Published: 24 September 2019
Roderick van Cann, Product Owner at Connectis, has written a piece for ICT Magazine explaining what supporting multiple eIDs entails.
More and more login systems are entering use, and the Digital Government Act will soon take effect. For many online service providers, it’s consequently no longer an option to expect all users to log in using the same type of eID.
However, various pitfalls await an organisation trying to enable support for multiple eIDs. Multi-system support implies a complex IT environment and increased risk of implementation errors. Here are four key points that need to be addressed when enabling multiple eID support:
Point 1: Technical requirements differ
The technical requirements for interfacing differ from one eID provider to the next. For example, a variety of certificate requirements apply, meaning that the reuse of certificates can be difficult unless the differences have been factored in at an early stage. The various eID providers also tend to use different message traffic specifications. DigiD uses a special variant of the SAML protocol, while iDIN has its own (IDx) protocol and most social accounts are based on OpenID Connect.
Any online service provider wanting to interface directly with the eID providers in question therefore needs to support a variety of protocols and meet a variety of requirements.
Point 2: Security and convenience both matter
Effective user authentication is vital for the prevention of online identity fraud. However, users’ prime concern is being able to log in quickly and easily. A service provider therefore has to strike a delicate balance between convenience and security.
That implies thinking carefully about what assurance level is required, and which eID is therefore the best fit. A high-assurance eID such as iDIN will usually be inappropriate, for example, when all the user wants to do is post in a forum. On the other hand, you will certainly want to control access to legal documents with something more robust than a social login.
Point 3: Data from eID providers isn’t consistent
Unfortunately, the differences between eIDs aren’t exclusively outward. They vary a lot ‘under the hood’ as well. When a user logs in with DigiD, only a Public Service Number is delivered to the application. Therefore, if you support only DigiD, you’ll need to identify the user from that number alone. Other login systems deliver other attributes, such as surnames and dates of birth. And alphabetical data, such as a name, is obviously problematic for a receiving system that accepts only numeric data. Configuring a system to handle all the different attribute types can be extremely labour-intensive. In the worst case, enabling additional eIDs can involve implementing a completely new system.
Point 4: Attribute nomenclature isn’t standardised
Is it ‘email’, ‘e-mail’, ‘e-mailaddress’ or ‘mailaddress’? To the human eye, they are obviously the same thing, but not to a machine. Every eID provider uses its own terminology and nomenclature. So a system that interfaces with multiple eID providers has to understand multiple ‘languages’ and translate them into a consistent set of labels. What’s more, the data associated with each label has to be consistent.
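Points 2, 3 and 4 describe the same piece of plumbing from three angles: a translation layer that takes each provider's raw attributes, maps their labels onto one canonical set, coerces the values to one type each, validates them, and records which assurance level the login carries. The example below, added here and not code from Connectis or the original article, sketches such a layer in Python. The provider names, their attribute labels, the sample payloads and the assurance ranking are all constructed for illustration; they are not the real DigiD, iDIN or OpenID Connect claim names. The only real rule it encodes is the standard Dutch ‘11-proef’ check digit for the Public Service Number (BSN).

```python
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Any, Dict, Optional, Tuple

# Assumed assurance levels per eID, lowest to highest. The labels and the
# per-provider assignment are illustrative policy choices, not a standard.
ASSURANCE_RANK = {"low": 1, "substantial": 2, "high": 3}
PROVIDER_ASSURANCE = {"digid": "substantial", "idin": "high", "social": "low"}

# Per-provider translation of the provider's own attribute label into the
# canonical label used inside the application. The provider-side labels are
# assumptions chosen to show the spelling variation, not real claim names.
ATTRIBUTE_MAP = {
    "digid":  {"bsn": "bsn"},
    "idin":   {"surname": "surname", "dateofbirth": "date_of_birth",
               "e-mailaddress": "email"},
    "social": {"family_name": "surname", "birthdate": "date_of_birth",
               "email": "email"},
}


@dataclass
class CanonicalIdentity:
    provider: str
    assurance: str
    bsn: Optional[str] = None
    surname: Optional[str] = None
    date_of_birth: Optional[date] = None
    email: Optional[str] = None


def bsn_is_valid(value: str) -> bool:
    """Nine digits passing the '11-proef': weights 9..2 on the first eight
    digits and -1 on the last; the weighted sum must be divisible by 11."""
    if not re.fullmatch(r"\d{9}", value):
        return False
    digits = [int(c) for c in value]
    total = sum(d * w for d, w in zip(digits[:8], range(9, 1, -1))) - digits[8]
    return total % 11 == 0


def parse_date(value: str) -> date:
    """Accept the two layouts used by the sample providers (ISO and Dutch
    day-month-year) and return one canonical date object."""
    for fmt in ("%Y-%m-%d", "%d-%m-%Y"):
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date format: {value!r}")


def _reject(label: str, value: Any) -> Any:
    raise ValueError(f"invalid {label}: {value!r}")


# Canonical label -> converter, so every canonical field has exactly one type.
CONVERTERS = {
    "bsn": lambda v: str(v) if bsn_is_valid(str(v)) else _reject("bsn", v),
    "surname": lambda v: str(v).strip(),
    "date_of_birth": lambda v: parse_date(str(v)),
    "email": lambda v: str(v).strip().lower(),
}


def normalise(provider: str, raw: Dict[str, Any]) -> CanonicalIdentity:
    """Translate one provider's raw attributes into a CanonicalIdentity."""
    if provider not in ATTRIBUTE_MAP:
        raise ValueError(f"unknown eID provider: {provider}")
    identity = CanonicalIdentity(provider=provider,
                                 assurance=PROVIDER_ASSURANCE[provider])
    for label, value in raw.items():
        canonical = ATTRIBUTE_MAP[provider].get(label)
        if canonical is None:
            continue  # unmapped attributes are dropped, never guessed at
        setattr(identity, canonical, CONVERTERS[canonical](value))
    return identity


def match_key(identity: CanonicalIdentity) -> Tuple[str, str]:
    """Key for finding the user in the application's own records: the BSN
    when the eID delivered one, otherwise surname plus date of birth."""
    if identity.bsn:
        return ("bsn", identity.bsn)
    if identity.surname and identity.date_of_birth:
        return ("surname_dob",
                f"{identity.surname.lower()}|{identity.date_of_birth.isoformat()}")
    raise ValueError("eID delivered no usable identifying attributes")


def may_access(identity: CanonicalIdentity, required: str) -> bool:
    """Point 2: is the login's assurance level enough for this resource?"""
    return ASSURANCE_RANK[identity.assurance] >= ASSURANCE_RANK[required]


if __name__ == "__main__":
    # Constructed sample payloads, one per provider; 111222333 passes the 11-proef.
    samples = [
        ("digid", {"bsn": "111222333"}),
        ("idin", {"surname": "Jansen", "dateofbirth": "31-12-1980"}),
        ("social", {"family_name": " Jansen ", "birthdate": "1980-12-31",
                    "email": "J@Example.com", "picture": "https://example.invalid/p"}),
    ]
    for provider, raw in samples:
        ident = normalise(provider, raw)
        print(provider, match_key(ident), "legal docs:", may_access(ident, "high"))
```

The idin and social payloads above spell the same attributes differently and in different date layouts, yet both normalise to the same `surname_dob` key, which is the whole point of the translation layer; the social login still fails the `may_access(..., "high")` check because the assurance level travels with the identity rather than being inferred from the attributes.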
All of the four issues highlighted above represent major technical challenges for service providers. It’s necessary to have an IT infrastructure that supports multiple eIDs, plus the capability to process data of various different types. All while keeping the administrative burden as light as possible and the configuration as simple as possible to minimise errors and manage costs. Fortunately, many of the headaches involved can be cured by using Connectis’s CIAM (Customer Identity and Access Management) platform and associated self-service portal.
The original Dutch-language article by Roderick van Cann can be found on ICTmagazine.nl.
Want to know more about making online services accessible with multiple eIDs? Your Connectis account manager is always happy to talk you through the options on a no-strings basis. Or you can get in touch using the contact form below.