Credential Issuing

For people to use their credentials, they must first receive them. In some cases—such as user names, ID numbers, PKI-enabled SIM cards, and some non-smart cards—these could be issued instantly during registration and given to the user on the spot (or virtually via email) if identity proofing (including deduplication) can be carried out live. In other cases, credential issuing may take time or be done at a different location than registration, requiring a separate system of personalization, storage, and distribution. Depending on the method of issuance, a long lag between registration and credential issuance increases the chances that the person moves to another address and thus creates challenges in ensuring that the right person receives the right credential.

The process for credential issuing is therefore important for the inclusivity and utility of the system, as well as its ability to guard against identity theft, fraud, and impersonation. Practitioners must decide how to personalize credentials—i.e., print, engrave, and/or encode them with information for each person—and distribute them in a way that

  • Is cost-effective and technically feasible for the ID provider

  • Is convenient for people

  • Ensures that the true owners maintain total control over their own credentials

For physical credentials such as cards, there may be some instances when it is possible to issue these “on-the-spot” immediately after a successful registration, and before the person leaves the registration point. This is the most user-friendly scenario, as people will not need to wait for the credential or make subsequent trips to collect it. Furthermore, it reduces the risk of the person not receiving it by post or other means and can increase integrity by ensuring that the person who collects the card is the original applicant. At the same time, on-the-spot issuing requires the ability to complete all identity proofing and deduplication processes in real time, which necessitates connectivity, a robust core system, possibly live links to other systems, and sufficiently trained and skilled frontline staff to manually adjudicate issues (e.g., matches detected during deduplication). It also requires the equipment to personalize cards or other credentials. If a country is issuing smartcards, data can also be encoded locally (e.g., as in Thailand). However, on-the-spot issuance may be infeasible for certain card materials and security features that require larger or more specialized equipment. A significant risk with on-the-spot issuance is controlling the stock of pre-personalized cards: if blank cards are lost or stolen, they could be used to forge credentials on genuine card stock.

Where the identity proofing process cannot be completed in real time, or where credentials cannot be personalized at the point of registration, there will need to be a distribution mechanism that allows people to securely collect their credentials at a later date. Delayed collection can be done through one or a combination of the following channels:

  • Pick-up points: People may be required to return to a pick-up point (e.g., where they registered or other locations) in order to collect their credentials at a later date, which could be predetermined (e.g., after 15 days) or notified when it is ready (e.g., by SMS or email) following identity proofing. There are two options for personalization: (1) credentials are personalized on-demand at the pick-up point or (2) they are personalized centrally and distributed to pick-up points. The feasibility of on-demand personalization depends on the material and features of the credentials and the capabilities at pick-up points (e.g., internet connectivity, electricity, and space), and requires a personalization machine and, for cards, a stock of pre-personalized cards that is available on site (and securely managed). Certain specialized cards may require larger and/or more expensive personalization machines (e.g., for laser engraving), which means that these need to be personalized centrally (or at several different locations in the country) and then distributed to pick-up points. It may also be preferable (e.g., to reduce the security risks of card distribution, or during the very high demand in a short period that accompanies an initial mass registration) to do centralized personalization. However, in many countries, this has resulted in local offices with a backlog of cards that are never claimed. Therefore, if on-demand distribution can be implemented, this is often the best approach. For integrity reasons, card collection should require some method of authentication in order to bind the person to the credential.

  • Mail delivery: Credentials can also be personalized centrally or at several decentralized locations (e.g., regions or provinces) and delivered to applicants by post (e.g., as done in India). This is typically a more user-friendly option than office visits; however, it requires a context with a strong postal system and one where people have addresses (or local post offices know the population well enough to facilitate delivery). Countries considering this approach should consider how quickly they can complete the identity proofing process—and, for cards, also the personalization process—because the longer it takes for a credential to be distributed, the greater the risk that the applicant will have a new address. Mail delivery has the added benefit that, in systems where address is a collected attribute, people are more likely to give correct addresses if these will be used to send them the card. However, this method of distribution is less secure, as mail can be tampered with and intercepted, and it involves additional actors in what is already a complex process. Furthermore, it may require some form of remote (online) authentication to activate the identity and credential or for the holder to confirm receipt. During the initial mass registration, the scale of credentials to be distributed can potentially place a strain on the standard postal system, so countries should be prepared for backlogs or to augment the capacity of the postal system. Because postal services are typically public entities and benefit from economies of scale, they could potentially negotiate marginal prices for the distribution of credentials. An alternative or complementary approach is to use the services of courier companies. Irrespective of the service provider or approach, ID agencies should ensure that relevant legal agreements are in place with performance standards, dispute resolution protocols, and clarity on respective roles and responsibilities.

  • Mobile units: Certain countries (e.g., Indonesia, Malaysia, Peru, and Thailand) have mobile registration and/or credential distribution units (e.g., one-stop-shops) that periodically or on demand travel to remote communities and to the residences of elderly people and people with disabilities who may face challenges accessing the two approaches above. Peru, for example, has boats to reach remote populations in the Amazon. Malaysia and Thailand bring card personalization equipment with them, so that the card can be personalized on-the-spot if the person has already been identity proofed or deduplicated and their identity can be authenticated. Mobile units can be used to supplement office visits or mail delivery to difficult-to-reach and vulnerable populations. As with office visits, this requires some method of authentication to ensure the identity of the person collecting the credential.

Importantly, delivery mechanisms should reduce barriers to collection as much as possible in order to facilitate inclusion. For example, by adopting several of the above approaches, countries can give people a choice, when they register, of how they want their credential delivered. Exclusion mitigation should also involve measures to reduce the indirect costs of collecting a credential, such as the ability to choose between multiple distribution channels, outreach to specific groups, and allowing people flexibility in where and when they are able to collect credentials. In addition, first credentials should be free of charge. Any delayed issuance process must also include notifications, procedures, systems, and grievance redress mechanisms to handle situations when a credential is lost at some point in the process.