Viky Manaila, an international expert in the field of electronic signatures, digital identity, and digital transformation processes. She is a member of several high-level working groups set up by the European Commission and ETSI that aim to align policies and operations around the implementation of digital trust services, digital identities, and cross-border recognition. She recently joined to CSC as a Board Member

In this interview, Viky talks to the CSC Blog about her perspective on current and future industry trends, as well as the regulatory requirements on eIDs.

What are the key challenges to the development of digital identity and digital signatures by ID providers?

Digital Identity and Identification are the key challenges to the digital world that we are all living in today. Technology has profoundly changed the ways in which individuals, organizations and devices digitally interact with one another. Telemedicine, electronic prescriptions, digital banking, government services are all now offering personalized experiences with exceptional delivery times that were unimaginable only a few years ago.

In recent years, companies and governments have been reinventing their digital identity services. This has meant that the protection of sensitive personal data has become the foundation of the trust that users place in service providers, who have the duty to ensure that the digital identities of their customers are not misused or stolen. Within this context, digital identity security has become a top priority for digital services providers, which has created alternative business models that have resulted in the emergence of new market players.

As a Qualified Trust Service Provider, Intesi Group has redesigned our relationship with our customers by being able to meet their expectations of having a seamless online experience that is devoid of friction. Identity verification is a critical step in the process of issuance of digital certificates for electronic signatures. In the past, digital identity was one of the most significant barriers to paperless business, with users having to be identified in-person. Therefore, Intesi Group has developed and implemented innovative solutions that allow for cloud-based certificates to be issued in minutes directly from signing applications, whilst always remaining compliant with the E.U.’s eIDAS regulation.

In order to simplify the identity verification phase of issuing digital certificates, Intesi Group decided to use all the existing electronic identity schemes that have been pre-developed by the governments, banks and telecommunications providers, namely the eIDs that are present in Northern Europe. In addition to BankID Sweden, BankID Norway, NemID Denmark, FTN Finland, Intesi group has recently added iDIN Netherlands to our service offering. Essentially, most citizens from northern European countries can now re-use their verified identity from their own bank to sign documents digitally using an Intesi Group’s qualified or advanced certificates.

What is needed to sustain growth in the digital ID infrastructure, both nationally and globally?

Identity is fundamentally a combination of individual attributes that all define an individual, such as personal history, beliefs, and behaviors. Therefore, there are many fundamental questions that need to be answered to facilitate the expansion of digital identity infrastructure, both nationally and worldwide. For example, how can we safely collect and share all these individual attributes together in the digital environment? Who owns our identity data? Can we trust the cloud-based infrastructures that store our attributes? Can the providers assure us that our data is being protected, and cannot be compromised or misused without our explicit consent?

To adequately respond to these all challenges, the way both companies and governments work with digital identity must be reimagined and reinvented. By transitioning away from siloed capabilities that are centered on business needs, we need to move towards a collaborative sharing culture across all industries as well as internationally between governments. By overcoming these challenges, the repetitive processes of providing credentials online will be eliminated. This will allow both citizens and businesses to benefit from reduced costs and increased efficiency savings.

Through initiatives such as the Cloud Signature Consortium, public and private sector organisations can put together their capabilities for trusted services and unleash the potential of these new business models. In Europe today, we have 9 countries with eID notified and approved schemes that abide by the EU’s eIDAS Regulation.

Italy has become the second EU Member State to offer to its citizen’s full electronic identities that are legally valid across Europe. Using this eIDAS infrastructure,  service providers such as banks, telecommunications operations, and airlines, can now reach new markets in EU member states by allowing foreign EU citizens to access their services online. For instance, a bank can now allow a foreign EU citizen to open a bank account with greater ease thanks to this eIDAS infrastructure. By providing secure and trusted access to such online services to a broader international customer market, the growth of eID infrastructure will become an important enabler for the growth of private sector services.

To give you a clear example of this digitalisation trend, let’s examine the private sector’s use of the federated eIDs provided by Nordic banks. Over 90% of citizens in Norway, Sweden, Denmark, and Finland now have a form of digital identity that is issued by their bank. This in itself, is a clear digitalisation success story. The use of eID’s by Nordic banks is just one example of new models where a group of banks has switched from identity consumers to identity providers.

All forms of digital identity can now be used by citizens and businesses to access an ever-growing range of e-services that are not only related to the financial sector. Intesi Group, in partnership with Adobe, has been one of the early pioneers to integrate this technological innovation within concrete use cases. To name just a few, Intesi has implemented eID use cases in Know-Your-Customer authentication, mobile peer-to-peer payment systems, mortgage applications, insurance claims, tax declarations, all via e-Signature scan be executed instantly using Intesi Group’s cloud-based digital certificates via Adobe Sign.

In your opinion, what are the important issues and topics that will emerge in the year to come in this field?

The ownership and control of identity data is the most pressing issue that needs to be tackled by all stakeholders who are operating in the digital services space. We must all support and share the same values, implement appropriate policies for data collection and sharing, and explore new models of collaboration through organsiations such as the Cloud Signature Consortium. In doing so, we will support each other in implementing cutting-edge technologies that verify and manage digital identities. Both the public and private sectors need to take the necessary steps today to make sure that identity systems work better by enabling all citizens to have access to digital identity services. No one should be left behind by the digitalisation of identities.

What is needed to create the coherent and interoperable spectrum of solutions and how is CSC looking to address these challenges?

The Cloud Signature Consortium has initiated collaborations with ETSI and multi-stakeholder industry initiatives such as the FIDO Alliance to develop the next generation of authentication and identity verification standards. This will help online businesses by allowing them to use multiple authoritative sources of identity verification, which will in turn, enable a network of new service providers that will accelerate market adoption and expansion. The passwordless online experience is the dream of both consumers as well as service providers, and we at Intesi are convinced that dream will soon become reality. Stay tuned.

About Intesti Group: Intesi Group is an Italian Qualified Trust Service Provider according to eIDAS Regulation that has played an important role in the growth of the global market for PKI and security technologies since 1998. Intesi Group was among the founding members of Cloud Signature Consortium, and has enthusiastically contributed to the development of CSC API specification and Standard over the course of the past two years.

Bundesdruckerei GmbH (BDR) is a leading German high-tech security company that is based in Berlin. As providers of trust services in both analog and digital industries, the secure identities, data and infrastructures that the BDR provides, enable governments, private companies and citizens to act with confidence. BDR’s products and services are “Made in Germany”, and are firmly rooted in the reliable and lawful identification of individuals and institutions. Working as a security company on behalf of the German government, and with more than 250 years of experience under their belt, the BDR is paving the way for a secure digital age.

Here, Dr. Fabian Grabicki, and expert in Trusted Services with D-TRUST GmbH, one of the companies affiliated with the Bundesdruckerei, talks about BDR’s work and its relationship with the Cloud Signature Consortium.

What companies are involved in the BDR and what are the main focuses of those affiliated with it?

The Bundesdruckerei Group includes affiliated companies D-TRUST GmbH, Genua GmbH, Maurer Electronics GmbH, and iNCO Sp. z o.o. The Group employs a workforce of over 2,700 employees, and generated revenue of around €556m in 2018. The Bundesdruckerei also holds shares in Veridos GmbH, DERMALOG Identification Systems GmbH, cv Cryptovision GmbH and Verimi GmbH.

Berlin-based D-TRUST GmbH is a company of the Bundesdruckerei Group. D‑TRUST GmbH is one of the pioneers in the field of secure digital identities. Since 2016, the company has been listed with the German Federal Network Agency as a qualified trust service provider in accordance with the European eIDAS Regulation. The company issues qualified digital certificates for electronic signatures, seals and qualified remote signatures. It also offers other Public Key Infrastructure (PKI) products and services, such as its AusweisIDent service.

What services do you offer in terms of Cloud Signatures, and how do these help your clients?

Our sign-me product provides users with identification services that are based on various methods, namely on-site, video or ID card verification. Identified users can then remotely sign different types of documents via basic, advanced or qualified different eIDAS levels. The product is supplied as a software development kit (SDK) that can be integrated into standard document workflow systems or customer-specific workflows. It can also be used directly on its own web portal.

What are the benefits of using electronic signatures and in what way are they used by your clients?

Electronic signatures offer a vast range of benefits, especially when using the remote signature solution (sign-me). This solution is very convenient as you can basically sign anything from anywhere. It is very secure, as the service is eIDAS-compliant and provided by a qualified trust service provider. It is also very flexible, as it is not bound to any hardware (card), reading device or other middleware. All in all, the service saves you time and storage because you no longer need to appear in person while ridding you of paperwork.

What was the logic behind becoming involved with the development of the CSC specification? How has BDR contributed to its development?

It has always been BDR’s strategy to drive standardization. In this context, we have been able to put our expertise in security solutions, our good relationship with stakeholders, and our understanding of the demands of our customers to good work.

What is your relationship to the Cloud Signature Consortium and how has this helped your business? What has CSC helped to bring to your clients?

BDR is an executive and founding member of CSC. We have assumed a leadership role and are shaping the future of trust service technology. CSC is supporting our industry by jointly producing standardized solutions. We have also benefitted from several joint offerings with other members, in particular, with Adobe Sign.

Can you explain how BDR makes its sign-me service available both to its clients and users?

Sign-me can be used in three ways. First, the client can use its own workflow and then connect to our service via an API. The second option is for a client who already uses Adobe Sign; it can use the existing interface between Adobe and our service to complete signing. The third way is for the client, as an individual party, can use our web portal to sign its documents.

In which sectors have your services proved popular, and what products do you supply to clients in these sectors?

Many clients currently use the service to sign customer loan contracts and personnel leasing contracts with employment agencies or various insurance policies. A substantial amount of our business comes from use in internal processes in public companies and private institutions. Overall, the most interesting sectors besides the public sector are currently the insurance, banking and human resources industries, with the health sector also being expected to grow in future.

Can you give me any other examples of ‘success stories’ where BDR’s services have helped a company/sector and transformed the way they do business in terms of using e-signatures?

Let me share one of our success stories with our business partner Zenjob, https://www.zenjob.de/press/e-signature. In this case, BDR/D-TRUST offered Zenjob, an employment agency for working students, the unique opportunity to sign their contracts with prospective employees using sign-me literally ’on the go’. This solution is convenient, it reduces costs and storage and is more efficient. Another advantage is that both companies share a similar digital and technological background and mindset which made handling processes even smoother.

What does the next year hold for BDR? Are there any exciting developments on the horizon in 2020?

We expect to see some new features that will make remote signing even more attractive, such as in the area of second factor (Strong Customer Authentication/SCA). We also foresee a significant uptake of the market, at least in Germany, driven by legislation in the health sector as well as in the public sector (Law for the Improvement of Online Access to Administration Services/OZG). The new service offerings in the public sector will drive the penetration of digital identities and this, in turn, will result in increased usage of qualified electronic signatures, mainly by remote signing, in the private sector.

Many thanks to Dr. Fabian Grabicki for taking the time to speak with CSC.