Digital identification learning from traditional identifications (part 1: road traveled)

The evolution of digital identification

For several decades in the digital world, we have used a separate identification for each system, portal or digital service, usually a combination of a username and a password. Unlike with traditional identifications, in the digital world both identification and identity verification are necessary, since we are not present to prove that it is indeed us and that we are alive! Identification and verification combined are known as authentication, and the act of authenticating is also known as "login". In short, people have credentials that allow us to identify ourselves and enter computer systems to access personal information. Digital identification is an essential and extremely critical component, since it is the border between the public digital world and our personal data and services.

Outside the digital world, we obtain our national identification (ID, ID card, etc.) in a recognized organization and use it in many public and private places. The same goes for the passport that we use at all borders. In this way, we have a reduced set of identifications issued by recognized organizations, which are trusted by an entire ecosystem composed of multiple public and private organizations as the case may be.

For several years now, digital IDs have been evolving towards a behavior similar to that of physical IDs. Various digital services on the Internet began to integrate identification providers and, similarly, large holders of user credentials began to position themselves as providers of digital IDs. Today it is possible to log in to Spotify, Booking and many other digital portals and services using a Google, Apple, LinkedIn or Facebook account (ID), among others.

This trend, where digital IDs are approaching the behavior of traditional IDs, simplifies and reduces risks in the digital world. We can have a smaller number of more secure identifications and use them in multiple digital services. The following image illustrates some examples:

Not all ID providers have the characteristics needed for use in sectors that manage highly sensitive information, such as health, the financial sector or the state. In less sensitive sectors, if we log in to a service such as Spotify with a Google account that does not identify us (for example "pepe@gmail.com") but we enter a valid means of payment, Spotify will enable its contents for us, since it does not really care which person is behind "pepe@gmail.com". This is not possible in many cases where information that is confidential or sensitive for the user is managed.

Some countries, mainly in the public sector, have been building an ecosystem for a few years with identification providers that meet certain conditions suitable for use in the public sector. It is necessary to develop strategies, regulatory frameworks, standards and requirements that ensure that digital IDs will be suitable for digital ecosystem services, as is the case with traditional or physical ID providers (ID, Identity Card, Passport, etc.).

 

Ecosystem at the national level

In many countries, digital ID services are being developed in which each person uses a single username/password to identify themselves digitally to many digital services, known in some countries as a "single account". In Uruguay and Brazil, inspired by the regulatory framework and the good practices promoted by the European Union, progress was made towards another level in this regard. That is how digital ID brokers were born in the region.

A digital ID broker is a platform that is positioned between digital systems and digital ID providers. On the one hand, it integrates digital ID providers suitable for its ecosystem. On the other hand, it is integrated into digital services (online procedures, portals, state management systems, etc.) that inherit the entire digital identification ecosystem. The following diagram illustrates this situation in simplified form:

A citizen who needs to access a service in the digital ecosystem chooses an identification provider through the broker, identifies digitally with that provider and returns to the service, where they access their personal information. The services delegate the digital identification (or authentication) of people to the providers integrated into the broker. In this way, the digital identification of people is unique for the entire ecosystem, as happens with traditional identifications. Access control is defined specifically by each digital service, depending on the profile or role of the person who identified themselves and the level of trust of the identification they used, in the same way as in our non-digital life.

In Uruguay, the broker ID Uruguay [i] has been in operation since 2018 and currently has 4 digital identification providers regulated by the Electronic Certification Unit [ii] that manage three levels of trust or security in digital identification [iii]:

  • Basic: A user who registered online, validated the account from his email and the system performed some simple checks, but there are no guarantees that the person is who he claims to be since his identity was not validated. When he identifies himself digitally (authenticates) he uses his username and a strong password.
  • Intermediate: A user who was initially basic and validated their identification by some enabled means (in person, by video call using facial biometrics, or using the digital signature). When they identify themselves digitally, they use their username, a password considered strong and a second authentication factor (an OTP, or one-time password: a one-time code generated by an app on their cell phone or sent to their email).
  • Advanced: A user who registered with a provider in person and whose fingerprint was biometrically validated against the public registry. The registration has an expiration date, so it is necessary to renew it periodically. When the user identifies digitally (authenticates), they do so with a digital certificate recognized by the National Public Key Infrastructure, using the advanced electronic signature for digital identification. According to Uruguayan regulations, this level is considered equivalent to face-to-face identification with the national identity document.
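
As an added illustration (not code from ID Uruguay or from the original article), this sketch shows how a service integrated with a broker could make its own access decision from the role and the trust level of an identification. The `Assertion` fields, factor names, roles and `POLICY` entries are assumptions made for the example; only the three levels and their login factors come from the list above.

```python
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import Optional

class Trust(IntEnum):                 # the three levels listed above
    BASIC = 1
    INTERMEDIATE = 2
    ADVANCED = 3

# Factors each level must have used at login, per the descriptions above.
REQUIRED_FACTORS = {
    Trust.BASIC: {"password"},
    Trust.INTERMEDIATE: {"password", "otp"},
    Trust.ADVANCED: {"certificate"},
}

@dataclass
class Assertion:                      # hypothetical shape of what the broker returns
    subject: str
    level: Trust
    factors: frozenset
    roles: frozenset
    registration_expires: Optional[date] = None   # only set for ADVANCED

# Constructed per-service policy: resource -> (minimum level, required role)
POLICY = {
    "view_public_notices": (Trust.BASIC, "citizen"),
    "view_tax_statement": (Trust.INTERMEDIATE, "citizen"),
    "file_company_return": (Trust.ADVANCED, "company_representative"),
}

def decide(a: Assertion, resource: str, today: date) -> str:
    if resource not in POLICY:
        return "deny:unknown_resource"            # default deny
    min_level, role = POLICY[resource]
    # Reject assertions whose claimed level is not backed by the factors used.
    if not REQUIRED_FACTORS[a.level] <= a.factors:
        return "deny:level_factor_mismatch"
    expiry = a.registration_expires
    if a.level is Trust.ADVANCED and (expiry is None or expiry < today):
        return "deny:registration_expired"        # advanced registrations must be renewed
    if role not in a.roles:
        return "deny:missing_role"
    if a.level < min_level:
        return f"step_up:{min_level.name.lower()}"  # ask for a stronger identification
    return "allow"

# Constructed sample assertion (not real data): a basic-level citizen login.
SAMPLE = Assertion("constructed-user-1", Trust.BASIC, frozenset({"password"}), frozenset({"citizen"}))
```

Returning a step-up result instead of a plain denial lets the service send the person back through the broker to identify at the level the resource requires.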

Currently more than 170 services, portals, public agencies and digital systems are integrated with ID Uruguay [iv], both citizen-oriented and for internal State management. On average, more than 70,000 identifications were made daily on working days during 2024, and since 2023 use of the advanced level has exceeded that of the basic one, achieving more security and confidence in digital identification throughout the ecosystem.

The Directorate General of Taxation (DGI) [v] in Uruguay has always been a key partner for the development of digital government, supporting the strategy promoted by the Agency for Electronic Government and Information and Knowledge Society (AGESIC) [vi] to promote the development of digital government in the country. Digital identification was no exception: from the beginning the DGI supported this initiative, gradually joining the ID Uruguay platform [vii]. By mid-2024, more than 95% of individuals accessing the DGI did so with some ID Uruguay digital identification, and more than 70% of companies also accessed it using the ID Uruguay ecosystem. This decision by the DGI has been key to the development of the ID Uruguay ecosystem. Currently, accesses to the DGI through ID Uruguay are approximately 50% of the total accesses through the ID Uruguay ecosystem.

Brazil has a broker called GOV.br [viii], with the same technical characteristics and with three levels of security: silver (equivalent to the basic), bronze (equivalent to the intermediate) and gold (equivalent to the advanced). The case of GOV.br is interesting not only for its volume (4,500 integrated digital services and 300 million accesses per month), but also because it has managed to include the main local banks as identification providers in its broker.

This implies that a person who has a digital identification in a bank can use it to identify themselves in the public services integrated into GOV.br. This is an excellent example of the use of digital identification through a broker in a public-private ecosystem. Private organizations can act as identification providers, as long as they meet the requirements of the ecosystem, and also as consumers, as the digital services integrated into the broker are.

This new concept of digital identification, where people own their IDs in different providers and use them in multiple public and private organizations, is one of the pillars of Digital Public Infrastructure (DPI), which is promoted by various international organizations and was defined as “a set of shared, secure and interoperable digital systems, built on open technologies, to offer equitable access to public and/or private services at a social scale” by the G20 leaders in 2023 [ix].

 

More secure national identification ecosystem

A broker is a critical part of a digital identification ecosystem in a country, but through its regulation it must demand controls and security requirements from integrated digital identification providers. This has a direct impact on the benefit of the entire ecosystem, making digital IDs more secure and dependable.

Likewise, a broker centralizes a large volume of events related to digital IDs at the country level. This makes it easier to develop controls and to integrate the broker with sophisticated security services, including tools based on Artificial Intelligence and/or a Security Operations Center (SOC), that significantly increase the security of digital identification at the country level. This centralization of information is also a rich source of statistics on the use of digital services, which is important information for decision-making, for example for the design of public policies or for economic impact studies such as those on reducing costs and time for all citizens.

 

[i] More information about ID Uruguay: https://www.gub.uy/agencia-gobierno-electronico-sociedad-informacion-conocimiento/id-uruguay

[ii] Portal of the Electronic Certification Unit: https://www.gub.uy/unidad-certificacion-electronica/

[iii] Digital Identification Policy: https://www.gub.uy/unidad-certificacion-electronica/comunicacion/publicaciones/politica-identificacion-digital

[iv] Access to ID Uruguay: https://mi.iduruguay.gub.uy/login

[v] Tax Administration in Uruguay, Directorate General of Taxation: https://www.gub.uy/direccion-general-impositiva/

[vi] The AGESIC Portal: https://www.gub.uy/agencia-gobierno-electronico-sociedad-informacion-conocimiento/

[vii] Promotional video ID Uruguay – DGI (2021): https://www.youtube.com/watch?v=jAvWrZAYA6Q&t=124s

[viii] Access to GOV.br: https://sso.acesso.gov.br/

[ix] Statement of the G20 leaders in New Delhi 2023: https://www.undp.org/india/press-releases/g20-digital-ministers-recognize-digital-public-infrastructure-accelerator-sdgs


Disclaimer. Readers are informed that the views, thoughts, and opinions expressed in the text belong solely to the author, and not necessarily to the author's employer, organization, committee or other group the author might be associated with, nor to the Executive Secretariat of CIAT. The author is also responsible for the precision and accuracy of data and sources.
