Specialists in mobile apps for eID and PSD2 Strong Customer Authentication

Features > Identity Management

An electronic identity is represented by a subscription. A subscription associates a device (i.e. the smartphone) with a user and either their personal or organisational identity.
A user's electronic identity is managed by an Identity Service Provider. The Identity Service Provider is often the issuer of the Electronic Identification (eID) app, however multiple Identity Service Providers can choose to jointly operate a common app.
An individual user can operate multiple subscriptions within the same eID app on the same device. For example, they can operate a personal identity alongside multiple organisational identities within the same app.
Adding a new subscription
To set up a new subscription within the app, the user must first input identifiers assigned by their Identity Service Provider.
A cryptographic public/private key pair is then generated by the app for the subscription. This key pair represents the possession element in the Strong Customer Authentication (SCA) procedure. The private key is bound to the device as it is created and remains in (never leaves) the Separated Secure Execution Enviroment of the device. A subscription only ever operates a single SCA public/private key pair at any one time.
The app then creates a certificate request, containing a copy of the public key together with the identifiers. The user is asked to sign the certificate request. The private key is activated using the biometric sensor on the device (inheritance) and/or by supplying a PIN (knowledge). The signed certificate request (i.e. the Certificate Signing Request, CSR) is then transmitted to the Identity Service Provider.
Associating the user
Before the Identity Service Provider can issue the user with credentials (represented by X.509 certificates), they must associate the user with their security credentials, device and software (see Article 24 of PSD2 RTS on SCA and CSC).
For this association to be undertaken remotely, SCA must be performed. If the user already has active eID/SCA credentials assigned to the same personal identity, they can use these to perform SCA on the CSR. Or if the subscription represents the user's organisational identity, a colleague with delegated administration entitlements can perform SCA on the CSR.
The user may already possess another active eID whose Identity Service Provider operates within the same Trust Framework as the new subscription's Identity Service Provider. In this circumstance, the new Identity Service Provider may be able activate the new eID/SCA credentials remotely by asking the user to perform SCA with their other active eID. This is referred to as Federated Identity. In this circumstance the new Identity Service Provider performs the role of Identity Consumer (and relying party).
Issuing credentials
Once the association has been performed, the Identity Service Provider is now ready to issue the user with credentials for use with the subscription.
The Identity Service Provider issues an Identity Certificate to the user, linked to their subscription. This certificate represents the user's subscription SCA credentials. It contains the public key and the pseudonym of the user.
Attribute Service Providers are then are able to issue the user with additional Attribute Certificates, linked to their Identity Certificate. These certificates represent verifiable claims about the user. Examples include: proof of age; proof of name; proof of address.
The same provider can issue both identity and attribute certificates, the requirement for the separation of attributes from identity is in support of data minimisation. I.e. the purchase of alcohol requires proof of age, but not name or address.
These certificates are downloaded automatically to the app and the user is requested to Initialize their subscription.
Initializing a subscription
With the certificates held locally within the app, the user can now Initialize (activate) their subscription.
The status of the subscription changes to Ready on the Identity Service Provider's server.
A copy of the user profile (e.g. including a list of bank accounts and entitlements) is downloaded to the eID app.
If there are pending (i.e. within the Decoupled SCA procedure) payments, consent or other requests (i.e. orders) awaiting the user's signature, these orders will be downloaded to the eID app for the user's approval.
As new orders enter the Decoupled SCA procedure, the app will receive push events to trigger the download of order data.
Suspending a subscription
From time to time, a user may wish to temporarily suspend a subscription, e.g. for an organisational identity while they are on annual leave.
A user can suspend their subscription at any time, from within the app. They must perform SCA on the suspend request. The status of the subscription (and associated certificates) on the Identity Service Provider's server is changed to Suspended.
While a subscription is suspended, the app will no longer be able to download related order data or receive push events.
A minimal amount of subscription data is retained within the app in order for the user to Initialize the subscription again. This data includes the subscription identifiers and associated certificates.
Replacing credentials
All user credentials, including certificates, must be replaced on a regular basis. The Identity Service Provider will determine the frequency with which the identity certificate is replaced. Because attribute certificates are linked to identity certificates, these must also be replaced at the same time.
Some use cases, for example CBDC, may require credentials to be replaced after only a short period of time (e.g. every 7 days). This is to prevent third parties from tracking the user activity and deriving their identity.
A user can also request that their credentials are replaced at any time, from within the app.
To replace credentials, a new public/private key pair is generated and an associated CSR is created within the app. The user must perform SCA on the CSR, which is then transmitted to the Identity/Attribute Service Provider. The Identity/Attribute Service Provider can then automatically issue the user with new certificates which are automatically downloaded to the app.
Once these new certificates are available locally on the device, the user is requested to replace their existing subscription credentials with the new ones.
The Identity/Attribute Service Provider(s) will revoke the old certificates and the associated private key will be deleted from the device.
Deleting a subscription
Suspended subscriptions can be deleted by the user.
This will remove all remaining subscription data from the device, including the certificates and the private key.