
Mutual recognition of IDs across borders

When IDs issued by one country are recognized by other countries—whether for face-to-face or online transactions—they become a powerful driver of economic and regional integration, including to promote safe and orderly migration. Importantly, ID systems can be mutually recognized without the need for harmonization into a common system: minimum standards facilitate technical interoperability, and legal and trust frameworks (e.g., for levels of assurance) set the rules and build confidence in each other's systems.

A key use case is migration, through which a physical or digital identity credential can be recognized as a travel document in lieu of a traditional passport. In Latin America, for example, MERCOSUR member States recognize each other’s ID cards (which meet ICAO Doc 9303 standards as machine-readable travel documents) at borders in lieu of a passport, and a similar arrangement exists between Kenya, Rwanda and Uganda in East Africa. The benefit of recognizing cards from foundational ID systems as a travel document—particularly within regional blocs—is that they are more accessible and practical than a passport because people should have one by default, rather than a passport that requires a fee and often can only be applied for in major urban centers.

Another important use case is cross-border electronic transactions as part of the digital economy, which can be facilitated when a digital identity issued by one country is recognized for transactions online in another country. With an increasing number of transactions moving from face-to-face to online, and with the digital economy emerging as a key driver of economic growth, mutual recognition of digital identities between countries can accelerate trade in digital services and products and expand markets. For example, someone could open a bank account, register a business, and electronically sign contracts to trade in another country without ever needing to set foot in that country. The most notable example of this is the EU’s electronic Identification, Authentication and trust Services (eIDAS) regulation, adopted in 2014 and applicable from July 2016 (see Box 42).

Box 42. The European Union electronic Identification, Authentication and trust Services (eIDAS) regulation

eIDAS provides a predictable regulatory environment, standards, and governance mechanisms to enable secure and seamless electronic interactions between businesses, citizens and public authorities in the European Union. It ensures that people and businesses can use their national electronic identification schemes (eIDs) to access public services in other EU countries where eIDs are available. eIDAS also creates a European internal market for electronic Trust Services (eTS) by ensuring that they will work across borders and have the same legal status as traditional paper-based processes. eID and eTS are key enablers for secure cross-border electronic transactions and central building blocks of the European

The eIDAS Network consists of a number of interconnected eIDAS-Nodes, one per participating country, which can either request or provide cross-border authentication. Service Providers (public administrations and private sector organizations) may then connect their services to this network by connecting to the eIDAS node, making these services accessible across borders and allowing them to enjoy the legal recognition brought by eIDAS.

It is the responsibility of each country to:

  1. Implement their eIDAS-Node.

  2. Support the connection of national Identity Providers and Attribute Providers to the eIDAS-Node, thus making their national eID schemes accessible to cross-border online services.

  3. Notify the European Commission of their eID scheme (which could be a national ID or any other functional ID such as a driving license), including its assurance level, to show that it complies with the eIDAS regulation for cross-border services.

  4. Peer review the eID schemes notified by other member countries.

In practice, eIDAS means that people with a digital identity from a scheme notified by a member State to the European Commission can use that digital identity, from any location, to access any online service connected to the eIDAS network. For example, a German can register a business or land in Malta, or an Austrian can open a bank account in France, using the IDs issued by their home country.

Source: EU (2015). See https://www.eid.as/home/ for detailed information on eIDAS regulation and implementation.

Several other regional blocs—notably the African Union (AU), the Economic Community of West African States (ECOWAS), the East African Community (EAC) (see Box 43), and the Association of Southeast Asian Nations (ASEAN)—are now looking at options for mutual recognition of ID credentials across borders. Based on World Bank research, there are three broad potential architectures to facilitate mutual recognition while maintaining national sovereignty and without the need for harmonization:

  1. Web-based. Online authentication using a browser-based federation protocol (SAML or OpenID Connect), in which the person is redirected to the identity provider of their home country to log in; a similar architecture is used under eIDAS.

  2. API-based. Online authentication in which the service provider’s connector calls an authentication API exposed by the identity provider of the person’s home country; a similar architecture is used among some Latin American countries.

  3. Public-private key-based. Offline or online authentication in which the verifier checks the signature on a credential (produced with the issuer’s private key, or with a private key held on the credential’s chip) against the corresponding public key obtained from a trusted directory; a similar architecture is used for the ICAO Public Key Directory (PKD) for electronic passports.
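The third architecture works because the relying party never has to contact the issuing country at verification time: it only needs a trustworthy copy of the issuer's public keys. The Go program below is an added example written for this section, not code from the World Bank, ICAO or any national ID system. It models a minimal public key directory (issuer country and key ID mapped to a public key, plus a revocation list, in the spirit of the signer certificates and revocation lists the ICAO PKD distributes), an issuing authority that signs a credential body with Ed25519, and a verifier in another country that checks the credential offline and rejects tampered, unknown-key, revoked-key and expired credentials. The credential fields, key identifiers and country codes are assumptions for illustration; a real deployment would use the ICAO Doc 9303 data structures and X.509 certificate chains rather than raw Ed25519 keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// CredentialBody is the signed content of an ID credential. The field set is
// an assumption for this example, loosely inspired by an ePassport Document
// Security Object; it is not the ICAO Doc 9303 format.
type CredentialBody struct {
	Issuer  string `json:"issuer"` // country code of the issuing authority
	KeyID   string `json:"kid"`    // which of the issuer's published keys signed it
	Subject string `json:"sub"`    // national identification number
	Name    string `json:"name"`
	Expires int64  `json:"exp"` // Unix seconds
}

// Credential is what a relying party reads from the card or phone.
type Credential struct {
	Body CredentialBody `json:"body"`
	Sig  []byte         `json:"sig"` // Ed25519 signature over canonical(Body)
}

// canonical gives the exact bytes that are signed and verified. Issuer and
// verifier must agree on this encoding; json.Marshal of a fixed struct is
// deterministic because it follows the field order of the type.
func canonical(b CredentialBody) []byte {
	out, _ := json.Marshal(b) // cannot fail for this struct
	return out
}

// Directory is the public key directory (in the spirit of the ICAO PKD, which
// distributes signer certificates and revocation lists). Relying parties sync
// a copy periodically; verification itself needs no network connection.
type Directory struct {
	Keys    map[string]ed25519.PublicKey // "COUNTRY/kid" -> issuer public key
	Revoked map[string]bool              // "COUNTRY/kid" the issuer has withdrawn
}

func NewDirectory() *Directory {
	return &Directory{Keys: map[string]ed25519.PublicKey{}, Revoked: map[string]bool{}}
}

func (d *Directory) Publish(country, kid string, pub ed25519.PublicKey) { d.Keys[country+"/"+kid] = pub }
func (d *Directory) Revoke(country, kid string)                         { d.Revoked[country+"/"+kid] = true }

// Issue runs at the issuing authority of a country; priv never leaves it.
func Issue(priv ed25519.PrivateKey, body CredentialBody) Credential {
	return Credential{Body: body, Sig: ed25519.Sign(priv, canonical(body))}
}

var (
	ErrUnknownKey   = errors.New("issuer/key not in directory")
	ErrRevokedKey   = errors.New("signing key revoked")
	ErrBadSignature = errors.New("signature does not verify")
	ErrExpired      = errors.New("credential expired")
)

// Verify runs at the relying party in another country using only its local
// copy of the directory. Issuer and KeyID are read unauthenticated to select
// a key; every other claim is trusted only after the signature checks out.
func (d *Directory) Verify(c Credential, now time.Time) error {
	ref := c.Body.Issuer + "/" + c.Body.KeyID
	pub, ok := d.Keys[ref]
	if !ok {
		return ErrUnknownKey
	}
	if d.Revoked[ref] {
		return ErrRevokedKey
	}
	if !ed25519.Verify(pub, canonical(c.Body), c.Sig) {
		return ErrBadSignature
	}
	if now.Unix() >= c.Body.Expires {
		return ErrExpired
	}
	return nil
}

func main() {
	dir := NewDirectory() // Country A's synced copy of the directory
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	dir.Publish("B", "b-2024-01", pubB)
	now := time.Now()
	body := CredentialBody{Issuer: "B", KeyID: "b-2024-01", Subject: "1234567", Name: "A. Person", Expires: now.Add(24 * time.Hour).Unix()}
	cred := Issue(privB, body)
	fmt.Println("genuine:", dir.Verify(cred, now))
	forged := cred
	forged.Body.Name = "Someone Else" // altered after issuance
	fmt.Println("tampered:", dir.Verify(forged, now))
	dir.Revoke("B", "b-2024-01")
	fmt.Println("after revocation:", dir.Verify(cred, now))
}
```

Two design points matter in practice. First, the key lookup is driven by untrusted fields (Issuer, KeyID) from the credential itself, which is fine only because nothing else in the body is acted on until the signature verifies against the key the directory holds for that issuer; a forged credential naming a real issuer simply fails the signature check. Second, the directory is useless without revocation: a country whose signing key leaks must be able to withdraw it, and relying parties must refresh their copy often enough for that withdrawal to take effect.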

The architecture and workflows of these three options are illustrated below in Figure 33, Figure 34, and Figure 35.

Figure 33. Web-based mutual recognition—example architecture and workflows

Authentication flow:

  1. Person from Country B requests access to a service on a browser through the service provider’s website in Country A (any location, any device).

  2. The service provider’s website sends the request to its own Connector (A).

  3. Connector A asks the person for their country of origin, if not already provided.

  4. The request is forwarded to the Proxy Service of Country B.

  5. Proxy Service B sends the request to Identity Provider B for authentication (the person’s browser is redirected to the identity provider’s login page).

  6. The person logs in.

  7. Once authenticated, a response is returned to Proxy Service B.

  8. Proxy Service B sends a SAML assertion to the requesting Connector A, which forwards this response to the service provider (the person’s browser is redirected to the service provider’s website).

  9. The service provider grants access to the person.

Prerequisites:

  • Internet connectivity

  • Federation protocol implementation—SAML or OpenID Connect server (eIDAS-Node)

  • Web portal for user authentication, provided by the identity provider

  • Digital literacy: people must be able to authenticate on a website using a password, OTP, PIN or FIDO authenticator
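Step 8 is where the security of the web-based flow is decided: Connector A must not forward the assertion to the service provider until it has confirmed that the response is the one it asked for. The Go program below is an added example for this section, not code from eIDAS-Node or any national connector. It shows the checks a connector should make on the returned assertion: that it was issued by the country the person named in step 3, signed with that country's proxy key as exchanged in metadata, addressed to this connector, still within its validity window, at or above the level of assurance the service requires, and bound to an outstanding request that is consumed on use so the same assertion cannot be replayed. The assertion fields are modelled on SAML's Issuer, Audience and InResponseTo elements but are JSON signed with Ed25519 rather than XML-DSig; field names, country codes and the use of the eIDAS assurance levels low/substantial/high as ranked labels are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is the response Proxy Service B returns to Connector A in step 8.
// Field names are assumptions modelled on SAML's Issuer, Audience, InResponseTo and Conditions.
type Assertion struct {
	Issuer       string `json:"issuer"`         // country code of the proxy service
	Audience     string `json:"aud"`            // connector the assertion is addressed to
	InResponseTo string `json:"in_response_to"` // ID of the request sent in step 4
	Subject      string `json:"sub"`            // cross-border identifier of the person
	LoA          string `json:"loa"`            // "low", "substantial" or "high"
	NotOnOrAfter int64  `json:"exp"`            // Unix seconds
}

// SignedAssertion is an Assertion plus the proxy's Ed25519 signature over its JSON encoding.
type SignedAssertion struct {
	Assertion Assertion `json:"assertion"`
	Sig       []byte    `json:"sig"`
}

func payload(a Assertion) []byte { b, _ := json.Marshal(a); return b }

// SignAssertion runs at Proxy Service B once the person has logged in (step 7).
func SignAssertion(priv ed25519.PrivateKey, a Assertion) SignedAssertion {
	return SignedAssertion{Assertion: a, Sig: ed25519.Sign(priv, payload(a))}
}

var loaRank = map[string]int{"low": 1, "substantial": 2, "high": 3}

// PendingRequest is what Connector A remembers when it forwards a request (step 4).
type PendingRequest struct {
	Country     string // country of origin the person gave in step 3
	RequiredLoA string // minimum level the service provider asked for
}

// Connector is Country A's connector and its trust configuration.
type Connector struct {
	ID      string
	Proxies map[string]ed25519.PublicKey // country -> proxy signing key, from exchanged metadata
	Pending map[string]PendingRequest    // request ID -> context; single use
	Skew    time.Duration                // tolerated clock difference between nodes
}

var (
	ErrUnknownRequest = errors.New("no outstanding request with that ID")
	ErrWrongCountry   = errors.New("issued by a different country than the request went to")
	ErrBadSignature   = errors.New("no trusted key for issuer, or signature invalid")
	ErrWrongAudience  = errors.New("not addressed to this connector")
	ErrExpired        = errors.New("assertion expired")
	ErrLoATooLow      = errors.New("level of assurance below what the service requires")
)

// Accept performs Connector A's checks before it forwards the response (step 8).
// On success it returns the subject and consumes the pending request, so a replay is rejected.
func (c *Connector) Accept(sa SignedAssertion, now time.Time) (string, error) {
	a := sa.Assertion
	req, ok := c.Pending[a.InResponseTo]
	if !ok {
		return "", ErrUnknownRequest
	}
	if a.Issuer != req.Country {
		return "", ErrWrongCountry // a valid key of country C must not answer for country B
	}
	if pub, ok := c.Proxies[a.Issuer]; !ok || !ed25519.Verify(pub, payload(a), sa.Sig) {
		return "", ErrBadSignature
	}
	if a.Audience != c.ID {
		return "", ErrWrongAudience // issued for some other connector
	}
	if now.Add(-c.Skew).Unix() >= a.NotOnOrAfter {
		return "", ErrExpired
	}
	if loaRank[a.LoA] == 0 || loaRank[a.LoA] < loaRank[req.RequiredLoA] {
		return "", ErrLoATooLow
	}
	delete(c.Pending, a.InResponseTo)
	return a.Subject, nil
}

func main() {
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	c := &Connector{ID: "connector-A", Proxies: map[string]ed25519.PublicKey{"B": pubB}, Skew: 30 * time.Second,
		Pending: map[string]PendingRequest{"req-1": {Country: "B", RequiredLoA: "substantial"}}}
	a := Assertion{Issuer: "B", Audience: "connector-A", InResponseTo: "req-1", Subject: "B/1234567", LoA: "high", NotOnOrAfter: now.Unix() + 300}
	sub, err := c.Accept(SignAssertion(privB, a), now)
	fmt.Println("first use:", sub, err)
	_, err = c.Accept(SignAssertion(privB, a), now)
	fmt.Println("replay:", err)
}
```

The country check is the one most easily forgotten: every proxy service in the network holds a key the connector trusts, so without it a compromised or misbehaving node in country C could answer a request the connector sent to country B. Binding the response to the outstanding request (and deleting that request once used) is what turns a signed assertion into a one-time answer to this connector's question rather than a bearer token that could be captured and replayed.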

Figure 34. API-based mutual recognition—example architecture and workflows

Authentication flow:

  1. Person from Country B provides their country name, identification number and credential (e.g., fingerprint or OTP) to the service provider in Country A.

  2. The service provider sends the request to its Connector (A).

  3. Connector A sends the request to the Identity Provider of Country B.

  4. Identity Provider B authenticates the person and sends the response to Connector A.

  5. Connector A forwards the response to the service provider.

  6. The service provider grants access to the person.

Prerequisites:

  • Internet connectivity

  • Authentication API, provided by the identity provider

  • A connector component to route requests to the identity provider of the respective country

  • In-person authentication (e.g., biometrics, OTP, PIN)

Figure 35. Offline mutual recognition—example architecture and workflows