NIK Project
The Internet has changed how people relate to one another. The range of digital services we use keeps growing, both professionally and in leisure, where social networks play an important role. A fundamental aspect of the digital world is the identity of the user, who must be "presented" to these services. Identities can be weak or strong. Strong ones are those that have been physically confirmed using one of the person's identity documents (ID, AIZ, passport, etc.). Some examples of strong identities are BakQ (user/password + OTP), digital name certificate, electronic ID card or FNMT certificate. Weak ones are those for which it has been confirmed that the person has an email, phone number, or mailing address.
The NIK Patrika Digitala project was created with the aim of providing a mobile space from which to access the day-to-day public services offered by City Councils, Provincial Councils and the Basque Government. A strong identity is required to use NIK, and all legally accepted ones are valid. With an identity based on username and password (e.g. BakQ), the initial configuration of NIK is carried out directly from the mobile application itself. With a digital certificate, a computer or other device that recognizes the certificate is needed to authenticate; a QR code is generated there and, once read from the mobile application, is used to launch NIK.
The Internet has gone from being a content space to being an environment of interrelation, which is why security is of vital importance, and every day we are becoming more aware of this. NIK Patrika Digitala was designed as a secure channel for transporting information, in which the data exchanged is protected so that only the two ends of the exchange can access it.
The NIK brand has its origins in putting the focus on the person who performs the action. In Basque NI means “I” and when an action is involved the “K” is added: I collect my medicines, I open the pool turnstile, I use my youth card to get a discount at the cinema... Patrika means pocket and hence its logo corresponds to the back pocket of a pair of jeans.
I like the idea. What do you offer?
NIK allows you to download cards that are stored locally on the mobile device of the person who owns them, access websites securely and receive communications on different topics, if the person so wishes. The person can decline these communications at any time; in fact, the first message received from a sending entity asks whether they want to receive notices from that entity.
I don't have a strong identity... How do I get it?
The BakQ can be obtained through video identification on the Izenpe website (https://servicios.izenpe.com/solicitud_online/mostrarIRBakqInfoInicio.do). It is also possible to obtain the BakQ at a health center or at the KZGunea in your municipality, where they will also help you launch the mobile application. An appointment can be made at https://www.kzgunea.eus/es/cita-previa.
As a society we have organized ourselves around models of trust in which it is possible to attest to things such as our identity, knowledge, property... There are entities that certify, for example, that we have completed studies (degrees), that we have a nationality, that we own a property or that we form a family unit. They do so with a physical document that implements mechanisms attesting that the document is genuine and has not been manipulated (stamps, signatures, holograms, ...). These types of documents are also called credentials.
When the digital age arrived, certifications were reflected in digitally signed electronic documents, using digital certificates, which could be validated to determine that the information was reliable.
In previous times, documentary certification was also used (photocopy + comparison by a person against the original document + seal) which, in substance and at a conceptual level, is the same.
Signed digital documents have worked very well for years, but a need has arisen to prove information in a more operational way. This is where verifiable credentials emerge, providing the ability to work with metadata that attests to people's characteristics. In essence, this is a second round of the digital signature model, in which the roles of issuer of verifiable credentials, holder of the credential and validator appear.
At NIK, every card is technically implemented as a verifiable credential that is signed so that it can be shared and validated. A special case is the identity of the person who owns the NIK instance: it is implemented as a special verifiable credential, called a security session in the project, and is accessible from the APP settings screen.
Once the security session credential is obtained, after the initial configuration process of the APP, it is used to obtain other cards (verifiable credentials) or to access websites securely.
Some features of the solution are especially important:
- Sovereignty: verifiable credentials are stored locally on the person's mobile device. In fact, the application works without internet access except when accessing web services or requesting new cards.
- Consent: the person has full control of their data and can decide in what cases and with whom to share it.
- Privacy: the data exchanged is encrypted and signed bidirectionally so that only the recipients of the information can read it. In the background, NIK generates a certificate on each mobile installation that is used for both encryption and signing.
- Temporality: everything digital, by its nature, must have a limited temporal scope (“expire”) in order to be as secure as possible. The essential thing is that the “renewal” of things is simple. The security session (verifiable credential), for example, is valid for 6 months or until the strong identity on which it is based expires, whichever occurs first. For the rest of the cards (verifiable credentials), the issuing entities define the validity period.
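The issuer, holder and validator roles and the Temporality rule for the security session, as an added example that is not NIK's own code. The claim field names, the `SecuritySession` type string and the choice of Ed25519 are assumptions made for illustration; the page does not describe NIK's credential format or algorithms.

```javascript
// Added example: field names and the 'SecuritySession' type are hypothetical,
// not NIK's format. Ed25519 is an assumption; the page names no algorithm.
const crypto = require('node:crypto');

// Constructed issuer key pair; a real validator would hold only publicKey.
const issuer = crypto.generateKeyPairSync('ed25519');

// Serialize with sorted keys so issuer and validator process identical bytes.
// (An array replacer also filters nested keys, so claims are kept flat here.)
function canonical(claims) {
  return Buffer.from(JSON.stringify(claims, Object.keys(claims).sort()));
}

// Temporality rule: 6 months or the strong identity's expiry, whichever is first.
function sessionExpiry(issuedAt, identityExpiresAt) {
  const sixMonths = new Date(issuedAt);
  sixMonths.setUTCMonth(sixMonths.getUTCMonth() + 6);
  return new Date(Math.min(sixMonths.getTime(), identityExpiresAt.getTime()));
}

// Issuer role: bind the holder to a validity window and sign the claims.
function issueSession(subject, issuedAt, identityExpiresAt, privateKey) {
  const claims = {
    type: 'SecuritySession',
    subject,
    issuedAt: issuedAt.toISOString(),
    expiresAt: sessionExpiry(issuedAt, identityExpiresAt).toISOString(),
  };
  const signature = crypto.sign(null, canonical(claims), privateKey).toString('base64');
  return { claims, signature };
}

// Validator role: check the signature first, then the dates it protects.
function validate({ claims, signature }, publicKey, now) {
  const sig = Buffer.from(signature, 'base64');
  if (!crypto.verify(null, canonical(claims), publicKey, sig)) return 'bad-signature';
  // Negated comparisons fail closed if a date is missing or unparsable (NaN).
  if (!(now.getTime() >= Date.parse(claims.issuedAt))) return 'not-yet-valid';
  if (!(now.getTime() < Date.parse(claims.expiresAt))) return 'expired';
  return 'valid';
}

// Constructed sample: identity outlives the session, so the 6-month cap applies.
const sample = issueSession('holder-001', new Date('2024-01-15T00:00:00Z'),
  new Date('2026-01-01T00:00:00Z'), issuer.privateKey);
console.log(sample.claims.expiresAt, validate(sample, issuer.publicKey, new Date('2024-05-01T00:00:00Z')));
```

Because the expiry date is inside the signed claims, a holder who edits `expiresAt` to extend a session is rejected at the signature check before the dates are even read.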
The world of digital certificates that we currently use is formally based on a European Union regulation that governs electronic identification, authentication and trust services. The main objective of the regulation was to promote interoperability between member states, and it gave rise to what is known as eIDAS1.
Currently, in Europe, work is being done on the evolution of the aforementioned regulation, which, broadly speaking, covers the concepts described in the Model section: issuer, validator, holder, verifiable credential... The new version of the regulation, eIDAS2, is expected to be finished during 2024, with the technical rules to be defined subsequently.
As far as standards are concerned, the World Wide Web Consortium (W3C) has established working groups to advance the technical definition of verifiable credentials: