SCA for eID – a marriage made in heaven?
As SCA gains footing within the banking industry, it is only natural to address the topic of eIDs. A successful implementation of nation-wide, or even international, eIDs would benefit more than just the banking industry.
Europe has had a long and varied history of electronic ID introductions. Back in the late 1990s, some European countries started issuing smart-chip based cards as electronic IDs. These required the user to have a PC with a card reader and some quite specialized software. Needless to say, this was not a big success. Now, more than 20 years later, there is a renewed focus on electronic IDs, this time fueled by the growth in Strong Customer Authentication.
In Norway, where Okay is headquartered, we have actually had a system for eIDs since 2004. BankID is governmentally-backed but issued by banks in cooperation with the telecoms using cryptography running on the SIM card.
BankID in a practical use-case
Now, after 16 years, nearly everyone in Norway is using BankID, which has opened some really interesting possibilities. A good example is how it has simplified selling your car. Selling a car can be a complicated affair, with contracts, payments, liens and ownership issues. All of this has been greatly simplified by using apps offered by the banks:
- The contract is signed by both parties, and as they use an eID everything is filled out correctly with a low fraud risk.
- The bank handles the money transfer after the contract is signed. The bank also checks if there are any liens on the car.
- The app helps you fill out the ownership transfer with the governmental vehicle registry, which also uses BankID.
- If you have a car toll agreement for the car, it is automatically transferred to the new owner of the car.
- You get one month of free car insurance.
- And, of course, the bank offers you a loan if you need it.
The apps are offered for free by the banks, as they see this as a really good way to sell loans and insurance. During the process, both the seller and the buyer have to identify themselves using their electronic IDs several times, but the cost for this to the bank is minimal. For banks, this is a really efficient way of providing a valuable service to their customers, and a good way to sell loans and insurance.
How to succeed with eIDs?
The relevance to SCA should be quite obvious, as it is the SCA process which makes it all possible. In addition, nearly everyone can use it with their phone, and the eID issued by one bank is recognized by all other banks. Exactly who provides the ID is not important: it could be the telecoms, the government or a private company specialized in providing electronic IDs. A key factor is that the penetration of the eID is high enough that you can assume that everyone has access to it – before you get a critical mass of users it is a hard sell, and potentially quite expensive to introduce. Linking the possession to the SIM card has also been a success factor, as that is something you’re very likely to bring with you at all times.
As a single company, it is really hard to implement the scheme described above, as even if you’re a really big company you’re unlikely to reach a critical mass of users. On a worldwide level, there might only be the services provided by WeChat in China that come close. In China, WeChat has become a de facto ID, as it can be used for payments both in stores and online. But the identity you get through WeChat is unlikely to become strong enough to be used to sign a contract for buying a house.
Here in Europe, there are also clear limits to offering cross-border eID solutions, as the successful schemes so far have all been national initiatives. As a result of this, you get private companies offering eID services, such as Freja from VERISEC, with the goal of capturing the market across borders. We believe that there is enormous potential in offering eID services across Europe (and the world), and that secure SCA is the central component to make it possible. Banks and issuers have a real opportunity to provide this service, but that might require involvement from the EBA.
You can read more about this topic in an article by our CEO, Fabien Ignaccolo, where he discusses how this can be seen in relation to a future PSD3.