Mobile identities – using your smartphone to take care of important matters

If a specialist wants to give his patient an x-ray, there are a number of options available: He can have the x-ray developed and printed out and can then hand it over to the patient in analogue form. Or, he can save the digital image file on a USB stick and hand this over to the patient. Some doctors send the file by e-mail – not always encrypted – or e-mail a link to the patient to download the file from a cloud. What all these variants have in common is that they involve a considerable amount of work. And are they really privacy-compliant?

More and more citizens, however, want to be able to exchange data online with their doctors and other contacts in a convenient and mobile process. The easiest way to do this is using a smartphone. The problem is that extremely secure data storage and encryption are needed while the key for decrypting and accessing the data must be securely stored on the smartphone.

Trust as an admission ticket

It is also essential here that users can be confident that digital communications are secured and that their sensitive data is handled correctly. Users are usually less confident when their data is stored remotely and they don't know who has access to this data. Confidence increases when users themselves are in control of the data and can track who had access to which data and when. Another important factor for confidence is when users can revoke previously granted authorisation.

Secure transfer of identity attributes to a smartphone

Up to now, an ID card was used to prove a person’s identity. It is also already possible to derive identities today. For example, in the Postident process in Germany, the ID data is transferred to a special coupon and signed with a signature and stamp. In this case, the identity is derived from the ID card and transferred to a coupon. When someone authenticates themselves with an online service provider using their electronic ID card and the online ID function, they are essentially deriving their identity.

This principle can also be used with smartphones. Many of today’s devices already have a so-called Secure Element (SE). The unique attributes of an identity can be securely derived from the secure source (e.g. the electronic ID card), transferred to the mobile device and linked to the SE. All users then need is their smartphone to identify (register) or authenticate (log in) themselves online with a high level of security. Access to the originally secure source is no longer necessary.

Security level in line with protection requirements

Depending on the application, different levels of assurance are needed. According to the Money Laundering Act, a high level of security is a prerequisite for opening an online bank account. The online ID function of the German electronic ID card, which is notified according to the eIDAS Regulation throughout Europe as a “high” level of assurance, is absolutely necessary for this. Data derived from the ID card and transferred to the smartphone will reach a "substantial" level in the future. This would be sufficient for 95 percent of eGovernment applications, for example, and would mean 100 percent user-friendliness for users.

High virtualisation in the medium term

Research is still underway into how traditional ID documents, such as ID cards, health cards  or driving licences, can be securely transferred to mobile devices. Experts believe that soon the online ID function will be very easy to use on the smartphone, without users having to authenticate themselves each time with their ID card. At the same time, administrative processes are also being aligned in order to enable their online use with derived identities.
 

Quelle: Bitkom, Smartphone-Markt wächst um 3 Prozent auf 34 Milliarden Euro