Cl@ve: Unifying and Simplifying Identification for Spanish Online Public Services (Cl@ve)

Published on: 13/07/2015
Document

The Spanish public sector currently offers many ways of accessing public services on line, mainly based in the use of digital certificates, among them the Spanish e-DNI. The use of digital certificates, although very secured, may be complicated for certain users. Therefore, to foster e-government use by citizens, some public administrations started to provide different types of shared keys (a combination of user, password and SMS codes) to access their online services in the cases where the highest level of security was not required.

The Spanish public sector started to suffer from a proliferation of different ways of identifying individuals who needed access to online services. Furthermore, most of these identification methods were restricted to be used only for accessing the services of the public body that issued the identification means. This forced users to install different codes and applications, and to memorise the different ways of accessing the services.

Cl@ve aims to solve this problem by unifying existing online identification methods into a single solution deployed throughout the Spanish e-Administration for national, regional and local online services. Cl@ve has already been deployed and is being used in several departments throughout the country. Cl@ve is mandatory for national online services, which will have to adopt Cl@ve before the end of 2015, and open to be used by regional and local online services if the public bodies responsible for those services choose to do so.

Policy Context

Cl@ve has been developed within the current legal framework established in the Council of Ministers Agreement that pushed for the Reform of the Spanish Public Administration. To carry out this reform the Commission for Reform of Public Administration (CORA) was created in October 2012. CORA implements policies to unify, simplify and streamline organisations and services within the Spanish public administration. Specifically, with regards to IT infrastructure, CORA drives the rationalisation of current infrastructures, a more efficient use of technological resources, and the development of services with higher levels of quality.

In this respect Cl@ve aims to eliminate, absorb or complement various incompatible identification systems deployed across different public administration organisations. This will make it more convenient for citizens to interact with public entities, whether municipal, regional or national, while at the same time simplifying identification systems and reducing maintenance needs.

Cl@ve also seeks to be compatible with STORK, the European eID Interoperability Platform that will allow citizens to establish new e-relations across borders. This will allow Spanish citizens to carry out transactions EU-wide. To do so, Cl@ve will comply with the eIDAs Regulation promoting the widespread use and uptake of electronic identification and trust services.

Description of target users and groups

The main target users are private citizens who need to identify themselves in order to interact with services on public administration websites.

Regional public administrations are being encouraged to adopt Cl@ve as their main identification framework so as to offer a unified system to all Spanish citizens across all online public services.

Description of the way to implement the initiative

Cl@ve is a project spearheaded by the Spanish Ministerio de Hacienda y Administraciones
Públicas (Ministry of Finance and Public Administrations) through the Dirección de Tecnologías de la Información y las Comunicaciones (Directorate of Information Technology and Communications), managed by the Gerencia de Informática de la Seguridad Social (Computer Division of the Social Security) and with the collaboration of the Dirección General de la Policía (Police General Directorate), the Agencia Estatal de Administración Tributaria (State Tax Administration Agency) and the Dirección General de Tráfico (Department of Transport).

The implementation of Cl@ve is planned in two phases:

Phase I provides the mechanisms for identification and authentication. This phase entered production in November 2014. Cl@ve is currently available for use on the following sites:

  • Treasury of the Social Security for common queries and proceedings included in "Tu Seguridad Social" ("Your Social Security").
    "Tu Seguridad" portal.

     

  • National Institute of Social Security for services included in the "Tu Seguridad Social" ("Your Social Security") portal.
  • State Tax Administration Agency for all proceedings allowed with the previous PIN24H system.
    AEAT
  • Traffic Department where it can be used to query the points on users’ driving licenses and check their driving records.
    Department of Transport
  • Ministerio del Interior (Home Office) to query "Estado de Mis Solicitudes" ("State of My Petitions") and "Mis Tramitaciones" ("My Procedures").
    Home Office

 

All state departments and organisations are instructed to implement the Cl@ve identification service before the end of 2015.

Phase II concentrates on further developing signature mechanisms and is expected to be finished by the third quarter of 2015. See "Technology Solution" below.

Technology solution

The current version of Cl@ve (Phase I) implements four types of identification systems considering the different levels of authentication defined in the eIDAS regulation. The on-line service integrated with Cl@ve defines the level of authentication required to access it, and Cl@ve shows the authentication means complying with this level to the citizen, so that she can choose among them.  These systems are:

  • Digital certificates: Using the already existing @firma Platform (Spanish signature validation platform for public bodies), Cl@ve offers the option of identifying by using all the digital certificates approved by the Ministry of Industry, Energy and Tourism, as well as some foreign certificates recognised by bilateral agreements.
  • Cl@ve PIN: A password issued for a short time (usually 24 hours or less), targeted at occasional service users. This system is managed by the State Tax Administration Agency, and it is the evolution of the previous PIN24H identification service offered by this public body.
  • Cl@ve permanente: A password that is valid for a long, although not unlimited, period of time. This system is targeted at regular users of online services. It consists of a username/password combination, reinforced with a dynamic passcode sent by SMS to the user’s phone (i.e. two-factor authentication). This system is managed by the Computer Division of the Social Security, and will be further developed in Phase II to add cloud-based certificates (see below).
  • STORK: Allows the verification of electronic identities from those European countries integrated in the STORK platform.

Once Phase II is completed, users will be able to sign documents electronically with certificates stored in the cloud. This will provide the following advantages:

  • Users’ certificates will be stored on a centralised server protected by strong security measures.
  • The certificates will be issued by the General Directorate of the Police and will come with the same guarantees as the current electronic ID.
  • To access their certificates, users will use a username/password combination, plus a dynamic passcode sent by SMS to the user’s phone (two-factor authentication).
  • The signing process will be carried out on the server and not on the user’s own computer.
  • Users will not have to worry about managing their certificates, and will be able to sign from any device.
Technology choice: Standards-based technology

Main results, benefits and impacts

Since the beginning of the production stage of Phase I on 19 November 2014, there has been constant growth in the Cl@ve user base. On 20 May 2015 the number of registered users reached 1 million. During April 2015, Cl@ve’s information portal, www.clave.gob.es [http://www.clave.gob.es], received over 2 million visitors and the number of authentications carried out using Cl@ve PIN and Cl@ve was more than 880,000.

Track record of sharing

Cl@ve is designed as a collaborative electronic identification, authentication and signing system designed to solve the limitations of current systems. It integrates existing systems seamlessly and is open to all public administrations delivering state-wide, national or municipal services.

Cl@ve implements an electronic federated identity system, integrated via the following distinct actors:

  • Electronic Administration Service Providers (SPs) who use the platform to provide identity and authentication services for their users.
  • Identification and Authentication Service Providers (IdPs) who work as intermediaries between users and organisations, providing identification and authentication services.
  • Identification Management Platform, an intermediary platform that allows providers to access the different identification mechanisms.

Lessons learnt

The project creators claim that Cl@ve has shown that significant results, both in terms of efficiency and improvement in the usability of e-government services, can be achieved when basic infrastructure components, such as identification and authentication, are managed in a coordinated way by different public bodies.

Scope: National

Categorisation

Type of document
General case study

Attachment