Dealing with bureaucracy has always been frustrating for citizens. They simply don’t want to wait in a queue to resolve government-related matters, and they want to get their official documents just as they get books or music — digitally. But as many European governments digitalise their services, one big question arises: How do they reliably identify and verify citizens so as to provide them with safe and efficient access to public services?
Slovakia is an interesting example of providing both convenience and security to its citizens. To do this, the country implemented an electronic identification card (eID), a technologically advanced and safer version of a standard ID card, which all citizens can use to access public services, as well as obtain and submit official documents electronically. And their personal data is safer than ever.
The journey to the eID
After joining the European Union, the Slovakian government decided to transform into a digital government that would offer e-services and use digital channels to communicate with citizens and businesses. A provider offering e-services needs to be able to verify the identity of the people with whom it is communicating. The service provider needs a dependable authentication method to ensure that the person on the other side is who they claim to be, while allowing citizens to control their consent to the use of their personal data.
The Slovakian eID card does that. It’s multifunctional; it can be used for identification, multifactor authentication and even authorization by qualified electronic signature. The eID card is the main government authenticator used for accessing any electronic public service. The card has an embedded contact chip that provides a high level of security for electronically stored personal data, and the visible data on the card is laser engraved. An Extended Access Control (EAC) mechanism makes the card much safer than, and superior to, standard eID card solutions. The card is personalised in the National Personalisation Center, a new facility equipped with modern technology, infrastructure and an information system for the centralised personalisation of all official documents.
How does it work?
The user’s personal data is safely stored on the certified security chip of the card. Accessing the data requires the consent of the card holder and an authorisation certificate from the service provider (public agency, bank). When using e-services, the holder has to provide a 6-digit personal identification number (PIN) to allow access to his or her personal data. The service provider also has to authenticate itself by providing an authorisation certificate issued by the Ministry of Internal Affairs. During this process, the EAC mechanism conducts authentication procedures to verify the authenticity of both sides.
The card is compliant with the European Union’s General Data Protection Regulation (GDPR). Citizens can see in advance what kind of data the provider requires to process their request and can choose to allow access only to that specific personal data. It’s a safe environment where citizens always have control over their personal data.
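The access decision described above, as an added example that is not part of the original article or of the Slovak eID software: a simplified Python model in which data is released only if the provider's authorisation certificate is accepted, the holder enters the PIN, and each field is requested, covered by the certificate and approved by the holder. It models the policy only, not EAC's cryptography; all class names, field names and sample values are constructed assumptions.

```python
import hmac
from dataclasses import dataclass
from datetime import date

# Assumption: the issuer is compared as a plain string here; a real card
# verifies the certificate cryptographically.
TRUSTED_ISSUER = "Ministry of Internal Affairs"

@dataclass(frozen=True)
class AuthorisationCertificate:
    holder: str                 # service provider (public agency, bank)
    issuer: str
    valid_until: date
    allowed_fields: frozenset   # fields this provider may ever read

def release_fields(card_data, card_pin, cert, requested, consented,
                   entered_pin, today):
    """Return only the fields that pass every gate described in the text."""
    # Gate 1: the provider authenticates with its authorisation certificate.
    if cert.issuer != TRUSTED_ISSUER or today > cert.valid_until:
        raise PermissionError("provider authorisation certificate rejected")
    # Gate 2: the holder consents by entering the 6-digit PIN.
    pin_ok = (len(entered_pin) == 6 and entered_pin.isascii()
              and entered_pin.isdigit()
              and hmac.compare_digest(entered_pin, card_pin))
    if not pin_ok:
        raise PermissionError("holder PIN rejected")
    # Gate 3: requested AND covered by the certificate AND approved by holder.
    granted = set(requested) & cert.allowed_fields & set(consented)
    return {name: card_data[name] for name in sorted(granted) if name in card_data}

# Constructed sample data (not real card contents).
CARD = {"name": "Jana Example", "birth_date": "1985-04-12",
        "address": "Bratislava", "birth_number": "000000/0000"}
PIN = "493817"
BANK_CERT = AuthorisationCertificate(
    "Example Bank", TRUSTED_ISSUER, date(2030, 1, 1),
    frozenset({"name", "birth_date", "address"}))

def demo():
    # The bank asks for more than its certificate covers; the holder approves
    # only part of the request. Only the overlap of all three is released.
    return release_fields(CARD, PIN, BANK_CERT,
                          requested={"name", "address", "birth_number"},
                          consented={"name", "birth_number"},
                          entered_pin=PIN, today=date(2025, 6, 1))
```

In `demo()`, `birth_number` stays on the card even though the holder ticked it, because the provider's certificate does not cover that field.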
Citizens can use the card to automatically fill out personal data in the e-forms for various public services and file tax reports, register new companies, apply for social benefits, or even apply for a new eID card. It saves time and costs for both citizens and public agencies. Citizens don’t have to wait in public offices, and the agencies don’t have to deal with overwhelming lines of clients and paperwork.
The eID is also used as an e-health card and is available to use for commercial services. It can be used in the financial sector for strong client authentication and electronic banking services, such as opening bank accounts or requesting loans online without a physical presence. The card can help prevent internal banking fraud, because transactions can’t be completed without the personal PIN.
Gaining wider citizen acceptance of eID cards always takes some time, but Slovakia has seen great results. In 2013-2014, about 30,000 to 40,000 authentications for e-services were performed per month, while now there are more than 600,000 authentications per month. Slovakia is also trying to motivate citizens and businesses to use the eID and e-services by reducing fees. For example, registering a new company online costs 50 per cent less than doing it in person.
Nonetheless, implementing the eID scheme is a challenging process. Governments need to educate citizens and communicate the features and use of the card in a very clear manner. To make progress according to a government’s digital agenda, we recommend that activation of the card for authentication purposes be mandatory. Some other key challenges and topics for consideration are:
- Orchestration. eID projects are complex in scope. Governments need to find reliable and experienced partners, since the process requires integration of a number of systems and infrastructures – existing ones with new ones built for the eID project – as well as the synchronisation of various stakeholders. If the project is financed by the European Union, expect strict supervision and administrative procedures.
- Safety and security. Pay attention to the safety features and be alert at all times. Even the most secure and certified products may include potential undetected weaknesses, despite evaluations done by renowned testing laboratories.
- Don’t use authorisation by electronic signatures for authentication purposes. The EU regulation eIDAS (a regulation on electronic identification and trust services) forbids doing so based on recommendations by the EU Agency for Network and Information Security (ENISA).
- Have alternate authentication means available. If citizens face any issue with one authenticator, another one should let them continue to use the service. For example, use mobile electronic identity as an alternate authentication method alongside the eID card.
The Slovakian case shows that citizens will be more open to using the eID card if they are offered greater possibilities with it. Be sure to communicate with the commercial sector: banks, mobile operators, utility companies. Look for mutual interests and possible synergies, and make sure citizens can use the card for these services. The more public and commercial services citizens can use the card for, the greater the value of the eID card and a government’s investment in it.