Signicat white paper. Signicat Solutions. This document introduces the Signicat solutions for digital identities and electronic signatures

Transcription

1 Signicat white paper Signicat Solutions This document introduces the Signicat solutions for digital identities and electronic signatures Version

2 Disclaimer Please note that this document is for information purposes only, and that Signicat has no obligation to pursue any course of business outlined in this document or to develop or release any functionality mentioned in this document. The future strategy and possible future developments by Signicat are subject to change and may be changed by Signicat at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. Signicat assumes no responsibility for errors or omissions in this document. Some functionality are still in development, and some functionality may not be available in all regions. Page 2 of 20 Copyright Signicat Solutions

3 Table of contents About Signicat... 4 Signicat solutions overview... 5 Signicat Assure... 6 Signicat Connect... 8 Signicat Sign Signicat Preserve Signicat Identity Other digital identities Use cases Terminology Signicat Solutions Copyright Page 3 of 20

4 About Signicat Signicat is one of the leading providers of electronic identity and electronic signature solutions in Europe. The company, founded in 2007, has offices in Norway, Sweden, Denmark and Finland. The solutions fulfill operational capabilities in line with international standards and requirements, such as Privacy, Anti-Money Laundering (AML) and Anti-Terrorist legislation and regulations, as well as Know Your Customer (KYC) requirements for onboarding of new users. Signicat offers some of the most advanced solutions for electronic identity and electronic signatures. The goal is to enable customers to do business more effectively by delivering great user experiences for the end users and at the same time reduce the risk by using advanced security technology. The Signicat solutions are used by banks and financial institutions, insurance companies, government agencies and large corporations as well as small and medium sized businesses. Customers trust Signicat with the responsibility of authenticating users, providing electronic signing, identity proofing and document preservation. «Carrier grade» SLAs are offered, matching customers need for scalability and reliability. Innovation Signicat is dedicated to innovate in the areas of electronic identity and signatures, and to offer customers solutions that enable them to offer their products and services in new and innovative ways. Signicat has previously won the international Identity Deployment of the Year Award and Best Innovation Award at the Cards and Payments Europe Awards. Solutions Signicat has previously won the international Identity Deployment of the Year Award (IDDY-Award) in the US Signicat specializes in cross border cloud based electronic identity services and electronic signatures. Signicat makes it simple to offer login, identification and electronic signatures for web and mobile solutions, and supports different levels of authentication depending on the customer requirements. Signicat is the preferred provider of electronic identity and signature solutions for many major players in the banking, finance, insurance and etrade industries. Page 4 of 20 Copyright Signicat Solutions

5 Signicat solutions overview The Signicat solution consists of the following components: Signicat Assure Establish assurance of a user s identity. Signicat Connect Authenticate a user with the purpose of enabling user access to online services or resources. Signicat Sign Signicat Preserve Signicat Identity Add digital signatures to documents, to provide authenticity, origin and integrity, and assure nonrepudiation. Ensure the lifecycle of digitally signed documents, securing future validation of the digital signatures are possible, as well as archiving. Hosting and management of identity data. Cloud identities eid providers Major cloud services which offer access to identity data, such as social networks, CRM providers and others. Providers specializing in delivering strong eids, such as BankID (Norway and Sweden), NemID (Denmark) and others. Signicat Solutions Copyright Page 5 of 20

6 Signicat Assure Introduction An important part of any business is to know your customers. In the digital marketplace, you will not meet your customers face-to-face, and the customer s identity must be established digitally. There is an increased pressure to comply with Anti-Money Laundering (AML) and Know Your Customer (KYC). Using Signicat Assure will assist in complying with these directives. Signicat Assure uses different methods to establish the identity of a person, using digital means. These methods can be used separately, or in combination with any other mentioned method, depending on the assurance level required, tailor made to individual customer needs. Assurance methods Assuring an identity is about collecting sufficient evidence. The more evidence collected, the higher the certainty that the identity is genuine. Each customer, depending on the business process, decides which assurance level is required, and which methods should be used for assurance. There are three levels of doing user assurance: possession of device, identity and reliability, as described in the following sections. Possession of device The following methods are used to prove that the user is in possession of a given device or account. Possession of handset. This is done by sending a One Time Password (OTP) as a text message to a cell phone. Possession of address. An OTP is sent to an , and the user confirms possession of the by entering the OTP. Identity Assurance of possession, identity and reliability Identification paper. The user will be asked to take a photo of an identity paper, such as driver s license, passport or other official ID. The ID is then verified for authenticity. Proof of address. A physical address is verified by sending a letter to this address with a One Time Password. When the user enters this OTP, the address is verified. If this combined with an address lookup in a central registry, this increases the identity assurance level. Cloud identities, social media. This includes Facebook, Google+, Microsoft Live and LinkedIn. By checking additional parameters like when the account was created, and how many friends the account has, the assurance level will be increased. Page 6 of 20 Copyright Signicat Solutions

7 Proof of access to account. This method will verify that the user has access to a monetary account, such as a bank account or a credit card. This is typically done by doing a micro-transaction from the account, which is either returned to the user or donated to a humanitarian cause. The withdrawal will have a comment, which is the One Time Password, which the user enters to prove access to the account. Derived identity. In countries where there are eid providers, such as BankID in Norway, it may be possible to use this as part of the assurance process to establish the user s identity. Using the eids in this way, may be subject to restrictions Derived identity from Mobile Connect (GSMA). Mobile Connect is a secure universal login solution, which works by matching the user to their mobile phone. Reliability In addition to knowing that the person is who he or she claims to be, it may be required to get more information about the trustworthiness of the user. This can for example be to check the credit rating of the user, if the user has a driver s license or by checking user ratings. Bisnode is used in the Scandinavian countries to obtain additional information about the user, such as credit rating. Central national registries can be used to check a person s roles in various organizations. For example The Brønnøysund Register Center in Norway. User rating is another way of establishing the user reliability. If a user has received many positive ratings in social networks, shopping networks or travel websites. Signicat Assure helps organizations to gain the required assurance of digital identities when onboarding new users. For businesses with regulatory requirements, Signicat Assure helps you to be compliant with AML and KYC processes when onboarding new customers Combining methods - customization In many cases, using a single method will not be sufficient to establish the desired assurance level of the user s identity. By combining several methods, the assurance level will increase. For example by combining possession of handset, with ID paper and social media the assurance level for the user could be sufficient for a given scenario. Signicat Solutions Copyright Page 7 of 20

8 Signicat Connect Introduction Allowing users to log in to an online service with only a username and a password does not offer sufficient security in many cases. Security requirements often dictates that a multi-factor authentication is to be used. Signicat Connect offers a number of methods for implementing multi-factor authentication, as well as a simple and secure way of setting up multi-step authentication for your online services. Connect methods First step authentication Normally, the first step for the user is to enter a username and a password. The username is required to have sufficient information to choose the second step. As an alternative, social media can be used for authentication. The social media account must be connected to the user account and the user is logged in, there is no need to ask for the user name or password. National eids can be used for authentication Second step authentication After the user is authenticated, one of the following methods may be used as a second step authentication: Possession of handset. This works by sending a One Time Password (OTP) to a handset, and the user will enter this OTP during login. This will confirm the identity, which was established in Signicat Assure. Possession of account. Works in the same way as the OTP sent to the handset, but the OTP is instead sent to an account. Time based OTP. This is a code generator, which runs on your cell phone or tablet, which generates time-based OTP (TOTP) according to RFC One TOTP application, is the Google Authenticator. Handset application. This works by having an application installed on the mobile device, which is used as second step of the authentication. Hardware tokens. This use a hardware token (USB based) which is inserted into a USB port, and takes care of the second step of authentication. The use of the above methods can be used as stand-alone or they can use information in Signicat Identity, which has been provided by the customer or through Signicat Assure. National eids authentication It is possible to use National eid providers for connecting. See the section Other digital identities on page 14 for more information. Page 8 of 20 Copyright Signicat Solutions

9 Step-Up When the user has connected using a specific set of methods, it may result in an access level that is sufficient for accessing some information, but not everything. If the user tries to perform additional operations, for example transferring more than a given amount of money, additional authentication may be required. In this case, the existing information from Signicat Connect is used, but the user will have to provide an additional step to increase the access level. This can also be combined with contextual information, as described below. Signicat Connect helps organizations choosing and setting up the required methods for authenticating users in a simple and secure way Contextual information When connected to a service, it is also possible to retrieve contextual information about the user. This can for example be a device fingerprint, the IP address of the user and in many cases the geographic location of the user. This information may be combined with other Signicat Connect methods, as an additional confirmation of the user, and create a confidence score. The customer policy can then determine whether other factors are required. If the user is at the regular location, the password may be sufficient to get a low-level access to the service without having to perform the second step, for example seeing the account balance. Signicat Solutions Copyright Page 9 of 20

10 Signicat Sign Introduction As more and more business is conducted online, the need for adding digital signatures to documents increases. Signicat Sign offers a flexible solution for adding digital signatures to text and PDF documents. When the document is signed, it can later be shown who signed the document, when the signature was added, that the signature was valid when the document was signed and that the document has not been modified. All this evidence of the signature can later be used as legal evidence, as well as for non-repudiation. Signing ceremony The signing ceremony is an important part of adding a digital signature. Signicat focuses on a user-friendly experience, which works across multiple devices, from PC/Mac to tablets and cell phones. Resulting document formats For Signicat Sign, PAdES is the default result format. The main advantages are that the signed document can be viewed using any PDF reader, while the Adobe Reader also verifies that the signatures are valid. The PDF document can be formatted according to customer requirements, and for example include a footer on each page showing who signed the document. It is also possible to deliver LTVSDO (Long Term Validation Signed Data Object), which is an XML based format for the signed document. This may be desirable if the documents are to be processed automatically. Sign methods Signicat Sign can add a digital signature to documents based on authentication with any of the methods supported by Signicat Connect (see page 8). This means that it is possible to add a simple signature with a simple OTP to a mobile device, using a strong eid method like a national eid as BankID or it is possible to require multiple steps to add a stronger signature. InkSign method PAdES means that the digital signatures can be verified by anybody using the Adobe Reader InkSign is a separate way of adding digital signatures. In this case, the user will add the signature on a mobile phone or tablet by imitating the ink-based signature on the device. This hand-written signature will be captured, and stored as part of the digitally signed document. Page 10 of 20 Copyright Signicat Solutions

11 Multiple documents Signicat Sign can sign several documents in one operation. The output format can be one result document containing all the signed documents, or one result document for each signed document, as if they were signed separately. Multiple signers In many cases, multiple people have to sign the same document for it to be valid, if for example if a couple want to buy a house. Signicat Sign allows for a workflow, including multiple signers. In some cases, the order of signatures are important. It is possible to specify this, so the second person does not get the document to sign, before it is signed by the first person. Require authentication for each document Depending on the scenario, the customer may require the user to authenticate for each document being signed, or the customer may allow the user to sign multiple documents after logging in, without having to reauthenticate. This will give a better user experience. Signicat Sign helps organizations digitize the document workflow by adding digital signatures, using any means of authentication. These can later be legally verified, and this assures non-repudiation Digital forms Signicat Sign supports form filling, followed by a signature. The fields in the form are added to fields in the PDF, which is then signed, and the result is saved as a PAdES document. Document upload As part of a signature process, the user may also add additional documents. When filling in an application the user may be required to submit additional information, such as a payment slip, or a letter of recognition. Sign plugins The Signicat Sign plug-in for Superoffice allows the end-users to request other users to add electronic signatures without having to leave Superoffice. A sign request will be generated and sent directly to the recipient. Signicat Solutions Copyright Page 11 of 20

12 Signicat Preserve Introduction Documents that are electronically signed are normally contractual documents, and it is important that it is possible to retrieve and verify the signatures in the future. Signatures may have to be validated decades in the future. Time stamping Adding trusted timestamps will increase the trustworthiness of the document. The time a document was signed may be of high importance. As it is rather simple to manipulate the time on a computer, it is important to use a registered Time Stamp Authority, and timestamps are added accordingly to the Time Stamp Protocol (TSP) defined in RFC3161. Long Term Validation Long Term Validation (LTV) is a way to ensure the durability of digital signatures. When packing an LTV document, additional information is added, to ensure that it can be verified in the future, even though algorithms and certificates are no longer valid. Re-sealing Re-sealing ensures that the signature can be verified in the future Over time, computers get faster and algorithms that were safe from attacks when the signature was added, may no longer be safe today. In addition, private keys and certificates may be compromised over time. Therefore, it is important that signed documents must be periodically resealed, so that it is possible to verify it in the future. A typical frequency for this is every 5 years. Validation Signicat is a registered Time Stamp Authority An important factor of LTV is that the documents must periodically be re-signed. This means adding an additional layer of digital signatures on the documents. Documents archived by Signicat may automatically be resealed. If the customer has archived the documents, Signicat offers a service for re-sealing, but the responsibility is with the customer. The validation feature of Signicat Preserve can receive one or more documents, and will validate the signatures of these documents, without any human intervention. That means that the customer can perform a batch validation of multiple documents. Page 12 of 20 Copyright Signicat Solutions

13 Archiving Signicat Preserve offer archiving of documents. If desired, these may automatically be re-sealed. Signicat Preserve helps organizations archive documents and ensure that digital signatures are valid in decades to come Sealing Sealing of documents is used by companies that want to prove the authenticity of documents. A seal is similar to a digital signature, but there is no personal signature, only the signature by the organization. However, anybody can verify that the document was signed by the organization at the given time. Normally, the seal is added automatically, with no human interaction. Typical examples are public registries sending out company reports and universities sending out grade cards. Some companies also want to preserve historic documents, for future validation. Signicat Solutions Copyright Page 13 of 20

14 Signicat Identity Introduction Signicat Identity stores information about users including the user name and one or more authentication methods. Users can be added in Signicat Identity as the result of Signicat Assure, or being added directly by the customer. In addition to the user information, Signicat Identity will also have information from the methods used by Signicat Assure. It is up to the customer to decide which user information to store. Activation During the activation process, the user will have to activate the account, set the password, in addition to activating the connect methods. To activate a method, the user must verify possession of the given method, for example verifying an OTP sent to a mobile device. In some cases, activation includes initiating the method, such as linking a hardware token to the user. The complexity of activating an account for the user depends on the security requirements of the customer. After activation, the user can use Signicat Connect and Signicat Sign. Signicat Identity manages identities on behalf of customers, who can use these for authentication or for electronic signatures. The identities are loaded by the customer, or created by a user self-service, using Signicat Assure Management Signicat Identity has management functions for users to add, modify and remove authentication methods. For closed identity-systems (like B2B relationships) Signicat Identity can handle different authorization levels, as well as outsourcing the user administration to the business client. Privacy Signicat will never disclose or share personal information without user consent or justified legal obligations. All data is stored in data centers located in Northern Europe and all access is regulated based on least privilege principle, as well as documented policies and procedures. Page 14 of 20 Copyright Signicat Solutions

15 Other digital identities eid providers eid providers are created by organizations, where the main purpose is to provide establish and manage identities. The identity data is intended for authentication and digital signatures. The identities provided normally have a very high assurance rate, and are often limited to a geographical area (country). Signicat Connect and Signicat Assure offer a number of public eid providers. By integrating with Signicat, the customer will be able to reach multiple providers with one integration (subject to agreements). BankID mobil BankID Buypass Commfides IdPorten BankId Telia NemId EstEID EstEID mobile Tupas FINeID Mobiilivarmenne DNIe Mobile Connect (GSMA) These methods do not require any user storage by Signicat, as each eid provider holds sufficient information to perform the authentication. Signicat Solutions Copyright Page 15 of 20

16 Cloud identities The general cloud identities are issued by a player in the cloud for logging into the specific service, but is also available for others for authentication, and also (to some degree) proofing of a user. The assurance rate is medium to low, but there are no geographic limits. Identity comparison Page 16 of 20 Copyright Signicat Solutions

17 Use cases This section contains a number of use cases, and shows which of the Signicat Components are used in each use-case. One-time Point-of-sales A store and a credit card company are working together to offer users immediate credit when buying expensive equipment. The credit card company wants to make sure that the user is who he or she claims to be, before extending the credit. In this use case, the credit card company will use Signicat Assure to perform the check of the user. The identities may or may not be involved, depending on the options selected. There may for example be a check including social media combined with an ID card check and the use of an eid provider. After the assurance is performed, Signicat will not save any of the user identification data. Online Services Log-In using public eid A customer want to offer login to the online service using one of the eid providers. Signicat Connect uses one of the public eids for authentication. In this way, the customer s users can use any available eid for logging in, and the customer only have to do one integration with Signicat Connect. Outsource user authentication The customer already has a customer base, but want to outsource the authentication to Signicat. The customer transfers all the user data to Signicat Identity, where each user will have to activate their account. When the users are activated, they can use Signicat Connect to log in. As new users are added and removed, the customer will perform the management of the users in Signicat Identity using Web Services interface. Signicat Solutions Copyright Page 17 of 20

18 Outsource user on-boarding Signicat Identity can also be used to on-board new users. In this case, Signicat Assure is used to validate the user s identity, and may include multiple steps. One may for example include existing cloud identities as part of this validation. After user creation and validation, the user may use Signicat Connect to authenticate. Signing using generic digital signatures A customer wants to offer a flexible way of signing documents. Signicat Sign offers the possibility to add digital signatures using any means of authentication. The identity can be for example be stored in Signicat Identity, or social media or eid providers can be used.. Signing using public eid signatures and archiving Signicat Sign can be used directly with the public eid providers, without having to use Signicat Identity. Signicat will interface directly with each of these on behalf of the customer, simplifying integration. This can also be combined with Signicat Preserve to create both time stamped and long-term validation documents, as well as archiving the signed documents, if required. If the customer wants to manage their own archive, Signicat Preserve can still be used for re-sealing, but the management of this must then be done by the customers. Sealing student diplomas A university wants to send out sealed diplomas. This is achieved by Signicat Sign. The student will receive the diploma as a signed PDF (PAdES), which can be sent to employers or other universities, and the authenticity can be verified directly. Page 18 of 20 Copyright Signicat Solutions

19 Terminology AML Customer PAdES Digital identity Electronic seal Electronic signature KYC Non- Repudiation OTP User Anti-money laundering (AML) is a term mainly used in the financial and legal industries to describe the legal controls that require financial institutions and other regulated entities to prevent, detect, and report moneylaundering activities. The term customer is used to indicate the organization that is the Signicat customer. PAdES (PDF Advanced Electronic Signatures) is a set of restrictions and extension to PDF and ISO , making it suitable for electronic signatures, and is according to EU directive 1999/93/EC. Identity of a user, established in a digital context, where face-to-face verification is not practical. Same as an electronic signature, but added without any user interaction, typically using an organizational certificate. Electronic protection of a document with the purpose of providing authenticity, origin and integrity, and assure non-repudiation. Know your customer (KYC) is the process of a business verifying the identity of its clients. The objective of KYC guidelines is to prevent banks from being used, intentionally or unintentionally, by criminal elements for money laundering activities. Non-repudiation is the assurance that someone cannot deny something. In the case of digital signatures, this means that the signer cannot deny having signed the document. A One-Time-Password (OTP) is a random generated password, which is given to the user for example as a text message (SMS), an , a postal letter, by an app on a smartphone, or by a device. When entering the OTP, the user proves that he or she is in possession of the given item. This is typically used as part of a two-step authentication. The term user is used to indicate the end-user, which is the user of a service. The user is the customer of the Signicat customer. Signicat Solutions Copyright Page 19 of 20

20