Discussions to Start on Proposal of New International Standard for “Smartphone-based Personal Identification”

Efforts for managing personal identification using mobile devices

June 22, 2020

Research and demonstration projects aimed at commercializing systems that manage personal identification using mobile devices have advanced considerably overseas. These systems have come to be known as “digital driver’s licensing”. Along with this trend, there have been discussions on establishing international standards for such systems that address challenges such as the trustworthiness and security of the system.

Against this backdrop, it has been decided to start discussions on a proposal, submitted by Japan, for the development of a new international standard for the trustworthiness of secure elements (*1) embedded in IoT devices capable of conducting personal authentication.

*1. The term “secure elements” refers to semiconductor products with security that can withstand analysis attacks from the outside, e.g., SIM cards.

Purpose of and background to the proposal

Efforts to install personal identification functions in mobile devices have been advancing overseas. However, embedding personal identification functions into mobile devices for documents that require high-precision identity verification, such as passports and driver’s licenses, also requires the development of an international system to prevent counterfeiting and falsification. Security functions with a quality equivalent to or higher than that of IC cards also need to be factored in. The fact that mobile devices per se are products manufactured and distributed worldwide also must be considered. To achieve these goals, the international community has discussed a system that realizes the function of a personal identification document by means of a smartphone application and that secures synchronization with the latest information on personal identification, security updating and other functions, as necessary (*2).

International standardization organizations have been advancing the development of international standards for this system from four perspectives (see Parts 2 to 5 shown in the figure below). Concerning this approach, Japan submitted a proposal for developing a new international standard for a “Mechanism for use of certification on trustworthiness of secure area (*3)” as a fifth perspective, aiming to ensure the security of important information. In response, in May 2020, the ISO/IEC Joint Technical Committee officially approved the proposal and decided to start discussions on international standardization of the system.

*2. This standardization will be discussed by the Subcommittee 17 (SC17) (cards and security devices for personal identification) under the Joint Technical Committee 1 (JTC1) jointly established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

*3. The term “secure area” refers to isolated areas that allow users to safely store and process data even during irregular actions of the OS. These areas are categorized into those built into mobile devices and those externally attached to them.

Details of the proposal

In issuing IC cards for personal identification with security functions, which are now in mainstream use, issuers of the IC cards confirm the level of trustworthiness of their IC cards before issuing them to users. However, when making use of users’ mobile devices, e.g., smartphones, for such identification, issuers of personal identification documents, i.e., businesses adding and overwriting personal information or identification information, face difficulties in confirming by themselves the level of trustworthiness of secure areas in users’ mobile devices. To overcome this challenge, Japan submitted a proposal for the development of a new international standard that stipulates a system in which, before issuing personal identification to users, such issuers are able to confirm whether or not the secure areas in users’ mobile devices with personal authentication capabilities satisfy the predetermined performance requirements (see the figure below). The SC17 will start full-fledged discussions in July 2020 and aim to establish a new international standard in 2022.

Figure: Overview of the series of ISO/IEC23220 under development and the positions of the respective parts

The conventional standards stipulate the four perspectives of Parts 2 to 5 based on Part 1 for architectures (designing of entire systems). Japan submitted a proposal pointing out the need for developing an international standard for Part 6 (ability of security areas and elements for assessing the level of trustworthiness of the areas as well as composition of certifications concerning these elements and methods of managing them, etc.) and approval was given to the proposal for developing the standard. In the meantime, the international standard for Part 2 was also developed based on Japan’s proposal.

Expected effects

Establishment of the new standard and future dissemination of mobile devices that satisfy related standards are expected to contribute to fully ensuring the security of such mobile devices for users in downloading a variety of functions involving personal identification. In addition, establishment of the new standard is expected to help conduct higher, more precise identity verification and verification of attributes, rights and qualifications based on information that is correct and highly trustworthy. Furthermore, the new standard is expected to contribute to establishing an environment in which users are able to use their personal identification documents in a safe manner, as they will be able to update the security of their mobile devices by themselves. These effects are expected to allow more and more people to make use of online identity verification and qualification confirmation through smartphones and other devices.