TRUST IN THE
DIGITAL WORLD

Trust is the linchpin of the digital world. Trust makes us give out our credit card details, share our personal information and enter into agreements with services we might not even be familiar with. And the higher the confidence, the greater the opportunities.

TRUST LEVELS MATCHING YOUR NEEDS

Identity is the foundation of trust – both in the physical and in the digital world. When you are certain of who you are dealing with, you can link everything that enables a meaningful relationship between an organization and an individual; responsibility, payment, consent, agreement and delivery.

In order for an identity to be reliable, two things are required:

  1. A reliable method of transferring the user’s real identity to a digital identity
  2. A secure way to ensure across time that it is the same individual who holds the digital identity.

An e-ID that meets both criteria can therefore be used as the leverage upon which all your digital business rests. Many make the mistake of settling for the first step. They issue a digital identity with careful checks of the user but allows the identity be borne by a user name and password. As vulnerable as the passwords are now, they do not meet the second criterion, to keep the identity secure across time.

More problematic is that even more businesses are content without any of the criteria; they make no check that the user is who he or she claims to be and lets this weak identity be carried by an uncertain password. In the digital future that awaits, these players will soon be out.

Freja eID is an e-ID designed and reviewed according to Swedish and international standards to fulfill both criteria.

TRUST LEVELS FOR eIDS

To assess the trust level of an e-ID, various international standards have been created. The levels in these different standards are to some extent similar and different services, public and private, may have different levels to relate to. Most often, however, it is up to you as an organization to assess the level of trust you want for your users and we can help you find the level that is appropriate, based on both regulatory as well as security-related requirements.

TRUST LEVEL ACCORDING TO SWEDISH STANDARD

DIGG – the Swedish Agency for Digital Government, which creates the framework for trust that forms the basis for the approval of the quality mark Svensk e-legitimation is based on an international standard with four trust levels.

Level 1: No proven identity and only requirements for password protection

Level 2: Identity proven with document which the individual possesses and requirements for two-factor authentication (2FA)

Level 3: Identity proven via physical meeting where the individual shows approved Swedish ID document. The identity is protected by a secure carrier with protection of, for example, PIN or biometrics and 2FA.

Level 4: Same requirements as for Level 3 with the addition that the identity must be protected by a chip that requires card readers when identifying.

TRUST LEVEL ACCORDING TO EU STANDARD

With the European initiative for cross-border electronic identification – eIDAS – the EU has developed three trust levels

Low: Limited degree of confidence in the claimed identity of a person. Typically fixed user name and password sent by post to registered address of the person.

Essential: Substantial degree of confidence in the claimed identity of a person. Issuance requires possession of ID trusted by government. Two-factor authentication required.

High: High degree of confidence in the claimed identity of a person. Requires verified biometric or photo ID for issuance. Authentication device must be protected against duplication and tampering.

THE TRUST LEVELS OF
FREJA eID

Freja eID is created for both national and international use. We also offer different levels of trust in Freja eID that allow you to choose based on your needs. A user can easy and free of charge upgrade to the different levels when the need arises.

Basic level: In situations where you as a service provider already have an established relationship with the user, or do not have specific requirements on the level of trust, you can use Freja eID as a cloud-based multifactor login. The only thing the user needs to do in relation to Freja eID is to download the app and confirm an e-mail address. This arrangement does not include social security numbers at all, which makes it scalable to all users, regardless of nationality and domicile.

Validated identity: On this level Freja eID validates the identity of the user, who then registers with, among other things, a valid ID document and an ID photo. Then our security personnel do an ID check in and issue an e-ID if all checks are approved. We can currently validate user identities with all the approved ID documents in Sweden, and with passports in Norway, Denmark, Finland and the UK.

The information that we gather from the user varies a bit depending on the country. In general, it is first and last name, social security number, date of birth and e-mail address. In Sweden and Norway we also do an address lookup and for some users we also store their mobile numbers, if they registered with it. In UK there are no social security numbers so we do not gather that data from the UK users.

The quality mark Svensk e-legitimation: In Sweden, DIGG – The Swedish Agency for Digital Government, issues a quality mark to e-ID’s that fulfill certain regulatory requirements. Freja eID fulfills these requirements, but in order to reach the highest level of trust – LOA3 – the user, after validating the identity as above, also has to do a physical ID check at one of our 2000 agents around Sweden.

THE QUALITY MARK SVENSK e-LEGITIMATION

To create a consensus in the issue of eID’s, the Swedish state has developed the quality mark Svensk e-legitimation. It is DIGG – the Swedish Agency for Digital Government which, based on national and international security criteria, reviews and approves Swedish e-ID’s for the quality mark.

Public and private actors with e-services that require e-ID can trust e-ID’s that have the quality mark Svensk e-legitimation, and users can feel confident that it is a secure identity document.

In order to get the quality mark, the e-ID must fulfill the requirements in the Framework of trust for Svensk e-legitimation. The purpose is to make sure that the e-ID can be issued and maintain the trust level which the application refers to. In addition to the technical architecture, the issuer is also reviewed on the following points:

– Financial stability
– Information security work and internal control
– Process for identifying people applying for an e-ID
– Producing and providing of e-IDs

Freja eID + is Sweden’s only mobile e-ID that has been approved for the governmental quality mark Svensk e-legitimation.