The Federation of eID Providers: A Polish Perspective

The growth of electronic identification systems has been different for each European country during the past several years. European countries have different eID solutions based on whether the issuer is a government or a private eID provider. This article discusses the Federation of eID providers in Poland, which has become the national identification scheme. 

Electronic Identification Means are categorized by one of three Levels of Assurance (LoA) under eIDAS:

1. Low

2. Substantial

3. High

An electronic identification scheme must meet security controls for each level of assurance. The most commonly used will be LoA Substantial, which is flexible and secure enough for most public services.

Authentication Based on Electronic Banking in Poland

In the past, Poland applied a government identification scheme using a simple login and password that was available for citizens after they registered with a public office, but it was rarely used. Recently, the largest Polish bank, in partnership with the government, initiated the first solution for accessing public administration services with the use of the electronic banking systems.

Providing access to electronic public administration services from banks is just the beginning of the changes expected during the next two years. Soon other Polish banks will join the scheme to provide electronic identification services for their clients. This solution is open to others e.g. telecoms and companies who administer databases of their users. The electronic identification scheme based on an eID node will be initiated in 2017. This will expand the scope of banking identification to other areas, including commercial applications and trust services. 

Federated Electronic Identification

eIDAS notified electronic identification will be recognized in 2018 throughout the European Union to access public services in other countries. Poland’s next step is to introduce legal and technical frames for the National Electronic Identification Scheme. The national scheme will allow using electronic identification from various identity providers, i.e. banks, telecoms and other institutions to register users. Such eIDs will be recognized by the public administration and by private entities as well, including:

• Stores
• Service and content providers
• Financial institutions

Implementation of the National Electronic Identification Scheme means legal recognition for registered and supervised providers of eIDs. This year, the National Identification Node will allow the use of identity providers. Additional commercial nodes may be created that accomplish the same as the National Node, but are based on direct agreements with providers and recipients of the electronic identity. 

Trust Services Based on Electronic Identification

The availability of the electronic identification service does not address the entire risk associated with the provision of services by electronic means. Trust services provide an additional mechanism implemented under eIDAS at the level of the European Union. They may provide certification of transaction acceptance, sending and delivering electronic documents.

The best-known trust service is the electronic signature service. Reliable electronic identification provides the possibility of secure electronic signing via virtually any user device (laptop, tablet, mobile...), by using strong authentication. The next step for the electronic transactions will be verifying electronic signatures with qualified electronic signatures driven by electronic identification from the National Electronic Identification Scheme.

eIDAS Makes the Single Digital Market

eIDAS applies throughout the entire EU. Each member state supervises their own trust service providers and accepts trust services coming from other member states. This provides competition in the market and a possibility to use competitive trust services.

The regulations on electronic identification and trust services will have an impact throughout the EU. The involvement of financial institutions in the development of these devices will enable faster remote services to customers and financial products that fit for the purposes of electronic transactions. New business models enable reaching users directly with electronic services and will potentially lead to decreasing costs and time used for direct services and the handling of documents.  

References and Further Reading

• Selected articles on Authentication (2014-16), by Heather Walker, Luis Balbas, Guillaume Forget and Dawn M. Turner
• Selected articles on Electronic Signing and Digital Signatures (2014-16), by Ashiq JA, Guillaume Forget, Peter Landrock, Torben Pedersen, Dawn M. Turner and Tricia Wittig 
• REGULATION (EU) No 910/2014  on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014) by the European Parliament and the European Commission
• Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank
• Draft NIST Special Publication 800-63-3: Digital Authentication Guideline (2016), by the National Institute of Standards and Technology, USA.
• NIST Special Publication 800-63-2: Electronic Authentication Guideline (2013), by the National Institute of Standards and Technology, USA.
• Security Controls Related to Internet Banking Services (2016), Hong Kong Monetary Authority

 Image: "The palace of culture - Warsaw, Poland - Travel photography", courtesy of Guiseppe Milo, (CC BY 2.0)