On the doorstep of the third decade of this millennium, I have been reflecting on digital identity. The use of a federated electronic identity (eID) simplifies our lives in many respects, as we prove our identity once and can re-use it across different kinds of services. For those of us living in the Nordics, this is part of our weekly routine. With more than 90% coverage, we use our eID more than four times per week on average, for everything from logging into the bank, insurance company, or health portal to check which vaccines you have taken, to selling your car, doing your taxes, renewing your driver’s license, signing up for a credit card, taking out a mortgage, and even proving that you are of legal age when entering a tanning salon. The list of services in Norway where I can use my digital identity is endless, and it makes my life easier. Not only that, it simplifies things and reduces costs for service providers.
So what about fraud? Yes, of course. There is no 100% solution. In Norway it turns out that the majority of identity theft and identity fraud happens through close relatives: people willingly or accidentally share their BankID credentials with family members. If I have your credentials, I can take out a loan or credit card in your name, and you will be liable. The rules are very clear on this. BankID Norway is currently running a campaign on this, reminding people never to share their BankID password, not even with loved ones.
My advice to everybody would be: do not share your passwords, not even with the people you share your bed with.
The Nordic countries rank high on eID usage, but we are seeing growth elsewhere in Europe. Estonia is very advanced in the use of eIDs; there you can do almost everything digitally, with the exception of buying or selling property, getting married, or getting divorced. We also see an increase in the use of eIDs in the BeNeLux area and the DACH region. In the Netherlands, almost everyone with a bank account can use iDIN (i.e. the Dutch «BankID»), but very few people know about this, and there are still not many services where you can use it. Similarly, in Germany, everybody has the government-issued neue Personalausweis (nPA). But again, the problem is that few digital services accept the nPA, and most people are not aware of this possibility. There are also new schemes popping up in Germany, such as Yes and Verimi, which are private initiatives just like iDIN and the BankIDs in the Nordics. ItsMe, the eID in Belgium, shows the highest increase in usage. It is the classic chicken-and-egg problem, where services need to be available to promote and facilitate eID usage amongst citizens, but one thing is for certain: eIDs are on the rise.
I’m frequently asked about cross-border eIDs, as defined by eIDAS. In short, eIDAS is a regulation for harmonizing eIDs and trust services in Europe. Your own national eID should be usable in other countries. This is of course a brilliant idea; however, one obstacle is the business systems. In the Nordics, most business systems use the National Identification Number (NIN), or fødselsnummer in Norway, as the unique identifier. The NIN is given to you at birth and persists throughout your life. If you are a foreigner coming to Norway, for example to study, you will be assigned a special NIN (in a different number range), as the NIN is required to get a bank account, insurance, etc. Another issue is the «strength» of the eID, defined in eIDAS as low, substantial and high. Most banks will require high to open a bank account. As you can understand, there is no magical way that you will suddenly be able to access services in a different country using your personal eID, even though the eIDAS gateways are in place.
As a result of the increased use of eIDs, electronic signatures are also on the rise. Without being able to verify who signed a document, an electronic signature is not worth a lot. Some popular electronic signature solutions do not check your identity, except for verifying access to an email address (which proves nothing about who you are), and the «signature» is just a handwritten scribble on a screen. In most cases, this is worthless as a legal document. Using an eID simplifies this, however. The identity is already verified, and is then reused when signing a document.
What about Qualified Electronic Signatures (QES)? A general misunderstanding is that to be able to replace handwritten signatures, you *have* to use QES. I think this comes from the statement in eIDAS that «a QES shall be recognized as the same legal level as a handwritten signature». In the absence of national legislation that requires QES, however, Advanced Electronic Signatures will in most cases be sufficient and are both simpler and cheaper than QES.
John Erik Setsaas
VP of Identity and Innovation at Signicat
December 27 2019