Page 49 - ITU-T Focus Group Digital Financial Services – Technology, innovation and competition
• state-issued eID architecture,
• brokered IDP architecture,
• brokered credential service provider architecture,
• personal IDP architecture,
• no IDP architecture.
The ordering of the subsections embodies a hierarchy of consumer control and privacy. This ranges from
consumers having relatively low levels of control over how their data is used in the monolithic IDP model to
ultimate control in the no IDP architecture.
The intricacies of these architectures are presented in Appendix A.
2.5 Types of digital identity
2.5.1 Conventional / static
Conventional approaches to digital identity have generally revolved around the creation of a static digital
identity, hosted in a token such as a smart card. This approach is taken in the rollout of many national eID
schemes and in conventional KYC processes.
State eIDs are normally issued in order to provide access to government services. They can also serve as
official documents providing access to other services, such as KYC for financial services. As a consequence,
these identities are high value and, if compromised, could potentially be used to enable fraud, so they become
targets for attack.
The majority of state eID systems start off with the issuance of a smart card. This is a static technology that
does not integrate well with Internet-based services, because it needs an additional, trusted interface device:
a card reader. (This need can be obviated by pairing a contactless smart card with a near field communication
(NFC)-capable smart phone, but this is not currently a mass market solution.) Similarly, for PC-based online
access, it has been necessary to provide the user with an expensive reader in order to use the smart card.
Consequently, eIDs are often not integrated as widely into third party services as had been intended.
Identifiers may or may not be linkable. Austria’s Citizen Card is an example of best practice in this regard,⁸
as the card carries multiple sector-specific identities, derived from the government-issued identity number
and individually cryptographically protected. This greatly enhances privacy, as it prevents the matching of
individuals across their use of multiple services, whilst also enabling the simple revocation and replacement
of encrypted identifiers in case of fraud.
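As an added illustration (not part of this report, and not the Citizen Card's actual derivation algorithm), the following Python derives one pseudonymous identifier per sector from a single base identity number using a per-sector HMAC key. It shows the three properties the paragraph describes: the identifier is stable within a sector, identifiers for different sectors cannot be matched against each other, and rotating a sector's key replaces only that sector's identifiers. The base number and keys are constructed values.

```python
import hmac
import hashlib
import secrets

# Constructed example: an illustrative sector-specific pseudonym scheme.
# The base identity number and the sector keys below are made up.


def derive_sector_id(base_id: str, sector: str, sector_key: bytes) -> str:
    """Derive a sector-specific identifier from a base identity number.

    The derivation is a keyed one-way function: without the sector key a
    relying party can neither recover the base number nor recompute the
    identifier another sector would see for the same person.
    """
    msg = f"{sector}:{base_id}".encode()
    return hmac.new(sector_key, msg, hashlib.sha256).hexdigest()


def can_link(id_a: str, id_b: str) -> bool:
    """A relying party can only match two records by comparing identifiers."""
    return hmac.compare_digest(id_a, id_b)


def demo() -> dict:
    base_id = "1234567890"  # constructed base identity number
    keys = {"health": secrets.token_bytes(32), "tax": secrets.token_bytes(32)}

    health_id = derive_sector_id(base_id, "health", keys["health"])
    tax_id = derive_sector_id(base_id, "tax", keys["tax"])

    # Same person, same sector, same key: the identifier is stable.
    health_again = derive_sector_id(base_id, "health", keys["health"])

    # Revocation after fraud: rotate the health sector key. The old health
    # identifier no longer matches, while the tax identifier is untouched.
    keys["health"] = secrets.token_bytes(32)
    health_rotated = derive_sector_id(base_id, "health", keys["health"])
    tax_after = derive_sector_id(base_id, "tax", keys["tax"])

    return {
        "stable_within_sector": can_link(health_id, health_again),
        "linkable_across_sectors": can_link(health_id, tax_id),
        "old_id_valid_after_rotation": can_link(health_id, health_rotated),
        "other_sector_unaffected": can_link(tax_id, tax_after),
    }
```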
In contrast, “smart” identifiers, where the identifier includes personal information (such as the UK driving
licence number which includes part of the citizen’s name and date of birth), clearly enable both disclosure
of personal information and linkability. So, there are clear privacy issues with smart numbers, particularly if a
person’s date of birth is used as part of the security checks for other services.
8 http://www.buergerkarte.at