Trust Service Providers & Strong Authentication: Government Benefits

One of the greatest benefits of the digital age is the availability of being able to perform many different government processes online in a shorter amount of time versus having to depend upon the postal service or taking time out of a busy day to go stand in a line at a government office.However, when dealing with sensitive documents over the Internet, such as identification papers, travel documents or health records, certain precautions need to be in place. With identity fraud on the rise, it is imperative to ensure the integrity of important documents, in addition to providing assurance that the signatory or person gaining access to personal information is who they say they are. This is why strong authentication that can be provided through trust service providers is now required for many processes.

What is Strong Authentication?

Several levels of authentication are in use today over the Internet. For many years, just using a username and password has been the standard practice in authentication. However, as computer hackers have become more sophisticated, that method is not nearly enough to protect sensitive information. Two and multi-factor authentication offers more protection and can be considered to provide strong authentication if implemented according to certain requirements.

The European Central Bank (ECB) defines strong authentication as “layered authentication approach relying on two or more authentication factors to establish the identity of an originator or receiver of information.”

The two or more elements that may be involved during the authentication process, include:

• Knowledge, which is something only the user knows, such as a password, PIN or other code
• Ownership, which is something that only the user has, such as a mobile phone, token or smart card
• Inherence, which could be a biometric characteristic such as a fingerprint

Each of the three elements must be mutually independent of each other in the event that one is breached so that it does not compromise any other element. At least one of the elements must not be replicable or must not be used more than once, such as a one-time passcode (OTP).

How Do Governments Benefit from Strong Authentication

The use of strong authentication provides several benefits, including:

• With strong authentication, many government processes can now be performed over the Internet almost automatically instead of using the postal service or having to make a trip to a government office
• The potential problem of having an individual having to appear at a government office multiple times to provide additional documentation to prove their identity is eliminated.
• Less frustration not only on the individual’s part, but also on the part of the government employee.
• Whereas time is considered money, less time is spent on paperwork, thus saving time for the individual and the government agency.
• Cross-border acceptance of eIDAs allows for seamless transactions because qualified signatures are considered the carry the weight of a handwritten signature.

By using strong authentication methods, governments are taking a proactive stance against fraud, while building trust among their citizens and other Member states through more secure interactions.

What Trust Service Providers Do

Under the eIDAS Regulation, a Trust Service Provider (TSP) is defined as “a natural or a legal person who provides one or more trust services either as a qualified or as a non-qualified trust service provider.” In performing their duties, TSPs are responsible for assuring the electronic identification of signatories and services by using strong mechanisms for authentication, digital certificates and electronic signatures.

In the EU, qualified TSPs that are authorized for services used for authentication purposes must be granted qualified status from their supervisory government body. The TSP must be listed on the EU Trust List as stipulated by eIDAS or they are prohibited from providing qualified trust services, such as those used for strong authentication.

TSPs that have been granted qualified status must:

• Provide valid time and date stamps for the certificates or seals they create
• Immediately revoke signatures with expired certificates
• Provide appropriate training to their staff
• Use software and hardware that is capable of preventing forgery or unauthorized access of certificates

Governments need to reach a high level of assurance to reduce the likelihood of authentication errors when operating with personal data of their citizens. Third party trust services can provide high levels of security assurance, confirming that the person signing or accessing information is indeed who he or she claims to be. By using such services, government departments can focus on delivering better online services for their citizens while resting assured that the systems and users are secured with the best level of protection and security standards. 

References and Further Reading

• Selected articles on Authentication (2014-16), by Heather Walker, Luis Balbas, Guillaume Forget,and Dawn M. Turner
  
• Selected articles on Electronic Signing and Digital Signatures (2014-16), by Ashiq JA, Guillaume Forget, Peter Landrock, Torben Pedersen, Dawn M. Turner and Tricia Wittig 
  
• REGULATION (EU) No 910/2014  on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014) by the European Parliament and the European Commission
• Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank
• Draft NIST Special Publication 800-63-3: Digital Authentication Guideline (2016), by the National Institute of Standards and Technology, USA.
• NIST Special Publication 800-63-2: Electronic Authentication Guideline (2013), by the National Institute of Standards and Technology, USA.
• Security Controls Related to Internet Banking Services (2016), Hong Kong Monetary Authority