Oct 2 / 2023

E-Identity plays a vital role in modernizing and streamlining processes in sectors such as e-commerce, e-governance, financial services, and more, offering convenience and efficiency while posing new challenges related to privacy, cybersecurity, and data protection.

Electronic identity, often referred to as e-identity, is a digital representation of an individual’s identity and personal information in the online world, in other words a way to tie the electronic identity of a person with his real one.

E-identity also plays a crucial role in safeguarding against identity theft and fraudulent activities, as the digital realm continues to intertwine with everyday life. Such solutions are designed to enhance security and convenience in online activities, from accessing government services and financial transactions to participating in social networks and e-commerce. These solutions often employ encryption and authentication mechanisms to ensure the privacy and integrity of the individual’s identity.

What is electronic identity and what types of e-identity exist?

An electronic identification (“eID”) is a digital solution for proof of identity of people or organizations. They can be used to access benefits or services provided by government authorities, banks or other companies, for mobile payments, etc. Apart from online authentication and login, many electronic identity services also give users the option to sign electronic documents with a digital signature. There are various types of e-identity approaches, each with its own level of security, convenience, and use cases.

The common types of e-identity:

Username/Password: This is the most basic form of e-identity, where users create a username and password combination to access online services. While convenient, it’s often considered less secure due to issues like password reuse and vulnerability to phishing attacks.

Biometric Identity: Biometric e-identity involves using unique physical characteristics like fingerprints, facial recognition, or iris scans for authentication. Biometrics provide a high level of security, but their implementation can be complex and may raise privacy concerns.

Mobile Identity: Mobile e-identity leverages smartphones for authentication. This could involve using one-time passwords (OTP) sent via SMS or mobile apps, or biometric data stored on the device for verification.

Smart Cards: Smart cards, such as electronic ID cards or chip-enabled credit cards, store digital credentials for authentication. These cards can be used for various purposes, including access to government services, physical entry, and online authentication.

Digital Certificates: Digital certificates are cryptographic credentials issued by a trusted authority. They are commonly used in Public Key Infrastructure (PKI) systems to authenticate users, devices, and websites.

Blockchain-based Identity: Some systems leverage blockchain technology to create decentralized and self-sovereign identities, giving users more control over their personal data and credentials.

National eID Programs: Some countries have implemented national electronic identity programs that issue electronic ID cards or digital identity credentials to citizens. These programs are used for various purposes, such as accessing government services and securely identifying individuals online.

Multi-Factor Authentication (MFA): MFA combines multiple types of e-identity for stronger security. For example, a user might need to provide a password, a fingerprint scan, and a one-time password to access a service.

These types of e-identity solutions cater to different security levels, user preferences, and regulatory requirements. The choice of e-identity depends on factors such as the level of security needed, user convenience, the nature of the service, and the technological infrastructure in place.

Why is it important?

Electronic identity is the gateway for anyone who wishes to enjoy the advantages offered by modern technologies and safely access the digital world. Overall several key aspects can be named, that make e-identity so important these days:

A) It saves costs and time (efficient, modern, everything moves to online environment)

Things simply get done much faster when they can be done in an online format. No more piles of paperwork, no more standing in long lines, or rushing around to reach every meeting on time. In a modern world one needs only his computer, internet access and his e-identity to manage his business, join meetings or access base records. To put it simply, e-identity is incredibly efficient, since it expedites the registration and verification stages for services such as signing up for online platforms, or accessing government services. The result is a reduction in administrative overload, faster customer interactions, and improved overall user experiences. Moreover, E-identity enables secure and efficient access to digital resources and communication tools from any location. Employees can log in securely to company systems, access sensitive data, and collaborate on projects without the constraints of physical proximity. This flexibility enhances productivity and ensures business continuity, especially in times of crisis or when a distributed workforce is the norm.

B) It prevents the possibility of Identity Theft:

E-identity solutions can help mitigate identity theft and fraud. Strong authentication mechanisms make it difficult for malicious actors to impersonate individuals and gain unauthorized access to personal and financial information. Moreover, it reduces the risk of fraudulent activities and unauthorized access, protecting both users and service providers. E-identity systems contribute to overall cybersecurity efforts by adding layers of protection and reducing the attack surface for cybercriminals. E-identity acts as a digital shield, fortifying online transactions and data exchanges against potential breaches and empowers users to conduct transactions and share information confidently in the digital sphere. By employing advanced authentication methods like biometrics and multi-factor authentication, e-identity systems verify users’ identities with a high degree of certainty. Moreover, by adhering to frameworks such as the General Data Protection Regulation (GDPR), Know Your Customer (KYC), and Anti-Money Laundering (AML) requirements, e-identity systems enforce robust security practices. This not only protects individuals’ privacy but also bolsters the integrity of financial transactions and business operations. Organizations that prioritize compliance demonstrate their commitment to maintaining a secure digital environment, bolstering trust among their customers and partners.

C) It provides globalization and mobility:

E-identity solutions are especially important in a globalized world where individuals frequently travel or access services from different locations. They enable individuals to prove their identity and access services from anywhere. Moreover, governments use e-identity solutions for secure online interactions with citizens, including filing taxes, applying for benefits, and accessing official documents. The state-backed e-identity programs establish a recognized and authoritative digital identity that transcends national boundaries. This empowers individuals to engage in international transactions, access services, and interact with foreign institutions without the traditional barriers of proving identity through physical documents. The state-backed electronic identity programs serve as cornerstones for embracing globalization and mobility in the digital age. By unifying authentication, breaking down identity-related barriers, and establishing trust across borders, these programs enable individuals to partake in a world where opportunities are no longer constrained by geographical limitations.

Possible concerns

Is it reliable?

If there is one thing one can value aside from efficiency of any tool, it is the reliability. A solution that is applicable time and again, that is in constant development making it better, that gains more and more options over the time is always a good investment. Electronic identification is one of the tools to ensure secure and reliable access to online services and to carry out electronic transactions in a safer way. eID service providers minimize fraud and comply with KYC, AML and Combating the Financing of Terrorism (CFT) laws. Within the European Union, a central authority – the Government, securely stores personal identifying data to issue physical ID documents. In turn, individuals trust their IDs and extend this trust into the digital world, where they use this information to gain access to a variety of services where identities must be proven, such as, making a payment or proving your age. Of course, one must ensure to use reliable e-identity systems, some of which will be listed below.

Is it safe?

Modern solutions in the field of e-identity aim to not only provide an efficient solution for people to rely on, but also create a system that safeguards the personal data of a person, preventing anyone from using it for ill gains or goals. Electronic identities are useful also, because one can rely on them as a secure and safe way to reliably identify a person, a feature that can’t be overlooked with the modern tendency for tight KYC procedures. After all, modern challenges require modern solutions.

Today, some of the safest e-identity systems are those created or directly supported by governments, who concentrate not only on the usefulness of the system, but also, make sure that it is in conformity with legal principles, including protection of personal data and applicable security measures.

Electronic Identity: the issue of Customer Trust and Regulatory Compliance

In an increasingly digital world, electronic identity (eID) has emerged as a pivotal solution for secure online interactions. However, the success of eID programs hinges on overcoming challenges related to customer trust and regulatory compliance. As organizations and governments strive to harness the potential of eID, several critical factors come to the forefront. As more services and transactions move online, the issue of customer trust and regulatory compliance becomes paramount in ensuring the widespread adoption and success of electronic identity programs.

Building Customer Confidence in Online Services:

Online services often require users to share personal and sensitive information. Building customer confidence involves creating a seamless and secure user experience. This can be achieved by implementing robust security measures, offering user-friendly authentication methods, and transparently communicating how user data will be used and protected. By communicating the benefits of eID and the rigorous security measures in place, organizations can foster trust among users.

Addressing Privacy Concerns and Data Protection:

Privacy concerns are a major factor in customer reluctance to adopt electronic identity programs. Organizations must adhere to data protection regulations (such as GDPR in the European Union) and implement privacy-enhancing technologies to safeguard user data. Giving users control over their data and minimizing data collection contribute to a more secure and privacy-respecting eID ecosystem.

Establishing a Reputation for Secure and Reliable Business Practices:

Businesses that adopt robust electronic identity practices and prioritize security can establish a reputation for reliability and trustworthiness. This reputation can positively impact customer loyalty and attract new users. Implementing strong cybersecurity measures, regularly updating security protocols, and undergoing third-party security audits can contribute to this reputation.

Importance of State-Backed Electronic Identity Programs:

State-backed electronic identity programs, often driven by government initiatives, offer a unique advantage in terms of credibility and widespread acceptance. When government institutions are involved, there’s an inherent level of trust associated with the program. These programs can streamline online interactions with government services, enhance security through advanced authentication methods (such as biometrics), and enable citizens to access a wide range of public and private services conveniently.

Comparison of email/password vs ID card/pin codes

While passwords and PINs appear to be the same at first glance, they really serve as a remote authentication vs local authentication methods, which is why a PIN can be FIDO approved (Alliance program which manages functional certification programs for its core specifications (UAF, U2F and FIDO2) to validate product conformance and interoperability, and in addition has introduced programs to delineate security capabilities of FIDO Certified Authenticators as well as to test and validate the efficacy of biometric components), while passwords are not. Most people would assume a password is more secure than a PIN because of the length and complexity. However, applications that allow the use of PINs are considered harder for cybercriminals to crack. A PIN that is four numbers long has only 10,000 possible combinations, which you’d think would be easy for a password cracker to defeat, but it’s not. Below is the comparison table presented to view the main differences between email/password vs ID card/pin codes and their advantages and disadvantages:

Email/Password:

Electronic ID Card/PIN Code Authentication:

Advantages:

Familiarity:
Email/password authentication is widely used and familiar to most users, making it easy to implement and understand.

Accessibility:
Users can access their accounts from any device with internet access and an email client.

Password Recovery:
In case of forgotten passwords, password recovery mechanisms (like security questions or password reset emails) can be set up to help users regain access.

Granular Control:
Users can choose complex passwords to enhance security, and services can enforce password policies to ensure a certain level of complexity.

Strong Authentication:
Electronic ID cards provide a physical token that’s difficult to replicate, and PIN codes add an extra layer of security.

Reduced Password Burden:
Users don’t need to remember passwords for each service, decreasing the risk of weak or reused passwords.

Enhanced Security:
The combination of a physical card and a PIN code provides robust two-factor authentication (2FA).

Less Vulnerable to Phishing:
The physical nature of the ID card makes it less susceptible to online phishing attacks.

Disadvantages:

Security Concerns:
Weak passwords, password reuse, and vulnerabilities in the authentication process can lead to security breaches. Users often have poor password hygiene.

Phishing Attacks:
Users might fall victim to phishing attacks where they disclose their passwords to malicious actors.

Password Management:
Users may struggle with managing multiple passwords across different services.

Recovery Challenges:
If password recovery mechanisms are not well-designed, they can become points of vulnerability.

Replacement Challenges:
Replacing lost or damaged electronic ID cards can be time-consuming and might involve government bureaucracy.

Limited Accessibility:
Users must possess the ID card to access services, which could be inconvenient if forgotten or lost.

Implementation Complexity:
Setting up systems to read electronic ID cards and manage PIN codes might be more complex and expensive.

Privacy Concerns:
Some users might have concerns about their personal data being stored on electronic ID cards.

In modern security practices, combining elements from both methods can provide a balanced approach. For instance, using email/password as the first step for access and then requiring an electronic ID card/PIN code for additional verification (two-factor authentication) can enhance security while maintaining user convenience. Ultimately, the choice depends on factors such as the level of security needed, user behavior, resources available, and the balance between security and usability.

What systems are currently in use?

Mobile ID: Some countries offer mobile ID solutions, where users can access services using their mobile phones and associated SIM cards. This method often involves secure mobile apps or SMS-based authentication. For instance, the Mobile-ID system in Estonia allows citizens to use their mobile phones for secure digital authentication.

Banking e-IDs: Some countries, like Sweden, have introduced banking electronic IDs. These are often provided by banks and allow individuals to authenticate themselves for various services, including online banking and government services.

eIDAS (Electronic Identification, Authentication and Trust Services): eIDAS is a European Union regulation that aims to facilitate secure electronic transactions across member states. It establishes a framework for recognizing and accepting electronic identities and trust services from different EU countries.

National ID Cards and Electronic Identity Cards: Many countries issue electronic national identity cards that contain embedded chips with digital certificates. These cards are used for a wide range of purposes, including accessing government services, signing documents digitally, and more. Moverover, many countries issue national electronic identity cards that use embedded chips to provide secure identification and access to online services. Examples of such application can be seen in the table below:

	Digital signature of documents	Access to the state Database	Available to non-residents	Can be obtained abroad	You can apply online	Term of receip
Estonia	Yes	Yes	Yes	Yes	Yes	30 days
Portugal	Yes	Yes	No	No	No	4 to 6 weeks
Belgium	Yes	Yes	No	No	No	2 to 3 weeks
Italy	Yes	Yes	No	No	No	within 6 working days

These are just a few examples of electronic identity systems from around the world. Each system has its own features, benefits, and use cases, but they all aim to provide secure and convenient ways for individuals to authenticate themselves and access various services.

E-identity in Estonia

E-residents use their Estonian ID card to sign contracts, access financial services, and run their Estonian company, where and when suits them best.

Estonia is internationally recognized as an E-state: we have implemented digital signing and e-services, e-government and Digilugu patient portal, e-school, e-voting and much more.

Magrat OÜ, your SFAI partner in Estonia, is happy to introduce the Estonian e-identity program, the gateway for your clients to do business remotely across the EU and the world.

Estonians can use their e-ID via state-issued identity or ID-card, using Mobile-ID on their smartphones, or the application Smart-ID. Holders of a digital identity need not be Estonian residents anymore however. Since 2014, Estonia has also offered a program called e-Residency for anyone who wishes to become an e-resident of Estonia and access its diverse digital services, regardless of citizenship or location.

This electronic identity system, called eID, has existed for 20 years and is the cornerstone of the country’s e-state. e-ID and the ecosystem around it is part of any citizen’s daily transactions in the public and private sectors. People use their e-IDs to pay bills, vote online, sign contracts, shop, access their health information, and much more.

ID-card in Estonia

Estonia has by far the most highly-developed national ID-card system in the world. Much more than just a legal photo ID, the mandatory national card also provides digital access to all of Estonia’s secure e-services.

There are several types of identity documents issued by the Estonian state that are usually referred to as the Estonian ID card. These are the identity card, the digital identity card, the residence permit card, the e-resident’s digital identity card and the diplomatic identity card.
While these identity documents are issued to different categories of persons, which include citizens, residents and non-residents, and have a different appearance, all these documents provide the same electronic functionality via a smart card chip regardless of the nationality and citizenship of a person.

One of such benefits for non-residents is an e-Resident’s digital ID, which is a digital document that can only be used to identify a person and provide a digital signature in an electronic environment. e-Resident’s digital-ID allows holders of such ID to participate in public-law and private-law operations in Estonia regardless of her or his physical location, consequently overcoming a border barrier by providing an opportunity to globally participate in day-to-day operations.

Here are some examples of how it is regularly used in Estonia:

as a legal travel ID for Estonian citizens traveling within the EU
as a national health insurance card
as proof of identification when logging into bank accounts
for digital signatures
for e-Voting
to check medical records, submit tax claims, etc.
to use the e-Prescription service

E-services commonly used by e-residents

Below is a list of the most commonly used Estonian government e-services. Such services will enable you to make the most of your digital ID.

State Portal: Log in to see and manage your personal information
Service Providers: Some service providers have integrated e-Residency digital ID login on their websites
e-Business Register: Register your company online and manage your business information
e-Financials: Web-based public accounting software
e-Tax/e-Customs: Submit relevant documentation to the Estonian Tax and Customs Board
e-Notary: Buy, sell or pledge shares of your Estonian company, authenticate powers of attorney
e-apostille: Use e-apostille when you need your company formation documents apostilled

Cyber security

Cybersecurity in e-identity is the practice of protecting digital identities from unauthorized access, data breaches, and malicious activities in the online sphere. As individuals and organizations increasingly rely on electronic identities for various online transactions and interactions, ensuring the security of these identities is crucial.

This involves implementing a range of measures, including authentication methods like biometrics and multi-factor authentication, encryption to secure data during transmission and storage, continuous monitoring for suspicious activities, and strict adherence to data protection regulations. By safeguarding e-identities against cyber threats, individuals can confidently engage in online services, and organizations can establish trust with their users while maintaining the integrity of sensitive personal information.

For example, Estonia’s expertise in the field comes from world-class skills in cyber security and active collaboration between government, telecommunication, and financial service providers such as Telia, Swedbank, and SEB. Such ultra-high user convenience and strong legal protection create the trust required for use across different applications. Estonia’s transition to high-speed, mobile telecommunications has driven innovation in the field. Mobile-ID solutions allow users to utilize their smartphones for e-services by creating a secure, encrypted connection to the service provider. Smart-ID is a next-generation e-ID solution, providing secure authentication and electronic signing for device-independent transactions where there is no SIM card. Already used in three countries and eIDAS-compliant, Smart-ID is the most advanced e-ID solution in the European Union today.

The Future of Electronic Identity

The landscape of electronic identity (eID) is reshaping how individuals interact in the digital world. As technology propels us forward, several key factors are poised to shape the future of eID.

Advancements in Biometrics and Authentication Technologies heavily influence the future of eID. Traditional password-based systems are making way for more secure and convenient methods. Facial recognition, fingerprint scanning, iris detection, and even behavioral biometrics are gaining traction. These advancements not only enhance security but also offer seamless user experiences, ensuring that accessing services is both intuitive and safeguarded.

Interoperability and Cross-Platform Compatibility is of prime importance in an increasingly interconnected world. Users expect a unified experience across devices and services. Future eID systems will transcend silos, allowing individuals to seamlessly authenticate and access services across various platforms. This shift not only streamlines user experiences but also enhances security by creating a consistent and trusted identity framework.

Potential Challenges and Solutions in the Evolving Landscape will undoubtedly emerge due to the evolving nature of eID. Privacy concerns, data breaches, and user consent remain significant hurdles. Striking a balance between convenience and privacy will require a delicate approach. Robust data protection regulations and transparent data usage policies will play a vital role in addressing these concerns.

Furthermore, ensuring that the benefits of eID are accessible to all, regardless of socioeconomic status or technological literacy, is crucial. Simplified interfaces and user education efforts will bridge this gap.

The future of electronic identity is a promising horizon filled with innovation and empowerment. With advancements in biometrics paving the way for secure and seamless experiences, and a push for interoperability fostering interconnectedness, eID is poised to redefine the digital landscape. While challenges like privacy and accessibility persist, they also serve as catalysts for refining eID systems to better serve the society at large. As we navigate this evolution, collaboration between tech innovators, policymakers, and users will be pivotal in realizing the full potential of electronic identity in a rapidly changing world.

Invitation to the webinar

We are happy to invite our partners and clients to participate in our e-identity webinar which will take place on 13th October 2023. You will have the opportunity to get a deeper insight on how e-identity works in Estonia and its benefits, as well as the ability to ask questions from our e-residency team partners. We hope to see you there!

Next post: Changes in VAT Law in Estonia

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
caosLocalGa	1 month	This cookie is used to determine whether the browser accepts cookies. It expires when we close the browser.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp-wpml_current_language	1 day	Stores the current language

Cookie	Duration	Description
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.
_ym_d	1 year	This domain of this cookie is owned by Yandex.Matrica. This cookie is used to store the date of the users first site session.
_ym_isad	20 hours	This domain of this cookie is owned by Yandex.Matrica. This cookie is used to collect information about the user like his characteristics, behaviour on page and targeted actions.
_ym_uid	1 year	This cookie is by Yandex.Metrica. This cookie is used to set a unique ID to the visitor and to collect information about how visitor use the website. Thus it help to track the user and the collected informationn is used to improve the site.
_ym_visorc	30 minutes	Allows Session Replay to function correctly
_ym_wasSynced	never	This cookie is set by the provider Yandex Metrica. This cookie is used for collecting information about the user interaction with the website. This tracked information is used for optimizing the website.
caosLocalGa_gid	1 day	This cookie is used to count how many people use the website in a day.
i	10 years	Used for identifying site users
sync_cookie_csrf	10 minutes	This cookie is set by the Yandex metrica. This cookie is used to monitor the connection with the website and third party Data Management Platforms. The cookie also collects information on the user behaviour on the website which is used for optimizing the website.
sync_cookie_ok	1 day	This cookie is set by the provider WebVisor. This cookie is used for marketing purposes.
yabs-sid	session	These are cookies used by Yandex Matrica script belonging to the company Yandex. This cookies are used to measure and analyse the traffic of the website by giving information about how the users use the website.
yandexuid	1 year	This cookie is used to identify the users. This cookie collects information about how visitors use the website. This information is used for internal analysis and site optimization.
ymex	1 year	This cookie is set by yandex. This cookie is used to collect information about the user behaviour on the website. This information is used for website analysis and for website optimisation.
yuidss	1 year	Used for identifying site users