IDunion: All (identity) power to the user
ID cards, biometric data or passwords: people are required to present positive identification in many situations. The IDunion ecosystem makes proof of identity easier, legally more secure and more transparent for everyone.
57 million Germans, or 83 per cent of the population, shop online. They all face the same problem: always having to enter their personal details towards the end of the ordering process. This can be a long and tedious procedure, especially for payment methods that require so-called two-factor authentication for security purposes. In order to simplify the process and receive the desired product more quickly, many people save their payment, address and other personal details in the browser or in the online shop. By doing so, most customers accept that they are also relinquishing control of their data for the sake of convenience.
This complicated shopping process, which compromises the customer's personal data, may soon be a thing of the past. It is expected to be replaced by an SSI-based process called the Smart Checkout System. This relies on a secure digital identity: the customer stores his or her personal data in a digital wallet on his or her smartphone before the purchase. Shipping addresses, payment details and even loyalty cards can easily be sent to the seller when ordering, for example via a QR code on the online shop's website. The payment process runs automatically in the background. This checkout process is much easier for the customer and allows the seller to verify the data by means of a digitally verified credential, such as a digital identity card.
IDunion
The Smart Checkout System is currently a concept that only exists on paper. It is one of 40 pilot applications that will be developed and implemented within the framework of the IDunion ecosystem over the next three years. The aim of the consortium, which consists of public and private institutions headed by Main Incubator, the R&D unit of the Commerzbank Group, is to build an open ecosystem for decentralised identity management that can be used worldwide and conforms with European values and regulations. It will be based on the so-called self-sovereign identity (SSI) approach, or decentralised identity, which aims to provide a new form of identity management for all parties involved, from citizens to companies to things.
Self-sovereign identity: giving users control of their digital identities
Control is placed in the hands of the user: he or she has the power to create and control a digital identity. This can consist of self-certified data, a history of transactions on an e-commerce website or a certificate of employment. "Every European has an average of around 90 digital identities," says Helge Michael, blockchain and prototyping consultant at Main Incubator. Up until now, these identities, along with an associated identifier such as an email address, have been provided centrally by technology companies and have thus remained under their control. Companies like Facebook, for example, offer a central username and password for logging into many different services. "From the user's perspective, this seems convenient, but it also leads to the user losing sovereignty over his or her data and being bound to a provider in the long term without being able to change this service in the future," adds Michael, highlighting the problem. "In addition, this central provider is a popular target for hacker attacks." This is not the case with the self-sovereign identity concept: here the users store their data themselves and decide when and with whom to share their personal information. The data is "stored" locally in a digital wallet. This wallet takes the form of an app that can be downloaded on mobile devices. It allows users not only to store their personal data, but also to choose how to manage and share it.
But the two wallets that currently support the IDunion network, Lissi (Let's initiate Self-Sovereign Identity) and the esatus Wallet from esatus, have even more to offer: in contrast to previous solutions, users can use them to receive digital certificates issued by public institutions. "The user receives a verified credential, for example from a bank, which is stored in the wallet app," says Helge Michael. "The bank signs the credential with an electronic signature." In the analogue world, this is probably comparable to the PostIdent identity check. "If the user wants to log on to another service, he or she simply presents his or her credential, which has been verified and signed by the bank. The third-party service can then use the bank's signature to cross-check the authenticity of the credential." The digital signature helps to verify the credential presented, so that it can be used in a legally secure manner in everyday life. For example, credentials can be presented when placing an order in an online shop, or whenever a certificate of employment or proof of education is requested for a job application. The data wallet enables the user to control which personal data is transmitted or shared: only individual identity attributes, such as the name or the date of birth, can be selected and transmitted. The data is transmitted exclusively for a specific purpose and via end-to-end encrypted channels between the individual participants. "In the background runs a DLT solution, on which the signature data is stored in an immutable and forgery-proof manner and can be viewed by anyone who wants to cross-check the verification of the data," says Helge Michael. "It is very important to us that our solution does not store any user-specific data on the blockchain, but only the data of public institutions, such as a bank." This prevents sensitive data from being used for purposes other than intended.
The data transfer history allows the user to easily see who has received his or her personal data, as well as when, for what reason and with what rights.
Full control and GDPR compliant
Solutions that give citizens full control over their sensitive personal data and make it easier to access services also offer enormous advantages for companies: since they can independently check the identities of business partners, identity fraud is largely prevented. Institutions such as local authorities or citizens' registration offices can also clearly identify their citizens and provide easy access to their services and systems. This saves time, money and administrative effort. The fact that personal data is stored by the user also complies with EU law: IDunion complies with the requirements of the General Data Protection Regulation (GDPR), which serves as the legal basis for the handling of personal data. It is also compliant with the eIDAS regulation, which forms the most important framework for trust in electronic identification in the EU. This in turn benefits companies and institutions, as it keeps the likelihood of data protection violations or fines low.
The advantages of this new system of identity verification seem to be gaining traction: At the start of the project in 2020, there were almost 20 partners involved in IDunion. Today, the network comprises almost 40 established companies and institutions. They include Bank-Verlag, Bundesdruckerei (Federal Printing Office), DB Systel, Deutsche Telekom, esatus, GS1 Germany, ING-DiBa, Main Incubator, Robert Bosch, Siemens, the City of Cologne, Spherity, Technical University of Berlin, Institute for Internet Security (Westphalian University) and YES Payment Services. The network is also supported by associated partners, including Deutsche Post, the Federal Office for Migration and Refugees, the Berlin Senate Department for Economics, Energy and Public Enterprises and Berlin Partner.
From "shop window" to one of the "leading and most secure identity networks in Europe"
Since last year, IDunion has been funded by the Federal Ministry for Economic Affairs and Energy (BMWi) as part of the innovation competition “Showcase Secure Digital Identities”. “We are increasingly seeing that American platforms are pushing more and more identification solutions onto the market. I think it is important that there is a state-secured identification option for smartphones, which functions without a hidden commercial agenda with regard to user data. In the past, state projects have not been sufficiently user-friendly or were too complicated,” said Thomas Jarzombek, BMWi's representative for the digital economy and start-ups, in a press release. “In particular, we need to create a service that will also be used by companies and becomes a normal part of people's everyday lives.” IDunion has the potential to create such a service. The consortium was the first of three showcase projects to progress to the implementation phase at the beginning of April 2021. Financed with € 15.6 million in funding, the start-up wants to achieve its ambitious goal over the next three years: to build one of the leading and most secure identity networks in Europe.
The next steps have already been decided: a European cooperative (Societas Cooperativa Europaea, SCE) for IDunion is to be established this year. In addition, the network aims to build a comprehensive framework for secure digital interactions and thus further promote trust in the underlying technology. In order to increase its credibility, the network has also relied on open source software and standardised data formats from the start. "We align our activities with the international standards of the World Wide Web Consortium (W3C), the Decentralized Identity Foundation (DIF) and the Trust over IP Foundation (ToIP). The aim is to ensure the best possible interoperability with other SSI networks," says the website. Furthermore, the partners work together on the conception and implementation of security-relevant aspects. The wallets and other software applications developed within the consortium are also to be expanded to ensure an optimal user-friendly experience and greater distribution.
How well SSI technology can be integrated into everyday life will be tested by IDunion in specific use cases in the pilot regions, Berlin and Cologne. They are divided into the following areas: education, e-commerce, mobility, e-government, e-health, finance, Identity & Access Management (IAM) and industry/IoT. In addition to the Smart Checkout System, this includes, for example, a digital employee ID that allows office staff to reset their passwords themselves whenever required. Instead of having to call IT support whenever you forget your password, in future you should be able to reset your password on your own, without any help from a third party. This will be made possible by the digital storage of your identity verification, an integrated ID function and stored authorisation information. The solution offers enormous savings potential, especially for large companies, as studies show that employees forget a password on average once a year. For a company with 20,000 employees, this could result in employees spending several thousand working hours each year waiting in support hotline queues.
Focus Berlin: Digital student ID
The Technische Universität Berlin, an IDunion project partner, has also rolled out another special project: the digital student ID will combine authorisations such as the student ID, semester ticket, library ID, cafeteria card and access data for the examination platform in one digital location. The use of a verified credential should ensure security and ease of use. Since a credential can also contain a verified photo or an ID card photo, these can also be used for visual verification. This is particularly useful, for example, in an exam: the students have to prove that they have the credential and that it belongs to them. "Practicality and easy handling of valid authentication are essential for us," explains Prof Dr Axel Küpper, Head of Service-centric Networking (SNET) at TU Berlin, outlining the goals of the project. If the SSI system makes life easier for students at TU Berlin, the next step will be to extend it to other Berlin educational institutions. The transfer to other cities and universities in Germany or even worldwide is only a matter of time.