Why consider open standards for ID solutions
October 21, 2019
Luiz Guimaraes, Latin American Sub-Working Group Chair at OSPT Alliance
Driving licenses, transport cards, employee access control, health services… governments and associated bodies across the world are faced with a number of ID solutions to be developed, managed and delivered. And in an increasing effort to streamline, centralize and formalize more services and operations, demand for new and advanced solutions has never been higher.
But for the agencies responsible, it’s a brave new world. Faced with numerous strategic and technical considerations, finding the right partners to help define and deliver these projects is challenging.
Open standards might not be high on the considerations list (or even on the list at all!) for those developing ID solutions, but they should be. Not only do they bring their own set of benefits, they also speak directly to a number of the common pain-points faced by government agencies.
The balancing act
In any ID project, agencies have multiple players to consider at each stage. Choosing open standards will enable solutions to have a level of independence that will be invaluable longer term. As requirements change, open standards can help governments feel confident that solutions are agnostic, flexible and safe from vendor lock-in.
With budgets often being crunched and closely inspected, this also empowers agencies to select from a range of vendors that best meet their budget and strategic requirements. Not to mention that with full interoperability across the whole end-to-end ‘transaction’, managing the evolution and scalability of solutions over time is dramatically simplified.
More, more, more
There are also several technical considerations needed. Consumer demands for greater convenience, easy-to-use, multi-application (combining two or more functions onto one card or device) solutions are on the rise, as well as a desire to identify on multiple devices – whether that’s a smartcard, mobile or wearable device.
From adding access control to a library card, to managing a loyalty scheme with transport ticketing – these types of solutions deliver real value to consumers and governments alike, but can be costly and complex to develop.
Utilizing an open standard, solutions are instantly interoperable, dramatically simplifying the introduction of new form factors or applications. Agencies are also better empowered to take ownership of their solutions, determining the functionality levels themselves and negotiating the best deals across multiple vendors.
Security, sensitivity and privacy
ID solutions deal in extremely sensitive data. Government agencies are acutely aware of the damage a compromise in citizen data protection can cause and consumer trust is essential to the success of any new solution. Thankfully, a move to open standards doesn’t mean reduced security or privacy.
CIPURSE™, the open, non-proprietary standard developed and maintained by OSPT Alliance, is one perfect example. It uses AES 128 cryptography – part of the encryption utilized by most passports – as well as proven smartcard standards including ISO/IEC 7816-4 and ISO/IEC 14443 that are widely used in major payments infrastructures. What’s more, the specifications respect privacy management regulation and are patent protected by OSPT Alliance’s patent pool.
As such, players can reap the best of both worlds: commercial efficiencies with a high-level of security and privacy protection.
To dive into the tech a little, its CIPURSE’s unique key management system that’s bringing real value. Multiple applications can easily be added onto one solution but, crucially, each have their own unique keys. This means that for different authorities and agencies managing their designated applications on one solution, each can intercommunicate simply, securely and without interference.
Three different levels can be defined on an application: access rights to ‘read’ and ‘write’, separation of ‘more sensitive’ and ‘less sensitive’ data, and the access rights for each. Say, for example, a toll payment card and driver’s licence are stored on one card. With CIPURSE, it is simple to separate access rights to ‘read’ and ‘write’ for each data within an application, respectively, and even limit access to more sensitive data, such as biometrics, to specific authorities. Every application can define its authorities and access rights separately, so applications can co-exist without interference or a compromise to security.
What can be achieved with CIPURSE is really determined by the agency. It’s a truly flexible standard set that can support applications covering anything from public transport and health cards, micro-payments and loyalty, and access control – even unique citizen access could be added, should an individual desire!
Already powering a number of ID projects across the globe and recently chosen by Brazil to power its new driving licence, learn more about the power of CIPURSE here.
Categorised in: Blog