One of the greatest benefits of the digital age is the ability to complete many government processes online in less time, rather than depending on the postal service or taking time out of a busy day to stand in line at a government office. However, when dealing with sensitive documents over the Internet, such as identification papers, travel documents or health records, certain precautions need to be in place. With identity fraud on the rise, it is imperative to ensure the integrity of important documents, in addition to providing assurance that the signatory or person gaining access to personal information is who they say they are. This is why strong authentication, which can be provided through trust service providers, is now required for many processes.
Several levels of authentication are in use today over the Internet. For many years, just using a username and password has been the standard practice in authentication. However, as computer hackers have become more sophisticated, that method is not nearly enough to protect sensitive information. Two-factor and multi-factor authentication offer more protection and can be considered strong authentication if implemented according to certain requirements.
The European Central Bank (ECB) defines strong authentication as “layered authentication approach relying on two or more authentication factors to establish the identity of an originator or receiver of information.”
The two or more elements that may be involved during the authentication process include:
The three elements must be mutually independent, so that a breach of one does not compromise any other element. At least one of the elements must not be replicable or must not be used more than once, such as a one-time passcode (OTP).
The use of strong authentication provides several benefits, including:
By using strong authentication methods, governments are taking a proactive stance against fraud, while building trust among their citizens and other Member States through more secure interactions.
Under the eIDAS Regulation, a Trust Service Provider (TSP) is defined as “a natural or a legal person who provides one or more trust services either as a qualified or as a non-qualified trust service provider.” In performing their duties, TSPs are responsible for assuring the electronic identification of signatories and services by using strong mechanisms for authentication, digital certificates and electronic signatures.
In the EU, qualified TSPs that are authorized for services used for authentication purposes must be granted qualified status by their supervisory government body. A TSP must be listed on the EU Trust List as stipulated by eIDAS, or it is prohibited from providing qualified trust services, such as those used for strong authentication.
TSPs that have been granted qualified status must:
Governments need to reach a high level of assurance to reduce the likelihood of authentication errors when handling the personal data of their citizens. Third-party trust services can provide high levels of security assurance, confirming that the person signing or accessing information is indeed who he or she claims to be. By using such services, government departments can focus on delivering better online services for their citizens while resting assured that the systems and users are secured with the best level of protection and security standards.