e-ID and Mobile ID: A Dutch Perspective

Salah Bohoudi, Enterprise Security Architect, Europol

15 June 2016



Agenda

• Introduction

• Business context

• EU policy context

• eID in the Netherlands

• Closing Remarks


Mission of Europol

“Europol’s competence shall cover organised crime, terrorism and other forms of serious crime affecting two or more Member States in such a way as to require a common approach by the Member States owing to the scale, significance and consequences of the offences.”


Europol’s competences


Europol National Units (ENU)

Europol Liaison Bureaux (LB)


Europol Strategic Objectives

- EU centre for law enforcement expertise

- EU criminal information hub

- EU support centre for law enforcement operations

Identity and Access Management solutions are a key strategic business enabler


Agenda

• Introduction

• Business context

• EU policy context

• eID in the Netherlands

• Closing Remarks


Policy Context

• Limitations of current eID solutions

• Dutch policy ambitions for full electronic service delivery in 2017

• National Cyber Security Strategy (NCSS I)

• Clear and ambitious government objectives for state of the art e-ID/Mobile-ID systems

• Boosting economy, fostering innovation, creating jobs and saving costs


Netherlands eGovernment state of play 2015


Agenda

• Introduction

• Business context

• EU Policy context

• eID in the Netherlands

• Closing Remarks


EU Policy Context

• Actions 8 and 83 of the Digital Agenda propose a revision of the eSignature Directive with a view to providing a legal framework for cross-border recognition and interoperability of secure eAuthentication systems.

• Action 37 of the European Action Plan 2011-2015 on eGOV declares that Member States should apply and roll out the eID solutions, based on the results of STORK and other eID-related projects.

• eIDAS regulation objective: strengthen the EU Single Market by boosting trust and convenience in secure and seamless cross-border electronic transactions


eIDAS


Main objectives


Source: European Commission


Other initiatives

• FIDO: It defines an open, scalable and interoperable set of mechanisms with the aim of reducing the use of passwords for the authentication of users

• GSMA Mobile Connect: online identity solution from Mobile Network Operators and defined by GSMA

• Trusted Identities in Cyberspace (USA) may create a set of industry standards

• ICAO 9303 for travel documents (worldwide)

• e-Driving License: ISO/IEC JTC 1 SC17 WG10 focuses on a mobile driving license


Agenda

• Introduction

• Business context

• EU Policy drivers

• eID in the Netherlands

• Closing Remarks


Dutch new e-ID system

• Replaced outdated e-ID systems

• Standardize eID means/scheme for citizens (DigiD) and businesses (eRecognition)

• Foster public-private partnerships

• Enable citizens to authenticate with a high assurance and reliable eID

• Enable user consent and right to choose the authentication means

• Cover all use cases


Use cases

Citizen-to-Government

• Tax Collection

• Social Welfare Program Access

• Population Registrar

Enterprise-to-Government

• Part of government strategy

• From business start-up, running, taxation to termination

eHealth

• Patient Record Tracking

• Patient Information Sharing

• Patient Declaration

• Insurance

Finance

• Electronic banking

Commercial

• Support all online transactions with enterprises


Dutch “eID stelsel”

The Netherlands is unique in the way it is handling eIDs:

• Modern and flexible legislative instruments

• Customer choice and public-private partnership

• Government manages the links in the “chain and leaves”

• Private sector to drive the leaves

• Foster innovation


Dutch eID landscape

BSN

• Root identity

• Dutch Municipal Personal Records Database

DigiD

• eGovernment

• Municipalities, tax and customs administration, police, pension funds and health insurers

eHerkenning

• Authentication service for companies

• Trust framework and certified providers

Idensys

• New eID system/stelsel

• DigiD + eHerkenning

• eIDAS compliant

• Pilot mode

iDEAL

• Online payment through your bank

• Banking Agreements

• Most popular payment method

iDIN

• Bank ID

• Oversight of Central bank

• Digital transaction management

• Pilot ongoing


The year of e-ID


Comparison

| | Idensys | IDIN |
|---|---|---|
| Organisation | Public-private | Private |
| Domain | BSN domain; Non BSN domain | Non BSN domain (limited BSN domain support) |
| Identifier | BSN or pseudonym | Bank identification code |
| Assurance level | Stork 2, 2+, 3, 4 | Stork 2, 3 |
| ID means | Public ID cards; Private means | (existing) banking authentication means |
| Cross border support | eIDAS compliant | |
| Functions | Authentication; Attribute management; Timestamping; E-signature | Authentication |
| Scope | Citizens, enterprises | Citizens |


Closing remarks

• eID solutions must limit the footprint of the user on the Internet.

• Privacy Impact Assessment and privacy by design are key requirements. Still some work to do on Idensys and IDIN.

• Technology neutrality is a principle that enables innovation and avoids monopolistic market situations.

• The “Root of Digital Identity” is and will be provided by Member States and the eIDAS, and “Know Your Customer”

• Low assurance “virtual ID” will emerge for online services

• Chain of eID for different purposes, one core National eID for high assurance transactions