We are, we have a live wallet since 2018. Yeah. So we have quite some experience in actually having that life in the regulated sectors and it, so we often talk about sort of technology and security and standards and how we should work together and how the J W T should be formulated and transformed and TLS should be secured, blah blah. But at the end of the day, the fight of a successful valid business model is with a partner side. And within the use case, that's a key question. No sort of success will be made for the best security sort of wise technology implemented solution.
But the only interest the user has, from my understanding, of all the users we have, we have millions of users using the wallet is, please let me in fast. Don't ask me too many things. Don't give me any choice about ta, pin or biometrics.
What kind, how do you want authenticate yourself password rules? Just let me in because the wallet is not a service, which is which you wake up in the morning and say, Hey, let's use a wallet. The wallet is used. So I would like to log in, I would open a bank account, I would sort of open a door. That's the use case. And the wallet is just the nasty thing.
Yeah. And so always think about UX and the wallet is just a service for a good use case and not the use case itself. Yeah.
So, but now I would love to talk about the differences because the Germans guys has invented some special thing you may say as as always because they say, Hey, let's, let's have a wallet within the public service sector. That's a good idea.
Wallet, very good. Nice regulated, very sort of high security.
It's about health data, blah blah. But the German said, let's have a closed system.
Ah, don't open up to anything. And wiki still here? No. So article two, so IDAs is not sort of valid in closed systems.
So yeah, it is a closed system. That's why I can do whatever I want. And I would love to share a few insights about the German wallet in the eHealth sector.
Alright, good. How it looks like it's like that. So we have on the left hand side the called, so-called ti, the telematic infrastructure, which is basically sort of a connection between doctors and, and hospitals and some backend services and smart cards from, from doctors, smart cards from institutions and smart cards from, from, from the user. It's called er, sort of electronic health card. And now they would love to move in the internet. Very good. So that you can use your, your mobile phone.
So, so on the left hand side you cannot move it. And the idea, it's called TI 2.0, ah, it's only if I pay yet. But they talk about digital identities, federation, user-centric and eHealth data.
So, which is good. I love that. And one of the key thing is sort of, they call it idp. Basically the, the technical term is sectoral idp, that's a product name I call it just, we call it ID wallet in the eHealth sector.
So, and the good thing is they're gonna use some standards open id. Yeah. Not for verified credentials, but classical open ID with par.
But let's, let's talk about the framework. So we have two identity sources, which is one is the EID D, the German person wise or your German sort of electronic card. And you have of course the insurance, which is also providing some data, your number and which state you have.
Yeah. Are you insured or not? Are you blocked maybe which tariff you have?
So, so you have two ID sources and then you put it in the wallet in the mobile phone and then you can log in or identify yourself in the different, at different applications. We call it relying parties. Sometimes we call it verifier. And there are two options. One in the sort of TI itself but also outside the ti, the telematic infrastructure, which is good. So it little bit open up. And the thing is you cannot use any wallet. So the wallet providers is the insurance itself. So we have more than 200 insurance companies for eHealth in Germany.
So you have 200 wallet issuer in Germany, which is giving up the chance to have a very nice large ecosystem, which is federated. So, and the, there's only one trust level which is called high.
But what is high, according to IDAs or to I unclear as they call it, matic is authority in Germany. So they call it matic, whatever that means. And they say of course, hi for identification, authentic education and the mandatory sort of date by law for go life is January the first, next year. So not too much time to do.
And so everyone is a little bit under pressure, especially the 200 insurance companies. So they offer that. Okay. And very also have one. But unfortunately we cannot use our VER wallet, which maybe you have on your phone or I have had at least you have to build up your own wallet within that infrastructure. And that is issued by the insurance company and not by nevertheless let's look into the requirements. The Germans do a decent job. They came up with sort of a pile of paper is like that.
That is a requirements out printed out more than 400 requirements. And some of them are easy.
So TLS 1.2 that that's okay and some other stuff. But one, one, a few things are very important. One is open IDs. That's good. High availability, 99.9 sounds okay. But have a geo redundancy of 200 kilometers. So that sort of who has 99% and 200 kilometers sort of redundancy, which is, so then that's very interesting. No profiling by design, you know, open ID connect is a central service. So everyone is going over, over the open Id connect server, so to the relying party. So we need to make sure that by design for us as a wallet provider, we cannot see where the user has locked into that.
That sounds impossible because of course how can I do that? So we need to make sure that all the information is just visible to the user and not visible to any administrator, which is a very nice thing to develop for my developers.
Then trust execution environment. So it's a latest generation of hardware, sort of every user has separated session every, of course every insurance as well. So it's also very demanding. It's cost at least a factor by 10 in the hardware, in the cloud services, maybe, maybe a factor of 50. So makes good and all the keys has to be in HSMs. Sounds reasonable.
You know, HSMs, hardware security models. But all the keys, you'll see all the TLS keys, all the signing keys and all the encryption keys for all the user datas has to be, have to be in the hsm, which is really as good for towers who are offering HSMs.
Yeah, it's good for the cloud service providers, they, they charge for it. But having that redundancy for 200 kilometer away and 99% availability and all the keys somewhere in heart in HSMs, you see that's more an infrastructure than an application.
Yeah.
But so, and the good thing is to be sort of backward compatible. You have to log in with your smart cards with your phone all the time. They of course they allow app, this pin biometrics, no discussion biometrics is out of discussion. So it's only this pin, but they think most of the user will use their smart cards. So they log in into, let's say in hospital, take the smartphone do something and then they with smart card in the back of the cart types a pin, put the bar card back again and then you log in very safely. But that's also a very nice use case.
So that's, that's basically sort of what, how we do it is very easy. We provide an sdk, the valid sdk, which is included in the insurance app. And then we have the cloud and the special infrastructure as I said before. And then we use normal open ID connect flows to lock in into the e-health services.
Yeah, so I, I, I don't want to talk bore you regarding the requirements. It's quite challenging having this requirement to offer a nice ux, but at least we tried it. So and con has now the, the, the task to show you how the React UX looks like. And I really have to say unfortunately it's not the best UX because of the requirements, but you will see how it works.
Yeah, sure.
Thank you
To count that. Thanks.
So let's move on after the requirements and the background now, how the solution will look like. We are now in approval process. So we already developed it and we are in the approval process with the healthcare regulator gi. So just a quick demo case, two videos, first use cases login with a new user. What is important here is that we are in the use case, the use case is the electronic health record of a insured person.
So the user has no account, no wallet, but wants to get access to the data and have register with three steps, registration basis process to set up the wallet, second factor set up and then the identification with E I D or locally in the branch of the insurance provider. And the second use case is the reuse of the wallet in the login. And so maybe let's just watch the video if it's working. Yeah. Now the user that types in registration with an email address to verify the email.
Yeah.
Has to put in the insurance number.
This insurance number will be checked later in the backend that the match between the person and the insured databases possible. And then the user has to set up the two factor authentication to create a pin six digit digits to reenter the pin, to confirm the pin. And now is asked to use biometrics in other use cases than telematic infrastructure because insurance services for instance, it's possible to use biometrics. Now we see the P recovery, which is another number for recovery reasons. And the user has to enter it again to confirm that he or she knows the book.
So now second factor is set up and now we are coming to the identification electronic house card for locally in the branch or electronic E i d, we choose here the E I d. And now the identification process started
Another pin. It's a third pin, no book pin poke. The user knows exactly what to do. Now we decided, so I, we are part of the,
So now the data is read out. Now a check with the insurance database takes place that the user is in the database and now the data is confirmed, transferred to the health record and the user is successfully logged in.
So this is the process for a new user with no wallet, with the wish to log in on a has record in. Yeah. And now the second use case, we have a user already has a successful ID wallet with all the processes we have seen. So the user coming back next time I want to get access to my data and now we see the login browsers authentication is possible by smart card and by app, by ID wallet and biometrics in case of health services or a six digit pin when it comes to telematic infrastructure use cases and that's it.
Yeah. What we have seen is the login is very easy. So just one click, which is cool.
The other one's entering sort of two sources into two FA in the wallet. So there's three steps which is also in the IDAs wallet will happen. Yeah. You have different sources. You have to authenticate against this source, the ID source or the issuer sort of import the identity storage to have a, so this will come and the, the biggest challenge I think on the UX side will be how to authenticate against the ID source. Here we have pin book, so to the E I D and all that. So I don't know how to overcome it.
So how to import different ID sources diploma or sort of a driver's license or the A I D or my email address or who, whatever I would like to import. It's always a challenge that I need to authenticate against the ID source.
So, and I think the crucial part will be on the wallet side, although it's part of the issuer to actually take care that DI is asking for a driver's license in the driver's license registry. But di needs di needs to be authenticated against the driver's license registry. So who's doing that?
So, and I think the wallet will play the, the, the, the role, say the wallet comes here, tur with all the maybe e I D data here, driver's license registry. Please give me the driver's li or issue the driver's license into my wallet. So that's not part of the discussion yet because we are still in regulations, but UX will follow I I I'm pretty sure and how to do that. Let's see how how it comes. And thank you for your attention.
Yeah, thank you.
Poor question. Thank you.
Thank you very much. Really good example of how simple user interface can be. And I think people will need to learn a new ceremony, you know, of, of how this stuff works and it's up to projects like this to help people to start learning, right? And and how that works. I think in what you, the point you raised just now about how will the issuer know it's Dirk? Well they should hopefully be able to provide a pi. Yes. But there's a bit of a gap which is they don't know it's Dirk providing the pi.
They just know someone who's got access to the wallet is providing the pi. Exactly. And with no face, no photo in the pit. It's a match against How do they know
It's you? I'll That's a crucial card which is coming from the wallet asking. Very
Tricky. Any questions for these guys?
Bang, please say who you are and where you're from.
Germany. One question. So I saw there that the plan is start to, in Germany in January, 2024, how you solve the problems for the person which don't have a bid, which don't have any e i d like kids.
You have to go into the branch with your sort of parents and then you do that over there. Yeah. And and the other question is what to do with all the people who has not done German person with a i d. Yeah.
You know, only 10% of the entire population of Germany knows what to do with that nfc, E I C departure protocol stuff. So yeah, go to the branch, bought that wallet in the branch, face-to-face on and then you have it. That
Means if I have six kids I must to make the registration process here six times plus
Me.
No, no, there was, there was, there was a, so also hit, I don't have a I d I can go to the branch and then there'll be a branch selector and then you go have an appointment and then go there.
Yeah. You should have thought about the complexities of E I D before you had 60. Ah
Ah. But actually it's me. You know that you have also sort of a local ent. You go somewhere and say, hey, I would love to sort of fill my wallet and here's my card. Please. Please. Yeah.
Actually for with it's me, we've got different enrollment methods. The first one that we developed was bank enrollment.
So in the banks they already did a strong kyc. The banks are the shareholders of it's me. And so we integrated directly with the banks and so a user can use his bank card to do a strong authentication. And with that we get the identity data from the banks to do the enrollment, which is very easy to do. A second one is e i d self enrollment, which is with the E I D card. But that's with the connected reader, not with nfc because in Belgium most of them don't have NFC yet. So that's a bit more difficult but it's a one off and a lot of people find it interesting enough cuz it's me. So easy to use.
And then a last one that we've now developed is indeed also NFC cards, but that's mainly for outside of Belgium because we're expanding to other countries as well. And so that's a third one which is coupled with biometrics and stuff like that. So a face-to-face is, is not an option for its me.
Oh,
I'm sorry. I've heard, no, we have also asked sort of the banks, sort of the, the fund, the financial institution to export that identity from banks in including strong customer education from the online banking. The matic said it's not on the trust level high.
It's really easy to get the banks to do work as well. Isn't it a question at
The bank? Yeah. I have a question regarding sharing the, the card between other people.
So we have people that are in the health system that cannot identify even they have the number like people in coma, people after a serious accident and stuff like that. Did you solve somehow ability to giving that identity to a family member so the family member can basically make a decision on behalf of that person that cannot do it?
Yeah,
It's What is it in English? Sortation?
Yeah, ation. Yeah, it's, it's from the process, it's, it's horrible. Yeah. So there's a lot of posts and cons. It's not in version 1.0 but will come later next year, early next year. So today is just go into the branch and sort it out there.
Maybe to add what is important. I mean the whole requirement specification process is still ongoing. I mean this is the first draft and you can get now the approval with the basic scope and all the questions about family, men members and mandating. These are all topics that are not covered by the more than 400 requirements.
So there is still a lot of work to do also for the regulator. And this is part of a longer process in Germany to get to the digital identity in the healthcare sector using also the ID wallet when you go to a doctor for instance, that you can offline identification. So the division at the end is to somehow replace or have an alternative to the smart cards. But we are at the beginning of this process.
That's, I think it's important to mention.
Sadly, all good things come to an end.
Yeah,
I have a prediction, Mike as well. Yeah, sorry. We should thank these guys.
Thank the speakers for this talk.
You're welcome.
Thank you. Thank you.
