How do you manage to build actions that allow you to authenticate knowing full legal support? Digital identity is as important as physical identity and thanks to this we are able to accelerate operations. Indeed, this makes it necessary to create measures that guarantee security when identifying. Let’s analyze them.
What are the “bricks” of digital identity?
By “bricks” of digital identity we mean those elements responsible for ensuring the identity and that encompasses the various digital signature procedures.
Within these “bricks” we can include certificates, both qualified and non-qualified, the “bricks” considered of biometric type and Identity Providers, a concept that we will explain later.
Let’s begin by mentioning certificate-based signatures, which are certificates issued by certification authorities and that are responsible for identifying the person who signs without making any mistakes. As previously mentioned, these certificates can be of qualified type if they are issued by a Qualified Trust Service Provider.
There is a noticable trend, both at government level and in the private sector, to replace the local certificate with a certificate hosted on a secure server (centralized or cloud certificate).
But digital identity is not only based on digital certificates. Any feature that allows associating the information to a person of the real world can be considered another type of “brick”. Another market trend which is on the rise is to use the following features:
- “Something that we are”, that is, biometric factors such as the fingerprint, utterance, face recognition, iris, or even the biometric signature (that is, a signature in which biometric data is collected such as pressure, stroke, speed, inclination applied, etc).
- “Something the user knows,” such as one-time passwords (OTP).
- A scombination of all the above, both for digital identification (robust authentication) and for signature (advanced esignatures).
The concept of Identity Provider (IdP)
Unless we use a qualified certificate for the signature, we will need to incorporate some evidence if we want to enjoy all legal guarantees. It is why that we must introduce the concept of IdP.
What is an IdP? With these acronyms we are referring to an Identity Provider. It is a computer concept that describes an entity in charge of creating, maintaining and managing information on the identity of a system and provides authentication services for trusted applications.
The most basic example is when we identify in both application or in a web portal, via username and password. Here we are using an IdP. It is true that it’s an insufficient level of security, as we will discuss later.
Identity Providers used in digital signatures
Now, let’s talk about some of these IdP services and their use in digital signatures. Nowadays, there are many different identification factors. The most frequent ones are:
- OTP Token (One Time Password): these are single-use passwords valid for 30 seconds. This is generated through applications, such as Viafirma OTP.
- SMS token: this identification factor implies sending a shortcode, also called OTP, via SMS to the signatory.
- Email Token: Similar to the SMS Token, though the one-time password is sent via email.
- PIN code: this code is made up of 4 digits set by the person responsible for the signature at the time of creating or importing the certificate. The security is very low, if not followed by the other factors.
- Password: password set by the signer and that must comply with the conditions imposed in the usage policies, that is, a certain length, the obligation to use figures or characters to combine upper and lower case letters. Security is somewhat greater than the PIN, but it is increasingly common to be followed by another identity factor.
- LDAP/Active Directory: The Lightweight Directory Access Protocol is responsible for accessing an active directory of the corporate server with username and password.
- Biometrics: Here we can have the example of the fingerprint. The corresponding fingerprint reader device is required, as well as a record of the authorized fingerprints. And like the fingerprint, we can use the face ID, voice, and biometric features of the signature, iris and a long list that is increasing every day thanks to research.
The “bricks” of digital identity “are useless” without digital identity and digital signature solutions
Why do we call all the previous elements “bricks” of digital identity? Because they are a “key element” for digital identity. But this is not enough. A brick on it’s own, only serves as paperweight.
Something similar happens in the digital world: digital certificates, biometric factors and other identity factors make sense when used for something.
And, every day, in a cyber-world full of digital threats, any platform, any service, in order to offer security guarantees and to convey confidence must be associated to a robust digital identification system, and must include any type of consent by means of digital signature.
The first serious approach to the use of digital identities came from Public Administrations, which put the so-called Electronic Administration for the first time for the public, by means of certificates that the public administrations issued themselves then other certified entities arrived.
Then secure and reliable identity and signature procedures were added to the sectors of electronic commerce (e-commerce), electronic banking (e-banking) and practically the rest of the sectors, since there is no business outside digital transformation. The legislation, which is increasingly demanding in terms of securing the digital identity of users, is accelerating the whole process.
It is very that these procedures for authentication and verification of digital identities, as well as signing contracts, invoices, taxes, deliveries, etc., are not carried out by the developers of digital business (e-business) solutions, but instead they integrate solutions from cybersecurity companies specialized in these type of trusted services.
Here is where companies like Viafirma appear.
Viafirma and the “bricks” of digital identity
How do Viafirma solutions contribute to these digital identity verification processes?
We will start talking about Viafirma, our app to create, manage and sign documents online. This tool allows authentication by multiple factors, as well as the adding of evidence, which can be mixed up according to the client’s needs.
Viafirma Fortress is a software specifically developed to manage certificates stored in the cloud and what is known as cloud certificate. But access to these certificates requires a secure identification process, which is done via robust authentication. That is, using a combination of two or more identity factors, which can be configured according to the requirements of each case scenario.
Viafirma Fortress also allows delegating the use of certificates in a restricted and fully secure way.
Finally, we will talk about Viafirma RA (Registration Authority), a solution for the creation and management of Registration Authorities, which we provide thanks to our subsidiary in the Dominican Republic, Avansi, the First ever Certifying Entity in the Dominican Republic, legally trained to issue digital certificates according to Law 126-02 of Electronic Commerce, Documents and Digital Signature.
With Viafirma RA you can validate the identity of natural and legal persons, subscribers of certificates and provide other validation services related to digital signatures. It is also possible to manage the life cycle of issuing digital certificates.
We all have a digital identity, to a greater or lesser extent. And every company, large or small, that wants to advance in digital transformation must pay special attention to the processes in which these identities are involved. We can make the most of a safe, reliable and legal way, protected against legal conflicts, fraud or malicious uses.
At Viafirma we are strongly committed to protect digital identity, offering solutions that allow us to extract all its value and to improve the lives of citizens and businesses. If you want to know more, do not hesitate to contact us.