I’ve seen many approaches for strong authentication – most of them are either too expensive, too complicated, or they aren’t really appealing. The latter is true for approaches like “passfaces” have to pick one or some known faces from different pictures. Many approaches are complicated to deliver. And many of the token-based approaches are complex from a logistics perspective and are expensive. However, many of these approaches and especially combinations of for example hardware tokens and soft-tokens will work for many use cases.

But there are other approaches which are interesting as well. One which looks pretty interesting is GrIDsure, provided by an UK vendor and implemented by several OEMs right now. The idea is to provide a grid of numbers and to define a pattern within this grid per user. One user might decide on picking the numbers in the corners, clockwise. The next one might pick numbers from the second line from the right to the left. Even a relatively small grid allows for many different combinations. And due to the fact that the numbers within the grid change every time, there is a very high number of changing PINs which then can be entered. The concept is easy to understand, doesn’t require additional hardware and works with any type of device with a display.

Despite being really reluctant when a new vendor appears and likes to tell me that he has found the solution for strong authentication, the conversation with GrIDsure was definitely interesting. At least interesting enough to cover it in my blog and to do further research on that solution.

OK, everyone has used that claim “yes we can” right now. But it fit’s pretty well to the German project ePA (Elektronischer Personalausweis) which is one amongst several projects in different European countries for a new type of personal identification card. It’s not an ePassport but an personal identification card – you have to have the latter in Germany, you can obtain the first if you require it for international travel.

In contrast to some other countries like the USA and the United Kingdom, a personal ID card is mandatory in Germany. Currently it is an “old-school” type of printed document. The ePA will replace this with an electronic ID card which will be issued by the German state -  using the same deployment mechanism with the so called “Meldeämter”, e.g. registration offices (local offices run by cities where every address change and so on has to be registred). Thus there is a personal identification included when requesting and deploying the ID card.

For a long time I have been a little sceptical regarding German eGovernment initiatives. Many of the didn’t convince me, either due to their obvious lacks of identity management (like in the area of tax declarations with the ridiculous ELSTER project) or because there was far too much ideology in (Linux vs. Microsoft). But the ePA proves that Germany is able to really run a leading-edge project not only in the manufacturing industry, but as well in eGovernment.

The ePA supports different use cases, from the identification at border controls, the police, and in other situations up to several public use cases. The interesting point is that these use cases will then be supported by a strong authentication, based on the ePA and readers for that ID card. It will be possible, to give an example, to provide age verification – while enforcing the concept of “minimal disclosure”. For example, the answer might be “yes” when asking for age verification above 18 years instead of supplying the full birth date. The ePA will as well provide the capability to store the qualified electronic signature which can be used to sign contracts and official documents as well in the private as governmental use.

All these features are implemented in a well-thought way, based on distributed stores on the ID card. And they are backed by valid business models as well for providers of digital certificates (qualified electronic signature) as for relying parties, e.g. service providers which plan to support the ePA as a means for strong authentication, age verification, or other purposes.

For sure there are still some open questions: What about foreigners (there will be interoperability, there will be other solutions)? How long will it take for the critical mass (the old ID card has a validity of ten years thus replacement will take some time)? How about integration with concepts like Information Cards (some companies are working on that)? But despite open questions, the concept of the ePA is a promising one which might as well support eGovernment concepts as the strong authentication for private use cases. I expect that we’ll see a lot of interesting use cases and applications around ePA soon – and some things you might learn as well at our European Identity Conference 2009 in Munich.