Digital identity players are gradually getting their act together and the European regulatory framework is becoming more structured. Here is a close-up on a market that is gaining in maturity.

FranceConnect, which has been adopted by nearly 40 million French citizens and now represents 1,500 service providers, launched FranceConnect+ a few months ago. The objective of this new offer is to integrate online services that spare citizens from having to travel in person to prove their identity when carrying out a procedure. It also allows access to services that process sensitive data, such as health data.

« FranceConnect+, a new identity federator, is currently offering to use the digital identity of the French Post Office, the first digital identity to be certified at a substantial level by Anssi. Soon, we will also offer the ARIADNEXT YRIS digital identity, » said Stéphane Mavel, Business Development Manager at FranceConnect.

The “France Identité” application currently in test phase

Another news item mentioned: the France Identité application, which is currently in a test phase. If a citizen is in possession of the new electronic identity card and a phone with an NFC chip, he or she will soon be able to test this application, which will allow authentication with online services linked to FranceConnect.

A decree published in the Journal Officiel on April 27 defines the regulatory framework for this SGIN (« Service de garantie de l’identité numérique »), designed to provide a secure means of access to online services using the FranceConnect identification solution, such as the Ameli account, tax records, social welfare, etc.

« The France Identité application is a very interesting initiative. It’s a very good combination of smart cards, which ensure security, and the cell phone, which is a device you always have with you, » notes Yann Haguet, EVP Identity at IN Groupe.

Anssi fully plays its role as a control body

In the context of this proliferation of innovations, Anssi is fully playing its role as the French digital identity watchdog. « Under the eIDAS regulation, Anssi is a control body. One of our missions is to evaluate and certify the compliance of digital identities deployed in France against a set of requirements. For example, today we have assessed the digital identity of the La Poste group at a substantial level. And we will be asked to evaluate the digital identity proposed by the France Identité program at the substantial level, » says Hugo Mania, SVP Deputy Head of BDS, at Anssi.

Anssi has two requirement repositories. The first one is the repository on electronic identification means. The second is the PVID standard, which concerns remote identity verification providers. Its purpose is to provide confidence, particularly in the banking context (fight against money laundering and terrorism financing).

Another control body at the French level is the Cnil, which also keeps a close eye on the situation. It has issued a favorable opinion on the France Identité application. « The Commission welcomes this project, noting that it is the result of extensive discussions with the ministry and that it allows the development of a high-level digital identity that respects the privacy of users, » states the France Identité website.

The decree of April 27, 2022 repeals the previous means of electronic identification called Certified Online Authentication on Mobile (Alicem), which was finally abandoned because it used facial recognition. « The CNIL is in favor of having a digital identity. On the previous system (Alicem), the Cnil had made a number of remarks and reservations. On this new system, which was the result of long discussions between the Ministry and the Cnil, the Cnil has issued an opinion welcoming the system as it is presented today. The system is indeed more intuitive, it is based on the process of issuing secure identity cards, it no longer includes biometrics, so it is a little more “frugal” in terms of personal data, » analyses Armand Heslot, Head of the Cnil’s technological expertise department.

eIDAS: towards the creation of a « V2 »

At the European level, 2022 is a pivotal year: it marks a milestone in the creation of the European digital identity, which will facilitate and secure the daily actions of hundreds of millions of people and businesses. In cooperation with their industry partners, the 27 EU Member States and the European Commission are defining the regulatory framework and the technical toolbox to deploy the new digital identity by 2025.

It should be recalled that the 2014 eIDAS regulation was the first identity legislation introducing common standards for electronic identity in Europe, allowing for mutual recognition of that identity across the Union. However, the implementation of eIDAS has been mixed, with clear differences between countries. The European Commission’s evaluation has highlighted the need to modify the eIDAS regulation. Therefore, a revision (V2) is underway.

The European Commission is also working on a second technical foundation, with the definition of a « toolbox » ensuring the deployment of viable, sustainable solutions that respect fundamental European values, namely: better protected personal data, interoperable solutions according to international standards, and access for all citizens.

The eIDAS v2 framework is open to all EU countries as well as to businesses, with the addition of the possibility of access from cell phones and applications. Under the new regulation, individuals and companies will be able to link their national digital identity to proof of other attributes or certificates. Wallets incorporating this identity will come from public authorities or private organizations recognized by the Member States.

In terms of digital identity, there are still many uses to be imagined, particularly in the health sector, education or virtual worlds such as the metaverse. « The cornerstone of many digital innovations is based on identities, and if the identity guarantee is not present, we can quickly be confronted with usurpations. We are in an era where, on the European wallet for example, we are talking about attributes, which is a very good thing, but we need to be able to rely on a guaranteed identity, » concludes Stéphane Mavel, Business Development Manager at FranceConnect.
