Evrotrust developed an innovative, state-of-the-art online identity service in Macedonia, based on i4p’s unique remote signature solution, the first eIDAS-listed solution where the Signature Activation Module comes from the same vendor as the underlying Crypto Module.
The challenge: building a safe and user-friendly ID service
Digital transformation has fundamentally changed our lives in recent years, and companies and individual users both benefit from its advantages. The global pandemic was also a strong driver of digitalization and changed our habits and preferences in several fields. One of these is the demand to be able to do everything remotely, without having to handle matters in person by visiting stores or the customer service desks of service providers.
New opportunities, new challenges
However, official administration tasks handled online call for stricter and more reliable conditions. It is easier to ensure optimal security and user experience for food ordering services or online theater streaming, but when you are dealing with banking, insurance, or government matters, the risks are higher and the regulations are stricter. When people handle tasks online, cybercriminals might intervene and hijack processes, steal money or information from users, or do other kinds of harm. Identity fraud is a serious problem; cybercriminals might harm businesses as well by posing as legitimate customers.
Therefore, strict regulations are in place all over the world for online services. In the European Union, eIDAS (Regulation (EU) No 910/2014 of the European Parliament and of the Council) sets out the official requirements for electronic identification and trust services for electronic transactions. However, smart solutions are available nowadays that help companies ensure their online services are secure, compliant and yet easy to use for end users.
Digital identities and signatures
A great example of these is ID operated by Evrotrust, a digital identity service of Mastercard, operated in the Republic of North Macedonia by Evrotrust Technologies. The innovative service enables organizations to seamlessly verify their customers’ identity in real time. It offers users several options, including e-identification, which lets users create reusable digital identities on their mobile devices and then use them like an ID card with the online services of banks, insurance companies or government offices. The users’ identity information is verified remotely, in a simple but secure way, by a qualified trust service provider through one or more official data sources.
ID operated by Evrotrust also offers e-signatures that allow users to sign documents remotely, placing qualified electronic signatures using their mobile devices. This has the same legal effect as paper-based documents with handwritten signatures, thus eliminating the need for papers and offering an easy, effective and eco-friendly method.
Digital Identity Services in Macedonia
Evrotrust Technologies is an innovative company that started its operations in 2018, headquartered in Sofia, Bulgaria. By 2022 it had active subsidiaries in Austria and Macedonia and cooperates with over 150 partners from Bulgaria, Austria, Macedonia, the UK, Hungary, Albania, and Kenya, from leading sectors such as banking, MNOs (mobile network operators) and insurance. It offers its clients completely remote digital identity and qualified trust services directly, accepted across continents with the highest legal value, thus enabling digital transformation for any company.
The goal of the project was for the qualified trust service provider to develop a completely remote e-Identification and e-Signing solution, following the highest security requirements and complying with the strictest regulations such as eIDAS, GDPR and many more, while also offering users a fast, smooth, and seamless experience. Evrotrust decided to build this system on i4p’s Trident HSM.
The Solution:
It took 6 months to build the system from scratch. Evrotrust’s professionals found i4p and its product when they were searching the certified Common Criteria (CC) products list for a device required by eIDAS for these types of processes, namely an SCAL-2 Signature Activation Module (SAM).
Meeting all expectations
Besides being CC evaluated and eIDAS listed, i4p’s solution also met Evrotrust’s requirements for high availability and load balancing, thanks to its distributed architecture.
“i4p’s solution was the best match for our desired implementation design and security requirements. We were and still are impressed with the quick and adequate i4p support and good cooperation”
Stefan Hadjistoytchev, Chief Technical Officer of Evrotrust
The foundation of the solution is Trident HSM, a hardware security module that offers advanced cryptographic, security, and key management capabilities. The effectiveness and reliability of Trident HSM are verified by its Common Criteria EAL4+ certificate, an international security certificate recognized worldwide. It also complies with the European eIDAS regulations and norms, and can thus be used for creating qualified signatures, qualified remote signatures, qualified seals, timestamps, and OCSP responses, besides certificates.
i4p offers a remote signature solution that operates seamlessly with the HSM. The Trident RSS is the first eIDAS listed Remote Signature Solution with the SAM (Signature Activation Module) coming from the same vendor as the underlying Crypto Module (CM). For organizations that want to offer their clients, employees, partners, and users convenient Remote Signature services without compromising their security, this is the leanest solution with the lowest cost of acquisition and ownership. The SAM manages the users of the Signature Service, generates cryptographic keys for them, receives data-to-be-signed through an easily implementable Signature Activation Protocol, and securely connects to the CM to have it manage the keys.
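The SAM/CM split described above, as an added example that is not i4p's or Evrotrust's code and not the actual Signature Activation Protocol: a Python model in which the signer's app builds Signature Activation Data (SAD, the notion the CEN standards behind SCAL2 use) after a simulated biometric unlock, the SAM checks that the SAD binds the signer, their key and the hash of the document (DTBS/R) to one fresh request, and only then asks the Crypto Module to sign with a key that never leaves it. The SAD layout (an HMAC under a device-bound key), the toy textbook RSA inside the CM, the SAM-to-CM pairing token, and names such as `authorise`, `SignatureActivationModule` and `signer-42` are all assumptions made for illustration; the real protocol, key sizes and padding differ.

```python
"""Simplified model of a SCAL2-style remote signing flow: signer's app, SAM and CM.
Added example, not i4p's or Evrotrust's code and not the real Signature Activation
Protocol: message layout, HMAC-based Signature Activation Data (SAD), the toy RSA
and all names are assumptions. Property shown: the Crypto Module (CM) signs only
after the SAM has verified a SAD binding signer, key and DTBS/R to one fresh request."""
import hashlib, hmac, secrets, time
from collections import namedtuple

def _random_prime(bits):
    """Toy prime search with a Fermat test; a real CM uses a hardware RNG and vetted tests."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1        # odd, full length
        if all(pow(a, cand - 1, cand) == 1 for a in (2, 3, 5, 7, 11, 13, 17, 19)):
            return cand

def rsa_keygen(bits=512):
    """Textbook RSA ((n, e), (n, d)); real CMs use >= 2048-bit keys and proper padding."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                # e is prime, so this gives gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_verify(pub, digest, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(digest, "big")

class CryptoModule:
    """Keeps private keys inside and signs only for the paired SAM."""
    def __init__(self, sam_token):
        self._sam_token, self._keys = sam_token, {}    # pairing secret: assumed set at install
    def generate_key(self):
        key_id = secrets.token_hex(8)
        pub, self._keys[key_id] = rsa_keygen()
        return key_id, pub
    def sign(self, caller_token, key_id, digest):
        if not hmac.compare_digest(caller_token, self._sam_token):
            raise PermissionError("only the SAM may request signatures")
        n, d = self._keys[key_id]
        return pow(int.from_bytes(digest, "big"), d, n)

# SAD: signer, key and SHA-256 of the document (DTBS/R), bound by an HMAC under the device key
SAD = namedtuple("SAD", "signer_id key_id dtbs_r issued_at mac")

def _sad_mac(device_key, signer_id, key_id, dtbs_r, issued_at):
    msg = b"|".join([signer_id.encode(), key_id.encode(), dtbs_r, str(issued_at).encode()])
    return hmac.new(device_key, msg, hashlib.sha256).digest()

def authorise(signer_id, device_key, key_id, dtbs, biometric_ok, now=None):
    """Signer's app: the device key is released only after a biometric unlock (simulated flag)."""
    if not biometric_ok:
        raise PermissionError("biometric check failed; device key stays locked")
    issued = int(time.time()) if now is None else now
    dtbs_r = hashlib.sha256(dtbs).digest()
    return SAD(signer_id, key_id, dtbs_r, issued, _sad_mac(device_key, signer_id, key_id, dtbs_r, issued))

class SignatureActivationModule:
    MAX_AGE_S = 120
    def __init__(self, cm, sam_token):
        self._cm, self._token, self._users, self._seen = cm, sam_token, {}, set()
    def enrol(self, signer_id, device_key):
        key_id, pub = self._cm.generate_key()
        self._users[signer_id] = (device_key, key_id)
        return key_id, pub
    def activate(self, sad, dtbs, now=None):
        """Each check guards one failure mode; the CM is called only if all of them pass."""
        now = int(time.time()) if now is None else now
        if sad.signer_id not in self._users:
            raise PermissionError("unknown signer")
        device_key, key_id = self._users[sad.signer_id]
        expected = _sad_mac(device_key, sad.signer_id, sad.key_id, sad.dtbs_r, sad.issued_at)
        if not hmac.compare_digest(expected, sad.mac):
            raise PermissionError("SAD not authorised by the signer's device")
        if sad.key_id != key_id:
            raise PermissionError("SAD names a key the signer does not own")
        if hashlib.sha256(dtbs).digest() != sad.dtbs_r:
            raise PermissionError("document differs from the authorised DTBS/R")
        if not 0 <= now - sad.issued_at <= self.MAX_AGE_S:
            raise PermissionError("SAD expired or not yet valid")
        if sad.mac in self._seen:
            raise PermissionError("SAD already consumed (replay)")
        self._seen.add(sad.mac)
        return self._cm.sign(self._token, key_id, sad.dtbs_r)

def demo():
    """Happy path, then the two rejections a SAM must never skip: content swap and replay."""
    token, device_key = secrets.token_bytes(32), secrets.token_bytes(32)   # constructed secrets
    cm = CryptoModule(token)
    sam = SignatureActivationModule(cm, token)
    key_id, pub = sam.enrol("signer-42", device_key)
    contract = b"Constructed sample contract: loan agreement #1234"
    sad = authorise("signer-42", device_key, key_id, contract, biometric_ok=True)
    valid = rsa_verify(pub, hashlib.sha256(contract).digest(), sam.activate(sad, contract))
    rejected = []
    for attempt in (contract + b" plus an added clause", contract):   # swapped text, then replay
        try:
            sam.activate(sad, attempt)
        except PermissionError as err:
            rejected.append(str(err))
    return valid, rejected
```

Running `demo()` yields a verifiable signature for the authorised contract and two refusals: the same SAD presented with altered text fails the DTBS/R comparison, and the same SAD presented twice is refused as a replay. The order of the checks matters in practice: the device MAC is verified first so that no other check leaks information to an unauthenticated caller, and the replay set is only updated after every check has passed, so a rejected request never consumes the signer's authorisation.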
Scaling according to the latest needs
“Evrotrust required scaling in a field that was not a common demand, and this was an exciting challenge” explains Ferenc Pető, Chief Technology Officer of i4p.
“Evrotrust wanted to be able to provide an extremely high number of certificates within a short period of time in order to meet exceptionally high interest, like extreme demands during Black Friday sales. Our previous customers laid emphasis on the number of signatures that can be created during a given time. In this case, the speed of the key generation was more important, and it was also a novel challenge that the keys did not have to be stored for a long time, and a rather low number of keys were required at the same time. We really enjoyed working on it, discovering the needs with the client, and finding the ideal solution for this special case. We are proud that we could serve this new kind of need in an agile way within a short time. It was exciting to contribute to this innovative solution that operates successfully ever since the launch, without any issues. We are looking forward to the opportunities in the future since we keep on working together with Evrotrust on providing better performance and efficiency.”
The Result:
The service has been operating since 2021 and both enterprises and end users are satisfied with it. “Our electronic identification and e-signature services enable real-time, remote on-boarding of clients, 24/7. This not only enriches the user experience, but enables real-time engagement with clients, who may electronically identify themselves and sign contracts, declarations and documents needed for providing a service. These services are compliant with eIDAS, AML, KYC, PSD2, GDPR, consumer protection and other applicable laws” – says Stefan Hadjistoytchev.
Simple, yet secure
The services are very easy to use. Users just download the ID operated by Evrotrust application from the App Store or Google Play and register by following the given instructions, which only takes a minute. Later, whenever they have to electronically identify themselves or sign a document before the government or a private entity, they receive a push notification on their mobile device, which they confirm with their face or fingerprint in a rather simple manner.
The solution meets the highest technological and industry standards for cybersecurity, cryptography and data protection, so customers can rest assured. The users’ personal data is heavily encrypted through asymmetric algorithms, and because biometrics are used to unlock their ID on their device, only the users themselves can access and use their data.
The method for remote first onboarding is certified under eIDAS as providing the same level of assurance as physical presence. It may be used not only for identification but also for digital transformation purposes such as electronic signing of contracts, declarations, payment orders, and any other binding documents.