In the afterglow of the launch of iDIN we would like to give you an overview of the different eID schemes in The Netherlands including DigiD, iDIN, Idensys and many more.
The Dutch Payments Association (an organization comprised of the majority of Dutch banks) kicked off the New Year by providing a name for their prospective addition to the Dutch national electronic identity market. Formerly known under the working title BankID, the service has been officially christened iDIN. This new acronym refers both to the electronic ID it will provide and to the PIN-code traditionally used to authenticate oneself to – amongst others – a bank. In any case, iDIN will soon become part of the Dutch vernacular, as the Payments Association hopes to commence a pilot project as soon as the first of March.
Before we dive into the details of said pilot project, it may be appropriate to provide you, dear reader, with an overview of the current state of electronic identity in the Netherlands, including DigiD, Idensys, eHerkenning, iDEAL and Burgerservicenummer. If, however, you feel you already have a firm grasp of this state, feel free to skip the overview.
Overview of eID in the Netherlands
The Netherlands is unique in the way it is handling the need for an electronic identity. Whilst other European countries have chosen either to privatize the distribution of eID or to provide a government-issued eID, the Netherlands is seemingly providing the customer (its citizens) with a choice. By creating a “System of Standardization Agreements for Electronic Access-services” (Afsprakenstelsel Elektronische Toegangsdiensten), the Dutch have decided on a public-private partnership. Under this partnership, the government provides several links in the chain and leaves others to private corporations, whilst providing a regulatory framework to manage this cooperation.
However, the banking sector has decided to create a whole new chain by themselves, capitalizing on the large investment that has been made by the banking community in identity management. This paper will discuss the path the banks have chosen to take. In a future blogpost we will take an in-depth look at this public-private partnership. For now however we will only provide a brief overview.
The Burgerservicenummer (translated: Citizen Service Number) or BSN is a unique personal number given to any person registered within the Dutch Municipal Personal Records Database. This 9 (or 8)-digit number can be found on the passport, ID-card or driver’s license of anyone that is registered. A BSN is automatically attributed to a person upon enrollment in the civil registry. The BSN improves security against identity fraud and is the accepted authentication method for corresponding as well as exchanging personal information with Dutch government authorities.
DigiD consists of a username and password of the user’s choice; in recent times, additional measures were added to better comply with 2-factor verification. It can be applied for by providing a BSN along with date of birth and address. DigiD is used to prove your identity when corresponding with Dutch government authorities online as well as exchanging personal information with said authorities. With your DigiD you can also authorize a third party to act on your behalf. Think of DigiD as the electronic extension of a BSN.
Organisations that accept BSN and DigiD as a method of authentication include (but are certainly not limited to) municipalities, tax and customs administration, police, pension funds and health insurers.
eHerkenning (translated: eRecognition) is a standardized log-in system. It is based on a trust framework (the aforementioned Afsprakenstelsel Elektronische Toegangsdiensten) which was set up by the Dutch government (Ministry of Economic Affairs and Ministry of the Interior and Kingdom Relations) in cooperation with public- and private-sector organizations and businesses. In short, it is used as an authentication service for companies. It is composed of several different certified providers and handles different methods of authentication, each of which has a certain level of reliability.
We’ll summarize our introduction of Idensys by quoting (and translating) Michiel Groeneveld, communication advisor for Logius, which manages the Idensys project:
“Idensys is not an authentication method, like DigiD, but a collection of agreements which authentication methods must satisfy. These agreements pertain to safety, reliability and the protection of personal data. Different authentication methods will be covered by Idensys. Both log-in methods provided by the government, such as DigiD, as well as log-in methods provided by the private sector.”
Through this system, users will thus be able to choose any authentication-method which is compliant with the Idensys agreements to log into both public- and private services as long as that method of authentication satisfies the required reliability level.
A separate pilot project for Idensys has been set up by the Dutch government in cooperation with several other companies (including but not limited to KPN, Aegon and Delta Lloyd Group). This pilot project was initiated this month and will allow 30 000 users to test Idensys.
We will discuss eHerkenning and its “successor” Idensys in-depth with a future blogpost.
iDEAL is a payment method used by consumers for online payments through their own bank. Upon payment, the consumer is guided from the merchant’s webshop (or other online organization) to the trusted online banking portal of the bank of his choice. Using this portal, the consumer authenticates him- or herself and confirms the payment. This is usually done through a traditional challenge-response query. Upon confirmation, a SEPA credit transfer (SCT) to a certified payment service provider (CPSP) is carried out. This CPSP then securely messages the merchant as notification that payment took place. This process is carried out in real-time. The Payments Association is currently working on an initiative for real-time payments which allows for processing SCTs in seconds, 7 days per week. This will create a unique service within Europe and underlines the innovative character of the Dutch financial sector.
iDEAL is thus not a centralized electronic payment system but rather a collection of technical agreements between banks and transaction processors. These technical agreements allow iDEAL to be integrated with the online banking platforms offered by Dutch banks.
iDEAL is by far the most popular payment option for online purchases. According to research carried out by the GfK (Gesellschaft für Konsumforschung) in the first part of 2015, more than half of online purchases in the Netherlands were paid for using iDEAL.
Since 2014, activities pertaining to iDEAL have been managed by the Dutch Payments Association; however, the brand is still the property of Currence, a facilitator for payments in the Netherlands.
A bank ID named iDIN
iDIN could become an identification service provided by banks. It functions alongside Idensys and not within it. Because banks fall under the oversight of De Nederlandsche Bank (The Dutch Bank, central bank for the Netherlands) and not the Ministry of Economic Affairs, they cannot at this moment join the Idensys pilot. However, banks hope to preemptively free themselves from the complex governance structures that could accompany Idensys. Furthermore, banks have invested large funds to secure identity management and have distributed tokens that are used on a very regular basis. Rather than sit idly by, the banks (through the Dutch Payments Association) have decided to cooperate with de Belastingdienst (the Dutch Tax and Customs Administration) and other pilot companies to set up their own electronic identity framework and associated pilot project: iDIN.
Through iDIN, banks’ customers can identify themselves online to other organizations. Customers are no longer burdened with the need to provide separate passwords or authentication methods for logging into a wide range of online services. These services could include insurance providers, government institutions, online webshops and many others.
Through iDIN, customers not only consolidate their method of authentication, they also maintain control over which information is passed on to which organization. The customer decides and determines which elements of his or her personal data are provided to other organizations. Some organizations could be allowed access to name, date of birth and place of residence, whilst others may only be allowed to know that this particular customer is above a certain age-limit. In the latter case, no actual date of birth would be provided, only an age group to which that customer belongs.
iDIN is said to work in a similar manner to iDEAL (similar in user experience):
- User creates an account with – e.g. – a webshop.
- User chooses his or her bank.
- User is directed to the iDIN portal of this bank.
- User authenticates with a bank-card and bank-specific authentication method.
- Personal data that was required by the webshop is automatically filled into the form.
- User agrees this information is to be provided.
- User returns to the webshop.
Another similarity between iDIN and iDEAL we can speculate on is its use as a payment method for online transactions. This has not been decided upon, however, and the same holds for other added-value services that could be envisioned, such as e-signing. Still, as iDIN is described by the DPA as a successor to iDEAL, this supposition certainly doesn’t seem farfetched.
Organisations can provide iDIN as one of many authentication methods. In this manner they can provide customers with a choice for registering and logging-in.
With iDIN, the task of initial authentication is transferred to the banks. A customer goes through a more rigorous process of customer due diligence when opening a bank account. Once this process is completed, however, the customer has satisfied the banks’ requests for authentication, i.e. the customer has proven he actually is who he says he is. Through iDIN, other organizations need not burden themselves with organizing such an arduous (and costly) process, and customers only need to go through it once.
What do we know about this iDIN pilot? It is set to commence on the first of March. It will be led by de Belastingdienst alongside ABN Amro, ING, Rabobank, SNS Bank and Triodos Bank. Insurers like Delta Lloyd and Freo have also agreed to participate in the pilot. Up to 65,000 customers of the aforementioned banks will participate in the pilot. The banks will not use the BSN to identify their customers to de Belastingdienst due to privacy regulation. Instead they will use the BSN-koppelregister, which uses pseudo-identities (or pseudonyms) and is said to guarantee customer anonymity.
Connective provides a leading DTM technology platform to create, sign and distribute digital documents based on relevant business data. Because of our extensive experience with the Belgian eID and its applications, Connective is currently in talks with the Dutch Payments Association and will closely follow any and all developments concerning the state of electronic identity in the Netherlands. In particular, our experience with digital signatures and digital transactions in combination with eID schemes will quickly demonstrate added value in subsequent phases.