Page 74 - Security Today, March 2019
tion, issuance and post-issuance updates. The card management system should feature a localized GUI to retrieve document status in real time while also enabling such post-issuance operations as on-card application updates. Issuance and post-issuance processes again need to take into account the user experiences of both the citizen and government officials. Citizens want to receive their documents quickly, efficiently and securely, whether through the mail, a kiosk or in person. When they make changes or updates, they want to be sure that these are done quickly, accurately and in a way which does not compromise their use of the document or the service it enables. Meanwhile, government officials want to be sure that documents are provided to the right citizen and that the post-issuance processes are secure and efficient.
Planning for Mobile IDs
Governments must also plan an easy path to offering mobile identities to their citizens. New technologies enable identity credentials to be enrolled, provisioned and used on mobile devices, presented in a way that does not compromise security or privacy, and authenticated without requiring specialized training. These technologies also give citizens greater control over what identification information they share, in person or remotely, including over the telephone, on websites, or when accessing other digital services.
As countries move from paper or electronic documents to mobile IDs, they can streamline proof of identity issuance through over-the-air provisioning directly to citizens’ phones. This model protects privacy with end-to-end encryption and multiple layers of fraud-fighting security mechanisms, while post-issuance technologies keep mobile IDs current and trustable.
Mobile ID solutions should be an extension of the infrastructure used for physical e-Document programs and should be backed by the same high security standards for data, communication and privacy protection. The solutions should enable issuing authorities to easily add other government agencies and authorized private-sector entities into their ecosystem. This creates new opportunities to improve communication between governments and their citizens while opening the door for people to carry many different government and commercial IDs in one convenient mobile application.
In addition to the modular software suites employed for physical and mobile IDs, a provisioning mechanism is required to securely manage the delivery of the identity to the correct mobile device. Such a provisioning mechanism can be run on premises by governments, or in the cloud, where it is either managed by the government or offered as a service by an external vendor. These platforms manage the provisioning of fully encrypted mobile identities from a central issuance system to citizens’ smartphones while ensuring the privacy of all personal information. An early example is the HID goID Gateway that HID Global has added to its end-to-end e-Passport solution. Deployed by the government of Tanzania, the platform makes it possible to provision mobile “electronic passports” to citizens’ smartphones as insurance in case their physical passport booklets are stolen or lost in another country. The gateway also creates the opportunity for any public entity to deliver localized and dedicated mobile ID services to Tanzanian citizens in the future.
Another key element of a citizen mobile ID program is the smartphone app. This app should include off-the-shelf data structures that enable governments to issue mobile credentials that will comply with standards currently being developed by ICAO and the International Organization for Standardization (ISO). The most flexible way to create the smartphone application is to provide a software developer’s kit (SDK) so that local developers can produce an application which is customized to local requirements and based on trusted, proven technology. The mobile identity is delivered into the smartphone app by the provisioning service, where it is secured to the device using the onboard security mechanisms. The identity can be securely shared online or offline using Bluetooth, NFC or other device-to-device communication technologies.
Finally, a mobile identity solution requires a method for authentication or verification. The provisioning infrastructure must enable the secure distribution of verification applications for incorporation into hardware devices or other software systems. The role of the verification application must be managed by the issuer to ensure that the security and privacy of citizens are protected at all times.
The latest end-to-end citizen identification solutions include all requirements for a successful program as part of a comprehensive and coherent issuance and verification framework. They provide a customized, modular approach to deploying the major back-end system elements while meeting the exact needs of users and enhancing their experience at each step. These solutions also acknowledge and pave the way for IDs to be carried on citizens’ mobile devices. A complete, end-to-end solution bridges the gap between the physical credentials of today and the mobile credentials of the future, so governments can issue a physical or mobile credential, or both, from a single source, and authenticate them via a single, low-cost verification infrastructure.
Steve Warne is the senior director of product marketing with HID Global.
IDENTIFICATION