Portugal began developing its digital identity system in 2007, becoming one of the pioneering countries to aggregate in one card 5 different identification numbers and implement digital certificates with its eID ‘Citizen Card’. Since then, the Portuguese government has continuously invested in its eID scheme by launching several secure and easy-to-use mechanisms.
In 2014, the country presented the Digital Mobile Key, a mobile solution, spreading its usage to the private sector; extended the eID schemes to include professional attributes (‘SCAP’, 2018); and recently launched the ID.gov app (2019), a mobile application that allows citizens to save, access and share their personal documents’ data at any time, with full legal validity; among other.
This article aims at giving readers an overview of the different digital identity solutions that comprise the Portuguese eID ecosystem, allowing citizens to digitally manage their identities through different mechanisms adapted to the users’ needs and expectations.
Citizen Card (2007)
The Citizen Card is the cornerstone of the citizens’ recognition, a physical citizenship document that contains a chip (smartcard), allowing for the secure digital identification and authentication of users, as well as the digital signature of documents.
In Portugal, the Citizen Card replaced several other documents, namely the civil identification card, the tax identification card, the National Health Service card, the Social Security card, and the voter’s card (and respective number).
In addition to being a physical identification document, mandatory for all citizens, the Citizen Card allows access to digital services through the mere use of a PIN code, eliminating the need to remember numerous logins and keywords. The combination of a keyword and a physical element (in this case a smartcard that includes electronic certificates stored securely on a microchip) ensured high security for electronic authentication and signature.
However, it presented challenges, as the need for carrying a smartcard reader or a device with an integrated card reader. Additionally, smartphones and mobile devices are nowadays the most common toll citizens carry and use in their daily basis. As so, the Digital Mobil Key was born.
Digital Mobile Key (2014)
The Digital Mobile Key (DMK) is the national mobile eID solution which allows citizens to digitally authenticate themselves in public and private websites as well as digitally sign documents, in a secure manner.
It was developed to address the increasing use of mobile devices by citizens and subsequent demand of mobile solutions, as well as to offer a more user-friendly alternative to the Citizen Card mechanism, which requires a smartcard reader.
The Digital Mobile Key provides a simple and secure way to access digital services, totally free of charges and operating 24/7, allowing citizens to both authenticate themselves and use qualified electronic signatures. This is done through a permanent password (PIN) and a temporary security numeric code, automatically generated and sent by SMS, email or a dedicated app.
By the end of 2018, protocols with some of the major private service providers (banking, telcos, utilities) lead to a significant surge of DMK’s subscriptions. The adoption of the DMK by service providers with recurrent interactions with Portuguese citizens has proven to be fundamental to the increased adoption of DMK, as it promptly became the preferred option of authentication within the national eID schemes, surpassing for the first time the “old” Citizen Card.
In 2020, this tendency remained unchanged, as the number of DMK subscribers continues to grow and it remains as the chosen eID mechanism in the national scene.
The Digital Mobile Key was built as a Government---Platform (GaaP), providing public and private organizations with a standardized and open API which supports authentication and signature reuse across government and third-party service providers.
SCAP – Professional Attributes Certification System (2018)
SCAP allows Citizens to digitally authenticate and/or sign according to their professional or business attributes. For example, a citizen can sign a project evoking the attribute recognised by a professional association, or oblige a company to associate the attribute it has conferred on it.
The Portuguese SCAP eID is an online digital identity service, whose main purposes are:
- Enable the addition, to a Citizen Card or Digital Mobile Key qualified signature certificate, of the functions the signee performs in society as a qualified professional and/or the powers and capacities of the signee in the context of a public/private company;
- Enable secure electronic identification of the functions that natural persons perform in society as qualified professional and/or their powers and capacities in the context of a public/private company, when accessing services in portals and websites of public and private entities.
The SCAP eID is automatically activated for owners of a valid Portuguese Citizen Card (CC) or Digital Mobile Key (DMK), aged 16 years or older. Its usage starts upon user request and it links professional, business or public attributes to their CC eID and/or DMK.
ID.gov.pt (2019)
Because the world is ever-changing and the digital revolution is taking place at an abyssal speed, the Portuguese Government allowed citizens to "forget" (in the physical world) their documents at home, and start carrying on their mobile phones not only "digital money", but also their personal identification in different contexts.
The ID.gov.pt mobile application (2019) is a digital wallet that allows citizens to keep and consult their ID cards anytime and anywhere - either the Citizen Card, the drivers’ license or the ADSE card (health subsystem of public servants). It is also possible to use it offline and currently other identification means (e.g., military or public servants) are in the process of being added to the app.
This application is based on the Digital Mobile Key electronic authentication. The cards are loaded by the user through their Digital Mobile Key which, using the national interoperability platform, makes the data available. The data are stored (temporarily) in the app and are updated every 24 hours.
Finally, citizens can also validate their virtual ID documents using the authentic data sources that emit them. This central validation is based on a QR Code generated by the holder's application which can be read by the same application installed on another mobile device or with the insertion of a numerical code (with limited time validity) in a reserved area of the Portuguese authentication portal, https://www.autenticacao.gov.pt/.
Autenticacao.gov
Last, but not least, Autenticacao.gov is the platform that brings together the various national electronic authentication and signature solutions available to citizens and businesses, also providing them with complete information about the potential of these solutions.
It is the National Identification Provider that makes available the different eID schemes and mechanisms previous described. Autenticacao.gov provides common API for service providers (as Portals, mobile apps, and other systems) access all authentication mechanisms, and request citizen attributes. The API, supported in open standards (as SAML and OAuth) allows service provides to requested citizen attributes, and puts citizens in control by authorizing, refusing and auditing who can or has access his or her data.
The Portuguese eID ecosystem has consistently grown throughout the years and, although the Citizen Card is mandatory for all citizens, subscriptions to the Digital Mobile Key have been steadily increasing – significantly so ever since private entities started using it as the preferred identity provider.
In terms of usage, there was also a significant increase in 2019 – in line with the DMK’s subscriptions growth – the number of authentications in national portals and websites doubled, going from roughly 3 million in 2018 to 7,5 million in 2019. The COVID pandemics brought a higher usage of digital identity schemes and, given its track record on the area, Portugal offered its citizens the possibility to perform the public services digitally and not be deprived of their right to them.
Reliable, easy to use digital services go hand-in-hand with secure and trustworthy eID mechanisms. The year of 2020 made blatant the fundamental role they play in any modern society, as proven by a new surge in authentications through the national eID providers, that rose from 7,5 million to almost 13 million, but also from the number of services that nowadays use the Portuguese eID ecosystem, that currently amounts to 246, ranging from central and local Government to private sector services.