This article is provided by the Secure Identity Alliance.As identity goes mobile and digital, it is proliferating at an incredible rate. From the low level 'sign-in through Facebook' to high-security access and new government and SMART CITY services, the ability to prove who we are (when we are mobile) has become a strategic imperative. And it is not just about convenience or security.The social and financial wellbeing of nation states may not necessarily 'rely' on getting digital and mobile identity right, but there is little doubt that it offers a tremendous economic boost.Estonian president, Toomas Hendrik Ilves, certainly thinks so. In 2014, he was quoted as saying that electronic signatures in his country are saving the equivalent of one working week per person. International studies have shown significant cost projections for the public purse – one notable report from the SIA and Boston Consulting Group predicts savings in the region of $50 billion by 2020.Everyone's doing itIt's not only northern European countries that are launching e-Identity and mobile identity initiatives. The United States has its National Strategy for Trusted Identities in Cyberspace (NSTIC), the European Union has the electronic identification and trust services for electronic transactions in the internal market (eIDAS) initiative, and there are a raft of SMART CITY projects across the United Arab Emirates (UAE) that are also tackling the issue.It must be remembered that these acronyms, regulations and technologies are sources of complete indifference to the citizen. People just want to pay their taxes, buy goods and services, manage bank accounts and enjoy simple, fast and secure access to whatever private or public service they use.Of course, a user-centric approach is all very well for actual solutions. But the identities themselves – the 'things' on which this brave, new, inclusive and financially beneficial world are being built – must begin with a trusted framework. And for many, including the SIA, sovereign states have a clear role to play. Certainly, government institutions will be joined along the way by internet giants, banks, technology providers and many more ecosystem players. However, in a world as complex as mobile identity – one that touches privacy, public safety and national security – leveraging existing trusted state identities is crucial. Building the frameworkAs providers of essential online services to whole populations, governments can (and should) take a lead in promoting high value, highly secure, trust-based economic and social interactions on the mobile.This could involve empowering eDemocracy and personalized health services, or the creation of a new citizen-to-citizen economy, in which private individuals can transact with one another in a trusted environment where accountability and the rule of law exists.It doesn't matter what the service is, it matters what identity is offered, and how that identity is authenticated to give secure access to the citizen.Clearly, there are challenges associated with online identity that extend from convenience through to trust. For example, identities used to access online banking and government services are typically derived from strong registration processes that straddle both the physical and virtual worlds: citizens present a physical credential – a birth certificates, identity card or passport – and are provided with the authentication tokens to enable online access.Other online services rely on self-registration, where citizens create their own user names and passwords to access social networks, eCommerce accounts or webmail. In these instances, citizens may choose to protect their personal information by using pseudonyms to access services.It is clear that without a trusted digital identity, the digital economy can't function effectively. This is why governments have such a clear role to play in establishing a clear national policy strategy for digital identity management – and in acting as the national validation gateway for ID service providers.Unlocking the potential of mobileIn recent years, a number of high profile eGovernment implementations around the world have helped unlock the identity authentication conundrum, making it possible for citizens to create and use an online government account that could very well form the root identity for their trusted digital ID.But with mobile devices fast becoming the access channel of choice for populations the world over, tackling the challenges relating to mobile identity (m-ID) and authentication is clearly the next priority.Why mobile ID mattersBy 2018, the Organisation for Economic Co-operation and Development (OECD) predicts that 96% of the world's population will be equipped with a cell phone. The growing adoption of smart devices means more and more people are using their mobile to get online – indeed, one study indicates that by 2018 there will be 8.9 billion mobile internet consumer devices and connections.Mobile identity is set to become an essential factor in enabling secure access to a vast array of services – including banking, payment, retail, healthcare, transport, energy and other advanced identity-based digital services – via a mobile device, no matter where in the world we are.A number of pioneering countries are already tackling the challenge of adopting new structures and codes to govern associated services and transactions – and are in the process of defining what mobile identity and mobile identity solutions should (and do) look like.For some, the answer begins at the network operator level. For others, it's rooted in the existing physical and digital identities already created by government.Authentication and mobile-IDThe mobile identity solutions employed by today's innovators are flexible, in terms of how they deliver a wide range of applications and use cases. However, all are reliant on an authentication solution that's appropriate for delivering secure access to an eService via a mobile device.Authentication lies at the crux of m-ID, demonstrating assurance that the individual engaging – or about to engage – in a transaction is indeed the person defined by the identity that's being used. Ideally, this identity will have been created during a prior enrolment process, such as a government program.Furthermore, context-aware authentication will be required to ensure identification methods are appropriate to the user case in hand. This framework should include multi-factor authentication options that assure the high levels of security that users need when accessing government, banking or health services.For very strong authentication use cases – for example when a legally binding proof of authentication or authorization transaction is required – the introduction of a mobile signature based on PKI (Public Key Infrastructure) technology would be critical to making robust identity proofing possible and support the generation of digital certificates for identity validation.The question of where these identities are stored is crucial for obvious security reasons. While the form factor of the electronic identity may vary, it should be stored or accessible using a secure element such as a mobile UICC (SIM card), an embedded secure element in a mobile device or a microSD card, for example.Whatever the approach taken, there's a common theme that underpins the most successful m-ID programs currently in operation around the globe. All are highly dependent on the active and effective collaboration between public authorities, banking and financial institutions and private service providers to establish a highly secure standard for mobile environments.This enables all parties to participate in an interoperable and universal approach that establishes the practices, security standards and ease of use that needs to characterize a mobile identity infrastructure – and sets out the authentication modes that are expected for defined use cases.Mobile ID goes liveA number of countries have already developed advanced m-ID initiatives that bring together a large of number of service providers, commercial organisations and government agencies to deliver mobile digital services to their populations.In Finland, the city of Helsinki is using mobile technology to engage with citizens and deliver innovative new public services; for example, a new tax receipt app now allows citizens to calculate the total amount of direct or indirect taxes they pay monthly. Today, over 300 public and private services across the country accept mobile ID. The most popular services include getting involved with citizen initiatives, reporting incidents to the police, working with insurance services, and accessing health services.In Estonia, the national mobile-ID service is now being used to boost export and trading activities with Lithuania and Azerbaijan, by making it possible for companies to be set up in just minutes. The service also allows non-nationals residing in the country to access local citizen m-ID services and participate in key infrastructure services such as DigiDoc and banking applications. The initiation of a non-resident 'investor passport' approach has made satellite citizenship a reality that's attracting new investment into the country – and creating the potential for 'digital embassies' in friendly foreign countries.What matters in adoption?Ultimately, there are two critical elements within the m-ID environment that will support successful strategies.The first is the role of the state in driving the trusted framework. The second is the need to deliver user protection that is appropriate to the use case.If we're logging into a social network, there's little need for high levels of multi-factor authentication. If we're accessing/making a government or financial service/transaction – particularly if it is cross-border in nature – the highest levels of confidence in the proffered identity, and in its security, are paramount.For example, the eIDAS regulation, which is set to foster the use of identity solutions across the Digital Single Market, offer three different assurance levels for transactions: low, substantial and high. For the SIA, just how 'appropriate' low or even substantial levels are for cross-border transactions – when there's an alternative that offers full protection – is a point of debate.Over the next 12 months we are likely to see a raft of new m-ID initiatives planned and launched. And they'll be much discussion on a range of connected issues – from whether regional frameworks can offer answers in a globally interconnected world, to how to gain the highest levels of assurance on and off the device. One thing is clear, m-ID is not going away.
Identity in a hyper-connected, mobile world
