Page 47 - Implementation of Secure Authentication Technologies for Digital Financial Services
Notes on the user's identity:

• Before step six, in which the FIDO client requests issuance of the user certificate, the user is assumed to have completed identification through a mechanism such as mobile authentication, an accredited certificate or bank-account authentication. The user's identity is therefore already known at the sixth step.

• The user authenticates with FIDO only after identification has been completed, but the two steps are not tightly coupled. The general scenario is as follows:

1) The user performs the identification procedure defined by the service provider.

2) The user uses the FIDO or K-FIDO service (this is the scope of K-FIDO).

• The authenticator decides where user certificates are stored. KISA recommends secure elements or similarly protected storage such as the platform KeyStore or KeyChain, the USIM, or TrustZone.

7.1.4 Example: Zug eID – Ethereum Blockchain-based Digital ID

Since November 2017 the Swiss city of Zug has been offering blockchain-based digital IDs to all of its 30,000 citizens [17].

The Zug eID consists of three parts. The first is the digital vault, which is part of the mobile app. It contains the actual digital ID in encrypted form; the owner unlocks it biometrically or with a PIN code. The second is the Ethereum blockchain, on which the app creates a unique cryptographic address for its holder. The third is the certification portal used by the officials who check that the applicant is a resident of Zug.

After the applicant's name, address, date of birth, nationality, and passport or ID card number have been verified, this data is digitally signed by the City of Zug, and the signature is stored as a certificate in the citizen's digital vault. Because the City's public key is publicly available on the Ethereum blockchain, anyone who receives an eID from its holder can readily verify its authenticity.

After a successful residency check, the City of Zug, itself a digital identity on the blockchain (albeit one with special privileges), signs the identity contract of the user, for anyone to see and verify on the Internet. The owner of this special identity is the Zug city clerk.

From that moment on, the owner of the eID can use the mobile app to provide identity information. The authenticity of this data can be validated by checking its digital signature on the blockchain.

In the second quarter of 2018 Zug planned to organise a consultation on a specific topic for existing eID holders. Its primary goal was to collect ideas for e-voting based on the new eID.

7.1.5 Example: FIDO Enrolment

The FIDO specifications make an explicit and deliberate decision to separate the "identity proofing" step from the "enrolment" step. The separation allows a more modular architecture in which any identity-proofing technique can be combined with FIDO enrolment, including Alipay, Aadhaar eKYC, existing PKI credentials (such as K-FIDO above) and the various NIST/FIPS levels of assurance (LOAs).

The preferred architecture with FIDO is that strong identity proofing is performed once, after which the proven identity is bound to cryptographically and physically secure credentials.

A complete list of the validation steps can be found in the WebAuthn specification [9]. Assuming the checks pass, the server stores the new public key associated with the user's account for future use: each time the user later authenticates, the server verifies the authenticator's signature with this stored key.