Mobile identity: a promising approach for governments and enterprises alike

[English version only] More than a billion electronic documents, such as eID cards with contactless functionality, have been deployed around the world. ABI Research reports that more than 500 million NFC-enabled mobile handsets will be shipped in 2014. The fact that NFC-enabled mobile devices can interact with contactless identification documents (NFC-based Mobile ID) paves the way for innovative and secure services in the governmental and private sectors. This article provides an overview of the basics of NFC-based Mobile ID, its use cases, the required technology, and trends in the Mobile ID market.

By Josef Haid, Infineon Technologies AG

What is the idea behind Mobile ID? The term itself gives a rough idea of the concept: a mobile device of any form factor (mobile phone, tablet, or laptop) is used to perform an operation based on the information of an individual person, i.e. electronic identification. The main difference between implementations of this idea is where the credentials (e.g. name, date of birth) are stored and how they can be retrieved. Two basic concepts of Mobile ID can be distinguished:
• Credentials and security functions are stored on the mobile phone. They can either be physically located on the removable UICC (‘SIM card’) or on an embedded secure element soldered within the mobile device.
• Credentials and security functions are stored on a contactless ID card and are accessed via contactless NFC interface.
Which of the two approaches is chosen depends on the requirements and the environmental conditions in the different countries around the world. Both have in common that the individual's credentials (e.g. fingerprints) and secrets (e.g. keys) do not leave the certified secure element, whether that is the UICC, an embedded secure element, or the chip of the eID card, so they are never disclosed to the mobile phone's application processor. By its nature this solution benefits from hardware-based security, as most eID cards use certified security controllers. This article focuses on the possibilities of NFC-based Mobile ID, as it has recently gained much attention around the globe.

The possibilities of NFC-based Mobile ID

Obviously, the mobile phone and its user are the central elements of Mobile ID use cases. The user downloads a mobile application onto the mobile device. To initiate the service, the user starts the application and selects the service to be performed, for instance signing a document digitally. The application requires certain credentials and secure functions to perform the task. All required functions and data are either provided by the contactless ID card or performed in collaboration with a background system. In the extreme case the mobile device acts only as the user interface, while the function is performed entirely by the ID card and the background system. During the transaction, the user presents the contactless ID card to the mobile device on request. The mobile phone now works in reader mode, i.e. it acts like any contactless reader running a reader application. The security function is then performed: for instance, the ID card digitally signs the document or a strong authentication is carried out. After the security function has finished, the data is sent back to the phone and/or to the background system. The application on the phone then closes and the eID card can be removed.

NFC-based Mobile ID is enabled by the increasing popularity of contactless ID cards within the population. In past years, most Mobile ID systems were based on UICC approaches for practical reasons: the deployment of NFC-enabled mobile phones was simply too low to reach a significant portion of the population. Examples of UICC-based systems can be found in Estonia (Mobile ID) and Finland (Valimo Mobile ID).
The growing penetration of NFC-enabled phones, together with the growing number of contactless ID cards, has already changed this situation. Governments around the world are starting to consider Mobile ID services in order to simplify public-sector processes for their citizens. Furthermore, there are ideas to offer Mobile ID to private-sector services. One example: a company could offer its employees the possibility to electronically sign internal documents using their contactless identification document. To integrate this functionality, the application on the mobile phone can be extended with a ready-to-use service offered by a government.
The growing attention on the large potential of the Mobile ID market is obvious at the many mobile industry conferences, trade shows and events around the world. One of the basic ideas, which is already being demonstrated in various products, is to transfer the processes that exist today on a PC combined with a contactless reader to NFC-enabled phones. This straightforward approach does not require the design of new contactless identification cards, yet it broadens the number of potential users of Mobile ID services.
It can also be observed in the market that mobile phones are considered an attractive alternative to dedicated contactless readers. In this case the mobile phone is connected to a governmental background system and performs the desired action, e.g. the identification of a cardholder. A number of freely available applications can already read out contactless cards; in the government identification segment, several NFC-based ePassport readers are available.

What kinds of application scenarios are attractive and realistic?

[Figure: Mobile ID via NFC]

One possible use case is strong authentication using NFC-enabled Mobile IDs. Services provided over networks require a strong authentication mechanism for the user to prevent misuse and digital fraud. Authentication can be done in several ways, e.g. via user name, password, fingerprint, and/or secure physical tokens. The NFC-enabled eID card can serve as a secure token that communicates conveniently with the mobile device. In this case the eID card is an extension of the typical user name/password authentication and an alternative to dedicated physical tokens. The principle described is two-factor authentication: combining "something I know" (e.g. password, user name, PIN) with a second factor, "something I have" (e.g. the eID card). This type of strong authentication is already used in many eGovernment applications, often still based on the contact interface of a smart card. ID cards support secure authentication towards several eServices, e.g. tax declaration systems, as well as private/commercial accounts, e.g. banking systems, in several countries (e.g. the eCard in Austria and the national eID card (nPA) in Germany). It is expected that a growing number of contactless eID cards will be able to provide the strong authentication function together with an NFC-enabled phone. A practical factor limiting the use of this authentication functionality has been the relatively small number of smart card readers in the population. In the NFC-enabled Mobile ID use case the mobile phone acts as the smart card reader, thus overcoming this limitation.

Another use case is signing documents using the NFC interface. Document signature in the governmental and private sectors is one of the most attractive use cases for NFC-based Mobile ID. Documents to be signed include legal contracts and income tax statements, but also documents of everyday life such as registering the kids for kindergarten activities. In this use case, the eID card is presented to the phone and a secure channel is established between card and phone. In a second step a secure channel to the background system is established, enabling secure exchange of data between phone, card, and background system. In a third step the background system checks the authenticity of the eID card by means of strong authentication. After successful authentication, the card electronically signs the document (in practice the card signs a cryptographic hash of the document, which the phone computes; the document itself never has to pass over the contactless interface) and returns the signature to the mobile phone. Finally, the card can be removed from the phone and the process is finished. Exploiting the possibilities of mobile devices, the signed document can then be sent by e-mail to the desired addressee. The described use case combines the hardware-based security of the eID card with the convenience of contactless technology.
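The two use cases above, the challenge-response authentication and the document signature, modelled end to end as an added example. This is not Infineon's code and not the command set of any real eID card: the card, the phone and the background system are plain Go types in one process, Ed25519 stands in for whatever signature scheme a real card implements, the PIN check and the secure channel over NFC are reduced to a locked/unlocked flag on the card (a real card also enforces a retry counter and secure messaging on the contactless interface, which this model leaves out), and the card ID, PIN and document are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// tagged domain-separates messages so an authentication response can never double as a document signature.
func tagged(tag string, msg []byte) []byte { return append([]byte(tag), msg...) }

// EIDCard stands in for the contactless eID card: the private key is generated inside and never leaves it.
type EIDCard struct {
	ID    string
	pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	pin   string // constructed sample PIN; a real card would also keep a retry counter
	pinOK bool   // unlocked state, lost when the card leaves the reader field
}

func NewEIDCard(id, pin string) *EIDCard {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &EIDCard{ID: id, pub: pub, priv: priv, pin: pin}
}

// VerifyPIN supplies the "something I know" factor and unlocks the card for this session.
func (c *EIDCard) VerifyPIN(pin string) bool { c.pinOK = pin == c.pin; return c.pinOK }

// sign is the only operation that touches the private key; it is refused while the card is locked.
func (c *EIDCard) sign(tag string, msg []byte) ([]byte, error) {
	if !c.pinOK {
		return nil, errors.New("card: PIN not verified")
	}
	return ed25519.Sign(c.priv, tagged(tag, msg)), nil
}

// Authenticate proves possession ("something I have") by signing a fresh challenge;
// SignHash signs a SHA-256 document hash, so the card never needs the document itself.
func (c *EIDCard) Authenticate(challenge []byte) ([]byte, error) { return c.sign("auth:", challenge) }
func (c *EIDCard) SignHash(hash []byte) ([]byte, error)          { return c.sign("doc:", hash) }

// BackgroundSystem is the backend: card ID -> enrolled public key, the only key material a card exports.
type BackgroundSystem map[string]ed25519.PublicKey

func (b BackgroundSystem) Enroll(card *EIDCard) { b[card.ID] = card.pub }

// Challenge returns a random nonce so that a captured response cannot be replayed.
func (b BackgroundSystem) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}

// Verify checks a signature against the enrolled key; unknown cards are rejected outright.
func (b BackgroundSystem) Verify(cardID string, msg, sig []byte) error {
	pub, ok := b[cardID]
	if !ok {
		return fmt.Errorf("backend: card %q is not enrolled", cardID)
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("backend: signature check failed")
	}
	return nil
}

// VerifySignature is what any recipient of the signed document runs.
func (b BackgroundSystem) VerifySignature(cardID string, doc, sig []byte) error {
	h := sha256.Sum256(doc)
	return b.Verify(cardID, tagged("doc:", h[:]), sig)
}

// SignDocument is the phone's part of the flow: it hashes, relays and reports, and keeps no secrets.
func SignDocument(card *EIDCard, backend BackgroundSystem, pin string, doc []byte) ([]byte, error) {
	defer func() { card.pinOK = false }() // the card is removed from the field when we are done
	card.VerifyPIN(pin)                   // a wrong PIN leaves the card locked; the calls below then fail
	challenge := backend.Challenge()
	response, err := card.Authenticate(challenge)
	if err != nil {
		return nil, err
	}
	if err := backend.Verify(card.ID, tagged("auth:", challenge), response); err != nil {
		return nil, err
	}
	h := sha256.Sum256(doc)
	return card.SignHash(h[:])
}

func main() {
	card, backend := NewEIDCard("card-001", "1234"), BackgroundSystem{} // constructed sample card and backend
	backend.Enroll(card)
	doc := []byte("Kindergarten registration form") // constructed sample document
	sig, err := SignDocument(card, backend, "1234", doc)
	fmt.Println("signed:", err == nil, "verified:", backend.VerifySignature("card-001", doc, sig) == nil)
}
```

Two details carry the security argument of the article. The phone only ever sees a challenge, a hash and signatures, so compromising the reader application yields no key material; and the card signs challenges and document hashes under different domain tags, so a background system cannot pass a document hash off as an authentication challenge and obtain a signature the cardholder never intended to make.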

Remaining challenges

So, with demand for Mobile ID solutions in the market and an increase in NFC-enabled mobile devices, what technical challenges remain? As is so often the case, it is a matter of standards and interoperability. Despite the availability of NFC-enabled phones, not all specifications have been finally released and tested yet. This implies that NFC-enabled devices may show different contactless behaviour, which results in a heterogeneous NFC infrastructure and undesired interoperability issues between smart cards and mobile phones. The challenge for contactless smart card IC vendors is to provide interoperable products beyond the functionality described in ISO/IEC 14443, and even beyond the NFC Forum specifications. Further challenges are multi-application scenarios, i.e. combining several applications on one eID card, such as a secure transport application with governmental services. In order to be independent of any proprietary solution that is not available on all NFC-enabled devices, an open standard is the best choice. The CIPURSE™ standard, developed by the OSPT (Open Standard for Public Transport) Alliance, fulfills these basic requirements.

The strength of the NFC-based Mobile ID approach is the seamless combination of intuitive usability via NFC with the security of a contactless, security-certified eID card. The large deployment of more than a billion contactless ID cards, combined with the availability of more than 500 million NFC-enabled mobile devices in 2014, opens up a completely new space for innovative, customer-centric services and applications. It is expected that Mobile ID will change the landscape of governmental services on mobile devices in the next few years not just incrementally but fundamentally. One important step will be interoperability between NFC-enabled mobile devices and contactless documents, most of which are designed with respect to ISO/IEC 14443. This is already being addressed in all relevant standardization and specification bodies. The challenge for contactless smart card IC vendors is to enable interoperability within the known ISO/IEC standards, the NFC Forum specifications, the installed contactless infrastructure, and mobile phones. The use cases described in this article, strong authentication and electronic signature, show the high attractiveness of NFC-enabled Mobile ID. The advantage of combining hardware-based security on eID cards with the convenience of contactless technology makes NFC-based Mobile ID a promising approach for use in the governmental and private sectors.

See also www.infineon.com/nfc
Dr. Josef Haid, Principal Technical Marketing, Infineon Technologies AG
Since 2011 Dr. Josef Haid has been responsible for the definition of high-security controllers for future e-Government applications at Infineon Technologies AG. He joined Infineon's Chip Card & Security division in 2004. His focus lies on smart card technologies for contactless applications such as Very High Bit Rates (VHBR) and NFC.

© 2015 Strategies Telecoms & Multimedia