TRUST IN THE DIGITAL WORLD

Trust is the linchpin of the digital world. Trust makes us give out our credit card details, share our personal information and enter into agreements with services we might not even be familiar with. And the higher the confidence, the greater the opportunities.

TRUST LEVELS MATCHING YOUR NEEDS

Identity is the foundation of trust – both in the physical and in the digital world. When you are certain of who you are dealing with, you can link everything that enables a meaningful relationship between an organization and an individual: responsibility, payment, consent, agreement and delivery.

In order for an identity to be reliable, two things are required:

  1. A reliable method of transferring the user’s real identity to a digital identity
  2. A secure way to ensure across time that it is the same individual who holds the digital identity.

An e-ID that meets both criteria can therefore be used as the foundation on which all your digital business rests. Many make the mistake of settling for the first step. They issue a digital identity with careful checks of the user but allow the identity to be carried by a user name and password. As vulnerable as passwords are today, they do not meet the second criterion: keeping the identity secure across time.

More problematic is that even more businesses are content to meet neither criterion; they make no check that the user is who he or she claims to be, and let this weak identity be carried by an uncertain password. In the digital future that awaits, these players will soon be out.

Freja eID is an e-ID designed and reviewed according to Swedish and international standards to fulfill both criteria.

TRUST LEVELS FOR eIDS

To assess the trust level of an e-ID, various international standards have been created. The levels in these different standards are to some extent similar, and different services, public and private, may have different levels to relate to. Most often, however, it is up to you as an organization to assess the level of trust you want for your users, and we can help you find the level that is appropriate, based on both regulatory and security-related requirements.

TRUST LEVEL ACCORDING TO SWEDISH STANDARD

DIGG, the Swedish Agency for Digital Government, creates the framework for trust that forms the basis for the approval of the quality mark Svensk e-legitimation. The framework is based on an international standard with four trust levels.

Level 1: No proven identity and only requirements for password protection

Level 2: Identity proven with document which the individual possesses and requirements for two-factor authentication (2FA)

Level 3: Identity proven via physical meeting where the individual shows approved Swedish ID document. The identity is protected by a secure carrier with protection of, for example, PIN or biometrics and 2FA.

Level 4: Same requirements as for Level 3 with the addition that the identity must be protected by a chip that requires card readers when identifying.

TRUST LEVEL ACCORDING TO EU STANDARD

With the European initiative for cross-border electronic identification – eIDAS – the EU has developed three trust levels:

Low: Limited degree of confidence in the claimed identity of a person. Typically a fixed user name and password sent by post to the registered address of the person.

Essential: Substantial degree of confidence in the claimed identity of a person. Issuance requires possession of ID trusted by government. Two-factor authentication required.

High: High degree of confidence in the claimed identity of a person. Requires verified biometric or photo ID for issuance. Authentication device must be protected against duplication and tampering.

THE TRUST LEVELS OF FREJA eID

Freja eID is created for both national and international use. We also offer different levels of trust in Freja eID that allow you to choose based on your needs. A user can easily upgrade to the different levels, free of charge, when the need arises.

Basic level: In situations where you as a service provider already have an established relationship with the user, or do not have specific requirements on the level of trust, you can use Freja eID as a cloud-based multifactor login. The only thing the user needs to do in relation to Freja eID is to download the app and confirm an e-mail address. This arrangement does not include social security numbers at all, which makes it scalable to all users, regardless of nationality and domicile.

Validated identity: On this level Freja eID validates the identity of the user, who registers with, among other things, a valid ID document and an ID photo. Our security personnel then do an ID check and issue an e-ID if all checks are approved. We can currently validate user identities with all the approved ID documents in Sweden, and with passports in Norway, Denmark, Finland and the UK.

The information that we gather from the user varies a bit depending on the country. In general, it is first and last name, social security number, date of birth and e-mail address. In Sweden and Norway we also do an address lookup, and for some users we also store their mobile numbers, if they registered with one. In the UK there are no social security numbers, so we do not gather that data from UK users.

The quality mark Svensk e-legitimation: In Sweden, DIGG – the Swedish Agency for Digital Government – issues a quality mark to e-IDs that fulfill certain regulatory requirements. Freja eID fulfills these requirements, but in order to reach the highest level of trust – LOA3 – the user, after validating the identity as above, also has to do a physical ID check at one of our 2000 agents around Sweden.

THE QUALITY MARK SVENSK e-LEGITIMATION

To create a consensus on the issue of e-IDs, the Swedish state has developed the quality mark Svensk e-legitimation. It is DIGG – the Swedish Agency for Digital Government – which, based on national and international security criteria, reviews and approves Swedish e-IDs for the quality mark.

Public and private actors with e-services that require an e-ID can trust e-IDs that have the quality mark Svensk e-legitimation, and users can feel confident that it is a secure identity document.

In order to get the quality mark, the e-ID must fulfill the requirements in the Framework of trust for Svensk e-legitimation. The purpose is to make sure that the e-ID can be issued at, and can maintain, the trust level to which the application refers. In addition to the technical architecture, the issuer is also reviewed on the following points:

– Financial stability
– Information security work and internal control
– Process for identifying people applying for an e-ID
– Production and provision of e-IDs

Freja eID+ is Sweden’s only mobile e-ID that has been approved for the governmental quality mark Svensk e-legitimation.

PREPARED FOR eIDAS

The EU Regulation eIDAS has been introduced to facilitate digital affairs between Member States, thus contributing to “digital first” for authorities. Within eIDAS, the goal is to create a cross-border e-identification, where each member state reports one or more national e-IDs to be used by the nation’s citizens for access to public e-services in other EU countries.

As of September 29, 2018, it is mandatory for public authorities to allow login with foreign e-IDs. Each country has the opportunity, together with its e-ID providers, to choose which e-IDs the country will register according to eIDAS in order to enable login to other countries’ digital services.

So far, about a third of EU countries have notified an e-ID to eIDAS. Before it is accepted, it must first undergo a trial by other countries, and we are still at an early stage before the vision of cross-border e-identification becomes reality. Sweden has not yet notified any e-ID.

From the very start Freja eID was created to be approved for the governmental quality mark Svensk e-legitimation, and also to become an e-ID within eIDAS. Freja eID meets all technical and regulatory requirements and we have also made a formal application to the Government and wish to present Freja eID as Sweden’s e-ID in eIDAS.

Technically, however, Freja eID already has some connection to eIDAS. Freja eID is an approved e-ID within the Valfrihetssystem 2017 and thus linked to the identity federation Sweden Connect. All traffic to and from Sweden within eIDAS will go through Sweden Connect, so an important piece of the puzzle is already in place.

Becoming a part of eIDAS is a long process and from a Swedish point of view we are still at a very early stage. However, there is – as far as we know – no other Swedish e-ID which is equally far ahead in its preparation for eIDAS as Freja eID.

PHYSICAL AND LOGICAL SECURITY

Security is absolutely fundamental to Freja eID. Protecting the user’s data and integrity is essential and trust in an e-ID is founded on the fact that it is secure. Freja eID is based on proven technology and world-leading security solutions to ensure the reliability of identity over time.

Verisec, which is behind Freja eID, has been working with IT security since 2002 and handles digital identities for millions of people worldwide. Much of the technology that forms the basis of Freja eID has been developed for banks, authorities and companies with large user groups and is proven and tested in large-scale contexts.

STRATIFIED SECURITY MODEL

The core of the Freja eID technology is a stratified security model. In order to protect users from different types of attack vectors, especially identity theft, and taking into account all the vulnerabilities of the mobile platform, Freja eID has built-in security measures in both the front end and the back end of the mobile app.

ADVANCED APP SECURITY

Freja eID includes advanced app protection technology, providing the best possible protection when running in potentially hostile environments such as jailbroken and rooted phones, or malware-infected systems. These technologies allow relying parties to focus on what’s important to their business rather than worrying about the security of the mobile devices their users have.

ENCRYPTION AND CERTIFICATES

All traffic between the Freja eID app and the backend system is encrypted, and the encryption keys in Freja eID’s core are protected by security-classed HSMs (Hardware Security Modules). For relying parties, a symmetric key or SSL client certificate and a unique relying party ID are required to use the service. All personal data in Freja eID’s database is protected by advanced technology.

PHYSICAL SECURITY

Freja eID is fully operated by its own security-classified personnel, and all access to the system is controlled by at least two individuals acting together. The system is completely redundant and located in one of the world’s most advanced data centers, Digiplex. The facility is shell-protected, fire-protected and equipped with advanced camera surveillance and 24-hour security staff.