in order to be able to use their data.

And to show that they truly mean this, the EU has put some substantial fines on breaches, up to 4% of global revenue. So hopefully, this should make collecting and using personal information more transparent, as well as help restore trust in identity data usage.

Signicat is currently working with some of our large customers to see how consent management can be integrated into our solutions, while at the same time putting as little stress as possible on the user.

Blogpost by John Erik Setsaas, Identity Architect, Signicat

Innovation Horizon2020

Signicat secures second round of Horizon 2020 funding to develop ID Assurance as a Service

Oslo, Norway, 25th January 2018 – Signicat, the first and largest identity assurance provider in the world, has secured phase two funding from the EU’s Horizon 2020 programme, the framework for funding research and innovation. The funding will be used to further develop Signicat’s IDAaaS (Identity Assurance as a Service) toolbox for use across Europe—helping to create a single digital identity market for Europe, one of the European Commission’s priorities for the latter half of the decade.

Signicat’s IDAaaS service will enable financial service providers and other businesses across Europe to verify the identity of a new customer—either an individual or an organisation—using electronic identity (eID) and digital verification of paper ID, as well as other technologies including registry lookup, facial recognition, and other innovations. This means businesses can comply with complex KYC (Know Your Customer) requirements, while still offering simple, digital on-boarding to their customers.

The grant follows the completion of phase one, undertaken by Signicat and funded by Horizon 2020 in December 2016. This analysed the need for and applicability of digital on-boarding in selected countries. Working with Innopay, Signicat discovered that on average, European eID schemes provide 69% of the information that financial institutions need in order to on-board a customer wholly digitally, and identified the gaps where Signicat could offer IDAaaS. This new project builds on this work.

“A single digital ID market in Europe is vital so that financial service providers can easily offer their services across borders without the customer struggling to assert their identity. Cross-border digital ID creates greater choice and convenience for the customer, and opens up new markets for financial institutions,” said Gunnar Nordseth, CEO, Signicat. “While eIDAS is a step in the right direction, it does not yet go far enough. Our vision is to integrate eIDs across Europe, making on-boarding customers simple for financial institutions and their customers, while still meeting KYC regulations.”

The EU’s eIDAS regulations aim to help financial services across Europe meet KYC requirements through digital IDs. While eIDAS provides a standard regulatory environment with different levels of assurance for different levels of risk, it is up to member states to define the tools needed for each level of assurance. This has created a fractured ecosystem lacking consistency across borders.

Signicat is the first IDAaaS provider in the world and will develop its IDAaaS toolbox to meet the requirements in more countries, integrating identity assurance across Europe. As well as creating new business opportunities for Signicat in new markets, this will help the Financial Services industry develop as a single digital market.

Horizon 2020 is part of the Innovation Union, a Europe 2020 flagship initiative aimed at securing Europe’s global competitiveness.

-ENDS-

About Signicat
Based in Trondheim, Norway, and founded in 2007, Signicat is the first and largest Identity Assurance Provider in the world, providing regulated markets with the technology to create mutual trust between organizations and their potential customers.

With Signicat, service providers can build and leverage existing customer credentials to connect users, devices and even ‘things’ across channels, services and markets, transforming identity into an asset rather than an obstacle. By ditching manual, paper-based processes and replacing them with digital identity assurance, customer on-boarding is accelerated and access to services is made simple and secure. Service providers can rapidly grow market share, easily acquire new customers, and ensure compliance with financial, privacy and data protection regulations including AML and KYC.

Signicat has the technology to connect the market, the expertise to scale the systems, and the experience to build the trust.

For more information, visit: www.signicat.com

Media Contacts
CCgroup for Signicat
signicat@ccgrouppr.com
+44 203 824 9200

Digitization and digital identity

Everybody needs a digital identity

Digitization needs digital identity
Financial services are moving towards 100% digital. But a fully digital financial services ecosystem is impossible unless it is underpinned by digital identity. How can we do digital business if we don’t know the identity of the person online, and how can we be digital if we still print lots of paper and send it out by post for signing?

Without interoperable digital identity, digitization will suffer
But digital identity needs to be widely deployed to be effective. It also needs to be interoperable. Having separate digital identities for different services becomes too cumbersome and will not encourage digitization.

In some markets, infrastructure that enables sharing of digital identity across multiple services is being built. This type of infrastructure is called a digital identity scheme. A digital identity scheme enables individuals to have a single digital identity that can be used whenever a service needs to know a verified fact about the user.

A digital identity gap opens up across Europe
Some countries, notably the Nordics, had an early start with digital identity as a common infrastructure from the beginning of the 2000s. Others are catching up, with digital identity scheme initiatives announced in the Netherlands and Germany recently. Still others are at risk of being left behind without the digital identity infrastructure that is necessary for rapid digitization.

Take for instance the UK.

The UK has a dominant position in the financial services market and the fintech industry, and ties with Singapore in the top spot of Deloitte’s list of best fintech cities. This position could be endangered by the lack of a widely used, interoperable digital identity.

The UK does have a digital identity scheme, GOV.UK Verify, but it is under-used and has failed to meet key targets. Unlike other digital ID schemes such as those in Norway, Sweden, and the Netherlands, it is limited to the public sector, does not support financial services and is not interoperable with its European counterparts. Plans to remedy its shortcomings are vague.

This lack of digital identity is already having an effect: a recent study confirms that the UK’s digital infrastructure has fallen behind countries such as Germany and Spain.

Slipping behind in digital identity carries real risks for the UK’s digital economy. Without the right digital identity system it will be tricky, if not impossible, for UK-based companies to operate in the EU, and vice versa. This will relegate the UK’s digital economy to a ‘second tier’, incompatible with one of its biggest partners.

Digital identity schemes need public-private partnership to succeed
If the UK wants to correct this course, it needs to rethink its approach to identity for the digital age. One of the experiences from the early adopters of digital identity schemes is that they stand little chance of success if they are limited to the public sector. High-volume use cases such as payment need to be included to drive adoption. The approach of a bank-led public-private partnership should be explored, and GOV.UK Verify needs to start to align with the commercial needs of the UK banks if it is to take off.

Norway-headquartered Signicat has unique experience of digital identity, supporting public identity schemes across Europe including Norway’s BankID, and is a world leader with 150 million uses by the public of its digital identity platform. The company has been tasked by the EU’s Horizon 2020 innovation project to help deliver the EU’s vision of a digital economy underpinned by a single digital ID market.

Blog post by Gunnar Nordseth, CEO, Signicat

Password security

People don’t like passwords – and vice versa

When was the last time you looked forward to entering your username and password? Never, right? Authentication is a necessary evil which stands between you and what you want to do. Many of us understand why we need authentication, but is it really necessary to enter username and password all the time? Popular services like Facebook, Google, Yahoo and LinkedIn can keep you logged in over long periods and allow you to be remembered on your devices. This sets expectations for how we want to interact with services and sets the bar for what a good user experience is.

The user expects quick access to an application. More than five seconds is not acceptable.

In the digital world, people always value convenience over security, in most cases without realizing this. We use weak passwords (which are easy to guess, for example the ever popular “123456”). We use the same password for all applications (which means that an attack on one application may give the attackers access to other applications). We do not lock our mobile device. If we use different passwords, these are written in an open note on the mobile device (I was helping a friend when I realized that her phone did not have a password, and all the application passwords were stored in an open note called «Passwords». And she didn’t understand why this was a problem). We write down the password and hide it under the keyboard. Few people enable two-step authentication (i.e. authentication which adds additional security, such as a one-time code sent to your cell phone, or a code-generating application), and this is even true for people with high technical knowledge. And in many cases, the users do not understand that any of this is a problem.

“Nearly one in five enterprise users have passwords that are weak or shared” (www.techrepublic.com)

But still, most of us lock the door to our house and our car. And we do understand that the threat is that somebody can steal our things. However, stealing your digital identity may inflict far more damage. So why have we, as the expert community, failed to communicate to the users that protecting your digital assets is equally important, if not more so, than protecting your physical assets? The least we can do is to try to reduce the burden on the user.

Security is seen as the responsibility of the service provider. This is partly correct, but if I am negligent (such as not protecting the password), I can be held responsible. Service providers must ensure that high security is also convenient for the user, and that this is enabled by default.

User input (such as typing your e-mail address and password) on a mobile device is not very convenient due to the small keyboard. It is important to avoid having the user typing in data as much as possible, for example by prefilling the input fields. Unfortunately, most of the eID methods (e.g. BankID in Norway) do NOT support pre-filling, so you have to type in your email and password every time. (A small helpful tip: On your mobile device, create a keyboard shortcut “gma” which enters your gmail address or “phn” which enters your phone number).

The fastest and easiest-to-use applications will win the race, regardless of security. The popularity of the Norwegian Vipps app (which is a person-to-person payment scheme), is based on its simplicity. In Norway, a typical pre-Vipps money transfer required a BankID authentication twice – both when opening the application and when transferring the money. With Vipps you only use your fingerprint once to transfer money.

Today it is possible to switch banks in minutes, with no (or very minimal) cost. With more and more self-service taking place, this means that the consumers will flow to the banks with the best and easiest-to-use interfaces, combined with the lowest cost for usage. The banks are pressured to provide cheap and easy-to-use services, as well as being responsible for the security, and brand loyalty can no longer save them from users switching to competition.

“Millennials are far more likely to switch banks than other consumers. Nearly one in five said they switched banks in the last year, with many moving to online-only banks” (www.thefinancialbank.com)

With PSD2 (the European Payment Services Directive 2), the requirement to do SCA (Strong Customer Authentication) will increase. This means that the user will have to authenticate using a two-factor method, much more often than today. To make this as painless as possible for the users, the friction of the authentication must be reduced.

Signicat MobileID is our secure authentication solution, using only a fingerprint or a PIN for authentication. After an app download and a quick registration process, which involves binding the user’s mobile device to the account using a QR code, the app is ready to use. Whenever a second-step authentication is required, the app will pop up, and the user will authenticate with fingerprint or PIN. That’s it. It is also possible to integrate the functionality into an existing business app, using our SDK.

The next generation of authentication will be data-driven. By using machine learning, your cell phone can determine whether it is in your possession, and not even bother you with the fingerprint. This is done by analyzing things like your location (are you in a familiar place?), the available WiFi networks (have these WiFi networks been in your vicinity before?) and the gyro sensors (is this really you, or is somebody else carrying your phone?). Even more sensors may be added to make this identification even more secure.
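As an added, constructed illustration of the data-driven approach described above (not Signicat MobileID’s code or scoring model), the following Python sketch compares the phone’s current context with contexts recorded at earlier successful logins and decides whether to skip the prompt, ask for the fingerprint, or demand a stronger check. The signal names, weights and thresholds are assumptions chosen for the example.

```python
"""Context-aware authentication decision: do we need to bother the user?

Constructed example. It scores three of the signals named in the post (location,
visible Wi-Fi networks, motion-sensor signature) against earlier successful logins
and returns "silent", "fingerprint" or "step_up". Silent pass-through is only
appropriate for low-risk actions; anything covered by SCA still needs a factor.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, FrozenSet, Sequence, Tuple

SILENT_AT = 0.80        # weighted confidence needed to skip the prompt entirely
FINGERPRINT_AT = 0.50   # below this, the normal fingerprint/PIN prompt is not enough
MIN_SIGNAL = 0.20       # one strongly anomalous signal alone blocks a silent login
MIN_HISTORY = 3         # cold start: with too little history we always ask
WEIGHTS = {"location": 0.40, "wifi": 0.35, "motion": 0.25}  # assumed weights


@dataclass(frozen=True)
class Context:
    """Snapshot of the device's surroundings at one moment (constructed fields)."""
    lat: float
    lon: float
    wifi: FrozenSet[str]        # network identifiers currently visible to the phone
    motion: Tuple[float, ...]   # coarse gyro/accelerometer feature vector


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def location_score(cur: Context, history: Sequence[Context],
                   near_km: float = 0.5, far_km: float = 5.0) -> float:
    """1.0 inside near_km of any earlier login spot, falling to 0.0 far_km beyond it."""
    nearest = min(haversine_km(cur.lat, cur.lon, h.lat, h.lon) for h in history)
    if nearest <= near_km:
        return 1.0
    return max(0.0, 1.0 - (nearest - near_km) / far_km)


def wifi_score(cur: Context, history: Sequence[Context]) -> float:
    """Best Jaccard overlap between networks visible now and at any earlier login."""
    best = 0.0
    for h in history:
        union = cur.wifi | h.wifi
        if union:
            best = max(best, len(cur.wifi & h.wifi) / len(union))
    return best


def motion_score(cur: Context, history: Sequence[Context], scale: float = 1.0) -> float:
    """1.0 for an identical motion signature, 0.0 once the distance reaches scale."""
    best = 0.0
    for h in history:
        dist = sqrt(sum((a - b) ** 2 for a, b in zip(cur.motion, h.motion)))
        best = max(best, 1.0 - dist / scale)
    return max(0.0, best)


def assess(cur: Context, history: Sequence[Context]) -> Tuple[str, float, Dict[str, float]]:
    """Return (decision, confidence, per-signal scores) for the current context."""
    if len(history) < MIN_HISTORY:
        return "step_up", 0.0, {}          # cold start: never go silent on a new device
    scores = {
        "location": location_score(cur, history),
        "wifi": wifi_score(cur, history),
        "motion": motion_score(cur, history),
    }
    confidence = sum(WEIGHTS[k] * v for k, v in scores.items())
    # A familiar place and network do not excuse an unfamiliar carrier: every signal
    # must clear MIN_SIGNAL before the prompt may be skipped.
    if confidence >= SILENT_AT and min(scores.values()) >= MIN_SIGNAL:
        return "silent", confidence, scores
    if confidence >= FINGERPRINT_AT:
        return "fingerprint", confidence, scores
    return "step_up", confidence, scores


# Constructed history: three earlier successful logins by the legitimate user.
HISTORY = (
    Context(59.9139, 10.7522, frozenset({"home-net", "neighbour-5g"}), (1.0, 0.2, 0.1)),
    Context(59.9110, 10.7580, frozenset({"corp-wifi", "corp-guest"}), (1.0, 0.2, 0.1)),
    Context(59.9139, 10.7522, frozenset({"home-net"}), (0.9, 0.25, 0.1)),
)
# Constructed current contexts to assess.
AT_HOME = Context(59.9140, 10.7523, frozenset({"home-net", "neighbour-5g"}), (1.0, 0.2, 0.12))
SOMEONE_ELSE_AT_HOME = Context(59.9140, 10.7523, frozenset({"home-net", "neighbour-5g"}), (0.3, 0.9, 0.5))
PHONE_ABROAD = Context(55.6761, 12.5683, frozenset({"cafe-free"}), (0.3, 0.9, 0.5))

if __name__ == "__main__":
    for name, ctx in [("owner at home", AT_HOME), ("stranger at home", SOMEONE_ELSE_AT_HOME),
                      ("phone abroad", PHONE_ABROAD)]:
        decision, conf, scores = assess(ctx, HISTORY)
        print(f"{name:17s} -> {decision:11s} confidence={conf:.2f} {scores}")
```

Note how the third case scores well on place and network but still only earns a fingerprint prompt, because the motion signature does not match.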

Click here to learn more about low friction authentication using Signicat MobileID.

Blog post by Magnus Mauland and John Erik Setsaas, Signicat

PEP lookup as an integral part of Signicat Assure means even stronger identity assurance

Financial institutions are under strict requirements when onboarding clients, regardless of whether this is done digitally, or in the old-fashioned way, by meeting face-to-face. The driver behind this is the AMLD (Anti-Money Laundering Directive), which aims to prevent money laundering and terrorist financing.

One of the checks that has to be performed is checking whether the person being onboarded is a PEP (Politically Exposed Person). PEP is a term describing someone who has been entrusted with a prominent public function. A PEP generally presents a higher risk for potential involvement in bribery and corruption by virtue of their position and the influence that they may hold. There is no global definition of a PEP. Still, people with PEP status are typically politicians, judicial or military officials, senior executives of state-owned political parties and important political party officials. PEP status also applies to family members and close associates of PEPs.

Enhanced Due Diligence

When onboarding a user with PEP status, the AMLD requires that EDD (Enhanced Due Diligence) be performed. This includes even more extensive background checks of the person.

Signicat has now included a PEP check in our Signicat Assure solution. This means that when using Signicat Assure for onboarding digital customers, a PEP check can be performed in the background. Information about the PEP status is returned to the bank (or any organization requesting this information when onboarding). The bank can then execute additional EDD checks, which may also be provided by Signicat.

Click here to get more information about Signicat Assure and simple, cost-efficient and user-friendly onboarding.

Blog post by John Erik Setsaas, Identity Architect, Signicat
Twitter: @jsetsaas

Nordic FinTech giants SDC and Signicat drive dramatic rise in digital-only mortgage applications

83% of SDC’s Danish banking clients’ customers now apply using electronic signatures

Oslo, Norway, 12 October 2017 – Signicat, the first and largest identity assurance provider in the world, and SDC, a full-service IT service partner for the financial sector in the Nordic countries, today announced that 83% of SDC’s Danish banking clients’ customers’ mortgage applications are processed wholly digitally. The fully digital process for application, approval and signing has reduced the time to complete the mortgage process from weeks to days — and sometimes, in markets where consumers have an electronic identity (eID), mere hours. SDC provides financial technology, including system operation and data processing services, to more than 120 banks in Denmark, Norway, Sweden and the Faroe Islands.

Signicat’s digital signing solution – Sign – has removed the need for customers to visit their branch to complete a mortgage application. All this is now completed digitally — creating a process that is both fast and convenient, dramatically enhancing the customer experience.

The news follows the announcement in June last year that SDC would be using Sign for transnational digital signing across financial service applications. The solution allows SDC customers to offer digital signing containing information on who signed the document, when it was signed, and the signature’s validity. Customers in markets with an eID scheme, such as NemID in Denmark, can simply use their eID to sign and receive approval in just hours.

“Financial institutions have invested millions in digital transformation. Digitizing every interaction with customers, from the first mile to the last, is essential to truly capitalise on this investment,” said Gunnar Nordseth, CEO at Signicat. “Our pioneering work with SDC has dramatically accelerated the mortgage application process, resulting in positive customer feedback and, critically, fewer abandoned applications. At a time when revenue generation is more important than ever, banks must provide the fully-digital services customers demand.”

“Applying for a mortgage can be one of the most challenging and stressful processes people face. We wanted to make it as frictionless as possible,” said Nikolai Andersen, Head of R&D Digitization at SDC. “The collaboration with Signicat has created a truly digital-only process and the numbers speak for themselves. Adoption and critically conversion of applications using eSignatures is skyrocketing, especially in markets with eID schemes that accelerate the process. We look forward to exploring other ways our bank customers can benefit from eID schemes in relevant markets.”

SDC’s digital signing solution uses local eID schemes to verify identity. The eID schemes used are Bank ID in Norway and Sweden, and NemID in Denmark, mapping SDC’s footprint.

-ENDS-

About Signicat

Based in Trondheim, Norway, and founded in 2007, Signicat is the first and largest Identity Assurance Provider in the world, providing regulated markets with the technology to create mutual trust between organizations and their potential customers.

With Signicat, service providers can build and leverage existing customer credentials to connect users, devices and even ‘things’ across channels, services and markets, transforming identity into an asset rather than an obstacle. By ditching manual, paper-based processes and replacing them with digital identity assurance, customer on-boarding is accelerated and access to services is made simple and secure. Service providers can rapidly grow market share, easily acquire new customers, and ensure compliance with financial, privacy and data protection regulations including AML and KYC.

Signicat has the technology to connect the market, the expertise to scale the systems, and the experience to build the trust.

Media contact: signicat@ccgrouppr.com / +44 203 824 9200

About SDC

SDC is an IT-centre providing an all-round service for financial institutions in Scandinavia. Our clientele is made up of over 124 Danish, Norwegian, Swedish and Faroese financial institutions, which are also the owners of SDC.

SDC is based on the philosophy of common solutions for common needs – and the cost saving benefits which go with it. SDC’s services are supplied at cost price to the owning institutions.

SDC’s core business is the development, maintenance, operation and joint purchase of IT solutions for the financial sector. SDC’s services are provided by SDC itself or SDC’s partners in cooperation and sub-suppliers.

For more information, visit: http://www.sdc.dk/
Media contact: Michael Spence ms@sdc.dk / +45 2488 9124

Do I need multiple digital identities?

From my point of view, it is good to have one, and only one, digital identity, and to protect the login information very well. Frequent logins ensure that you are familiar with how to log in, which user name and password to use, and how to use the second factor. Always authenticating in the same way reduces friction, as you know exactly what to do. At the same time, this increases security, as you will know exactly how it works, and you will recognize deviations, which may be security attacks and fraud attempts.

Note that I am talking about your digital identity, and how to authenticate, i.e. prove that this digital identity is yours. I would of course like to be able to have different personas using this identity, so I can present a different part of myself to different organizations. This for example depends on whether I use my ID as an employee, as a member of voluntary work or as a private person. But this is not the topic for this blog post.

A word on frictionless. To be completely without friction, you would not have to do anything. The system would automatically recognize you. There are some interesting projects around behavioral biometrics, which are quite promising in this area. More about this in a later post.

Remember John from my previous post? Imagine if he had a separate digital identity for government. Government login is done very rarely, maybe as rarely as once per year, when you do your taxes. It is very probable that John would not remember the procedure for using this ID, nor his password, and maybe not even find his second factor token. This increases friction. As John (like most of us) does his taxes at the last minute, he would not be able to file his taxes on time, or he would occupy the support hotline, leaving a bad and expensive experience.

Insurance is another case where login is not done very often, maybe two or three times a year, in some cases when you have had an accident, and need to get in touch regarding this. Having to authenticate in a way you are not familiar with will only increase the user tension.

As pointed out, there are huge advantages in using the same identity for bank identification, which you use weekly or even more often, also for less-used services like government, insurance and health. So how is it that in Norway, you can use the same digital identity for multiple different services? Why are other countries struggling with digital identity? Why won’t users start using it? Why are different schemes used for different purposes, when this is not helpful for the consumers and does not increase security?

One reason is that the Norwegian government and banks managed to work together on this. From the very start, BankID was intended to be used not only by the banks, but also by third parties needing digital identity or signatures. And this resulted in a critical mass of users, using BankID for banks, government and others.

On a side note, the only thing which is shared between BankID in Norway and BankID in Sweden is the name. They are completely separate.

Then of course there is the social security number (SSN), which is a number uniquely identifying an individual, and which is treated differently in different countries. In Norway, the banks are using the SSN as the login ID, and as far as I know, they have been doing this since Internet banking started. As in many countries, the banks MUST have the SSN for tax reasons. The government must know exactly who you are. For the health services, it is very important that our John is not confused with another John, and so on. So it makes a lot of sense to use this as the login identifier. Any Norwegian will be able to recite his or her 11-digit SSN without missing a beat. It does help that the first 6 digits are the date of birth in the format DDMMYY.

As an alternate example, let me use the Netherlands, not because they are doing badly with digital identity, but because there are two schemes emerging: iDIN and DigiD. The latter contains the BSN (the Dutch SSN), and is restricted in usage to government and health insurance only.

I personally find this strange, as all banks are required by law (for tax reasons) to obtain the BSN of each customer, so the Dutch banks do have this number. This means that if a Dutch bank wants to onboard a new customer, iDIN can be used. However, as iDIN does NOT supply the BSN, the customer must also upload a personal identity paper (for example a scan of the passport) to provide his BSN. In the rare situations where I need to use DigiD to log in, will I remember the procedure and the credentials? In any case, friction is increased, and I would claim that security is reduced.

The eIDAS regulation (EU regulation 2014/910) is put in place to let people use their digital identity across countries. There are some claims that eIDAS will only be used to issue new “local” credentials, which are then used for logging into one (or more) services in the foreign country. However, then we are back to my initial problem of having multiple credentials.

From my perspective, always logging in the same way, also every time you log in over eIDAS to a foreign service, will reduce friction and increase security.

Blogpost by John Erik Setsaas, Identity Architect, Signicat
Twitter: @jsetsaas 

One identity hub for Europe’s banks

 

Gunnar Nordseth, CEO, Signicat

Over the past 10 years, the Norwegian digital identity solutions pioneer, Signicat, has built and expanded the first cross-European Identity Hub for Europe’s 4,000 banks. Around 200 banks have already joined the hub.

Article from the official Money20/20 magazine MoneyMag by Michael Juul Rugaard, Norfico

One of the common characteristics of regulatory initiatives is how identity is increasingly taking centre stage. This is unquestionably a reflection of a larger trend as expressed in David Birch’s book Identity is the New Money and in an interview in 2014 where he says, “Looking at the situation now, you can’t help thinking that maybe some kind of Single European Identity Area would have made more sense than a Single Euro Payments Area.”

To further enable banks and other players to realise their digital ambitions, by leveraging the existing eID solutions or by delivering their own, Signicat has built a dedicated identity-on-demand platform. With this in place, Signicat has established itself as Europe’s leading ‘Digital Identity Service Provider’ or simply ‘DISP’. One of the features of the DISP platform that will be of critical importance in the light of PSD2 is its ability to enable banks to handle the new requirements for Strong Customer Authentication (SCA).

PSD2 leading the way

Looking specifically at PSD2, one of the main themes of the comprehensive EU directive is authentication, which is all about the ability to verify a certain digital identity. Article 97 of PSD2 imposes Strong Customer Authentication (SCA), which means at least two-factor authentication, in all online transactions going forward.

Implications for the banks

These new SCA requirements are expected to have important implications for European banks for two reasons:

Firstly, the banks are by default liable and responsible for the handling of SCA in accordance with PSD2-related transactions made by Third Party Providers (TPPs) – whether PISPs or AISPs. Secondly, the number of SCA transactions is expected to increase massively as a direct consequence of PSD2 as soon as the directive is fully implemented and the TPPs have had some time to promote their new services (AIS and PIS) across Europe.

Gunnar Nordseth, CEO of Signicat, is prepared to help the European banks handle the PSD2 Strong Customer Authentication (SCA) requirements by providing ‘Authentication as a Service’ through the company’s cross-European DISP. Gunnar Nordseth explains:

“SCA is certainly an issue that European banks need to be prepared for – and the sooner, the better. The largest and most innovative European banks are already preparing, but this is just the tip of the iceberg and the vast majority of Europe’s banks still need to plan for the future handling of SCA. The problem is that they must comply and they have quite limited time to do so.”

All banks in Europe share this same challenge, which is to handle SCA in the most efficient, flexible, user-friendly and cost effective way. Yet SCA is not one of their core competencies.

Authentication as a Service

This scenario obviously creates an opportunity for a specialist to step in and offer a pan-European ‘Authentication as a Service’ solution, which will effectively ease the banks’ SCA pains and enable them to focus on their core businesses.

“This is exactly what we are doing at Signicat. Based on ten years of experience working with two-factor national eID schemes, we have developed our DISP platform as an online identity hub. This DISP platform offers Identity On Demand services for customers, regardless of geography or eID,” Gunnar Nordseth says and continues:

“Strong customer authentication is a fundamental part of the DISP platform, which means Signicat is best placed to scale its services to banks all over Europe in need of SCA assistance.”

Today, more than 200 European banks and financial institutions, as well as insurance companies and government agencies, are connected to Signicat’s DISP platform. As well as the responsibility of authenticating users, many customers have mandated Signicat to provide electronic signing, identity proofing and document preservation.

Basic DISP services to banks

Under PSD2, Europe’s 4,000 banks will be required to offer SCA services to all authorised Third Party Providers (TPPs), which will require the banks themselves, or their current platform or service providers, to implement and maintain these SCA services. Alternatively, they can choose to outsource the SCA task to Signicat, making use of Signicat’s DISP platform and ‘Authentication as a Service’ solution, thereby freeing up time and resources to focus on their core business. The DISP platform’s main PSD2 related features are its services to identify and authenticate individual customers and to allow siloed information to be accessed by other banking areas. The DISP also opens the possibility for banks to be able to offer identity services to third parties – e.g. to AISPs and PISPs.

Beyond PSD2 – partnering with Rabobank

“A common theme for our customers is the need to support all available eIDs in the markets in which they operate, and they do not want to invest heavily in order to implement this,” says Gunnar Nordseth.

Among financial institutions already using Signicat to support their eIDs are Banco Santander, BMW Financial Services and large Nordic region insurance and finance companies like SEB, If Insurance and Tryg.

“The fact that Signicat operates its DISP platform means that our customers can select which eIDs they want to activate and Signicat sets up a service providing access to the eIDs,” says Gunnar Nordseth.

Recently, leading Dutch bank Rabobank announced that it had joined forces with Signicat to launch a Digital Identity Service Provider (DISP) for businesses in the Dutch market. Rabobank wants to utilise the DISP to offer a range of online login, identity, signature and archiving solutions under its own eBusiness banner.

Rabobank initially intends to focus on five customer groups: energy, telecom and insurance companies, healthcare institutions and financial services providers. The idea is that Rabo eBusiness services will make it easy for businesses to enable functions such as onboarding new customers, digitally signing contracts and offering a dashboard for invoices or expense claims.

“What we are doing together with Rabobank is a good example of how Signicat’s Digital Identity Hub can assist not only with PSD2-related SCA compliance services but at the same time offer a bank a uniform way of handling identities across all platforms and channels,” Gunnar Nordseth concludes.


State of the art electronic signatures

As a part of our Digital Identity Service Provider platform (DISP) we find more and more customers realizing the benefits of electronic signatures and using them to replace paper processes. We have offered electronic signature services for almost 10 years and support signing with eIDs in a vast number of countries. To succeed with electronic signing, we think there are three key elements that need to be in place:

1) A great user experience on any device

People are used to a great mobile user experience from their daily interactions with applications, and they expect nothing less from your electronic signing processes. You should make it easy to sign documents electronically from a smartphone in a user-friendly way and give users the ability to quickly sign documents wherever they are. At Signicat this is a top priority and we continuously try to make our products work better on all devices.

2) Becoming paperless – and staying compliant

The goal of signing documents electronically is to reduce the amount of manual paper processing, both for the end user and for your company. The evidence of the signed document is important: you need to be sure that you can prove that the contract was signed in a legally binding way, and that the electronic signature is correctly embedded into the document. With over 10 years of evolution, Signicat’s signature solutions gather and integrate all the needed legally binding data into the document, making them the preferred choice of financial institutions, insurance companies and government institutions.

3) Integrate once and scale up your digital processes

Whether you are targeting one or multiple countries, you should focus on creating digital processes that replace paper processes, and spend less time integrating and understanding electronic signature technology. By integrating with Signicat, you get a single point of integration to multiple signing methods, with a vast set of features ensuring that your needs are covered for today and tomorrow. A trend among businesses integrating with Signicat for electronic signing is that they start in one market and gradually expand to multiple markets, seeing the ability to scale their digital business across borders.

Read the latest press release related to this topic: Nordic FinTech giants SDC and Signicat drive dramatic rise in digital-only mortgage applications

Signicat is 10 years this year

Signicat was started in 2007, which means we are 10 years old this year.

During the 10 years Signicat has existed, there has been a rapid development in the use of electronic identity. A combination of forces has driven this development: on the one hand, the desire for digitization of services that previously required physical attendance and manual steps; on the other hand, stricter requirements for security and privacy. As the leading provider of identity services to regulated industries in the Nordics, Signicat has played an important part in this development.

When we started in 2007, the eID market in the Nordic region was just about to take off. All four Nordic countries had their solutions for electronic identity, and after a long introductory phase, the markets were reaching a critical mass both with regard to issued IDs and service providers where the eIDs could be used. In Norway, BankID was the leading solution for electronic identity and the first banks began issuing eID to their customers already in 2003. But it was only when service providers with support for eID began to appear that the usage of eID started to grow rapidly.

Signicat was an early facilitator of the use of eID for banking and financial services. Fully digitized consumer loan processing with eID and eSignature was developed for the online store Komplett.no already in 2005, while Signicat was still a department in the consulting company we were spun out of. Since then, we have helped many other banks and finance institutions with replacing tedious manual procedures with electronic identity and electronic signature.

After more than 10 years of rollout of electronic identity in the Nordic region, there is little evidence that the growth is slowing. New and easy-to-use solutions like BankID on mobile continue to drive growth. In Sweden alone there were more than 2.5 billion logins with BankID in 2016. The potential for digitization is far from exhausted.

But what about Europe outside the Nordic region?

Signicat has had a presence in the Netherlands since the autumn of 2015, and since December 2016 also in London. Currently we work with customers in the Netherlands, the UK, Germany, Spain and several other European countries. There is no doubt that the use of eID in these countries is not as far developed as in the Nordic countries. Perhaps the level of maturity is about the same as in the Nordic region 10 years ago. The question is whether it will take another 10 years before Europe is on par with the Nordic countries.

I think the answer to this question is “no”. The reason is that the drivers that were strong in 2007 have become even stronger over the past 10 years. Electronic identity is in many cases the last missing piece needed to get fully digitized processes. We have smartphones that can be used for two-factor authentication, replacing inconvenient and expensive technologies that required purpose-built hardware. On top of this, European initiatives such as PSD2, Open Banking and GDPR are pushing for better and more widespread solutions for electronic identity.

Signicat’s value proposition to customers in Europe is the same as in the Nordic countries: a single point of connection for the easiest access to a wide range of electronic identity services. This is especially important when technology and infrastructure are in rapid development. Our services for the initial proofing of electronic identity are also important in markets where there is no established third-party electronic identity infrastructure, as we have in the Nordic countries. The fact that our online services meet, or will meet, the requirements of regulations and directives such as eIDAS, GDPR and PSD2 is also helping users to get started with electronic identity.

For Signicat, the first 10 years have been an exciting journey where we have contributed to making electronic identity a critical community infrastructure in the Nordic region. In the next few years, we hope to be able to repeat this journey, and bring the experience of the first 10 years to the larger European market, making electronic identity just as widespread here as well.

Get in touch!
If you have comments or questions, feel free to contact me either by e-mail or phone:

E-mail: gunnar.nordseth@signicat.com
Telephone: +47 930 60 408

An identity fairytale from fantasyland

Once upon a time, in a country up North, John had finally decided to buy a new camera, and needed to pay for it. He logged into his bank, using BankID to authenticate himself. Within a few seconds the bank recognized John. Of course, John realized that he did not have sufficient funds for this camera (the Sony A9 is not cheap), and needed to borrow the money. He ran through the wizard, entered the amount and the payback time, and then got a loan contract to sign. The loan contract was signed digitally, using BankID. Immediately he had the money in his account and could pay for the camera. Again, this payment was authorized using BankID.

Later the same day, John realized that he was running out of his blood pressure medication, and had to get some more. But he couldn’t remember if the last prescription was still valid. So he logged into the government health portal, again using his BankID, and found that indeed, the prescription was still valid, so there was no need to bother the doctor to have it renewed. John walked down to the pharmacy on the corner, identified himself with his driver’s license, and got another dose of the medication. As the pharmacy is electronically connected to the central prescription database, the good old paper prescriptions, with the doctor’s unintelligible handwriting, are long since history.

Later that night, John had to do his taxes (good thing he got more blood pressure medication), and went to the government portal. Of course again, he used his BankID to log in, and he could then update the tax report, before submitting it.

Verify identity by using BankID

A few days later, John’s camera arrived in the post, and he realized that he should take out insurance. So he logs into his insurance company. Guess what, he uses BankID to identify himself, and adds the camera to his insurance. He also decides that he wants to sell his old camera, and goes to the C2C platform finn.no. He creates an account, and is asked if he wants to be a verified seller. Of course he wants to, and guess what. Again, BankID is used to verify his identity.

(And if John wants to open a new bank account, with another bank, he can use BankID, and his identity is verified. No need to visit a branch. No need to provide additional information. Easy and simple).

Quite a fairytale, right? Well, actually no. The fantasyland I’m describing is Norway, but Sweden, Denmark and Finland, and let’s not forget Estonia, are all on the same page. In these countries, the same digital identity can be used for more and more purposes. It all started with banks. But these days it is used for government, health, insurance and others.

At Signicat we had our first customer on our BankID cloud service back in 2007. With 10 years of experience in the digital identity space, we find it our calling to spread the fairytale message to the rest of the world.

Blogpost by: John Erik Setsaas, Identity Architect
Twitter: @jsetsaas

Download your free copy of Signicat’s report, “The Rise of Digital Identities”, based on exclusive Innopay research.


Signicat report maps out Strong Customer Authentication (SCA) requirement for PSD2

Report from Signicat and Consult Hyperion provides industry guidance to comply with requirement central to PSD2

Oslo, Norway, 13th June 2017 – Signicat, the world’s first and largest identity assurance provider, has released a white paper with Consult Hyperion to prepare financial institutions for the Strong Customer Authentication (SCA) requirement of the second Payment Services Directive (PSD2). The report, “Strong Customer Authentication in Practice – limitations and possibilities with PSD2”, demonstrates the importance of SCA and highlights the implications for identity and authentication to the payments and commerce industries. It also seeks to provide guidance on how to incorporate SCA into existing services.

SCA is being introduced to ensure consumer identities are secure when paying electronically and to guard against fraud. The requirement will come into effect in Q4 2018, six months after the deadline for all EU member countries to implement PSD2 as national law on 13th January 2018. PSD2 mandates SCA for transactions above €30, meaning Two Factor Authentication will be required to verify the transaction. SCA mandates that authentication is based on at least two of the three elements of Knowledge, Possession and Inherence.

Signicat released the report following concern in the industry that SCA could damage business by creating more friction for the consumer at the checkout. Once SCA is triggered, providers will be forced to look for ways to simplify the transaction process either through exemptions or low-friction SCA. The report seeks to guide the industry on how the requirement will work in practice, who will be expected to perform SCA, and puts forward suggestions to minimize the burden of the authentication process for consumers.

“If not done right, SCA will impose a huge burden on consumers forced to endure a painful authentication process when confirming transactions with a retailer,” said Tim Richards, Principal Consultant, Consult Hyperion. “Providers and banks responsible for implementing SCA must look at ways to simplify the check-out process to ensure a smooth transition to SCA in a post-PSD2 world. The aim of this white paper is to set out the intentions of SCA and to identify how the challenges faced can be addressed.”

“All parties in the PSD2 ecosystem face the challenge of creating a frictionless payment experience for consumers,” said Gunnar Nordseth, CEO, Signicat. “With SCA coming into force in 2018, failing to respond is simply not an option. It’s important that banks and third party providers understand their responsibilities and create systems to both comply with PSD2’s SCA requirements and ease the pain of the process for consumers.”

The report, “Strong Customer Authentication in Practice – limitations and possibilities with PSD2”, is available for free download.

-ENDS-

About Signicat

Based in Trondheim, Norway, and founded in 2007, Signicat is the first and largest Identity Assurance Provider in the world, providing regulated markets with the technology to create mutual trust between organizations and their potential customers.

With Signicat, service providers can build and leverage existing customer credentials to connect users, devices and even ‘things’ across channels, services and markets transforming identity into an asset rather than an obstacle. By ditching manual, paper based processes and replacing them with digital identity assurance, customer on-boarding is accelerated and access to services is made simple and secure. Service providers can rapidly grow market share, easily acquire new customers, and ensure compliance with financial, privacy and data protection regulations including AML and KYC.

Signicat has the technology to connect the market, the expertise to scale the systems, and the experience to build the trust.

For more information, visit: www.signicat.com

Media Contacts
CCgroup for Signicat
signicat@ccgrouppr.com
+44 203 824 9200

Download your free copy of Signicat’s PSD2 White Paper

The PSD2 White Paper has been produced on behalf of Signicat by Norfico (www.norfico.net) and Consult Hyperion (www.chyp.com)

Can blockchain technology be useful to digital identity?

The word blockchain brings out many associations. I guess for most of you, Bitcoin comes first. And maybe other cryptocurrencies like Ripple and Ethereum. From there, you probably think about illegal buying and dark web, and anonymity. Yes, true. As with any type of fiat currency, you can also use cryptocurrencies to buy illegal stuff, and to be anonymous. But remember that blockchain is technology, and technology is only bad if it is used in a bad way.

Why can blockchain be useful for identities?
Anyway, this post is not about money but about identities. What are the reasons to consider blockchain to hold digital identities? And which properties of blockchain can be useful for identities?

For one, a blockchain is distributed, so there is no central authority which manages your identity. And it is immutable, which means that as soon as an identity is stored on the blockchain, it can never be removed. These properties mean that your digital identity cannot be purged. This would prevent any government from taking away the identity of people based on religion, ethnicity or other attributes, and you would be in control of your own identity. This is often referred to as sovereign identity.

Proof of concept with the sovereign identity idea
Signicat has been doing a proof of concept with the sovereign identity idea. Below are the components of this PoC:

Attribute storage
Each attribute is encrypted and stored separately. This means that if the encryption is cracked on one attribute, only the data for this attribute is exposed: for example that somebody is born on January 1st 1972, that somebody is over 18, or that somebody has a given nationality. But not who. And even if two records are broken, there is nothing indicating that these belong to the same individual. To know this connection, you must have the private key.

Attribute verification
To ensure the validity of an attribute, an eIDP (electronic identity provider) or eAP (electronic attribute provider) is involved. This could be a public eID provider (such as BankID in Norway and Sweden or NemID in Denmark), a consumer identity provider (such as Facebook or Google), a bank, a government, or even a group of friends. Before the attribute record is stored on the blockchain, it is validated by one or more of these. This means that the recipient of the attribute can verify the validity of the attribute.

Exposing an attribute
If you want to provide an attribute to somebody, for example that you are over 18, you send the record ID and the encryption key for this record to the recipient. This will prove that the record is yours, and that it is valid (by checking the attribute provider validation). The encryption key can only be used to decrypt the given record, so the owner is in control of what is being shared. Additional measures are used to prevent replay of the attribute, for example the recipient presenting it to another party.
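The attribute storage, verification and disclosure flow described above, as an added example that is not Signicat’s PoC code: every attribute gets its own key, a provider endorses the record before it is stored, and the owner discloses one attribute by handing over only that record’s ID and key. The text names no cipher or signature scheme, so this uses an HMAC-SHA256 counter-mode keystream as a stand-in cipher and an HMAC tag as a stand-in for the provider’s signature (constructed choices; with HMAC the recipient asks the provider to check the tag, where a real deployment would use a signature the recipient verifies itself).

```python
"""Per-attribute records: separate key per record, provider endorsement,
selective disclosure of a single record. Added example; the cipher and the
endorsement tag are stand-ins (see the lead-in), not the PoC's scheme."""
import hashlib
import hmac
import json
import secrets


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with HMAC-SHA256(key, counter) blocks.
    The same call encrypts and decrypts. One key never touches another record,
    so leaking it exposes exactly one attribute."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


class AttributeProvider:
    """An eAP/eIDP that vouches for an attribute before it is stored."""

    def __init__(self, name: str):
        self.name = name
        self._secret = secrets.token_bytes(32)  # stands in for a signing key

    def endorse(self, record_id: str, plaintext: bytes) -> str:
        msg = record_id.encode() + plaintext  # bind tag to this record only
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def verify(self, record_id: str, plaintext: bytes, tag: str) -> bool:
        return hmac.compare_digest(self.endorse(record_id, plaintext), tag)


def store_attribute(chain: dict, owner_keys: dict, provider: AttributeProvider,
                    name: str, value) -> str:
    """Encrypt one attribute under a fresh key, get it endorsed, put it on the
    (constructed, dict-backed) chain. The record carries no owner identifier,
    so two records cannot be linked without the owner's keys."""
    plaintext = json.dumps({name: value}).encode()
    record_id = secrets.token_hex(16)
    key = secrets.token_bytes(32)
    chain[record_id] = {
        "ciphertext": keystream_xor(key, plaintext),
        "provider": provider.name,
        "tag": provider.endorse(record_id, plaintext),
    }
    owner_keys[record_id] = key  # only the owner holds the per-record key
    return record_id


def disclose(owner_keys: dict, record_id: str) -> tuple:
    """What the owner sends to a recipient: just this record's ID and key."""
    return record_id, owner_keys[record_id]


def recipient_check(chain: dict, providers: dict, record_id: str, key: bytes):
    """Recipient decrypts the record and checks the provider endorsement.
    Returns the attribute dict, or None if the key or the endorsement is wrong."""
    record = chain[record_id]
    plaintext = keystream_xor(key, record["ciphertext"])
    provider = providers[record["provider"]]
    if not provider.verify(record_id, plaintext, record["tag"]):
        return None  # wrong key yields garbage, which the tag check rejects
    return json.loads(plaintext)


if __name__ == "__main__":
    chain, my_keys = {}, {}
    bankid = AttributeProvider("BankID")
    providers = {bankid.name: bankid}
    over18 = store_attribute(chain, my_keys, bankid, "over18", True)
    nationality = store_attribute(chain, my_keys, bankid, "nationality", "NO")
    rid, key = disclose(my_keys, over18)
    print("recipient sees:", recipient_check(chain, providers, rid, key))
    print("same key on other record:",
          recipient_check(chain, providers, nationality, key))
```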

Private key storage
A user needs a private key to identify his or her records on the blockchain. A challenge is that users lose their private key, and thereby lose access to their blockchain information. By using a key splitting algorithm, the private key is split into as many parts as there are nodes in the blockchain, and each node is given one part. In addition, the algorithm defines how many parts are needed to reconstruct the key. If there are for example 20 nodes, you could require 10 parts to reconstruct the key; any 10 arbitrary parts will suffice. By setting up rules for releasing the private key parts, requiring one or more eIDPs or eAPs to prove your identity, a node can release its part, thereby allowing the key owner to reconstruct the private key.

Attribute and identity providers
The eAPs and eIDPs will be approved by the blockchain. Only the approved nodes are trusted, which is especially important for the release of private key parts. If a provider is no longer trusted, it will be removed from the trust list.

Finally a word of warning: Before going all-in on an identity solution (or any solution using sensitive data) on the blockchain, privacy must be considered carefully. When data is on the chain, there is no way to change it, so there is no room for error in the initial setup.

Blogpost by: John Erik Setsaas, Identity Architect
Twitter: @jsetsaas


When is an electronic signature legally binding?

In the digital age, we want to replace the good old handshake and the handwritten ink signature with the more modern and flexible electronic signature.
In the Nordic countries, we are known for our high penetration and coverage of internet access and mobile devices, which are important key drivers for the success of building advanced digital services. This has given us many years of experience with electronically signed contracts, resulting in a better customer experience and lower handling costs.

With more than 10 years of experience with national eID schemes, as well as with electronic signatures, alignment with and adoption of the national legislation is well in place. At the end of the day it all comes down to the strength of the evidence being put together.

10 years is still a long time and solutions evolve based on requirements and experience.

New EU regulation replaces electronic signature directive

eIDAS (EU regulation #910/2014), which replaces the old Electronic Signatures Directive 1999/93/EC, states that qualified electronic signatures have the same legal status as a handwritten signature, and must not be rejected.

Up until now, the requirements for a qualified signature have been so costly, and the user experience in general so bad, that adoption has not been widespread. This has resulted in the alternative “solutions” to qualified signatures mentioned below.

The alternative to the qualified electronic signature is called the advanced electronic signature. The complexity and requirements of the advanced electronic signature are lower, and it has been the basis for many of the successful national eID schemes like BankID in Norway and Sweden and NemID in Denmark.

High priority on both compliance and user friendly electronic signing

At Signicat we are working with our 3rd generation of the “electronic signing ceremony”, where user experience and mobile channels receive top priority. Our customers are eager to follow the adoption of more user-friendly electronic signing flows, but at the same time focused on compliance and do not take any chances at all in this respect.
Since there are no standards or practical definitions setting the scene for advanced electronic signature, Signicat asked an external 3rd party to do an assessment of our 3rd generation electronic signing ceremony.

We commissioned an international law firm – Bird & Bird – to do this assessment covering Denmark, Norway, Sweden and Finland, focusing on two areas:

– The national eID scheme (electronic signature) in relation to EU legislation (eIDAS – AES – QES)
– The implementation of electronic signed agreements in the national legislation

The conclusion is that the Signicat Signature solution, in combination with the national eID schemes covered, complies with the level corresponding to AES (Advanced Electronic Signature), and that this has been adopted in the national legislations.


Regulation creates opportunities

2017: A year of new regulations and new opportunities

AML4, PSD2, eIDAS and GDPR. The deadlines for implementing these new EU directives and regulations are fast approaching. Banks, financial institutions and other businesses dealing with personal data are rushing to do what is required to be compliant with the new regulations.

On the other hand, some banks are starting to see that new regulations also create new opportunities. Take for instance PSD2: it is true that it requires banks to give access to account data to third parties that may be potential competitors. But it also creates an opportunity for banks to leverage their relations to their end customers by offering Strong Customer Authentication (SCA) to third parties.

Banks are uniquely positioned to do this. In some regions, like the Nordics, the infrastructure is already in place. In other regions where this is not yet the case, the banks are in the best position to provide SCA based on identity data they already hold about their customers.

Access to strong eID would be of great value to the fintechs and challengers trying to establish themselves in the market. By offering access to third parties, banks would accomplish two things: Creating a market for value-added services on top of the basic services required by PSD2 and strengthening the relations to the end-customer using the strong eID from the bank to access other services. It could also be used as part of an attractive value proposal to corporate customers of the bank.

Banks cooperating to provide strong eIDs to third parties

The concept of banks cooperating to provide strong eID to third parties is older than the new wave of regulation. It started in the Nordics with BankID and similar initiatives more than 10 years ago. The banks saw that they could profit from selling access to their strong eID to third parties. By making their eID interoperable between banks (as in a federation), they could also increase the frequency of use of the eID, thus creating stronger bonds to the end customer.

What happened in the Nordics in the bank industry is now expanding to other regions and other verticals. Cross-industry schemes and federations for eID are being established by banks, telecommunications companies and others who want to exploit the network effect of providing electronic identity across industries and businesses.

One such example is the partnership between Dutch banks to establish a federation of electronic identity, called iDIN. Another is the MyBank initiative by the EBA. A third is GSMA Mobile Connect, which is driven by the Telco industry.

The common denominator of these initiatives is that they connect existing electronic identity together in federations. Thus, a customer of a Dutch bank can use his online banking login to establish a customer relationship with an ecommerce retailer or a fintech providing account aggregation services.

Initiatives like the Dutch iDIN and MyBank have the potential for rapid deployment of Strong Customer Authentication. They build on existing electronic identity that is already in frequent use for Internet banking, sidestepping the need for a costly and time-consuming rollout of new electronic identity.

Now is the time to act

In 2014 Consult Hyperion’s David Birch published the book “Identity is the new money”. That was before PSD2, eIDAS and GDPR. Now, with the effect of the new EU regulations, the title of the book is probably more true than ever.

Signicat has been aware of the opportunities related to new regulations for some time, and we started to expand our cloud-based range of services for strong electronic trust outside of the Nordic region two years ago.

PSD2 and other regulations are not only about compliance. They provide opportunities for banks and fintechs to position themselves as being more innovative and forward thinking than the competitors. The ability to provide strong identification and authentication of customers will be a key factor for success.

Signicat is a pioneer in this field, with 10 years of experience and over 250 banks, fintechs, insurance companies and government agencies using our online services for strong eID and eSignature. This gives us a unique position to help European banks explore the opportunities related to PSD2 and other European regulations.

by Gunnar Nordseth

Signicat welcomes PSD2 Strong Customer Authentication

Yesterday, Thursday February 23rd, the EBA (European Banking Authority) published the final draft RTS (Regulatory Technical Standards) on Strong Customer Authentication (SCA) and common and secure communication under Article 98 of Directive 2015/2366 (PSD2).

On the first draft RTS the EBA received as many as 244 responses, some of which have influenced this final draft and some not. The final draft RTS is 153 pages of information, guidelines and rules to implement and follow in order to be PSD2 compliant in terms of Strong Customer Authentication (SCA).

Signicat has been helping our customers with Strong Customer Authentication for almost 10 years, and has grown its support to cover many different digital identity methods: government schemes, commercial eIDs, proprietary eIDs and of course self-issued eIDs.

Please find the final draft RTS here:

If you want more information about our award-winning, cloud-based digital identity eID HUB, or want to receive news and updates from the digital identity space, please get in touch by filling in the form and we will keep you updated.

Signicat on-boarding report from 2016 still topical

In early 2016 we conducted market research revealing some of the challenges consumers face when they want to change bank or “buy” financial services. It underlines the need for a frictionless and great user experience if you want to sell more or attract new customers for your financial services.

The research showed that more than 40% of consumers abandon the process because on-boarding is too complicated. Find the full report here.

Last week Chris Lemmon at FStech posted about a new survey with the same conclusions as the Signicat report – consumers won’t spend more than 20 minutes on an online application for financial products. Find the article here.

Take a look at some of our customer references and learn how we have helped them improve their customer experience as they enter the digital age.

Blockchain as a tool for improving identity handling

As written in previous blog posts, blockchain and digital identity are two very different technologies, and the blockchain killer app within digital identity is yet to be discovered. We recognize blockchain as a promising technology with many interesting angles, and as part of our strategy to pursue blockchain as a tool for improving identity handling, Signicat joined the Dutch Blockchain Hackathon (https://blockchainhackathon.eu/) this weekend with a team of hardcore eID and blockchain resources.

By the end, we had a fully working demo of a blockchain solution that addressed the following issues.

Safe storage of the user’s private key
One of the challenges with any digital identity scheme based on private keys is that the private key is typically stored on a device in the user’s possession, and if that device is lost, the private key is gone with it. There is no way to get the private key back.

Our demo showed a model where the private key is split into parts and stored across the nodes of the blockchain, in such a way that no single node holds the complete key and several nodes are required to reconstruct it. The user must prove that he or she is the owner of the key by using one or more identity providers, as explained in the next section.
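The split described above, as an added example that is not part of the hackathon demo or of Signicat's code: a k-of-n threshold split over a prime field (Shamir's scheme is assumed here, since the post does not say how the key was divided), with the reconstruction any three of five nodes can perform and the refusal two nodes get. The sample key is a constructed value.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// All arithmetic is in the prime field GF(p) with p = 2^255 - 19.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 255), big.NewInt(19))

// Share is one node's fragment of the key: the point (X, Y) on a hidden polynomial.
// X is the 1-based node index; x = 0 is never handed out, since f(0) is the secret.
type Share struct {
	X int
	Y *big.Int
}

// Split produces n shares of secret such that any k reconstruct it and any k-1 reveal
// nothing: the secret is the constant term of a random degree-(k-1) polynomial, one point per node.
func Split(secret *big.Int, k, n int) ([]Share, error) {
	if k < 2 || n < k || secret.Sign() < 0 || secret.Cmp(prime) >= 0 {
		return nil, errors.New("split: need 2 <= k <= n and 0 <= secret < p")
	}
	coeffs := make([]*big.Int, k)
	coeffs[0] = new(big.Int).Set(secret) // a0 = the secret
	for i := 1; i < k; i++ {             // a1 .. a(k-1) uniformly random
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs[i] = c
	}
	shares := make([]Share, n)
	for i := range shares {
		x := big.NewInt(int64(i + 1))
		y := new(big.Int) // Horner evaluation of the polynomial at x, mod p
		for j := k - 1; j >= 0; j-- {
			y.Mul(y, x)
			y.Add(y, coeffs[j])
			y.Mod(y, prime)
		}
		shares[i] = Share{X: i + 1, Y: y}
	}
	return shares, nil
}

// Recover rebuilds the secret from k distinct shares by Lagrange interpolation at x = 0.
// Fewer than k shares are refused: with k-1 points every candidate secret is equally consistent.
func Recover(shares []Share, k int) (*big.Int, error) {
	if len(shares) < k {
		return nil, fmt.Errorf("recover: have %d shares, threshold is %d", len(shares), k)
	}
	shares = shares[:k]
	seen := make(map[int]bool, k)
	for _, s := range shares {
		if s.X <= 0 || seen[s.X] {
			return nil, errors.New("recover: share indices must be positive and distinct")
		}
		seen[s.X] = true
	}
	secret := new(big.Int)
	for i, si := range shares {
		xi := big.NewInt(int64(si.X))
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			xj := big.NewInt(int64(sj.X))
			num.Mul(num, new(big.Int).Neg(xj)).Mod(num, prime)     // prod (0 - xj)
			den.Mul(den, new(big.Int).Sub(xi, xj)).Mod(den, prime) // prod (xi - xj)
		}
		basis := new(big.Int).Mul(num, new(big.Int).ModInverse(den, prime))
		secret.Add(secret, new(big.Int).Mul(si.Y, basis)).Mod(secret, prime)
	}
	return secret, nil
}

// SampleSecret is a constructed 32-byte value standing in for a user's private key
// (not a real key). Its top nibble is zero, so it lies below p.
func SampleSecret() *big.Int {
	s, _ := new(big.Int).SetString("0f1e2d3c4b5a69788796a5b4c3d2e1f0ffeeddccbbaa99887766554433221100", 16)
	return s
}

func main() {
	secret := SampleSecret()
	shares, _ := Split(secret, 3, 5) // five nodes, any three can rebuild the key
	got, _ := Recover([]Share{shares[0], shares[2], shares[4]}, 3)
	_, err := Recover(shares[:2], 3)
	fmt.Printf("3 of 5 nodes: recovered=%v\n2 of 5 nodes: %v\n", got.Cmp(secret) == 0, err)
}
```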

Independence of identity provider
In typical identity schemes the user is dependent on ONE identity provider. If this identity provider is compromised, or decides either to discharge a user or to take control of the private key, nothing prevents it. Instead, we set up multiple identity providers, and the user must authenticate with several of them at the same time to retrieve the private key. In addition, the identity providers must be approved by the blockchain, so an identity provider that has been compromised can be excluded.

The worst-case scenario is a government that issues identities deciding to target a group of users based on an attribute, for example by deleting their identities. The blockchain would provide safe storage, and the users would still have other identity providers, e.g. social media or even a private community.

Privacy, and putting the user in control of attribute sharing
A user is often asked to prove some piece of information, e.g. being over a given age or living in a specific country. The current solution is to present an identity document, which reveals ALL of this information and much more that there is no need to share.

By having each attribute verified by one or more IdPs and then encrypted with a different encryption key, the user can expose any subset of the attributes to the recipient. So it is possible to share only the date of birth, or even just the derived claim “I’m over 18”, provided it has been verified by one or more identity providers.

We got some hands-on blockchain experience, a working demo of how blockchain can be used, and additional blockchain insights from working intensely together and meeting a lot of other blockchain nerds.

Signicat takes these new technologies very seriously, and we therefore have a dedicated blockchain team and an innovation test/demo platform on which to test our latest blockchain ID software.

By John Erik Setsaas, Identity Architect, Signicat


Blog: Strong identification to explode in Finland

New Finnish legislation and the Finnish Trust Network (FTN) will expand strong identification to more and more online services where it does not exist today, says Country Manager Antti Harsunen from Signicat.

“At the moment we are at a run rate of a couple of million authentications per month. We believe that next year at this point we are looking at 3-4 times the figures,” says Harsunen.

“We are aggregating all the major Northern and Central European electronic identities (eIDs), and Finland has been an important market for our company since 2008.”

The Finnish Communications Regulatory Authority (FICORA) is working together with other actors in the coming FTN community on how to implement the legislation, which applies from 1st May 2017 onwards. FTN consists of eID providers and aggregators.

The objective of the change in the legislation is to make Finland a more favorable environment for digital services and to make strong identification easy to adopt. A big change is the aggregation service, which acts as a broker between the online services and the eID providers, enabling a one-stop shop for service providers to access all the eIDs with one agreement.

Until now, a service provider has been required to make agreements with all eID providers (10 banks + mobile operator). This has slowed down implementations and the wider adoption of strong eIDs in Finland.

For example, only the government online services have more than 1,000 contracts with the different eID providers!

“The change in the mode of operation is analogous to the Payment Services Act reform in 2010. Thanks to that amendment, online payments through Payment Service Providers (PSPs) began to become much more common in Finland,” says Harsunen.

From 2009 to 2013, the number of online payments increased from 23.1 million to 56.3 million. This is almost a 2.5-fold increase in a few years.

Signicat believes that strong authentication will grow particularly strongly in the future, for example in the health care, insurance and real estate sectors. Signicat’s traditional “home industry” has been the financial sector. The company’s customers in Finland include Lähi-Tapiola, Fennia, If P & C, DNA, Nordnet, SEB and Santander, as well as a number of European financial sector companies.

The new law requires providers of identification proxy (broker) services to be approved by FICORA.

“On May 1st 2017, we are ready to provide the mediation service as an official one-stop shop for all means of identification. We have provided technical services in the Finnish market since 2008 and now we can finally offer it contractually as well!”, says Harsunen.

New service category called Digital Identity Service Provider

”There is a new service provisioning category called Digital Identity Service Provider (DISP). DISPs offer Identity-On-Demand services for their customers, regardless of geography or eID. Signicat has extremely strong expertise and a background of being a DISP for a decade, and we aim to be the leader of the pack in the future as well”, sums up Harsunen.

Signicat’s Mikael Kemppainen is responsible for presales in Finland. He believes that aggregating eIDs through a DISP makes perfect sense technically as well. ”In Finland alone there are 11 integrations to various eID providers; why not use a DISP like us with only one integration? The biggest advantages are achieved by international companies that operate in several markets”.

Contacts in Finland:

www.signicat.fi

Country Manager Antti Harsunen
antti.harsunen@signicat.com, +358 40 687 9090

Presales executive Mikael Kemppainen
mikael.kemppainen@signicat.com, +358 40 701 7774

Blog: Are we heading for an identity crisis in FinTech?

Banks are, or are fast becoming, digital businesses and the customers they are competing for are “always on” – used to services accessible from any device and tailored to individual preferences. This brings its own set of problems, not least of which is verifying a customer’s identity online.

Establishing if someone is who they say they are in today’s virtual world is a major headache for banks and fintechs, thanks to the strict regulations they operate under and the difficulty in providing non-physical, verifiable forms of identity.

Consumers are demanding mobile-first digital services, while financial service providers need to meet stringent KYC processes that are rooted in a physical world at odds with today’s digital consumer. If this security process means popping into the branch or copying a 20-digit code from an SMS to an app, customers simply won’t buy it.

For fintech challengers, keen to steal business away from established providers, it needs to be simple for prospective customers to access and use their services, and, crucially, to trust them as much as current providers. Without this trust it won’t matter how innovative the service or how slick the mobile experience is – customers will stick with who they already have faith in to keep their details safe.

We can see this effect in action – security has improved beyond passwords and mother’s maiden name-type questions, but at the expense of convenience. Over 40% of applications for financial services products are abandoned. The current approach to identity doesn’t fit with either the shift to digital or the increasingly global nature of financial markets.

ID proliferation in the post-password era
The market has begun to address the issue. Major technological breakthroughs are being made such as new biometric techniques – skull-produced sounds will soon supplement fingerprints and facial recognition; projects such as HSBC’s voice recognition service; and use cases like consumer ID credentials stored in Apple Wallets, are all part of the effort to solve one of the biggest problems in tech: “how do I prove who I am, simply, securely and digitally?”

Organisations like Google, which announced Project Abacus earlier this year, are developing proprietary solutions that banks and other players can use to authenticate customers. Industry bodies like FIDO and the GSMA are creating standards designed to govern how IDs are managed and individuals are authenticated. At the same time regulators are mandating that providers enable strong authentication as part of PSD2 and eIDAS efforts to harmonize the single market in Europe.

While these efforts are important to addressing this issue, the mix of proprietary, industry and public policy approaches has created a plethora of different technologies, standards and alliances with only one clear result: confusion.

There is currently no “killer” identity solution. For every service, whether it’s online banking, insurance, online shopping, government eIDs or something else, a different ID is being used.

An identity crisis?
Everyone understands that the reliance on passwords cannot continue, and that existing authentication approaches sacrifice usability for security. However, creating multiple authentication methods is not the solution to consumers having to remember and manage multiple passwords.

With financial institutions and fintechs desperately seeking a solution to the problem, and consumers suffering from password/PIN fatigue, the solution is simplicity, ubiquity and scale, not more fragmentation. There needs to be a common approach or underlying infrastructure that solves the following problems:

  • Usability – consumers need a fast, simple and consistent method with minimal friction, across channels, markets and service providers.
  • Security – with fast changing regulation and increased threat from fraudsters, the approach must be ‘banking grade’ to offer providers and individuals peace of mind.
  • Scalability – consumers want to be able to use the same method and ID credentials across service providers and markets, and providers want to be able to use the same system across all channels and countries to grab market share.

Unless addressed, the identity crisis will mutate into market inertia. Providers will wait for the right solution to adopt and throw their weight behind. Meanwhile consumers will resist shifting from passwords and PINs until a better alternative is in place.

Enter digital identity
A different approach is needed – one that tackles the core problem: how can a consumer establish an ID credential that can be used across multiple services, standards and technologies?

For this to work in any sort of ubiquitous, scalable manner we must first create a single, robust digital ID and determine how it can be passported across services and markets. The irony is that almost every consumer already has at least one trusted digital identity – from either a government or an industry scheme – that could provide the answer. For example, Scandinavia has BankID, Estonia has ID kaart and the UK has GOV.UK Verify.

So rather than reinventing the wheel, financial service providers should use the existing public and private eID infrastructure that is gathering pace across Europe and beyond. The trick will be pooling them together into one central area so that they can be used across multiple geographies, multiple providers and for multiple purposes.

A federated approach
Rather than making their customers go through onerous KYC processes, organisations in regulated markets, such as financial institutions, can use existing customer credentials via an ID hub. Customers can register and use services quickly and simply, and financial service providers can accelerate expansion, boost market share, accelerate regulatory compliance and potentially capitalise on some of the enormous investment already made in KYC.

The financial services sector is undergoing the biggest transformation in its long history. Regulators across the globe want to open the market to competition and are enforcing ever-stricter legislation. Meanwhile revenues are declining, cyber-attacks are increasing, and fintech challengers are competing on services that were traditionally the preserve of established banks.

Digital identity has the potential to be the foundation from which providers can create better, digitally-native services that are highly secure yet easily accessible to new and existing customers regardless of where they are. Without a new approach, all financial providers will be paralysed by the identity crisis.

By Gunnar Nordseth, CEO, Signicat

CEO Signicat, Gunnar Nordseth

Gunnar Nordseth has more than 20 years of experience with information security, PKI and digital identity, and has since 2006 been CEO of Signicat.

Blog: Introduction to digital seals

Identity Architect – John Erik Setsaas

One of the trust services addressed by eIDAS (EU regulation 2014/910) is electronic seals. This post will describe what electronic seals are, and how they can be used.

Electronic seals use the same cryptography as electronic signatures, and in both cases the result is a protected document. When a document is sealed, it is possible to verify the origin of the document, as well as to detect whether changes have been made to the document after the seal was added. Many people think that if you save a document as a PDF, it cannot be modified. This is unfortunately not true – a PDF document can easily be edited in Adobe Acrobat and other PDF editors. However, if a seal is added to the PDF document, Adobe Reader (and possibly other PDF readers) will report if the document has been tampered with.

So what is the difference between an electronic signature and an electronic seal? The simple answer is that a signature is added by a person, while a seal is added by an organization.

A slightly more complex answer is that an electronic signature is added by a natural person, i.e. a human being, and that this person performs some action when adding the signature. This action typically involves some sort of authentication, where the user proves that she is who she claims to be. An electronic seal is added by a legal person, for example an organization. There is typically no human action involved, which makes electronic seals easy to include in existing business processes.

When do you want to use an electronic seal and not an electronic signature? If your organization is producing documents that are sent to other parties, and you want to ensure the integrity of these documents, electronic seals can be a good solution. The sealing of the documents can be integrated into the business process, ensuring that all produced documents are automatically sealed, without any human interaction.

It is equally simple to include verification of received documents in the business process. This could then automatically reject documents where the seal is not valid, or start a manual verification if there are any doubts about the seal.

One use case for electronic seals is auditing. The result of an audit is a report, which is used to prove to a third party that some requirements are fulfilled. The auditor generates a report, which is sent to the organization and then forwarded as proof of conformance. Sealing this report ensures that nobody can tamper with it, and that the document was produced by the auditor and not by somebody else.

Universities produce diplomas for students, which can typically be downloaded as PDF. This makes it very easy for a student to modify the diploma and alter anything from grades to subjects. It is also very simple to create fake diplomas: a quick Google search for “fake diploma” returns more than 350,000 hits. The consequence is that an employer may hire under-qualified workers, which is at best a business risk and at worst lethal in businesses such as healthcare. By electronically sealing the diplomas, it is simple to verify that they are genuine, that they originate from the correct university and that they have not been tampered with. An automatic check of diplomas when screening incoming job applications could discard any that are fake.

Electronic seals could also be used for securing the integrity of bank statements, employment confirmation, identity papers, deeds, policy documents, training certificates, tax statements, and many others.

Signicat offers simple-to-use APIs, both for adding seals to documents and for verifying electronic seals. A document can be sealed by including a web-service call in the business process. Signicat adds the electronic seal and returns the sealed document, which can then be distributed.

To verify a received document, a web-service call returns the health of the sealed document, including a simple “traffic light” status. A check of this traffic light can be included in the business process to reject obviously tampered-with documents and approve verified documents. Questionable documents can be forwarded to a manual check.
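The seal-and-verify flow described above, including the diploma screening case, as an added example that is not Signicat's API or code: an organisation signs the SHA-256 digest of a document with an Ed25519 key, and the receiver maps the outcome onto the traffic-light status (Green, Amber and Red are assumed names). The issuer names, key pairs and document text are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Status is the "traffic light" a business process can branch on.
type Status int

const (
	Green Status = iota // issuer known, signature valid, document unmodified: approve
	Amber               // seal intact but the issuer is not in our trust list: manual check
	Red                 // document altered after sealing or signature invalid: reject
)

func (s Status) String() string { return [...]string{"GREEN", "AMBER", "RED"}[s] }

// Seal travels with the document. Issuer names the legal person that sealed it,
// Digest is the SHA-256 of the document bytes as sealed, Sig is the signature over it.
type Seal struct {
	Issuer string
	Digest [sha256.Size]byte
	Sig    []byte
}

// Organisation holds a legal person's sealing key pair. In production the private
// key would live in an HSM or a sealing service; here it is generated in memory.
type Organisation struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewOrganisation(name string) (*Organisation, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Organisation{Name: name, Pub: pub, priv: priv}, nil
}

// SealDocument is the step wired into the document-producing process: no human
// action, the organisation's key signs the digest of whatever was produced.
func (o *Organisation) SealDocument(doc []byte) Seal {
	d := sha256.Sum256(doc)
	return Seal{Issuer: o.Name, Digest: d, Sig: ed25519.Sign(o.priv, d[:])}
}

// Verify is the receiving side. trusted maps issuer names to the public keys the
// receiver has chosen to accept (e.g. the universities or auditors it deals with).
func Verify(doc []byte, s Seal, trusted map[string]ed25519.PublicKey) Status {
	if sha256.Sum256(doc) != s.Digest {
		return Red // content no longer matches what was sealed
	}
	pub, ok := trusted[s.Issuer]
	if !ok {
		return Amber // cannot vouch for the origin; route to a human
	}
	if !ed25519.Verify(pub, s.Digest[:], s.Sig) {
		return Red // signed by some other key under this issuer's name
	}
	return Green
}

func main() {
	uni, _ := NewOrganisation("Example University") // constructed issuer
	trusted := map[string]ed25519.PublicKey{uni.Name: uni.Pub}
	diploma := []byte("Diploma: Jane Doe, BSc Computer Science, grade A") // constructed document
	seal := uni.SealDocument(diploma)
	fmt.Println("genuine :", Verify(diploma, seal, trusted))
	altered := []byte("Diploma: Jane Doe, BSc Computer Science, grade A+")
	fmt.Println("altered :", Verify(altered, seal, trusted))
	fmt.Println("unknown :", Verify(diploma, seal, nil))
	forger, _ := NewOrganisation(uni.Name) // different key, same name
	fmt.Println("forged  :", Verify(diploma, forger.SealDocument(diploma), trusted))
}
```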

Blog: Work hard, play hard – in the safe sandbox

Regulatory and industrial sandboxes were up for discussion at yesterday’s Finance IT Day in Copenhagen. Signicat announced the first ever identity sandbox for FinTech companies.

Written by Lars Møller Kristensen, Product Marketing Manager, Signicat

For most of us the feeling of being part of an important movement, the feeling of being a true frontrunner and first-mover, and the feeling of co-creating the rules of the future, and shaping the zeitgeist is rare. But occasionally something magical can happen, and you might, at least in a glimpse, get the sense of – collectively – hitting the wave right.

Yesterday at The Finance IT Day 2016 I had that feeling. What is happening at the moment in the financial technology industry globally is impressive. And as I watched the crowd of talented and ambitious people gathered in the main hall of Industriens Hus, I felt that Copenhagen actually has an opportunity of obtaining its fair share of the FinTech action going forward if the broad range of FinTech stakeholders manage to play it right together.

The FinTech vision

For the past year and a half, a group of public and private organizations, companies and authorities have worked hard “to make Copenhagen the leading FinTech hub in the Nordic region,” as Mayor Anna Mee Allerslev formulated the vision earlier this year. Several new projects have been started, and some of the results are a new and stronger version of CFIR by the name Copenhagen Fintech, the new FinTech co-working space Copenhagen Fintech Lab, Tryg’s InsurTech & Fintech co-working space The Camp, and Danske Bank’s The Hub.

The missing sandbox project

Although these are important projects for Copenhagen as a future FinTech hub, another highly important area – the regulatory treatment of the FinTech sector – still seems to lack the necessary attention from the Danish public authorities. One thing in particular seems to be in high demand amongst the regulated FinTech startups who want to operate in Denmark, and that is a kind of regulatory sandbox like the one launched in May by the British Financial Conduct Authority (FCA).

FCA is the British counterpart to the Danish Finanstilsynet, and FCA was the first regulatory authority in the world to establish their sandbox as part of a comprehensive and progressive project called Project Innovate/The Innovation Hub. FCA’s Director of Strategy & Competition, Christopher Woolard, has described the overall project and the sandbox like this:

“The Innovation Hub was set up by the FCA to do two main things: firstly, it provides direct support to innovative firms who are trying to launch new products into the market that we think might benefit consumers. And the second thing is that it is the center for our innovation policy. ‘The regulatory sandbox’ is where the government has asked us to look at whether there is a way in which we can provide a safe space for firms to enter the market and experiment with some of the ideas that they may have.”

Several kinds of sandboxes

One of the main themes yesterday at the Finance IT Day was exactly the current need and potential for sandboxes in the FinTech sector.

Dea Markova, Head of Programmes at Innovate Finance, went through the British sandbox initiatives from FCA as mentioned above, and she underlined how these efforts in recent years had contributed heavily to the establishing of London as a leading global fintech hub.

According to Ernst & Young, the FinTech sector in the UK had a turnover of more than 6.6 billion pounds in 2015. The UK attracted FinTech investments of more than 520 million pounds the same year, and the UK FinTech sector employs more than 60,000 people. There is little doubt that the welcoming, open-minded and innovative attitude towards FinTech from the British FCA deserves its fair share of the credit for these impressive numbers (it is going to be interesting to see if and how much Brexit will slow down this progress).

Since FCA established the first regulatory sandbox in the world in May this year, the idea has been copied by several other regulatory authorities throughout the world. At the moment you will find similar projects – in different stages – in places like France, Australia, Singapore, Thailand, Hong Kong, and Norway.

The industrial sandboxes

Dea Markova’s presentation yesterday was followed by a panel discussion about how to transfer the British sandbox ideas from the FCA into a Danish, Nordic or even cross-European context. In the panel – besides Dea Markova and myself – were people from Youlend, Spar Nord, Festina Lente, and Oslo Fintech.

I believe that everyone on the panel – and probably most of the couple of hundred people in the audience too – agreed that Denmark has a need for a regulatory sandbox if we want to realize the vision of positioning Copenhagen as a leading Nordic FinTech hub.

Unfortunately, the Danish FSA (Finanstilsynet) was not present in the panel or – I believe – at all at yesterday’s event, which was quite odd and obviously made it slightly difficult to send an immediate call for action to the regulator and the responsible minister.

Besides the regulatory sandbox, we need other kinds of industrial sandboxes that allow startups to try out new solutions quickly, easily and at little or no cost before they decide whether or not to take the next step.

The Signicat FinTech Starter Pack

At Signicat we have developed such an industrial sandbox within the area of identity. We call it the Signicat FinTech Starter Pack, and it is made for startups who need a safe test environment for identity features as part of their product or solution.

Ensuring compliance and staying on top of the regulation has a lot to do with handling identities and digitally signing legally binding contracts and documents. Both are infrastructure services, just like payments, and ideally just a snippet of code or a plugin that FinTech companies use when developing new business services or apps.

Some of the features that companies can test in the Signicat sandbox and that most financial apps need to deal with are:

• Onboarding new customers
• KYC (Know Your Customer)
• Accepting terms and conditions
• User consent

Signicat offers a full-featured pre-production (test) environment for FinTech startups to explore and utilize. And when they are done testing, it can all be deployed to Signicat’s production environment, if they so choose. Visit www.signicat.com/we-love-fintech and learn how to get started.