Event Recording

The Blueprint for a Cyber-Safe Society: How Denmark provided eIDs to citizens and business


Log in and watch the full video!

Implementing digital solutions enabling only using validated digital identities as the foundation for all other IAM and cybersecurity measures is the prerequisite to establish an agile ecosystem of commerce and corporation governed by security, protection, management of threats and ultimately trust. 

For more than 15 years, Denmark has provided public access to eID. 3. generation is now available delivering one unified system giving both citizens, employees, public authorities, and businesses easy access to solely accepting and using validated digital identities. Ensuring compliance within the framework of eIDAS and ultimately NIS2.

Bjarke Alling - current member and prior co-chair of the Danish National Cyber Security Council, founder and Group Director of the IT cybersecurity software company Liga, and a key contributor to the development of the Danish eID solution, will share insights into the solution and put it into a broader broader-crossing perspective.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Register  
Subscribe to become a client
Choose a package  
Yeah, and welcome everyone. See a few one day in there. So you would know it already. For those of you that do not know, just your demonstrate on here. Yeah. I'm b galling. I'm a member of the Danish National Cybersecurity Council. I were prior chair also of this council. I think we saw yesterday a story on the German way that is being put together. I think the Danish one has made it a little bit different, adding in also the private sector and that position as chair, it's, it's kind of, you know, you have a, you have a term and then you change that position to someone else in the industry. So it's kind of mixing around. So we attend members from the private sector and 10 members from the public sector right now in, in that council. Besides that also, I've been a long term member in the Dan IT Business Association and worked in the various ways there, especially on IT security for years.
As also I'm in the, the board of the new certification system, which is actually, I think one of the first ones in Europe that is looking specifically on businesses way of handling a responsible data, IT security. It's a seal that you can obtain and by that show to your customers that you take cybersecurity seriously. And finally, also I work as in my kind of day-to-day work as group director of the business of legal in which where we work with software. So let's jump into the Dan Z I D and the story on what I'm here to talk to you about today. So the Danish service is something that we have had since 2003. It's a, right now we are in the position and the process of implementing the search generation and the, the thing, and which is important, why it has and will come also to the reasoning why become successful.
It's, it's a low cost, it's actually free of chances for citizens and it has comes at a very low cost for businesses. So there's a, you know, a great motivation for, for doing that. It's also for, for the citizens and for the businesses. It's, it's for everyone that is more than 15 years old, actually. You can even get them if, if you are younger than that. But that's a special version for, for banking access. But mostly for everyone that is more than 15 years. They can, they can using this, we have and will come to some of the use cases in, in a few minutes. So they are, you know, multiple use cases. Authentication as well as the qualified digital signing service, which is also obviously a, a very crucial part of, of any ID service. We also are facing, that's the search generation of the I compliance.
So it will move into the substantial and it will also move it in next year coming into level level high. Right now there are, I think that was even an old number, about 1.1 billion transactions a year using this year id, and we have a, I think numbers of users, five, 5.4 million and they will say, okay, what are the difference in, in the total, in the total population? They are, you know, as probably the ones that are beyond the 15, below the 15 years. So that's kind of the, the baseline of where we are right now. And we are looking at saying, okay, we are in a cybersecurity context. We have to understand that there's a risk, there's a challenge. And I say, you know, if we don't act, others will act on our behalf or against our interest. I think that's the challenge we are facing.
I think I also mentioned that on, on the panel discussion yesterday. You know, not doing something is not necessarily, you know, it causes us problems. We will have to act proactively to become more resilient. I think now with today, this track is about resilience and, and, and being resilient. And resilient is, is a combination of multiple things. But one thing is that we are aware of a risk and we act on the risk even though that we cannot necessarily, you know, pinpoint it in, in in financial numbers. So it's more than just traffic lighting discussions. So I think when, when we look at the challenge, I think you, you know, and probably some, most of you already are familiar with the kind of these numbers, 80% of breaches released to, to bad passwords. 250, 260 $5 billion in ransomware damage by Forester in 2031. You have the links here.
And also as I mentioned yesterday, we are lacking huge numbers of, of people in as experts just in the eu. This is in European Union number saying 200,000 people is literally something we need to have. So we have some, some challenges ahead. This is just one simple example of how the e i d services is protecting the Dan's financial sector. I think it, it's, it might be, but in the first half year 2021, the banks prevented frauds of about 25 million euros being stolen from, which is more than 60% of the fraud attempts this graph. And there's a lot of more statistics on that. I think for you, for those of you that that has an interest in, in understanding what these E I D does and the way it works. I will also explain that the ED services is part of the banking sector. So because we have had that system, we have been avoiding, you know, a tremendous growth in fraud on online banking, especially for the Covid period.
So what are the blueprint for validated digital identities? How can we think about that in, in, in a broader context? That's more or less the, the point here. So looking at the Danish model, let's just click one further through here just explaining a little bit. So from the prior version in Denmark, we had the version two. Now moving as a set to version three, we have a nice functionality, but it's not a future proof. It's expensive, complex, complex, complicated to develop and it consists of two different systems. So in Denmark we have hat coming back also to the prevention of fraud. We have a private sector, we have a public sector, we have one company in the middle that's been running this service on behalf of a contract from the finance sector and from the, and from the public authorities. It has kind of, you know, spinned out in, in, in many many ways.
So you have service provide us acting on the private sector, we have service providers acting on the public sector. It's simply just gone too complicated. So what we have done now in Denmark is make one system more future proof, easy to develop one unified system. So you have this, what they call mid id. Mid ID more or let's say is my, my my id. So this is the ID that every single citizen is, is getting, as I said, from year 15 and onwards. But that's also what every single business is getting. So every single business that has a v t number I able Ella will get access to, to digital service. And around that we have a range of different brokers. So you have some brokers serving the financial sector, you have some brokers that serves more or less everything. So if you sign up for, let's say for a lease agreement on an apartment with a, with a a real estate company, you can sign that digital, they will put it out, they will use their business ID and you will use your own ID and you can sign that. So that's kind of the architecture that we have today. So one unified identity that is then just spoiling out in, in, in, in these different, in these different directions.
So looking at what kind of, where, I think it's is always an ongoing discussion in different countries. Some countries are choosing smart cards, others are choosing different. I just wanna give you a small glimpse into the way that we have done that, which is being done. So all end users must have use e d and choose one of the following identification means. So we have obviously, I think I would be weird not having an app today. So, but it still maintain this code display for many reason. The, the app here, which is I think everyone that has tried to change phone has realized that well, you know, do not delete your old phone until you have migrated your identities to the new phone because things are not necessarily easy migrated. This is just not a piece of data that you just copy from one phone to another.
So the ID here is tight, very, you know, closely to the cryptographic modules that is inside the phone. So yeah, be aware of that on, otherwise you will literally lock yourself out of, out of the room. And then, yeah, then it starts to be complicated but not, not necessarily everyone has a smartphone. So you have this option, you have even a, we can always discuss on the chip, but, but it's actually just U2 F chip, that's not even a 5 0 2 chip right now. But we'll see where that goes. And finally, for people with different conditions, a hearing problem, you know, visibility impaired, they can get a special code reader. Also, this one here is able to read the numbers and you can type that on a BRI p and you can do other things for serving this kind of population. So the point here is that it's kind of been thought through on, on all the various parts of, of where you can identify yourself in, in a secure way. And, and obviously this one here is, I don't know by, by the number, but I think I would, I wouldn't be wrong saying a 90% whatever. Some somehow, I know I heard the numbers that they have acquired less than 10,000 of these. So back to the four, 5.4 million, then you can easily calculate, I think this use case here is, is is not that much. Well so I'm, I'm one of them. Of course I ordered one of those.
Anyhow. So what are the use cases for this? E i service any tax system as I look at this from a citizen point of view now as, as a regular citizen. So I can use it from my, my taxing, I can use it for the legal systems of various kinds. I can use it for financial system as I mentioned the, the banking sector make payments, accessing my account change, et cetera, etcetera. Healthcare systems, education system and much, much more. As an example, I can actually log into my phone company using my e I d and change my subscription plan or whatever I wanna do or just check my, whatever is on my, my phone bill. I, I can do it with my electrical company, my electrical supplier or as we do today also looking at our natural gas supplier. That's, that's one of the ones that I suddenly start studying.
Unfortunately they only two metering one, one time per year while the electrical bill is, you know, I dunno how that is, but that's, monitor it more carefully so you can at least see that. So 500 or plus systems, it's enormous amount of system. I think that's even a small number. I guess it is even bigger coming to the businesses. I think this is where this use case also be doing in the resilient society is interesting. So again, public tax and VHC systems, I think it it, I probably in many, many countries you have digital reporting of your vhc, this kind of service, but also for tax and for others some financial systems. It's been a long term debate. I think we will see now an approved e I D system coming from this version two to the version three, which also would encourage the banks to even further use this because the validation of the onboarding process has been enriched and become more strong public mail system. Say, what the heck is that? Well that's about that you as a company, you receive your mail not physically by the postman, but going to a Porwal and you download your mail from there. That's a case that was invented was that 10 years ago developed into also version. So, so that's the way it works.
Mail encryption, you can use it for if, if you want. So you can actually get certificates. It's about free euro for getting a certificate that you can use that is worldwide trusted. I think it's compared to commercial certificate systems, it's it's, it's a quite aggressive price. Digital signing and again, much, much more. And I think the, yeah, we will see new use cases coming. And this is exactly where I think this is, this is so interesting. E i d validation of employees. It's a part of this onboarding system today that you do this e i d validation. At the end of the day we can talk about kyx because we can use that also as, as to me as just before here talked about that you also you for your third party. So you have the option now, you know, working with your suppliers, the truck drivers, the intermediate people coming doing stuff, you, you can use that in many, many ways to to make that IT validation. Yeah, smaller things like password reset authentication. But even that saying, I had that discussion with some people from from Elastic yesterday are saying, you know, what do you do if you wanna go passwordless then we have always have the discussion, okay, what do you do if you lose that phone or you use your device? How do you kind of come back? So suddenly we have actually a system here that is also passwordless that you can make a fallback option two.
So last year in 2021 we made this report here with, with co coal and it says a compelling way to enable business to continue smoothly while adding additional security to the onboarding and lifecycle management of identities to leverage a network of trusted identities by utilizing the AI desk framework that is already in place and operational. If private sector use organized organizations can pull from a pool of verified densities when onboarding, validate the identity data of the employee contract partner, et cetera, and active and issued by the correct source and enroll strong authentication tokens for continued use. So that report you can find on co Nicole's website, you can download it from there. You can actually also download it from from our business website. But just give you a glimpse that this is something worth considering when you wanna build a resilient infrastructure that there is tools out there in which we can inherit trust.
So this more video just show you how simple actually and the validation process can be conducted in this case here it text messages sends to a user's phone. The user answers a pin code, sorry, their username, which obviously they need to know in advance. They use their media id. That's how the app looks like. And now this is a sample so we'll just repeat itself, but more or less just show you how it actually, how easy it can be conducted. So saying you have a contractor, you have someone, service person that wanna insert your facilities, need a temporary access, you know I need to run an ID validation for you, base data is inside the system, please go there, do that on your phone, click next, next done. It is actually completed in, I don't know, 30 seconds, 60 seconds.
So those are the things that we see as an option. Looking at, I will say steps to embark on the path for a more secure future. The first thing is to establish your foundation. So validated digital identities is the foundation of all other cybersecurity measures. The fundamental factor determining the eness and efficiency of everything else. That's the position that I have saying, you know, it really doesn't make sense to put up a very efficient system with high degree of authentication controls if the access to the base system is opened and, and and simple. So it's kind of, we have to address that at the first point. It also gives you an advance that if you have validated identities, it's very easy to filter through let's say 5,000, 10,000 users. Because you know, you would, let's say the 5,000 users, you would know that if 4,800 they are validated, they are validated against an identity in which we trust. So you have a rest of 200, what are they? Are they, you know, should they have been deleted, duplicated, et cetera or that just one single fraudster we were searching for implement across cyber criminals don't care which way to enter validated digital identities must be the only singular author authorized way to identify and gain access across user groups, services and devices. The point here is I see that, I mean that we have the discussion, we only do authentic validations on the important people, but some of the other ones they continue with the username password
Say,
Why is that? It doesn't matter if we are in the balloon, the needle goes in as soon as you inside that network and lateral movement, et cetera, cetera. Everyone can, can easily calculate how, how that disaster can happen. So you know, you need to implement that across all your organization and all means all establishing a secure digital infrastructure with an end to end implementation of validate digital identities requires a shared understanding of the gravity and needed actions. This applies to everyone regardless of position and affiliation. That's exactly my point. That is actually out there. Depending on the country here, at least in Europe you are, you can go back and you can start using that in Sweden with the bank ID and the d d ID and the Netherlands even. And I know now we in Germany person wise, which yeah,
Five
People, maybe three or five. But I, I at least I heard a little bit numbers about the house vice fire app, which is growing. Okay. So, but you can always invite PSI to, to speak about to speak about that. So at the end of the day, this is my 20 minutes or 19. So thank you everyone for listening in and I hopefully inspired you to go and use the EIDS that is available.
Yes, thank you. B please raise your hands. I think Truman is a bit drey, so, so I think what helps a lot about Truman Eid D function is that not even me is using it and I think I should be one of the first who should be attracted by it. And I'm definitely not attracted but the opposite. But it's a different story. We can talk long about it I think, nor definitely in some other countries to the better Trump and death than the Germans.
I, I know that the German government
Only very little time for questions for ones I have here, I would grab one, which is what about people from other countries that reside in Denmark or need to Danish government services.
If you are,
I would buy a second home in Denmark.
Everyone that has living in Denmark can obtain a mid can get that. So it, it's, there's a process for that. You, you will apply for the citizen service at local municipality and there you will go through depending on from where you come, there's a validation process and in many cases with the IDAs framework, you can also use potentially the identity from the country in which you already come. So if you have a national identity that is the IDAs compliant, then you can actually rely on that and obtain the media. Okay. Okay. Thank you again.

Stay Connected

KuppingerCole on social media

Related Videos

Video

Recap Cybersecurity Leadership Summit 2022

Analyst Chat

Analyst Chat #152: How to Measure a Market

Research Analyst Marina Iantorno works on determining market sizing data as a service for vendors, service providers, but especially for investors. She joins Matthias to explain key terms and metrics and how this information can be leveraged for a variety of decision-making processes.

Interview

Key Findings on Malign Information, Misinformation, and Cyberattacks

Ksenia Iliuk, Head of Research at Detector Media, Ukraine tells us about some key findings of their research in the media landscape of Ukraine. Find out what she has to say about Telegram and what it has to do with #cybersecurity .

Analyst Chat

Analyst Chat #149: The Top 5 Cybersecurity Trends - Looking Back at CSLS 2022

Deep Fakes, AI as friend and foe, Business Resilience, Mis-, Dis- and Malinformation: The Cybersecurity Leadership Summit has taken place in Berlin and covered all of this and much more. Martin Kuppinger and Matthias look back on the event and identify their Top 5 Trends from CSLS2022 in…

Event Recording

Assessing your Cybersecurity Tools Portfolio: Optimize Cost, Increase Security

Most organizations don’t suffer from a lack of cybersecurity tools. They suffer from the cost and administrative burden of running too many of these. They suffer from the lack of integration. They suffer from the lack of skills in optimally configuring the tools and analyzing the…

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00