After 15 years of making big investments in electronic government services, the public value outcomes are far from the expected. According to the latest report by Telefonica, 81% of Spanish citizens are internet users to access online services like social networks, travel agencies, shops, banks, etc.
However, in Catalonia, only 30% of procedures are submitted electronically to governments. This index is almost never shown in digital government reports. Many other indicators are published instead, such as the percentage of citizens that have completed at least one electronic procedure during a year. That is not a key metric; quite the contrary, it is a vanity metric because it gives a misleading picture of reality.
Between 81% of internet users and 30% of electronic procedures, there is a huge gap. There are several barriers that could justify the gap: usability, trust, awareness of e-services, etc. But the most important one is the electronic identification (eID) process.
Different user profiles require different eID solutions
We have to bear in mind that different user profiles have different use cases and they may require different eID solutions. There are three basic user profiles:
- Ordinary citizens: on average, they submit three procedures per year to all public administrations
- Business people: they submit quite a lot of procedures with governments
- Official governments and public employees: they do a lot of transactions within governments
Most of the business people, official governments, and public employees of Catalonia and Spain use a digital certificate for electronic identification, authentication, and signature. Digital certificates, whether on a smart card (which provides a high level of assurance) or in software, are not easy to use, but all these people have technical support from an IT department.
For the past 15 years, the strategy in Spain for digital identification has been based on providing digital certificates to all citizens integrated within the official Spanish ID card, with a high level of assurance. However, 95% of the procedures they submit have a medium or low risk. Why do we force citizens to use a high level of assurance system if they do not really need it? And when citizens have a problem with the extremely complicated configuration of the ID card, they do not have an IT department to solve their issues at home.
After spending more than 600 million euros (this is an estimate: there are no official figures), 40 million Spanish citizens have it. Yet, the usage is very low. Again, there are no official figures, but we have a survey conducted by the Orange Foundation about who used the Spanish eID card to submit the income tax declaration, which is mandatory for all citizens of legal age. Only 0.02% of citizens used the Spanish eID card. My personal estimate is that only 2% have used it, at least once, with all public administrations.
All too often, the best is the enemy of the good. This is a very good example.
Kerckhoffs’ principles and Spanish eID card
Why hasn’t the Spanish eID card worked? The answer is quite simple: it does not fulfill Kerckhoffs’ principles. Mr. Kerckhoffs was an expert in cryptography who stated that in order to have a secure and useful cryptosystem, you have to comply with several principles. The most important are:
- It must be possible to remember the key without using written notes
- The system must be easy to use
The Spanish eID card does not fulfill either of them. It is not easy to use, at all: you have to be an IT expert in operating systems, browsers, Java and drivers. And you have to carry an eID card reader with you (most PCs don’t have one). Besides, users do not remember their password because they only use it three times per year. After three failed tries, the eID card gets blocked, and you have to go in person to a police office. The result: there are thousands of blocked eID cards, including mine.
The funny thing about Kerckhoffs’ principles is that they were written down in 1883. It seems we haven’t learned much about this subject in the last 134 years.
Criteria for the ideal identification solution for ordinary citizens
My ideal solution for an ordinary citizen is the following:
- Available for all ordinary citizens
- Ready to be used for 95% of e-services
- There is no need to carry a new device
- There is nothing new to remember
- It is not required to do an on-site register
- The citizen has to do no set-up nor configuration
- It must be very easy to use
- It has to be trustworthy
- It should be broadly used by the public and private services
- It should follow the latest security recommendations
You may think that all these criteria are wishful thinking, but we believe there is at least one solution that fulfills all of them. This solution is based on three pillars.
1st Based on mobile
There is no need to carry a new device if you use an eID based on a mobile phone.
Besides, it is already available for almost all ordinary citizens. Actually, in Spain, there are 116 mobile phones per 100 people.
And it is very trustworthy because it is a very personal device. We always carry it with us; hence, if we lose it, we realize it rapidly, and we can block it in a few minutes.
2nd Based on a secure digital enrollment process
For medium and low-risk processes, we can do an online enrollment. Currently, the Consortium AOC (idCAT Mòbil) and the Spanish central government (Cl@ve) run an online enrollment process based on asking citizens for personal information, sending an OTP to their mobile phone, and sending a postal letter to the legal residence address. So far, it is working very well.
We may enhance the online enrollment process using remote identity verification solutions:
- Scanning official documents and doing a detailed verification process
- Carrying out a biometric facial recognition between the official ID photo and a selfie, which includes a proof-of-life test: for example, blinking your eyes
- Doing a short video conference between the citizen and a public employee, which is recorded as evidence
After the digital enrollment process, we legally register the personal mobile telephone number and e-mail, which will be used in future for identification, authentication, and signature.
3rd Based on a 2FA system
And finally, the solution is based on a two-factor authentication system (2FA) that complies with the following requirements:
- There is nothing new to remember: citizens only have to remember their mobile phone number and ID number.
- The citizen has to do neither set-up nor configuration. The solution can be based on sending a one-time password by SMS, or on Mobile Connect, which sends a push notification that is managed by a small application installed automatically by the telecommunications operator on the SIM. In either case, the user does not have to do any configuration. By the way, there are some 2FA solutions based on a mobile app: they do not work for most citizens. The latest reports show that users are not downloading or using new apps unless they provide great value and you spend a huge amount of money on advertising, because there are more than 2 million apps available on the Apple and Android stores.
- It must be very easy to use: just a simple action, either clicking on the URL in the SMS or accepting a notification message.
- Ready to be used for 95% of e-services. According to the eIDAS European regulation, 2FA can be used in online services that have a medium or low risk. The 2FA is based on something you have and something you know. You have to accept the authentication process on your mobile. Hence, you must know your mobile phone number, ID number, and the mobile lock screen password.
- It should be broadly used by public and private services to take advantage of synergies. In Catalonia, we are using a 2FA solution based on mobile called idCAT Mòbil. In Spain, there is a similar system called Cl@ve pin. Both are excellent solutions, but they currently can only be used partially in the public sector. Using Mobile Connect, in combination with the government’s solutions, can be a good solution to boost synergies between public and private sector.
- It should follow the latest security recommendations from experts. The latest draft NIST recommendation, which is not approved yet, warns about some risks of sending one-time passwords by SMS and recommends looking for alternatives in the near future. Using a solution like Mobile Connect provides extra security: it sends push notifications based on encrypted SMS.
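The server side of the SMS one-time-password step described above, as an added example that is not code from idCAT Mòbil, Cl@ve or Mobile Connect: it binds the challenge to the enrolled phone and ID number, stores only a salted hash of the code, expires it, and locks it after the same three failed tries the article mentions for the eID card. The digit count, lifetime and attempt limit are constructed values chosen for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed parameters for this illustration (not values from any real deployment)
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # a code is only valid for five minutes
MAX_ATTEMPTS = 3           # lock the challenge after three wrong codes


class OtpChallenge:
    """Server-side state for one SMS one-time-password challenge."""

    def __init__(self, phone_number, id_number, now=None):
        # Both values were registered during the enrollment step, not typed freely
        self.phone_number = phone_number
        self.id_number = id_number
        self.created = time.time() if now is None else now
        self.attempts = 0
        self.used = False
        # secrets is a CSPRNG; randbelow avoids the modulo bias of random() % 10**n
        self.code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # Persist only a salted hash, so a leaked database does not expose live codes
        self.salt = secrets.token_bytes(16)
        self.code_hash = self._hash(self.code)

    def _hash(self, code):
        return hashlib.sha256(self.salt + code.encode()).digest()

    def sms_text(self):
        # The plain code leaves the server only inside the SMS handed to the operator
        return f"Your access code is {self.code}. It expires in 5 minutes."

    def verify(self, submitted, now=None):
        """Return 'ok', 'expired', 'locked' or 'wrong'. A code can be used once."""
        now = time.time() if now is None else now
        if self.used or self.attempts >= MAX_ATTEMPTS:
            return "locked"
        if now - self.created > OTP_TTL_SECONDS:
            return "expired"
        self.attempts += 1
        # Constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(self._hash(submitted), self.code_hash):
            self.used = True
            return "ok"
        return "locked" if self.attempts >= MAX_ATTEMPTS else "wrong"
```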
Mobile identity: an exciting opportunity
Fostering a digital identity based on mobile, fulfilling all the previous requirements, is an exciting opportunity to increase the digitization index from 30% to 81% or more, and achieve greater benefits for citizens and governments in terms of paperless process savings, time-saving, reducing burden, and providing high-quality public services to citizens.
Digital government transformation is becoming a reality.