Specialists in mobile apps for eID and PSD2 Strong Customer Authentication

    We offer a dedicated smartphone app for Electronic Identification, Authentication and Authorisation.

The user's credentials take the form of an X.509 certificate that binds the person's identity (including attributes) to a cryptographic private key. The key is stored within the Separated Secure Execution Environment of the user's smartphone and is unlocked with a PIN and/or the device's biometric sensor.

Users can register multiple identities: for example, their personal identity, identities associated with their employment, and identities associated with other responsibilities, e.g. multiple directorships.

Trust Framework
    eIDAS is an example of a Trust Framework backed by government regulation. This is a prerequisite for the federation of identities, where an eID issued by one party can be consumed by others. Today in the Nordic countries, bank-issued eIDs can be used by individuals to sign third-party contracts and their tax returns.

The app creates independently verifiable proof in the form of an Advanced Electronic Signature (AdES). As well as the signature (created with the private key), the AdES proof includes the data that was signed and the user's X.509 certificate. It also includes the complete certificate chain up to, but not including, the country root certificate.

All parties that verify the proof must previously have obtained a copy of the country root certificates via official eIDAS channels. By adding the appropriate country root certificate to the chain, they can verify the signature and identify the person.
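The verification step described above, written out as an added Go example (not the company's code): the verifier receives the signed data, the signature, the signer's certificate and the intermediate chain, completes the chain with a country root from its own trust store, validates it, then checks the signature. The three-level PKI, the names and the Ed25519 key type are constructed for this example only.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints an Ed25519 certificate for cn signed by parent (self-signed when parent is nil); constructed test PKI only.
func issue(cn string, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = tmpl, priv // the country root signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// Verify completes the presented chain (signer plus intermediates, root excluded) with the verifier's own copy of the country roots, validates it, checks the signature over data and returns the identified person's name.
func Verify(data, sig []byte, signer *x509.Certificate, chain []*x509.Certificate, countryRoots *x509.CertPool) (string, error) {
	inter := x509.NewCertPool()
	for _, c := range chain {
		inter.AddCert(c)
	}
	if _, err := signer.Verify(x509.VerifyOptions{Roots: countryRoots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", err // chain does not end at a trusted country root
	}
	if err := signer.CheckSignature(x509.PureEd25519, data, sig); err != nil {
		return "", err // data or signature altered
	}
	return signer.Subject.CommonName, nil
}

// Demo builds root -> issuing CA -> user, signs data as the user and verifies with only the root held locally.
func Demo(data []byte) (string, error) {
	root, rootKey := issue("Constructed Country Root", true, nil, nil)
	ca, caKey := issue("Constructed Issuing CA", true, root, rootKey)
	user, userKey := issue("Alice Example", false, ca, caKey)
	trusted := x509.NewCertPool() // the verifier's locally sourced country roots
	trusted.AddCert(root)
	return Verify(data, ed25519.Sign(userKey, data), user, []*x509.Certificate{ca}, trusted)
}
```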

Our approach adopts AdES countersignature standards to implement a comprehensive audit trail. All eID requests must be signed by the requesting party, which enables the eID app to authenticate the request before the user is asked to sign. The eID proof includes the user's countersignature of the request.

See our eID Website Login demonstration.

Online / Offline
    As well as an internet connection, the app supports proximity technologies such as QR codes and BLE, so the eID procedure can still be completed when the eID app and/or the terminal have no network connection.

Both the eID app and terminal hold local copies of the country root certificates (and potentially certificate revocation information). This enables them to authenticate each other and fully verify the proof, even when offline.

    Within the SCA procedure, PSD2 requires the display of the payment information, which must include the amount and the payee(s). An SCA app on a smartphone easily performs this task.

The same user SCA credentials can support multiple modes of SCA. In the Embedded mode, SCA is performed before a payment is initiated. In the Decoupled mode, on receipt of a payment request that has not yet been authorised, the bank alerts the user and asks for their approval.

Embedded SCA is ideal when paying at a merchant Point of Sale (POS) because it minimises friction caused by a lack of cellular signal or network latency. See our POS demonstration.

Decoupled SCA is ideal in situations where the user was not present at payment initiation. Examples include approving payments initiated by a smart fridge, and multi-user approval of bulk corporate payments initiated by an ERP system. See our Corporate Payments demonstration.

    In the future, Central Bank Digital Currency (CBDC) transactions will require both eID and SCA. In addition, since CBDC is intended as a replacement for physical cash, the BIS and central banks have identified as a key requirement that CBDC payments continue to work even during periods of power or network outage.

For both Person-to-Person and POS transactions, CBDC transactions can be completed even with both devices offline, provided both devices have battery power and proximity (e.g. BLE) connectivity.