Mutual recognition of IDs across borders

When IDs issued by one country are recognized by other countries—whether for face-to-face or online transactions—they become a powerful driver of economic and regional integration, including to promote safe and orderly migration. Importantly, ID systems can be mutually recognized without the need for harmonization into a common system, through the use of minimum standards to facilitate interoperability and of legal and trust frameworks (e.g., for levels of assurance) to set rules and build confidence in the respective systems.

A key use case is migration, through which a physical or digital identity credential can be recognized as a travel document in lieu of a traditional passport. In Latin America, for example, MERCOSUR member States recognize each other’s ID cards (which meet ICAO Doc 9303 standards as machine-readable travel documents) at borders in lieu of a passport, and a similar arrangement exists between Kenya, Rwanda and Uganda in East Africa. The benefit of recognizing cards from foundational ID systems as a travel document—particularly within regional blocs—is that they are more accessible and practical than a passport because people should have one by default, rather than a passport that requires a fee and often can only be applied for in major urban centers.

Another important use case is cross-border electronic transactions as part of the digital economy, which can be facilitated when a digital identity issued by one country is recognized for transactions online in another country. With an increasing number of transactions moving from face-to-face to online, and with the digital economy emerging as a key driver of economic growth, mutual recognition of digital identities between countries can accelerate trade in digital services and products and expand markets. For example, someone could open a bank account, register a business, and electronically sign contracts to trade in another country without ever needing to set foot in that country. The most notable example of this is the EU’s electronic Identification, Authentication and trust Services (eIDAS) regulation, which came into force in 2016 (see Box 42).

Box 42. The European Union electronic Identification, Authentication and trust Services (eIDAS) regulation

eIDAS provides a predictable regulatory environment, standards, and governance mechanisms to enable secure and seamless electronic interactions between businesses, citizens and public authorities in the European Union. It ensures that people and businesses can use their national electronic identification schemes (eIDs) to access public services in other EU countries where eIDs are available. eIDAS also creates a European internal market for electronic Trust Services (eTS) by ensuring that they will work across borders and have the same legal status as traditional paper-based processes. eID and eTS are key enablers for secure cross-border electronic transactions and central building blocks of the European

The eIDAS Network consists of a number of interconnected eIDAS-Nodes, one per participating country, which can either request or provide cross-border authentication. Service Providers (public administrations and private sector organizations) may then connect their services to this network by connecting to the eIDAS node, making these services accessible across borders and allowing them to enjoy the legal recognition brought by eIDAS.

It is the responsibility of each country to:

  1. Implement their eIDAS-Node.

  2. Support the connection of national Identity Providers and Attribute Providers to the eIDAS-Node, thus making their national eID schemes accessible to cross-border online services.

  3. Notify the European Commission of their eID scheme (which could be a national ID or any other functional ID, such as a driving license), including its assurance level, to show that it complies with the eIDAS regulation for cross-border services.

  4. Peer review the eID schemes notified by other member countries.

In practice, eIDAS means that people with a digital identity from a system notified by a member State to the European Commission can use that digital identity to access any service available online from any location. For example, a German can register a business or land in Malta, or an Austrian can open a bank account in France, using the IDs issued by their home country.

Source: EU (2015). See eIDAS for detailed information on regulation and implementation.

Several other regional blocs—notably the African Union (AU), the Economic Community of West African States (ECOWAS), the East African Community (EAC) (see Box 43), and the Association of Southeast Asian Nations (ASEAN)—are now looking at options for mutual recognition of ID credentials across borders. Based on World Bank research, there are three broad potential architectures to facilitate mutual recognition while maintaining national sovereignty and without the need for harmonization:

  1. Web-based. Online web-based authentication using a federation protocol (SAML or OpenID Connect); a similar architecture is used under eIDAS.

  2. API-based. Online authentication using an API approach; a similar architecture is used among some Latin American countries.

  3. Public-Private Key-based. Offline and online authentication by verifying a signature made with the private key on a credential against a public key directory; a similar architecture is used for the ICAO Public Key Directory of electronic passports.

The architecture and workflows of these three options are illustrated below in Figure 33, Figure 34, and Figure 35.

Figure 33. Web-based mutual recognition—example architecture and workflows


Web-Based Mutual Recognition

Authentication Flow:

  1. Person from Country B requests access to a service on a browser through the service provider’s website in Country A (any location, any device).

  2. Service provider’s website sends the request to its own Connector (A).

  3. Connector A asks the person for their country of origin, if not already provided.

  4. Request is forwarded to the Proxy Service of Country B.

  5. Proxy Service B sends the request to Identity Provider B for authentication (the person’s browser is redirected to the identity provider’s login page).

  6. The person logs in.

  7. Once authenticated, a response is returned to Proxy Service B.

  8. Proxy Service B sends a SAML Assertion to the requesting Connector A, which forwards this response to the Service Provider (the person’s browser is redirected to the Service Provider’s website).

  9. The Service Provider grants access to the person.

Prerequisites:

  • Internet connectivity

  • Federation protocol implementation—SAML or OpenID Connect server (eIDAS-Node)

  • Web portal for user authentication to be provided by the identity provider

  • Digital literacy of people to authenticate on the identity provider’s website using a password, OTP, PIN or FIDO authenticator

Figure 34. API-based mutual recognition—example architecture and workflows


API-Based Mutual Recognition

Authentication Flow:

  1. Person from Country B provides country name, identification number, credential (e.g., fingerprint or OTP) to the Service Provider in Country A.

  2. Service Provider sends the request to their Connector A.

  3. Connector A sends the request to the Identity Provider of Country B.

  4. Identity Provider authenticates the person and sends response to Connector A.

  5. Connector A forwards the response to the Service Provider.

  6. The Service Provider grants access to the person.

Prerequisites:

  • Internet connectivity

  • Authentication API to be provided by Identity Provider

  • A connector component to route requests to the Identity Provider of the respective country

  • In-person authentication (e.g., biometrics, OTP, PIN)
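The connector logic that the web-based and API-based flows above share, as an added example written for this page (not code from the guide, from eIDAS or from any country's implementation): Connector A keeps a trust list of notified schemes with their signing keys and notified assurance levels, routes a request by the person's country of origin, and checks the signed response from Country B before forwarding it to the Service Provider. It is Go, with a simplified JSON response standing in for a SAML assertion or API reply; the field names, the numeric assurance scale (1 low, 2 substantial, 3 high), the country codes and the connector identifier are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Scheme is one entry in Connector A's trust list: a scheme notified by another
// country, the key its Proxy Service / Identity Provider signs responses with,
// and the assurance level it was notified at (assumed scale: 1 low, 2 substantial, 3 high).
type Scheme struct {
	PublicKey   ed25519.PublicKey
	NotifiedLoA int
}

// Connector is the Service Provider's connector in Country A.
type Connector struct {
	Audience string            // identifier foreign schemes address responses to
	Schemes  map[string]Scheme // country code -> notified scheme
}

// Assertion is a simplified JSON stand-in for the SAML assertion (web-based flow)
// or API response (API-based flow) returned by Country B; field names are assumed.
type Assertion struct {
	Issuer    string    `json:"issuer"`   // country whose scheme authenticated the person
	Subject   string    `json:"subject"`  // pseudonymous identifier, not the raw ID number
	LoA       int       `json:"loa"`      // level of assurance the person authenticated at
	Audience  string    `json:"audience"` // connector the response was issued for
	ExpiresAt time.Time `json:"expires_at"`
}

// Route selects the scheme for a person's country of origin (steps 3-4 of the
// flows above); a country without a notified scheme cannot be served.
func (c *Connector) Route(country string) (Scheme, error) {
	s, ok := c.Schemes[country]
	if !ok {
		return Scheme{}, fmt.Errorf("no notified scheme for country %q", country)
	}
	return s, nil
}

// Verify is what Connector A does with Country B's response before handing it to
// the Service Provider: signature by the notified key, issued for this connector,
// not expired, LoA not above what the scheme was notified at and not below what
// the service requires.
func (c *Connector) Verify(raw, sig []byte, requiredLoA int, now time.Time) (*Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(raw, &a); err != nil {
		return nil, err
	}
	scheme, err := c.Route(a.Issuer)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(scheme.PublicKey, raw, sig) {
		return nil, errors.New("response signature invalid")
	}
	if a.Audience != c.Audience {
		return nil, errors.New("response not issued for this connector")
	}
	if !now.Before(a.ExpiresAt) {
		return nil, errors.New("response expired")
	}
	if a.LoA > scheme.NotifiedLoA {
		return nil, errors.New("claimed LoA exceeds the level notified for the scheme")
	}
	if a.LoA < requiredLoA {
		return nil, fmt.Errorf("service requires LoA %d, person authenticated at LoA %d", requiredLoA, a.LoA)
	}
	return &a, nil
}

// IssueAssertion is Country B's side once the person has logged in:
// serialize the response and sign it with the scheme's private key.
func IssueAssertion(priv ed25519.PrivateKey, a Assertion) (raw, sig []byte, err error) {
	raw, err = json.Marshal(a)
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

func main() {
	// Constructed setup: Country B notified a scheme at LoA 2 and Connector A lists its key.
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	conn := &Connector{Audience: "connector-A", Schemes: map[string]Scheme{"B": {PublicKey: pubB, NotifiedLoA: 2}}}
	now := time.Now()
	raw, sig, _ := IssueAssertion(privB, Assertion{Issuer: "B", Subject: "pseudo-4711", LoA: 2,
		Audience: "connector-A", ExpiresAt: now.Add(5 * time.Minute)})
	_, err := conn.Verify(raw, sig, 2, now)
	fmt.Println("service requiring LoA 2:", err)
	_, err = conn.Verify(raw, sig, 3, now)
	fmt.Println("service requiring LoA 3:", err)
}
```

The two assurance checks are the point of the example: a response may not claim a higher level than the scheme was notified at, and a service that needs a higher level must reject a person who only authenticated at a lower one, even though the signature, audience and expiry are all in order.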

Figure 35. Offline mutual recognition—example architecture and workflows


Offline Mutual Recognition

Authentication Flow:

Credential Issuance:

  1. The attribute/claims which will be used in a credential to establish identity are predefined by ID agency in coordination with other countries.

  2. The attributes can be represented as a data structure (e.g., XML/JSON) and then digitally signed using the private key of the agency. Some of these fields may be password-protected or encrypted; for example, a unique ID number may be hashed, masked or replaced with a virtual ID number, and a fingerprint should only be included if the storage medium is secure (e.g., a smartcard).

  3. This data structure can be encoded in a barcode or represented as an electronic data file (JSON/XML/PDF) and stored on any electronic device.

Authentication:

  1. Person from Country B seeks in-person service in Country A using a credential issued by Country B.

  2. Service Provider verifies the credential using the signer (public key) certificate and root certificates which have been previously stored locally.

  3. Service provider compares the face image on the credential with that of the person and allows access. Other authentication factors such as password, PIN, etc. may be used for higher assurance transactions.

Note: transaction logs are uploaded to the central system when connectivity is available. Notification of the authentication event is sent to the user based on user choice (e.g., mobile or email).

Prerequisites:

  • Credential issuance

  • Service providers need to store signer certificates, root certificates, and revocation lists locally (e.g., for ICAO Public Key Directory model or adaptation)

  • The Identity Provider should keep the private key of the signer’s digital key pair in secure custody (tamper-proof).

  • The credential should be digitally signed.

  • The service provider needs to compare the face/biometric of the physically present person with that stored on the credential.
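Issuance and offline verification as described above, as an added example written for this page (not the guide's code and not an ICAO implementation): the agency signs a JSON attribute set that carries a masked virtual ID instead of the UID number, and the Service Provider verifies it using only the root certificate, signer certificate and revocation list it stored beforehand, with no connectivity. Go's standard library supplies the X.509 and ECDSA parts; the field set, certificate names, serial numbers and the "agency-secret" value are assumptions for the example, and the face comparison of step 3 is left to the officer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Credential is the attribute set agreed between countries (issuance step 1). Fields
// are assumptions for this example; the UID number itself is never stored.
type Credential struct {
	Issuer    string `json:"issuer"`
	VirtualID string `json:"virtual_id"` // masked UID, see VirtualID
	Name      string `json:"name"`
}

// Signed is what the barcode or data file carries (issuance step 3).
type Signed struct {
	Payload      []byte // JSON-encoded Credential
	Signature    []byte // ECDSA/SHA-256 over Payload by the document signer
	SignerSerial string // selects the locally stored signer certificate
}

// VirtualID masks a UID with an agency-held secret so the credential never discloses it.
func VirtualID(uid, secret string) string {
	sum := sha256.Sum256([]byte(secret + "|" + uid))
	return hex.EncodeToString(sum[:16])
}

// Issue signs the credential with the document-signer private key (issuance step 2).
func Issue(c Credential, key *ecdsa.PrivateKey, signer *x509.Certificate) (Signed, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return Signed{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return Signed{Payload: payload, Signature: sig, SignerSerial: signer.SerialNumber.String()}, err
}

// Verifier is the Service Provider's local store: roots, signer certificates, revocation list.
type Verifier struct {
	Roots   *x509.CertPool
	Signers map[string]*x509.Certificate // signer serial -> certificate
	Revoked map[string]bool              // serials on the stored revocation list
}

// Verify runs authentication step 2 offline: signer known and unrevoked, chained to a
// trusted root, signature valid. The face comparison (step 3) is the officer's task.
func (v *Verifier) Verify(s Signed, now time.Time) (*Credential, error) {
	cert, ok := v.Signers[s.SignerSerial]
	if !ok || v.Revoked[s.SignerSerial] {
		return nil, fmt.Errorf("signer certificate %s unknown or revoked", s.SignerSerial)
	}
	opts := x509.VerifyOptions{Roots: v.Roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("signer certificate not trusted: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, s.Payload, s.Signature); err != nil {
		return nil, fmt.Errorf("credential signature invalid: %w", err)
	}
	var c Credential
	if err := json.Unmarshal(s.Payload, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// newCert generates a P-256 key and a certificate for it; a CA certificate is self-signed.
func newCert(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(5 * 365 * 24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		tmpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewPKI builds a self-signed country root and a document signer under it (the CSCA /
// document signer split of the ICAO PKD model). Keys are in-memory examples only.
func NewPKI(now time.Time) (root, signer *x509.Certificate, signerKey *ecdsa.PrivateKey, err error) {
	root, rootKey, err := newCert("Country B CSCA (example)", 1, true, nil, nil, now)
	if err != nil {
		return nil, nil, nil, err
	}
	signer, signerKey, err = newCert("Country B document signer (example)", 1001, false, root, rootKey, now)
	return root, signer, signerKey, err
}

func main() {
	now := time.Now()
	root, signer, key, err := NewPKI(now)
	if err != nil {
		panic(err)
	}
	s, _ := Issue(Credential{Issuer: "B", VirtualID: VirtualID("123456789", "agency-secret"), Name: "A. Example"}, key, signer)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	v := &Verifier{Roots: roots, Signers: map[string]*x509.Certificate{"1001": signer}, Revoked: map[string]bool{}}
	fmt.Println(v.Verify(s, now))
}
```

Everything the verifier needs (root, signer certificate, revocation list) is loaded into the Verifier before the transaction, which is the prerequisite the list above states; the revocation check is a local lookup, so a compromised signer key can only be excluded as quickly as updated revocation lists reach the service points.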

Box 43. Proposal for mutual recognition of national IDs in the East African Community (EAC)

In 2017 and 2018, the World Bank partnered with the EAC secretariat and six Partner States to carry out a study of what options exist for mutual recognition of national IDs in the EAC, including for migration and for online cross-border transactions. The following roadmap was developed through the consultative process:


  • Milestone 1: National ID System envisions achievement of a legally-enabled, robust, inclusive, and responsible national ID system. This includes a national ID database that enables electronic authentication of individuals for electronic delivery of services, and the capacity to present a credential for electronic authentication at a service delivery point or for an online service.

  • Milestone 2: Presence-Based Authentication envisions face-to-face identity authentication at service points through various methods. Cross-border delivery of services would be based on authentication of a user with their national ID at the service delivery point, such as: border crossings; hospitals or schools; and banks.

  • Milestone 3: Presence-Less Authentication envisions identity authentication for online services from anywhere or from any device based on digital identity. Access to services would be enabled by assurance levels or trust levels through digital identity to open bank accounts, apply for a driver’s license, or apply to an educational institution, all online.

  • Milestone 4: Electronic and Digital Signatures envisions the capacity for online and high assurance transactions from anywhere based on digital identity and electronic and digital signatures. Users would be able to perform transactions which require legally acceptable signatures, such as electronic voting, land purchase transactions, or issuance of online certificates by Government/educational institutions.

Source: Adapted from Study of Options for Mutual Recognition in East Africa