Vietnam releases draft digital identity and authentication guidelines
Vietnam is pushing ahead with its plan of developing digital governance as the country’s Ministry of Information and Communications (MIC) has released a draft decree defining guidelines on digital ID and authentication, including the use of biometrics.
According to a blog article written by prominent Vietnamese lawyers Yee Chung Seck and Manh Hung Tran, and published on Global Compliance News, the new draft decree is intended to leverage the digital identity concept which the country has been implementing since 2013.
Vietnam is said to be rapidly adopting digital identity innovation, the smart city concept as well as the development of other technologies as part of the Asian nation’s digital transformation agenda.
Per the blog article, the draft decree, among other things, seeks to expand the scope of its digital ID legislation to include transactions with government agencies as well as the private sector, especially in the banking and finance domains.
Broadly speaking, the draft decree carries details on the operationalization of digital identity and digital identification (e-identification), digital authentication (e-authentication), as well as on e-identification and e-authentication services, Global Compliance News states.
It adds that the decree also defines what digital identity is, talks about how digital identity should be managed, defines the two steps by which the digital identification process should be conducted, and how a digital identity can be created.
The decree explains that the process of e-identification and the cross-checking and verification of digital data will be done based on four Digital ID assurance levels (DIALs). These determine, for instance, if the subject’s data must be checked against the digital ID document or a government database. Multi-factor authentication (MFA) is required for DIAL3 and DIAL4.
The draft decree also defines digital authentication saying the process can be carried out based on three different authentication factors. Like the digital identification process, the authentication factors and means of authentication required to perform the digital authentication process are subject to the applicable DIALs.
The authentication factors, the decree specifies, include natural characteristics of the digital ID subject such as their biometrics, information which only the digital ID subject knows, and a digital device owned by the digital ID subject.
The decree also lists six different types of means of authentication to include a password, list of secret codes, two-dimensional barcode, telecommunications device, one-time password (OTP) device or software and a cryptographic device or software, the blog article notes.
According to Global Compliance News, the decree also spells out licensing modalities and requirements for firms interested in offering digital identification and authentication services. As the decree states, such a service provider must be of Vietnamese origin and is also expected to meet eligibility criteria on other aspects including finances, human resources, technical specifications as well as compliance with terms and conditions for managing and providing the service, plus the country’s cybersecurity laws.
Another aspect addressed by the draft decree is the right digital ID service providers to collect and use registered personal information which is voluntarily shared.