Governments moving citizen IDs to smartphones
The HID Global solution is aimed at any credential issuing authority who wants to adopt it and clearly who is ready to pay for it, says Rob Haslam, Vice President and Managing Director, Government ID Solutions with HID Global.

Governments moving citizen IDs to smartphones

The versatility of smartphones are only increasing. Governments are now pilot testing the process of transferring government identifications to smartphones. Physical identifications that need to work within the boundaries of a country are the ones that are being tested in the first phase. These include national identification cards, drivers licenses, and vehicle registration cards.

The process of issuing and transferring the digital identification to citizen smartphones follows a parallel process similar to issuing the physical identification. This means that governments do not need to invest in building separate process infrastructures to deliver the digital identification to citizen smartphones. However they do need to invest in the technology solution and the technology partnerships to make this happen.

The benefits of this innovation are two-fold, for the citizen and the government. Citizens can carry multiple digital identifications on their smartphones without managing the physical versions, since the smartphone is now almost ubiquitous for everyone. For the government, issuing the digital identification version implies a much better process of delivery to the citizen, timely reissue on expiry, and reduction of fraud around ownership and forgery. However there is more to digital identifications residing in smartphones than merely having a digital version of it stored in the smartphone.

According to HID Global, a leading vendor in secure identity solutions, a mobile identification is a secure credential delivered by a government to the smartphone of a citizen. These mobile IDs are in fact all-in-one applications for receiving the credential securely in the smartphone, saving it securely in the smartphone, and being able to present it with the highest level of privacy protection to any authority as required. Such mobile identifications will coexist with their physical versions for some time to come, and are not necessarily meant to replace them in the short term.

HID Global also describes the characteristics of mobile identifications over other versions of digital identifications. Receiving and sharing of mobile IDs is a voluntary process and requires citizen participation. The process of receiving, storing, and presenting the mobile ID, needs to work with any smartphone device, in any operating system, with any telecom service operator, and within any country. The information encrypted inside the mobile ID needs to be readable by only authenticated readers. And reading the mobile ID must not require handing over the citizen’s smartphone in which it is resident. The integrity of the mobile ID must not depend on an internet connection and needs to function in remote areas equally well. Finally it must be available in a dead battery situation as well.

Mobile IDs therefore require both the security keys used by mobile network operators and the manufacturers of the smartphones to securely transfer to the citizen smartphone. These keys allow loading of the mobile ID applet onto the respective secure element. They are also required to personalise the mobile ID with unique citizen information. Government agencies that consider building mobile ID management solutions on their own, would naturally be overwhelmed or they can choose to partner with vendors such as HID Global that have done so. The latter being the more logical choice forward.

The solution offered by HID Global includes two platforms – goID and Seos. Seos is a cryptographic infrastructure technology that has been developed specifically for the mobile experience. It is meant to provision secure credentials over telecom networks to smartphones. The goID platform enables instant over-the-air provisioning and streamlined access to cloud-based government information services with assurance that all transactions are secure and trustworthy. With Seos and goID, transactions related to issuing, managing and presenting credentials using mobile phones are conducted in highly secure environment and protected by end-to-end encryption.

“Seos is essentially a secure vault where we can store data items in such a way that they are encrypted and accessible using only encrypted channels. It is a non-SIM based solution, and it is a hardened software environment,” explains Rob Haslam, Vice President and Managing Director, Government ID Solutions with HID Global. The solution also segregates citizen data inside the vault based on required levels of access. So a law enforcement officer may have access to all of the citizen’s data, but a private service entity may have much more limited access.

“This means, that as a citizen, you only give your details to those who need to know them. Our security has been designed in such a way that it uses the most cutting edge cryptography available. The HID Global solution is aimed at any credential issuing authority who wants to adopt it and clearly who is ready to pay for it. This is not a solution we would put on a web site that you can download the solution and deploy it.”


 

 

Jordi C Shutterstock_1000x550_1
Mobile IDs will be issued through the Nigerian Police Biometric Central Motor Registry, vehicle registration card programme. (Image Jordi C Shutterstock)

 

Mobile IDs for Nigerian vehicle licenses

  • Mobile IDs will be issued with Nigerian vehicle registration licenses
  • Mobile IDs to be issued through Nigerian Police Biometric Central Motor Registry
  • Mobile IDs to be issued using HID Global Seos and goID encryption, connectivity solutions
  • Resistant to man-in-the-middle, reflection, replay, device tracking attacks
  • Resistant to message deletion, message reordering, message modification, message concatenation, message insertion
  • Includes anti-hacking techniques for reverse engineering, tampering, access, code injection, security by obscurity
  • Transaction are unique, cannot be cloned, recorded, replayed,
  • Applications include binary protection, root detection
  • Mobile IDs tied to the device through specific cryptographic keys with no master keys
  • Mobile IDs are only active on the registered smartphone
  • Mobile IDs to be received in citizen smartphones through internet
  • Multiple vehicle owners can have multiple mobile IDs on same smartphone
  • Security of transaction independent of security of transport technology
  • Transaction between mobile ID and verifying reader secured by Seos over the air
  • Issuing infrastructure manages keys for verifying readers making them trusted end points
  • Law enforcement can view mobile ID within Bluetooth access distance
  • Use cases can be built around mobile IDs based on public data available
  • Broad based usage to drive cross border interoperability including travel documents

A recent example is HID Global’s mobile ID implementation of vehicle registration licenses using the goID and Seos platform for Nigerian Police. The project envisages mobile IDs to be issued along with physical licenses by the Nigerian Police Biometric Central Motor Registry. This government application is currently being used to capture biometric information about Nigerian citizens at the time of vehicle ownership registration followed by the issue of the physical license. HID Global has entered into a pilot phase with the Nigerian Police to issue mobile IDs along with the physical licenses.

Issuing of the mobile ID would follow the same secure application process as the physical license. The citizen would be validated biometrically and the mobile number would be verified by SMS or email. On completion of the procedure the mobile ID would be ready to be transferred to the citizen’s smart phone. However whether the mobile ID holds all the registered data of the citizen or only part of it, and whether it is transferred to the citizen smart phone at the same time or later, depends entirely on the government agency issuing the credentials. Since these processes are intrinsic to the specific government agency, HID Global’s Haslam points out they are not involved in the specific operational procedures. However Haslam points out that transfer of the mobile ID to the citizen smartphone would require an internet connection.

In any project implementation, HID Global would initially go through a proof of concept with the government agency across various verification scenarios. Once that is over, it would enter into a pilot project developing the business processes and initial use cases to focus on early return on investments. Once that is over the pilot project can migrate into full deployment.

Mobile IDs transferred to a citizen’s smartphone can be read by Near Field or Bluetooth Communication readers that have been set up by the Seos application. For law enforcement being able to read the mobile ID from a citizen’s smartphone by Bluetooth from a distance provides additional protection. For a citizen with multiple vehicle ownerships, being able to have the registration licenses handy with a smartphone is an additional convenience. “Both of these protocols have very different tuneable reading distances and therefore could have different use cases,” says Haslam.

A key active role that HID Global plays in overall process is the encryption of the data from the Nigerian Police Biometric Central Motor Registry into the mobile ID and further transfer over the internet into the citizen smartphone. “We would provide our own hub to provision their mobile identity into the application and essentially that gets integrated with their own database. HID Global would have to provide an interface to the hub, which is the centre where the data conversion happens to secure and annonymise it, before it gets sent out over the internet to the mobile device. They do not need to provide any specific technology.”

As with any technology implementation project, HID Global is also working with regional partners in the implementation of Nigerian Police Biometric Central Motor Registry, mobile ID project. HID Global and Media Concepts designed the project so that the new offering could be integrated directly into the current enrollment process, allowing migration to mobile IDs. “We are open to different business models depending on the nature of the engagement that the partner has with the government agency. We can work with them to construct the project from scratch that they would manage from the ground,” says Haslam.

So compelling is the mobile ID innovation that Haslam expects a mushrooming of use cases and verification scenarios as longer term benefits for citizens. When the mobile ID readers are meant for law enforcement their distribution would be more secured since they would have access to full citizen information. For other more public use cases they could be offered as downloadable applications.

As governments start deploying mobile IDs into citizen smartphones with increasing success, the solution will soon be ready to cross borders and cross applications. Ubiquitous smartphones will then have transformed into ubiquitous mobile IDs.

 

Sura Nualpradid shutterstock_1000x550
It is easier to fake a physical driver’s license than a mobile driver’s license. With mobile, electronic authentication using cryptography is possible, which will prevent counterfeiting or fake IDs. (Image Sura Nualpradid Shutterstock)

 


 

 

Key benefits from Seos

  • Seos enables secure identities to be mobile
  • Seos changes a smart device into a credential
  • Seos enables credentials, readers to communicate across open systems
  • Seos uses standards-based cryptography to provision secure identities
  • Seos protects secure identities across broad range of mobile OS platforms
  • Seos is based on strong mutual authentication between application on citizen phone and reading device
  • Seos protects against man in the middle, reflection, reply, other attacks
  • Seos ensures credential holder is not tracked, identified by unauthorized party

 

 

How Seos performs

Security for mobile IDs is based on a multi-layered approach comprised of security technologies that run across the citizen smartphone, the verifying device and issuing infrastructure. Seos can be run and has been tested on secure elements and in pure hardened software credential storage. The latter being preferred to secure mobile applications because currently there is no common hardware security supported across all mobile platforms. This means the digital keys in the mobile phone are independent of any partner system from MNOs and OEMs.

Using a hardened software based credential allows HID Global to benefit from the many built in security features of a mobile phone operating system. This allows applications to store information and operate securely. In addition to this, mobile IDs are stored as Secure Identity Objects, which are encrypted and signed using NIST Suite B approved cryptography, making it impossible for a hacker to create or modify the content of a mobile ID.

Mobile IDs based on HID goID are tied to the device through a diversifier and device specific cryptographic keys and there are no master keys. This means a citizen’s mobile ID will not work on another device. The application itself includes binary protection including root detection and anti-hacking techniques for reverse engineering, tampering, unauthorised access, code injection and security by obscurity.

Seos technology does not depend on the security of the transport technology. It is standards based and includes secure messaging, strong authentication and data confidentiality. With HID goID, transactions between citizens’ smartphones and verifying readers rely on the Seos secure messaging protocol to secure over-the-air communication, independent of the transport technology whether NFC or Bluetooth Smart.

Every Seos transaction is unique and cannot be cloned, recorded or replayed. Seos is also resistant to man-in-the-middle attacks, reflection attacks, replay attacks, message deletion, message reordering, message modification, message concatenation and message insertion. Seos protocol supports strong privacy, meaning that it is not possible to track the identity of a device.

The issuing infrastructure processes incoming mobile ID payload securely issuing and protecting the citizen specific data using device independent diversified keys that are managed and generated within Hardware Security Modules. Citizen specific payload is securely wrapped and sent to the citizen’s smartphone using different transport channels. The issuing infrastructure also manages all keys including the issuance to verifying devices, ultimately allowing them to become trusted endpoints.

Widespread adoption of mobile IDs requires interoperability between issuing authorities across agencies, borders and geographies, worldwide.

 

Click below to share this article

Browse our latest issue

Intelligent CIO Africa

View Magazine Archive