Biometric Research Note: Systematic process needed to implement government eID programs
Governments are under increasing pressure to effectively identify individuals and safely secure their borders. Accurately issuing and verifying the integrity of documents like passports, border patrol documents, national IDs and employee badges is increasingly important.
Initial smart card-based technologies filled the demand for electronic identification. But new challenges are evolving in issuance, usability and accuracy. Next-generation solutions include faster read and write speeds to process and create documents efficiently, enhanced memory technology to support emerging security requirements, and better contactless implementations.
The emergence of national eID technologies is placing pressure on national governments to migrate to new credential standards in the interest of enhanced security. Governments must implement the migration from regular paper identification to eID systematically, following a three-step approach.
The first step should focus on the selection of the physical and technical template for the identification credential. With the change from a traditional paper document to a smart card format, many new optical elements and optical technologies can be leveraged, including multiple laser image (MLI), changeable laser image (CLI), embedded hologram, diffractive optically variable image device (DOVID), image perforation and window technologies. These optical elements dramatically increase the optical security of the document when compared to paper-based ID documents. The mechanical and optical stability of smart cards is also better than that of paper-based documents, owing to their durability and greater resistance to counterfeiting.
The second characteristic of migration to eID is represented by the integrated circuit (IC), which brings new electronic security features to the credential. An IC platform raises the bar on functionality and performance to advance the next generation of government-issued IDs and e-passports. The IC fundamentally shifts the performance and capability of smart card applications, delivering faster and more reliable authentication of users.
The smart card technology acts as a safe box for data, able to perform highly complex cryptographic algorithms, as well as the authentication of biometric samples. This technology is designed to withstand sophisticated attacks through countermeasures such as hardware electrical shields, light attack sensors, differential power analysis sensors and side-channel attack sensors.
To accommodate current and future security and encryption requirements, IC platforms should conform to basic access control (BAC) and extended access control (EAC) requirements developed by the International Civil Aviation Organization (ICAO). IC platforms should also integrate advanced security countermeasures and be designed to meet stringent requirements such as those enumerated in the Common Criteria EAL5+ security certification per the BSI (Bundesamt für Sicherheit in der Informationstechnik) Smartcard protection profile (BSI-PP-0002). IC hardware should also support both public key cryptography, including RSA and elliptic curve, and symmetric key cryptography, which includes DES/Triple DES and AES. IC platforms should also support both contactless (ISO/IEC 14443 air interface protocol) and contact (ISO/IEC 7816 smart card interface protocol) communication. Combining hardware, operating system and application software also provides the secure encryption, storage, data management and authentication required for governmental identification controls.
The third requirement for the effective implementation of eID is the development of “eGovernment”. Citizens should be able to leverage the cards to access a myriad of services online via their personal computers, smartphones or other mobile devices.
Government services provided online require digital identity management. eID documents are personal, portable, secure credentials that can ensure a highly secure end-to-end channel of communication between the user (the citizen) and the service provider (the government).
The use of the credential can even be extended to transactions with businesses and consumers in the wider economy, if proper security and privacy controls are put in place. But in order to achieve implementation in the wider economy, agreements need to be forged between governments and the commercial sector, including credit card companies and other financial institutions. Most importantly, consent for such a payment scheme needs to be obtained from citizens through a thoroughly democratic process, along with an accompanying policy that would determine access and control over the large data footprint that would be generated from it.
Biometrics Research Group provides forward-looking and systematic data about the global biometric market, allowing industry stakeholders to calculate political, economic and investment risk.