Providing a simple, trusted and efficient mechanism for authentication in digital services is one of the important steps towards fostering a bigger and better use of the Portuguese Government’s electronic services. Portugal was one of the pioneering countries to implement digital certificates with the Citizen’s Card. This eCard was implemented in 2007 and even then included an electronic signature for secure authentication within the chip, allowing citizens to complete electronic transactions in a simpler manner, and to sign electronic documents.
Important step in simplification
With Chave Móvel Digital (Digital Mobile Key), the Portuguese Government is taking another important step in simplification by turning the citizen’s mobile phone into a partner for authentication, following the best practices for security already in place in the banking systems with one-time passwords. The new service allows citizens to overcome some of the barriers for electronic authentication use: it does not require the Citizen’s Card and eCard reader in many situations where the mobile phone can be used instead with a PIN and a temporary Mobile Key security code sent by SMS or email.
To use the Digital Mobile Key citizens just have to register on a web portal, or in person at a public service desk, providing the Citizen´s Card, and connecting the electronic signature in the chip with the new system though a mobile phone number or email address. This way, they receive a temporary password every time an authentication for a service or identity verification is required. The system can also be used by citizens with other types of identity cards, like a passport, but in this case the registration has to be made in person at a public service desk. This means that foreigners can also access the benefits of the Digital Mobile Key.
The system is already in place for many different Government services and also some private counterparts, simplifying the use of the Citizens’ Portal, Entrepreneurs’ Desk and Health Portal. Agência para a Modernização Administrativa (AMA, the public agency for modernisation) is in charge of managing the system and is working with other public and private services to extend the use and application of Chave Móvel Digital.
The aim of Portugal’s eGovernment strategy is to transform the public sector into an integrated and collaborative customer-orientated entity, positioning Portugal among the leading countries in terms of quality of service to citizens and businesses. The increase in citizens’ satisfaction regarding these multichannel services, delivered 24/7, is fostering greater innovation and simplification in many areas, and the AMA is developing a number of projects that aim to simplify access, without compromising security.
To identify and authenticate citizens in an electronic service was one of the challenges to developing a public service and dematerialising a number of transactions and licensing procedures. The new Citizen’s Card with an electronic signature and chip for cryptographic authentication was the solution to many of the problems, and the project, implemented in 2007, has allowed Portugal to be at the forefront of electronic services. Although the process and security of the system was never questioned, the significantly low use of electronic signatures was a challenge to overcome in order to obtain a better response in multi-channel services.
Activate the electronic signature system
Only 30 % of Citizen’s Card users activate the electronic signature system; the true figure is much lower, although the card is implemented in a large number of public services, allowing for a faster and simpler use of eServices and a reduction in costs. The payment of licences and certificates can be 50 % lower in some transactions, for both the general public and companies. The challenge was to promote a broader use, overcoming the barriers of a somewhat complex procedure that involved the use of the Citizen’s Card, a card reader, a PIN and software installed in the computer to access the electronic services and provide the necessary authentication with cryptographic security.
Following on from the banking systems, the idea was to simplify the identification process, without compromising security, and connect the identity to a token – a smartphone or an email address – that can be used in a simpler way. This alternative mechanism for electronic authentication is more secure than the traditional username and password access to services, and proves to be simpler, but it also has advantages in cost rationalisation and technological evolution.
The Digital Mobile Key follows the main recommendations expressed in strategies recently adopted in Portugal, contained in the Global Strategic Plan for the Rationalisation of ICT Costs in Public Administration (PGETIC), in order to adopt and implement one multifactor mechanism for electronic authentication, which is efficient from a financial point of view and technologically future-proof.
Description of target users and groups
Portuguese citizens and businesses are the main targets of the project, which aims to simplify authentication for several public services. However, Chave Móvel Digital can also be used by foreign citizens registered on the platform, who can also benefit from the procedure’s simplification, although the registration process is slightly different: Portuguese citizens with a Citizen’s Card can register online using the electronic signature from the eCard to identify themselves and connect the identity to a smartphone or email; foreigners, or citizens with other identity cards, need to go to a public service desk in person to complete the process.
Description of the way to implement the initiative
Built upon the authentication platform already in place for the Citizen’s Card, Chave Móvel Digital was developed from scratch in just six months. It required a small and very focused team that benefited from AMA’s large experience of public service platforms, and also the connection to different services and platforms from other public agencies and institutes. The security validations necessary to guaranty safety, during the initial procedures of registration and also when in use, was one of the key points of the project, thus following in the steps of the financial services’ best practices regarding false uses, and blocking or suspending users for misuse and failed combinations of passwords and PINs.
The project required an infrastructure with a high degree of availability and scaling in order to support a high demand. Development was also required on applying the use of authentication systems, registration and monitoring so as to recognise uses outside the allowed patterns.Technology choice: Standards-based technology
Main results, benefits and impacts
The main result of the project is a simple-to-use system that does not compromise security. The service is quite new and no data is currently available, but the estimate target for the first phase is 200 000 registered users. The new authentication system is already in place for some of the most important electronic services for citizens and businesses, like the Citizen’s Portal and Entrepreneur’s Desk, but AMA is working to extend the range of public and private services that can use Chave Móvel Digital.
The digital certificate and electronic signature from the Citizen’s Card is used through a vast range of services in public entities and private companies, and already more than 10 million eCards have been produced with authentication certificates. The connection between the Citizen’s Card infrastructure, the Interoperability platform for Public Administration (iAP) and the simplification of procedures to use these tools for authentication on different services is key to the success of the project, allowing operational services to easily make the connection through the autenticacao.gov web service.
The STORK project
Participation in the European project STORK is also underway, which simplifies cross-boarder interoperability in different countries. Some pilot projects are already in place.