Secure Mobile Identity

Using innovative cryptography techniques, we have prototyped a mobile solution for digital identity with hardware-level security without the need for specialized hardware devices. This is the missing piece of a complete ecosystem necessary for a fast and efficient implementation of digital identity - one of the pillars for inclusion in digital economy.

While password-based digital identity is insecure, traditional PKI solutions based on hardware devices, such as USB tokens or SIM cards, require physical presence on enrollment and incur high distribution costs. Having a secure solution that does not require specialized hardware and enables efficient remote enrollment that takes advantage of AI to verify the identity, a bank or country can easily rollout digital identities to its clients or citizens.

Having an extensive experience of developing the rest of digital identity ecosystem in Republic of Moldova, we plan to innovate it and package it as a global solution.

PKI-based solutions have been proven to be secure. Besides technical complexity, the most common issue with PKI is that practical implementation requires physical handover of PKI devices, such as smart cards, USB sticks (which come with cumbersome drivers and additional software) or special purpose SIM cards that can securely store the private key of the user. These devices come with relatively high price tags and distribution costs.

Software solutions that do not involve a hardware device for private key storage and can be used offline (i.e. without any online trust verification) do not guarantee the same level of security as special hardware does, as they are susceptible to private key cloning and offline PIN guessing without user awareness.

In contrast, the proposed solution is seen by the user as a simple mobile or desktop application that the user controls. This app generates and stores only a part of the private key, thus alleviating the risks of private key attacks. The other part of the private key is stored on the server, ensuring identity verification, PIN locking, clone detection, certificate revocation and other advanced security features.

This also unlocks the possibility of remote enrollment based on AI.

A service provider responsible for the mobile identity service hosts a PKI, HSM and server-side components (.NET) of the solution.

Potential users install an app on their device (Xamarin) and initiate an enrollment process. After identity validation based on AI (Azure Cognitive Services, particularly Face API for face identification and position, hat, glasses and mask absence validation) using verifiable data (data about foundational ID, NFC passport scan, previous verified data from other providers), a human check is done by service provider registrator interacting with the user for a final check. If validation succeeds, the app and server each generates a key pair, app private key is split in 2 parts and one the parts is sent to the server for storage and use.

Initiated by the server, authentication or signature process is authorized by user device private key part protected with a PIN, then verified by private key part stored on server and combined with the private key held exclusively in HSM.

The whole process uses standard cryptography (RSA or EC Schnorr), protocols (HTTPS, OCSP, CRL, etc.) and formats (XAdES, PAdES, etc.) to ensure wide use and compatibility with existing tools. A standard-based timestamp is applied to ensure long-term validation.

The solution can be deployed at various levels, from clients of a bank to residents of a country. Being deployed at a national level and having the appropriate legal mandate, especially if based on foundational ID data, the solution significantly simplifies the implementation of Digital Identity, which is one of the main pillars of a country-wide e-Government implementation.

A cost-effective solution for digital identity is very important, as is it the basis for all electronic interactions of the citizens with the public sector (such as requesting information, documents, registering a company and requesting a license) and the private sector (from opening a bank account to signing contracts, invoices, processing transfers and leave requests).

This conclusion is based on our extensive experience in implementing e-Government for over 10 years in various sectors and at national level, including platform-level services, such as PKI, timestamping, authentication, digital signature, automated data exchange, electronic payment, notifications, etc.

Having a secure PKI-based solution that concentrates the complexity, expertise and costs in one place, while enabling a cost-effective remote enrollment for users, provides scalable foundation for digital identity with less compromises. The level of provided security matches the requirements of European eIDAS QSCD. Remote enrollment eliminates travel costs, distribution and registration centers and requires no physical contact with users.

A strong and efficient digital identity enables users to securely access digital services, including via exchanging legally binding signatures. A strong digital identity is a prerequisite for digital inclusion and truly secure financial services.

During the last 10 years we have build a complete "growth stage" cloud-native ecosystem that includes PKI, HSM, timestamping, data exchange platform (MConnect), logging service with events signed in a blockchain (MLog), single sign-on (MPass), digital signature services (MSign), self-service integration portal, as well as the required infrastructures (MCloud), orchestration (Kubernetes), scalable storage (MinIO) and observability (Prometheus, Elasticsearch, etc.) layers to support it.

During the last year we have developed a concept and a prototype for the proposed mobile identity, that will be integrated with the rest of ecosystem as an alternative authentication and digital signature instrument, to deliver a customizable and complete solution to digital identity at any scale, from a private company to a nation-wide level.

Being based on open standards, the proposed solution can also be integrated as a primary or alternative digital identity instrument into existing enterprise or government ecosystems.

Based on proven cryptography techniques, the innovative idea of the solution is that the effective private key is not actually materialized in any place at any point in time.

The effective private key is a composite of 2 key pairs, generated separately (on user-controlled app and server side) and safely stored in 3 places (user app, server app and HSM). Any use of the private key requires the participation of both sides, app (meaning user awareness) and server (meaning provider control). This enables key locking (in case of insuccessive attempts), clone detection, certificate revocation check during use and other techniques for improved security.

Resulting signature verification uses standard RSA or EC Schnorr algorithms and is based on the standard effective public key, which is computed as a combination of 2 public keys and certified using traditional certificate authority procedures.

The lack of the need in specialized hardware on user side and user physical presence at enrollment time opens up the possibility of efficient remote enrollment based on verifying authoritative data with the help of AI and a final human check.

Additionally, having a strong digital identity with legally binding signature, requiring a digital signature from a witness during remote enrollment can be applied as a social distribution network.

Our existing ecosystem, operating at national level of Republic of Moldova from 2013 has the following usage numbers:

• Around 100 public and private owned systems integrated with single sign-on service, having 200K unique users and around 250K authentications/month
• Around 90 public and private owned systems integrated with digital signature service, having around 2M signatures/month

Note that, while the total population of Moldova aged more than 18 years is 2M, a big part of it leaves abroad. A remote enrollment solution would enable our diaspora to actively participate in home country affairs.

We estimate that this more efficient solution will increase the number of digital identity owners to 500K in Moldova in the following few years.

The potential impact of the solution in Zambia is 10M citizens, and the leads we have in Romania and Botswana can impact the lives of up to 15M and 1.5M citizens, respectively.

As the solution is an alternative digital instrument in our existing ecosystem implemented in Moldova, here are the metrics we already collect:

• Number of unique users
• Number of integrated systems that use the solution
• Number of successful and unsuccessful transactions per instrument
• Total number of successful transactions (authentications and signatures)
• Number of support calls, their priority, effort spent, resolution, etc.

Taking into account that we plan to increase our customer base, the number of customers and their size is becoming an important indicator.

We plan to involve 6 full-time staff for solution development:

• 2 mobile developers
• 1 web developer
• 2 backend developers
• one architect

Our team comprises 4 experienced product owners, 2 persons with legal background and we can access 20 technical staff from DotGov Solutions LLC.

We have 10 years of experience in building up from nothing the digital identity ecosystem at national level in Republic of Moldova. Starting from a unused and expensive digital identity in 2010, based on expensive smart cards and almost unused PKI infrastructure, we have implemented mobile signature in 2012 in partnership with mobile operators and integrated it with the newly built single sign-on service (MPass) and digital signature service (MSign). Later on, other governmental organizations upgraded (from smart cards to USB sticks in 2013) or implemented alternative solutions (national id card in 2014 and tax office signature in 2016) which were easily integrated as alternatives in MPass and MSign. These platform-level service are hiding the differences of digital identity solutions which are thus applicable in 2021 to almost 200 distinct integrated services (both public and private) under our direct involvement and operational support.

This shall illustrate our extensive experience in the field. While people that need a digital identity often (such as public servants, companies CEOs and accountants) are all equipped with the instrument, the rest of citizens are usually using it only occasionally. This is mainly due to higher prices and inefficiencies of existing solutions, which are based on physical devices and physical presence during the enrollment.

The solution eliminates these main inefficiencies without compromising security and, having enough funds and time, we have the experience to roll it out in Moldova and abroad.

• We have always open for hiring in a non-discriminatory mode as soon as the candidate can complement and add value to the team.
• We do not have any issues in hiring people with disabilities or speaking another language (note that Moldova is a multilingual country).
• The members of our team have gathered the experience and worked together using a horizontal organization and attitude for more than 5 years. We know our strengths and weaknesses are always trying to help each other.

Having a hardware-level security for digital identity without specialized hardware requirements and hardware distribution issues, solving remote enrollment is crucial for its fastest and most efficient deployment in the field. This is scalable from clients of a bank to citizens of an entire country.

Therefore, we would like to gather more experience with any remote KYC and identity validation procedures, based on authoritative data sources and AI, including deep fake video identification, passport validation using NFC, biometrics validation or any other techniques to make it as efficient and secure as possible.

Having enough development funds would also help us get more time and energy in building a higher quality and security in the solution earlier, maybe even in the minimum viable product (MVP). External reviews of the solution and source code is an additional way to ensure that.

• Having a MIT Solve label on the solution would definitely help in marketing to potential clients.
• We are open to any proposals to co-create from companies that are involved in projects related to digital identity at any level.
• We would like to partner with teams that can bring additional experience in KYC procedures and AI technologies, especially the ones that are working on remote enrollment issues.

As stated above, we are open to get advisory, guidance or even partnership with any organization that can help us in building a secure remote enrollment for the solution.

We think that the proposed solution enables a secure multi-factor, impossible to forge, and remotely obtainable digital identity for refugees. It will enable the access various online services in an efficient and secure way.

Refugees could obtain a digital identity on initial physical registration or later via internet, without physical contact required. This identity can then be used to authenticate in online services or even sign various requests or confirmations related to refugee services and they can be sure that nobody, even the providers of those services, is able to forge their signatures.

Compared to alternatives, the solution is providing the foundations for a more cost-efficient and fast to deploy identity infrastructure at the level of clients of a private company, such as a bank, or even at a national level. Traditional PKI solutions are secure but cumbersome to implement. By eliminating the need for specialized hardware and physical presence for enrollment, they become more practical.

We really think that by implementing these missing pieces can boost digital identity adoption, which will result in real digital economy and digital government.

Having affordable and secure electronic services, clients of a company or citizens of a country get more equitable chances of succeeding in their endeavors and digital inclusion in general.

Although not directly targeted towards women, the solution can lower the digital divide. Having an affordable digital identity, women can have more impact in digital economy and digital government.

Digital identity is a pre-requisite and opens the possibility to implement online voting, including from people abroad, to boost the democracy. Our team have been part of an informal study to implement online secure, anonymous and, at the same time, transparent voting our the conclusion is that it is feasible as soon as digital identity is efficient.

The solution has a richer impact and can be more efficient when user enrollment for digital identity is remote and based on AI for identity verification, including document detection and matching from a photo and face recognition from a video.

Based on existing AI algorithms and previously verified user photo (such as from official documents) or even voice, the solution can pre-validate user's head position, presence of a hat, glasses or a mask, sufficient lighting, etc. The solution might also include a validation of the user video following instructions, such as confirming the intent to enroll, current date and time as well as turning the head or reading a phrase (with or without voice recognition) as well as face biometrics checks (similar to FaceID), when an authoritative source of data is available.

Taking into consideration the potential of deep fake algorithms, we still consider that a final human check must be performed, but only after the AI pre-checks are passed with certain minimal confidence to make it more efficient.

While we have validated Azure Cognitive Services for this, particularly Face API, we are still working on their integration in the solution. We are open for alternatives, including the ones that do not require a subscription or can work offline in a private datacenter.

The proposed solution is using innovative cryptography approach to maintain hardware-level security for user's digital identity without specialized hardware in their hands. Combined with remote enrollment with the help of AI, the solution is becoming highly efficient in practical deployment.

Certainly, many solutions can be enhanced by leveraging blockchain technologies. One such enhancements can be the recording of remote enrollment requests in a distributed ledger or, alternatively and probably more efficient, in a centralized blockchain that additionally sends signed block hashes to a public distributed blockchain to ensure non-repudiation, thus alleviating the internal attack vector (e.g. employee of digital identity provider issuing an identity to a user that did not ask for one).

Another way to lower the risk of remote enrollment is to ask for a digital signature from an already verified witness. This would also promote the digital identity in communities through existing social links.

Moreover, our team had been part of an informal study to identify a technically sound algorithm and procedures for online voting, without the need to trust electoral commission or any other party. One of the ways to ensure that is to use a blockchain to exchange online voting tokens obtained through verified digital identity of the citizen, mixed with other voters using coinjoin transactions, so that the final votes are cast from traceable anonymous wallets that hold the tokens after several mixes. To implement this, a secure digital identity is a must.

We are open to any other ideas for blockchain applicability.