Recently the UAE Government announced its intention to deliver all government services through smartphones and devices under a scheme named ‘Smart Government’.
Here, Dr Ali Al-Khouri, Director General of Emirates Identity Authority, outlines his views on identity management in the age of mobilification and how the UAE is embracing this trend to further the benefits to its citizens in terms of digital economy development.
In light of the staggering evolution of mobile technologies, the concept of mobility is gaining more attention worldwide. Recent statistics demonstrate mobile channels’ increasing significance in outreach and service delivery. However, governments and businesses face a challenge in reaping the benefits of mobile platforms: how to confirm the authenticity of mobile users and transactions. Mobile devices, by design, are well suited for enabling authentication and digital signing services, similar to traditional PC and laptop environments. But although various implementations support different authentication schemes, they still do not instill sufficient levels of trust and confidence. In light of this, a solution framework has been adopted in the United Arab Emirates (UAE) to address recently launched mobile government transformation initiatives.
The Emirates Government recently announced its intention to deliver all government services through smartphones and devices under a scheme named ‘Smart Government’. The scheme is an extension of the e-Transformation path of government services that work twenty-four hours and operate as a ‘one mobile stop shop’. All government agencies are now mobilifying, developing mobile apps and enabling mobile payments to process government fees. However, the biggest challenge government agencies face remains the identification and authentication of individuals in mobile environments.
The current and widely used authentication approach is still based on usernames and passwords. All mobile phone users in the UAE need to register their SIM cards with National IDs under a scheme called ‘My Number, My Identity’. This registration transforms a default ‘unauthorized device’ into a registered authorized device. Mobile phone and smart device users are prompted to set a PIN during the registration process for logon. Although the basis of ‘Authorized-Device-Authenticated-User’ (AUAD) has been met, the overall approach is still not considered robust in digital security. The UAE is therefore using its existing identity management infrastructure to heighten the security levels in mobile platforms. That infrastructure is based on sophisticated technologies such as NFC-enabled smart cards, biometrics, and public key infrastructure. The infrastructure is designed to support both national security and digital economy development.
Digital identity
As such, the UAE smart identity card comes with a complete digital identity profile, and current infrastructure supports digital identification and authentication of identities through desktops and laptops equipped with smart card readers. The government is now mobilifying its existing identity card features by extending the digital profile to the mobile ecosystem. Figure xx illustrates the advanced features of UAE identity cards. All these features—the use of multi-factor authentication with mobile phones, and PKI-enabled security levels of confidentiality, integrity, and non-repudiation—have yielded successful test results.
Besides, the UAE has set up a national validation gateway to provide online, real-time identification and authentication services to ID card-based transactions. So in principle, the digital and mobile identity involves the use of a national gateway to provide more secure, online, real-time validation, verification and authentication of credentials: card, transaction, and holder genuineness.
In the ‘card present’ scenario, the digital ID credentials provide the perfect identification and authentication tools for both in-band and out-of-band modes. A mobile device can read the card using contact or contactless interfaces. Thus, whether the device is a phone, tablet, mobile PC, or handheld terminal, if it can read the card, the gateway validates the ID online.
This thus does not warrant any further identity or device registration process in the future. The ‘card genuine’ check and data integrity check authenticate the identity, and the gateway provides the authentication response to the service provider with the Government Issuing Authority’s digital signature. The digital signature certificates in the card, accessible by PIN, allow any transaction. The validation gateway thus provides multiple authentication mechanisms.
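The service-provider side of the signed authentication response described above, as an added example that is not part of the original article and does not reproduce the UAE gateway's actual interface. The field names, the nonce, the 120-second freshness window and the demo key are assumptions, and HMAC-SHA256 stands in for the Issuing Authority's PKI signature so the code runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key; HMAC-SHA256 stands in for the authority's PKI signature.
AUTHORITY_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_AGE_SECONDS = 120  # assumed freshness window for a gateway response

def canonical(body: dict) -> bytes:
    """Serialize the response body deterministically before signing or verifying."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def gateway_sign(body: dict) -> dict:
    """Gateway side (hypothetical): attach the authority's signature to a response."""
    sig = hmac.new(AUTHORITY_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}

def verify_response(resp: dict, expected_nonce: str, transaction: bytes, now: float) -> str:
    """Service-provider side: return 'ok' or the reason the response is rejected."""
    body = resp.get("body")
    if not isinstance(body, dict):
        return "malformed"
    expected = hmac.new(AUTHORITY_KEY, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(resp.get("signature", ""))):
        return "bad signature"
    if body.get("nonce") != expected_nonce:  # response was issued for another session
        return "nonce mismatch (replayed response)"
    issued = body.get("issued_at")
    if not isinstance(issued, (int, float)) or not 0 <= now - issued <= MAX_AGE_SECONDS:
        return "stale response"
    if body.get("txn_sha256") != hashlib.sha256(transaction).hexdigest():
        return "response not bound to this transaction"
    if not (body.get("card_genuine") and body.get("holder_verified")):
        return "card or holder check failed"
    return "ok"

def demo() -> list:
    txn = b"pay fee 150 AED, reference CONSTRUCTED-001"  # constructed sample
    body = {"nonce": "n-1", "issued_at": 1000.0, "card_genuine": True,
            "holder_verified": True, "txn_sha256": hashlib.sha256(txn).hexdigest()}
    good = gateway_sign(body)
    tampered = {"body": dict(body, nonce="n-2"), "signature": good["signature"]}
    return [
        verify_response(good, "n-1", txn, 1030.0),                  # accepted
        verify_response(good, "n-2", txn, 1030.0),                  # replayed
        verify_response(good, "n-1", b"pay fee 9000 AED", 1030.0),  # wrong txn
        verify_response(tampered, "n-2", txn, 1030.0),              # body edited
        verify_response(good, "n-1", txn, 2000.0),                  # too old
    ]
```

The order of checks matters: nothing in the body is trusted until the signature over its canonical form has verified.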
In simple terms, users typically need to download onto their smartphones or mobile devices a government mobile app with NFC reading capability—either built-in or as external plug-in hardware. Users will need to tap their card only when authentication is required, and the phone will act as a secure element that will interface with the validation gateway. The above design supports the ‘card present’ scenario and provides maximum trust for mobile identities. However, the government comprehends that in the ‘card not present’ scenario, ID services need to be just as strong and secure. Subsequently, an identity authentication platform that accords these services using the national identity management infrastructure brings true mobilification of the digital identity.
True mobility
In the case of the ID card’s absence, the challenge is to find additional proxies that serve the real ID as efficiently and effectively. Considering that true mobility goes beyond phones with SIM cards, the ID authentication platform should be able to provide the ID verification and authentication services independent of the devices.
A mobile phone of course serves the purpose of a secure mobile digital ID proxy if the SIM/UICC registration is done in conjunction with the national ID card. Thus for every SIM issued, there needs to be at least a one-to-one (1:1) correlation of the SIM with the national ID card. It could then be extended to accord an n:1 correlation of the SIM with the national ID card (with multiple SIM cards issued to a given national ID).
The national ID credentials set is planned to further expand to provide:
1. IVR credentials, by enabling registration with a T-PIN;
2. an SMS-based credential set, by enabling the registration to an SMS-with a registered phone;
3. a USSD-based credential set by enabling the registration to an SMS-;
4. biometric credentials, including voice and face recognition; and
5. a call-in (call-back) facility for ID verification and authentication.
UICC is the same as the smart chip used in national smart ID cards today and will support mobility as per the GSM Association of mobile operators. UICC is expected to help identify the user and the application. It has on-board processing capabilities and thus can carry applets and run algorithms. It can communicate using Internet Protocol (IP), the same standard used in the Internet and the new generation of wireless networks. It can also support multiple PIN codes, which better protect one’s digital profile and personal information.
Major new developments in electronic ID regulation are also taking place in the UAE. A digital identity and electronic signature (e-Identification, eAuthentication and eSignature) framework is under review by a federal committee. The legal framework is designed to support building trust in digital environments and interactions, and to support the transformation of government services by leveraging the national identity management infrastructure.
Cross-border interoperability
That structure will play a critical role in enabling secure and seamless electronic transactions between businesses, citizens, and administrations, thereby improving public and private electronic services, e-business and e-commerce. Additionally, the overall framework provides cross-border interoperability of stronger forms of identification and authentication, such as eID. All in all, its e-authentication platform and legal framework show the UAE government plans on more stringent rules for service providers, in terms of security, data protection, and overall trust requirements.
Although technological advances may substantially improve some aspect of an agency’s operations, be it a government or a business, they can also create their own set of challenges that must be addressed to achieve the intended benefits. As such, they are double-edged swords. The ever-changing expectations of communication options with government agencies and businesses will continue to create a need for a more tightly integrated experience across various heterogeneous digital channels.
Emerging mobile technologies, access, and capabilities will regenerate citizens’ expectations for immediate and self-service experiences. Amid all this, governments need to develop digital mobility strategies and put in place action plans to ensure that they are not left behind. Indeed, the future impact of mobile devices on fields such as insurance, banking, education, training, and healthcare can only be guessed.
Establishing trust should be the heart of such plans. Trust is crucial to electronic interactions between users, governments, and the private sector. Governments need to work beyond simple username/password schemes, and provide stronger authentication methods that support security, privacy, and safety in online environments. Building trust in online and mobile environments is critical to the growth of digital identity services and digital economies as a whole, and should become a preoccupation of governments and regulators around the world.
Governments need to understand that today’s digital ecosystem is dramatically different from what it was a few years ago. To protect citizens in cyberspace, all players—governments, network operators, device manufacturers and application/content developers—must work together. Identification and authentication issues will, in our opinion, remain a barrier, hindering the full potential of the digital (mobile) economy. Unless we have a complete ID authentication architecture, it is practically impossible to prevent masquerades and identity thefts, abuse of the digital ID proxy and fraudulent transactions. Two basic questions will always need to be asked when evaluating any mobile ID solution: how do we ensure that the identity is authentic and how do we prove that the transaction is genuine?
m-Government transformation
The UAE’s national validation gateway extension is fundamental for true m-government transformation. The UAE mobile identity authentication architecture provides robust and reliable mechanisms to authenticate mobile identities and pave the way for revolutionary mobilified business models.
We foresee that modern national identity programs, which are becoming more prevalent around the world, will serve the purpose of mobile identity best. Governments have been working eagerly to address cyberspace’s challenges and exploit its potential, but success is very limited. To make a true quantum leap, practitioners need to move out of their comfort zones to examine digital transformation needs. Such examination should take into account overall political, economic, societal, technical, legal and environmental dimensions.