Belgium gets the market to solve authentication for free

Belgian federal public service Fedict asked suppliers in the security market to come up with a new system for authentication on government internet applications – without it costing anything for either the users or the Belgian government. Chicago-based Vasco Data Security stepped up, and both the company and the government are pleased with the outcome.

Fedict is responsible for defining and implementing the federal e-government strategy in Belgium.

“We create building blocks the other federal public services in Belgium can use to get a head start. We have building blocks for doing identification and authentication, using data in e-government applications and we have templates for websites,” says Walter Van Assche, general director at Fedict.

The goal is to improve the federal public services’ portfolios and tailor them to meet the needs of the general public, businesses and civil servants.

“The systems we offer for authentication are used by more than 700 government applications, but they require the user to have a connected card reader and some software and drivers,” says Van Assche.

The users can also choose to use less secure ways of authentication for some services, like a password plus a card with token or text message.

But Van Assche said Fedict did not have a very secure identification mechanism for mobile or other devices that cannot connect to the card reader. It wanted a secure identification mechanism, such as those used by the banks, but instead of bank cards it wanted to use Belgian ID cards.

Every Belgian citizen is issued an electronic ID at birth. At the age of 12 they are issued with an electronic ID on a smart card with photo and personal information.

“This is a very strong and safe mechanism, so naturally we want to take advantage of it for the unconnected authentication. The question was whether we should develop the system ourselves, as we did with the connected authentication,” says Van Assche.

Cloud-based two-factor authentication

Since unconnected authentication systems were already on the market – although not ones that use Belgian ID cards – Fedict felt it was unnecessary to invest in the development itself, according to Van Assche. 

“We have to look at the market and include already existing standards in our applications. And why develop something yourself if someone else can do it for you? So we decided to ask the market,” he says.

Fedict created a list of criteria that interested players had to meet. The first to pass the audit was Chicago-based Vasco Data Security. It developed a system that the first few government applications will put into use.

“The criteria said the authentications made for government applications are made for free, so this is a real win for the government since we did not have to invest. It is also a win for Vasco, since building a system for ten million Belgian people gives them a good reputation. This is a real win-win situation.”

The only thing Fedict had to do was to adapt the log-in pages to add the option “log-in with partner authentication”, according to Van Assche. If the citizen chooses that option, they go directly to Vasco’s cloud-based two-factor authentication service Mydigipass.

“Then they are sent back to us. Before using it the first time they have to activate a Mydigipass account with a connected device to make sure no one else does it in their place.”

A bank has decided to adapt its card readers to handle both ID and bank cards. The bank is also giving the card readers to customers for free.

“Citizens do not have to pay anything. The biggest improvements for citizens are that they do not need a connected device or have to install middleware. That makes it much simpler, especially for older people,” says Van Assche.

Reducing paperwork through electronic IDs

Jan Valcke, president and COO of Vasco Data Security, also thinks the situation is a win for all parties.

“Our business model is that we act as an identity broker and charge money for it from commercial applications. The licence Vasco has got from the government means we can see citizens' public information, such as age. We put it in our bunkers and then connect to the government. It then verifies the information and we add authentication,” says Valcke.

He uses an internet-based casino as an example of a commercial application likely to use Vasco's system. Users have to prove their identity and authenticate themselves to be allowed to play. Currently, this is done by sending in papers.

“The e-IDs will save the casino a lot of money, since it means there will be no more paper administration,” says Valcke.

If the casino uses Mydigipass, the customer has to put the ID card in the reader once to prove his or her identity. On subsequent visits software authentication is used, which means the player only has to type in a password.

“So identity is a one-time delivery and authentication is a system used every time you log in – these two aspects are different businesses for us. Our customers buy authentication in bulk, for example 100,000 or a million clicks.”

Belgium an early adopter

Belgium is the first market where Vasco is using this new technique, and Valcke expects the first commercial customer to sign on before the end of June.

“In time, I think pretty much all commercial applications in Belgium that require identification and authentication will use our system, since paperwork is much more expensive. Mydigipass will also give them the opportunity to grow their businesses just as the banks have done, offering more and more applications and services.”

Fedict's Van Assche hopes that more identity brokers will enter the market, so that Vasco no longer has a monopoly.

“It’s really important that more authentication players follow and more banks adapt their card readers. This is one of the reasons we decided to use trust criteria instead of launching a public offer,” says Van Assche.
