The concept of citizen identity as we know it in Europe stems from the time of Napoleon, when governments became responsible for registering and managing the identity of the citizen – usually to collect taxes efficiently. And for years, this is the way things have been done.
Since then, the concept, attributes, and use cases of digital identity have expanded significantly, which makes us rethink the processes around it – and the ownership itself. For example, should the responsibility for registering and managing all this data still remain with the government? And should governmental organizations be focusing on developing the software to digitize those processes? And where do the responsibilities – and opportunities – of the private sector lie? eIDAS 2.0 is changing the way we approach these questions, argues Joran Frik, decentralized identity expert and Senior Manager Digital Identity at Deloitte in Brussels.
Moving from enterprise identity to citizen identity
In the last seven years, Joran has seen the work of the cybersecurity team of Deloitte’s Identity Service department gradually shift. “Traditionally, our work focused on the enterprise identity domain, on the way employees log in to their work accounts. Increasingly, we also started focusing on the way our organizations’ customers, the external users, log in, get access to personal data and resources, and manage, for example, their preferences or consent. And now, as the eIDAS 2.0 framework is becoming more and more concrete, we are able to put our knowledge to use in that area.”
The Identity team in Brussels does so by guiding organizations in improving their user journeys, driven by digital identity. The team collaborates with the public and private sector, and even helps the European Commission to support the legislative process. And the work doesn’t stop with the European framework, says Joran. “I have regular conversations with contacts in Asian countries such as Japan and Singapore, but I also speak to people in Australia, the US, and India. They very much look at us, at Europe, and how we are developing digital identity.”
Being based in Brussels is an important factor, Joran adds. “Belgium is one of the pioneers in citizen identity.” In 2003, Belgium rolled out its eID: an electronic identity card that contains a chip that not only allows secure authentication, but also offers free qualified electronic signatures to citizens. However, it still required middleware. Therefore, in 2017, a consortium of four major Belgian banks and three telecommunication companies also launched a digital identification app that allows Belgian citizens to log in to government, banks, insurers and other private companies. The app, called Itsme, makes it possible to share identity data, confirm payments and sign digitally with eIDAS-qualified electronic signatures – all fully mobile, at public and private organizations.
Citizen identity & the growing role of the private domain
Unlike the Netherlands, Belgium already has experience with the co-existence of two separate digital identity methods: one created by the government, and one created by the private sector. In the next few years, this will be something we will be seeing more and more of, Joran says. “The concept of citizen identity is developing at a fast pace: not just because of European legislation, but also driven by the market. Organizations don’t want to ask customers to re-verify data in lengthy or expensive processes, when that data is already available and validated somewhere else. We can really see a growing demand and supply from the private domain in this area.”
Organizations are increasingly becoming aware that digital identity isn’t something that belongs in the cybersecurity domain, Joran explains. “We’re currently at a point where everyone knows the importance of secure passwords, of multi-factor authentication, and other cyber hygiene measures. That part, of securely logging into accounts, we know how to do. More and more, the focus is shifting to supporting the real core business – improving customer journeys driven by digital identity. eIDAS 2.0 is about much more than just logging in, bringing questions such as: How do we deal with identity? Who has access to what? How do I make things as easy and secure as possible?”
Digital identity as part of business management
These types of conversations are becoming increasingly possible, as the concept of digital identity expands, Joran says. “Digital identity is no longer a singular concept, but can contain all types of varied data points. Beyond your name and address, you can share proof of income, whether you are a registered doctor, or have a university diploma. This wide availability of attributes allows many more use cases, especially in the private sector.”
However, the expansion of the concept also brings a shift in how we should approach digital identity, Joran adds. “Traditionally, identity has always been part of the cyber domain. But the goal of digital identity is not to block all security risks as best as possible. The goal is to ensure that all business processes run much more efficiently. That when you start a new job, you have the right access to the right resources from day one. That when you come to the office in the morning, you have direct access to everything you need access to – and no more than that. Digital identity is not just a technical solution: it’s intended to contribute to the entire process.”
This might also mean that if identity or cybersecurity is not your core business, you may be better off outsourcing it, Joran says. “For organizations, digital identity makes it increasingly important how they deal with customer data, identities and processes. For example, every hospital, every retail organization, every airline will be sitting with a huge amount of customer data. Would it be possible to outsource this in a way that customers can bring in their own data, rather than those large organizations owning it and needing customers to verify it?”
Room for broker solutions
Because an ecosystem approach that brings many stakeholders together is required, Joran expects a lot of room for so-called broker solutions or even broker wallets. “As a Dutch bank, for example, I want to be able to accept all types of identity methods, not just DigiD, but also a Belgian eID and an Itsme, and any other new wallet solution. Ideally, as a bank, you make one connection with that broker solution and that broker solution actually arranges all those different connections for you in the background. And if a new resource is added or eliminated, you as a bank actually have to make very few changes in your own applications for that. So that is much easier than doing everything yourself.”
These broker solutions do not have to be limited to the financial sector, Joran notes. Broker solutions can be an option for many different sectors, making digital identity more accessible for many more organizations.
However, it’s important to make a distinction between the high-security or high-level use cases, and the low-level or substantial-level use cases, Joran adds. “For opening a bank account or canceling airline tickets, you simply need high-level assurance: these organizations have to be very certain that you are who you say you are. For football matches or concerts, a lower level of security might be needed. That brings up the question: are we going to use different apps for different types of attributes? While that brings privacy advantages as users may prefer to store different attributes in different wallets, it might also be inefficient. So these are important questions that will need to be answered while we roll out the EUDI Wallets throughout Europe.”
Moving forward with digital identity
The changes brought forward by eIDAS 2.0 are not simple, and with lots of decisions to be made, trials to be conducted, and technical problems to be solved, it will take some time before the system is in place. However, Joran has witnessed a move in the right direction.
“In the past ten years, we’ve really seen an evolution in the way governments think about digital identity, in which they’re increasingly understanding that the operational part of digital identity may or should not be a core business. Consequently, more room for private providers opened up on the market. And I think that has really contributed to the adoption of a digital identity, to lowering costs, and to increasing citizen trust.”
Time to get started
With the growing importance of the private sector in the citizen identity sphere, there are a lot of opportunities to be found, Joran argues. But where do you begin?
“My advice is always: just get started. I see a lot of organizations that are just looking around and are thinking: should we start this today? And when they all look at each other, it will take a long time. There’s always someone who needs to make the first step. Yes, there might be some agreements about security or interoperability missing, but in most cases, organizations can also start with the important preparations.”
What’s more, it’s important to realize that digital identity is not just about the technology behind it, Joran says. “Organizations need to start looking from the business point of view, and the benefits that can be achieved. Only then can we start looking at the technical hurdles and their solutions. And these kinds of trajectories don't have to take two or three years anymore. At the moment, we work on fast, short projects with which we can actually get a working solution with basic capabilities, an MVP, up and running to give people the feeling of working with those solutions and noticing what the benefits can be immediately. This way, we can unlock some of the potential of customer digital identity and eIDAS 2.0.”