1.
A whitepaper by Accenture®
Identity Management (IDM) Architecture Considerations
Statement of Confidentiality
This document contains highly sensitive, confidential and proprietary information from
Accenture and should not be duplicated, used, or disclosed, except as solely necessary to
continue discussions with Accenture regarding the subject.
Copyright © 2008-2009 Accenture. All rights reserved. No part of this document may be
photocopied, reproduced, or translated to another language without Accenture’s prior written
consent. Accenture, its logo, and Accenture High Performance Delivered are trademarks of
Accenture.
Social, political and technological considerations
for
national identity management (e.g. UID initiative in India)

2.
IDM Architecture Considerations
2
Contents
1 IDENTITY MANAGEMENT......................................................................................6
1.1 NATIONAL IDENTITY MANAGEMENT...........................................................................................6
1.2 IDENTITY ......................................................................................................................................6
1.3 DRIVERS FOR NATIONAL IDENTITY MANAGEMENT ....................................................................7
1.4 COMPONENTS OF NATIONAL IDENTITY MANAGEMENT ..............................................................8
1.5 TYPICAL OBJECTIVES OF NATIONAL IDENTITY MANAGEMENT ..................................................9
1.6 NATIONAL IDENTITY MANAGEMENT SCHEMES GLOBALLY......................................................10
1.7 SOME IMPLICATIONS FOR NATIONAL IDENTITY MANAGEMENT ...............................................11
1.8 TYPICAL CONCEPTUAL COMPONENTS OF THE IDENTITY MANAGEMENT SYSTEM ...................12
2 TECHNOLOGIES...................................................................................................14
2.1 OVERVIEW..................................................................................................................................14
2.2 BIOMETRIC TECHNOLOGIES.......................................................................................................14
2.3 TECHNOLOGIES FOR ID TOKENS................................................................................................19
2.4 SECURITY AND CRYPTOGRAPHY...............................................................................................25
3 THE KEY ISSUES AND IMPLICATIONS ..............................................................30
3.1 OVERVIEW..................................................................................................................................30
3.2 TECHNOLOGICAL IMPLICATIONS ...............................................................................................31
3.3 PROCESSES IMPLICATIONS.........................................................................................................37
3.4 GOVERNMENTAL IMPLICATIONS................................................................................................41
3.5 CITIZEN AND SOCIETY IMPLICATIONS .......................................................................................42
3.6 CONCLUSION..............................................................................................................................48
4 REFERENCES.......................................................................................................49

3.
IDM Architecture Considerations
3
EXECUTIVE SUMMARY
Government agencies face the intricate challenge of effectively and securely controlling population flows,
identifying individuals, and managing their access to services, while aligning their strategies with citizen’s
expectations for convenience, security and privacy. Identity Management initiatives, especially after the
increased frequency of terrorist attacks around the world, have become a political imperative of
unprecedented urgency, for an increasing number of governments around the world. The India’s answer
to this challenge is expressed through the proposed UID Scheme.
Enrollment/Registration will be the process determining the overall success of the scheme. It is vital that
the government agencies, in collaboration with the subcontracted private sector organisations, build a
reliable infrastructure that will be able to accommodate the diverse needs of the India’s population. The
challenges they will face include the enormous volume of applicants, the coverage of all exceptional
cases (in terms of biometrics) and the building of trust and familiarization.
Identity Authentication will be the most important operational process of an IDM since it will be the means
of providing assurance of the claimed identity of an individual. However, extensive use of Identity
Authentication may raise concerns about citizen expectations and thus authentication processes should
be limited to the minimum level (only if absolutely necessary). In most transactions the service provider
need not know the identity of the individual, but only to verify that the returning individual is the same
individual as the one on the previous transaction.
In addition, it is particularly crucial to regulate the uses of data and purposes of collection to avoid the
catastrophic effects of function and identification creep.
The selection of technologies should be considered in parallel with the processes that are implemented
around them to ensure the operational efficiency and the protection of individuals’ civil liberties.
- Biometrics
Biometric technologies provide uniqueness and enable higher levels of security due to the appliance of
encryption/ decryption operations. Biometrics have accuracy, reliability and performance weaknesses,
which can be overcome at a great extent, by the development and establishment of multimodal systems.
Multimodal systems minimize noise and intra-class variability effects, thus reducing false acceptance
and reject rates. However, serious implementation risks emerge by the implementation of such a large-
scale project, in terms of security, bottleneck, false alarms and people’s resistance. Effective training of
the human operators is required in order to handle the cases of false rejection and acceptance.
- National Identity Repository
There are several ways to implement the IDM scheme. The centralization of core personal information
enables the efficient verification of personal details (such as identity, address). However the possibility
for data misuse increases in parallel with the risk of mass data theft. The establishment of an
independent Trusted Third Party may decrease some of these risks. Alternative models for the
organisation of the scheme include the Federated solution, that creates circles of trust where identity
needs not be authenticated against centralised data records.
- ID cards technologies

4.
IDM Architecture Considerations
4
Smartcard technologies appear to offer significant advantages compared to magnetic stripe
technologies; it is more difficult to clone them, they have mush larger memory capacity and it may be
possible to update the chip’s content.
RFID chips set new challenges for national IDM systems, due to their appropriateness for large scale
projects, their reprogrammable and undetectable nature. However, the cost of the active RFID tags,
which are the most secure and reliable ones, sets constraints, at the current situation at least.
Optical Memory Cards is another prospective technology; it provides a comparatively large storage
capacity (5-6 Mbytes of digital data), which is appropriate for the storage of multiple biometric
information and records of transaction details. In addition, it has the ability to create laser image of the
photograph, thus enabling higher security and making it one of the most counterfeit-resistant machine-
readable technology available.
- Security/ Cryptography
Ensuring the security of the smart ID card-enabled IDM system will be crucial for the success of the
scheme. It seems important that multiple layers of security (embedded in technologies, processes and
policies) are considered in the architectural design of the system. Security issues arise from the smart
chip that will be used (tampering, unauthorized access), the communication channels (between card,
reader and NIR), as well as from the establishment of a central database (NIR). It is important that
unauthorized access to the NIR is prevented at any cost, as compromised personal data can be used to
commit mass ID fraud at a much larger scale than currently.
- Other Architectural Issues
It is likely that future research in the field will proceed towards the direction of Privacy Enhancing IDM
Systems. The aim of PE IDM systems is the creation of a secure infrastructure with the ability to
support pseudonymity (here pseudonymity comprises of all degrees of authenticity and linkability to an
individual – including anonymity and full identification) while also supporting the required degrees of
confidentiality, integrity, authenticity and non-repudiation. PE IDM systems are based on the principle of
‘notice and choice’, where the flow of information is transparent and individuals have control over data
linkage.
A multiplicity of strategic partnerships between government agencies and private sector organisations
forms the basis of the implementation of the multifaceted IDM Scheme. Control over these partnerships,
transparency of the processes and the competent project management are key factors that will influence
the procurement process.
- The complexity, diverse dimensions and lack of previous experience make cost estimation a
controversial issue. Infrastructure issues (hardware and software), technological (e.g. smartcard, RFID)
and process decisions (e.g. enrollment process design), training needs, operational and risk
management costs are some aspects that must be assessed. The need for recurrent biometric
registration – in case biometrics are incorporated in the system – is an additional source of cost. The
cost of legal liability should be added in the long cost list, as long as individuals may sue government for
inconvenience and turmoil in case of access denial to services they are entitled to.
- The private sector (and especially high tech service providers) will play a central role towards the
successful implementation and operation of the scheme. PPPs (Public Private Partnerships) will form

5.
IDM Architecture Considerations
5
the basis for several components of the IDM scheme ranging from the installation of the technological
infrastructure to the training of the system operators and the system’s maintenance. Success in
delivering the scheme may also enable trusting relationships with the government with long term
benefits.
- A clearly stated legislative framework within which the national IDM system will be developed and grow,
is prerequisite. The clear Data and Privacy Guidelines should be articulated and establish safeguard
mechanisms for their enforcement.
Citizen should always be considered as the core element of an IDM scheme; citizen’s rights,
expectations, needs and interests should be incorporated in the system and be protected by multiple
established mechanisms and policies.
- The development of a citizen-centered system is important to enable the smooth diffusion and long term
success of the smart ID card. Citizens will benefit from the IDM scheme through the convenient and
efficient access to services. However, one should consider the cost barriers; individuals may not be
willing to pay an excessive amount for acquiring the smart ID card.
- The right of anonymity and confidentiality are core elements in the designing of a national IDM system.
Failure to appreciate the importance of protecting the citizen’s interests and rights and adapt them in the
proposals may lead to increased sense of distrust and unrest, and thus to the rejection of the scheme.
Privacy is affected by the technological choices and the design decisions incorporated in the IDM
system; there are more or less privacy invasive systems (biometric centralized VS biometric
decentralized). Embodying citizen’s consent in the designing of the IDM system may lead to privacy
enhancement; Federated IDM architectures incorporating the concept of “Circle of Trust” may provide
the ability for increased individual’s control over the data sharing by supporting the use of pseudo-
identifiers and limiting identity verification to the absolutely necessary.
- The need for cultivating trust and instilling confidence among the population, that the system is secure
and personal data protected, seems to be indispensable. In addition, government will have to improve
its image in respect to the ability to deliver a successful and secure IDM system, and thus achieve public
support.
- There are different social groups that may face difficulties and obstacles in their interaction with the
system and their access to the services. People with physical disabilities, marginalized social groups,
travelers/ tourists and business people who enter the country without being enrolled in the system are
some examples of cases that need to be identified, explored and handled efficiently. Efforts in this
direction should be integrated in wider packages of measures, and be consistent with other
governmental initiatives.
About Presenter
Ravinder Pal Singh is a Lead Enterprise Architect in Accenture Technology
Consulting, with over 14 years of global technology consulting experience
across India, North America, Europe, South America and Asia.

6.
IDM Architecture Considerations
6
1 IDENTITY MANAGEMENT
1.1 National Identity Management
The concept of Identity Management is not new at all. It is something that state has always tried to deal with,
in order to connect the citizen and the society (of which he/she is part of), and thus establish the rights and
obligations that grow out of this relation. Today, social services, law enforcement and national security are all
depended on the ability of the state to connect people to records reliably.
In what many people have claimed to be the Information Age, issues regarding identity management mount
while society has seen transformations in various levels. Individuals are more mobile, use multiple
communication channels and require reliable, efficient and personalized services. As a result government
institutions around the world face the imperatives of improving service quality by seamlessly integrating
citizens’ personal information while reducing costs associated with public service provision. In essence, a
simple identity management system associates reliably a unique identifier with every individual inside the
system’s boundaries. The rationale is that governmental institutions can ameliorate their governance ability
by securely identifying and managing (interactions with) its citizens. Identity management incorporates a
broad administrative area responsible for identifying individuals in a system (such as a country, a network, or
an enterprise) and controlling their access to resources within that system by associating user rights and
restrictions with the established identity. In effect, identity management can be said to be the set of
technologies and processes that contributes in (a) identifying resources, (b) authenticating resources and (c)
authorizing access to other resources. However it is insufficient to conceptualise identity management solely
as a system; it is also an infrastructure that is pervasive into its social context – supporting both centralized
and decentralized administration.
Governments want to meet citizens’ expectations regarding public service delivery and to do so the best
practice approach would be a secure nation-wide identity management system. The government identity
service delivery should incorporate a citizen-centered perspective (to tailor interactions to the needs of the
individual), well-coordinated cohesive multi-channel services, fluid cross-governmental services (provide
integrated services to the citizen) and proactive outreach/ communication. It is necessary that governmental
institutions consider a wider service delivery agenda and undertake larger change initiatives (that incorporate
or facilitate eGovernment) in order to increase the government’s capability to deliver better services, more
efficiently at less cost and eventually redefine the citizen-society relationship.
Finally, identity management is a dynamic concept. As such its strategic objectives vary according to the
technological, business and governmental environment in which identity management takes place over time.
Identity management in a nation-wide context can be seen as a convergence of technologies and
governmental operations, materializing in processes facilitated by the existence and use of a unique national
identification (UID) standard. Governmental institutions must respond to citizens’ needs by motivating
necessary resources and applying the appropriate processes and tactics to eventually promote an optimal
service delivery strategy, manage access to services and the country as well as counter crime and terrorism.
1.2 Identity
Before proceeding to examine the factors that drive the need for identity management, it would be
appropriate to refer briefly to the notion of identity and the basic components that is constituted of. Identity
refers to the set of information about a person that can be used to tell who that person is. This personal
information is what makes something or someone the same today as he/she/it was yesterday, in respect to
his/her/its social context. A person may have multiple identities and identity may also belong to a non human
entity (e.g. a computer). In this paper, when we refer to identity, we refer to the three basic elements of
human identity. Firstly, biometric identity can be described as ‘the things that one is’ or the unique to an
individual attributes (DNA, iris, fingerprints, hand shape etc). Biometric information that forms the biometric
identity of an individual in respect to national identity management is the most promising area of national
identification schemes because of the (inherent in the nature of biometrics) 1-to-1 relationship between the
composite values of biometric information and individuals. The next element is attributed identity, which refers
to things that are given to an individual at his/her birth, (i.e. full name, date & place of birth, parents). Finally,
biographical identity defines things, which happen to one during his/her life (life events, education details,

7.
IDM Architecture Considerations
7
issue of marriage certificate, insurance policies, etc). Each of the aforementioned types of identity
encompasses a set of related challenges regarding national identity management that will be further
examined in this paper.
1.3 Drivers for National Identity Management
In an ever increasing in complexity social environment, identity has become a pivotal issue for both public
and private sector organisations. The past years, investment decisions in public services have seen a
continuous increase in terms of the level of importance to both the government and citizens; consequently,
understanding the citizens' preferences and practices is / will becoming / become a central government
objective. In this section, an investigation into the main driving forces that make identity management a
necessary component of any governmental institution that wants to provide high-level service quality and
security to its citizens is provided.
Mobility
The rising mobility of a globalised world has introduced new factors and dimensions, in respect to how
individuals today interact with private and public sector agencies. People and goods move continuously
within and between countries, fact that requires increased control. It is not only refugees and immigrants, but
tourists, students, business people and so on, that cross the borders in an ever increasing pace. Obviously
as the globe becomes increasingly interconnected the borders become more permeable and vulnerable. The
need for identification keeps up with the increasing mobility, in order to ensure which visitors are eligible to
enter, work, ask for medical insurance and remain in the country for appropriate time periods etc.
Migration Stream and Illegal Working
Governments have a legitimate interest in managing and controlling their borders. In other words,
governments face various challenges in managing the flow of citizens/individuals entering/leaving the
country. By simplifying the process of immigration controls the state may minimize the effects of illegal
immigration and working (exploitation, taxes loses, unfair competition etc).
Identity Fraud
Identity fraud refers to an action whereby a person adopts a completely false identity, falsifies part of his own
identity (i.e. age) or adopts the identity of another person. The continuously increasing reporting of identity
theft calls for direct response addressing identity fraud at the following operational levels:
the reliability of identification;
the ID system enrollment process;
public and private (sector) services access management.
Need for Increased Efficiency and Effectiveness in the Public Sector
Simplifying the identity management processes required for every transaction and relation created
between the citizen and the governmental bodies and reducing the error possibilities are major driving
forces that demand the development and establishment of an identity management scheme. In context,
where identity management is poor, public and private services identify individuals through distinct (not
cross referencing) methods. It is considered crucial in respect to the future of government service delivery
to reduce the complexity of integrating and operating the public sector information systems and
processes. Other elements of this driving force are to avoid duplication of data and effort (from both the
service providers and the individuals [i.e. by giving out their information in several different forms]), as
well as to reduce extensive bureaucratic procedures and create a more citizen-friendly system. The
absolute control of the services provided only to the entitled people is necessary. Overall, moving towards
a consistent set of identity (management) standards will enable higher level of public service delivery.
eGovernment
The citizen-centered perspective of the governmental services, the integration of the services provided and
the establishment of multi-channel services make obvious the need for an efficient and effective identity
management system. Thus, eGovernment in order to interact with the citizens and offer all the expected
benefits must be able to identify them; in light of future developments in eGovernment, the need for a digital
identity management system is inevitable. Speed, usability and security are key issues. The aim of effective
eGovernment has become a major driver for identity management and secure authentication of the citizens.

8.
IDM Architecture Considerations
8
The key to integration is to tie up the different accounts and numbers of people from different systems
together, in secure centralized data management architecture.
Terrorism, Organized Crime and National Security
The concept of multiple identities used by terrorists and other types of criminals renders the identity
management scheme imperative (more than 1/3 of known suspects have used more than one identity).
Drug crimes, people trafficking, prostitution, human exploitation are phenomena that are taking place at a
great extend, undermining the social order and security that democratic societies deserve to live in.
A more effective national identity management scheme would also allow national security services to
access, as part of their investigations, centrally stored biometric information. The need for rehabilitating
the social perception of security and order and empowering the national security drives to the same
direction.
Convenience – the New Lifestyle
Citizens nowadays interface with more service providers in the ordinary course of their lives, than ever.
These services have to accommodate a large number of individuals; as a result the citizen interfaces with
complex institutions, creating the need (from all parties) of an efficient identity management solution. The
notion of convenience has become so intense nowadays; people seek for maximum benefits at the least
possible cost. Time is considered a great source of cost and thus individuals when they interact with public
and private service providers look for convenience and speed. For example, most citizens prefer to use credit
or loyalty cards for their everyday transactions. An ID card may be used as a convenient travel document, as
well as an integrated services card. Technological developments provide the foundations for this new lifestyle
and can serve the needs for convenience and speed at the point of service.
The trends and streams of modern societies, as described above represent substantial forces driving the
development of national identity management systems that essentially aim at establishing and maintaining
reliable individual identification.
Apart from these more or less obvious driving forces, it is necessary to highlight the significance of the
‘event’, which can become the milestone of the world’s social structure. An event can have a decisive impact
on the flow of human’s lives; it actually plays the role of a “transformational device between the past and the
future” and it is an indispensable prism through which social structure and processes maybe seen.
Undoubtedly, the bombing attacks of IRA in mid-1990s in the UK, the terrorist attack in Spain, New York’s
September 11, London tragedy of July 7
th,
and the most recent Mumbai terrorist attack of 26/11 are events
that have contributed in the transformation of the world processes subsequently altering the
discourse/conceptualisation of and the most recent.
1.4 Components of National Identity Management
As mentioned identity management is a dynamic concept. Nonetheless, it can be argued that there is an
underlying fundamental purpose in any identity management system, irrespective of the processes and
technologies used to implement it. This section will present and distinguish five essential, mutually
complementary building blocks of any identity management system, as in the table below.
Fundamental Components of Identity Management
i. Identification: Who are you?
ii. Authentication: How do we know?
iii. Authorization: What services and transactions are available to you?
iv. Access to Data: - Who (service provider) has authority to access what data
and under what terms?
- How can you access the data collected referring to
yourself?
v. Security: Is the information about you secure and not misused?

9.
IDM Architecture Considerations
9
i. Identification tries to answer the question ‘who are you’ and refers to one or more elements of the identity
of someone that uniquely identifies that user in the context of use. It may be an identifier already associated
with the individual such as his/her SSN or in the case of the UK ID cards scheme it is the NIRN or in Indian
context it may (will) be UID.
ii. Authentication can be defined as the provision of assurance of the claimed identity of an entity. In other
words by authentication we refer to the process used to verify that individual’s, or ‘subject’s’ association
with an identifier. There are three authentication methods; 1. based on tokens (something one has, such as
smartcard, key, passport, etc), 2. based on knowledge (something one knows, such PIN and password)
and 3. based on biometrics (something that one is, such as one’s face, fingerprint, iris, voice, etc), which
appears as the most promising form of authentication today.
iii.Authorisation is defined as the process whereby the requester is allowed to access a given service. In a
more formal way authorisation refers to the way of determining whether the policy at the point of service
allows/permits an intended action to proceed. In some systems, such as most governmental services, the
authorisation service either grants or denies access to the individual, whereas in other systems (e.g. private
sector), users are linked with access rights and thus access is protected through role or group-based
management. The efficacy of the process is limited by the availability of subjects’ attributes and by how
faithfully policy is incorporated in the infrastructure or application.
iv.Access to Data has a dual meaning. First, it refers to the definition of the service providers that are
authorized to access the data collected. According to the needs, the nature of transaction and the given
circumstances each service provider has different authority to access data. Secondly, the individual has the
legitimate right to access the data referring to him/ her and control the nature, quality and accuracy of the
information.
v.The fifth component of IDM is claimed to be security, in respect to the personal information of individuals
and the identity management system as a whole. When identity management takes place in any form,
personal information of individuals is exposed to entities outside the control of the individual. Authorised
and unauthorized misuse of the personal information should be prevented, as much as possible of course,
since there are not absolute secure systems. It follows that the level of security is compromised in complex
identity management systems, and both technological and process safeguards must be establish to shield
the system.
1.5 Typical Objectives of National Identity Management
The clear and precise recognition and statement of the objectives of an identity management system is more
than important, since objectives are the main driving factor of the decisions and the policies of the system.
The absence of accurate limits and well defined framework within which the identity management scheme will
be developed would generate serious issues in terms of privacy, functionality and security. In this section, a
summary of the main aims and objectives of typical identity management are presented.
It is necessary to explore the objectives from the viewpoint of the three major stakeholders: citizens,
governmental bodies and private sector. These objectives should be the drivers of every choice and decision;
the selection of the technologies incorporated in the system and the design of the processes should be in
accordance with the following objectives. However, it needs to be recognized that it is not possible to create
one single system serving all the following aims in total. However, our intention is to provide with an overview
of what each stakeholder wants to achieve and then introduce the problematisation that these objectives
should be prioritized and evaluated in parallel with the potential options/ solutions.
Identity Management Objectives
A. Governmental Bodies want to:
A1
Identify individuals for effective provision of services (speed, accuracy, minimum errors, no
duplications)
A2
Integrate identity records across governmental services (more personalized pro-active and
targeted communications and services)
A3 Preserve privacy and ensure data security
A4 Provide equal and universal identification (avoid current exclusions, when driving license,

10.
IDM Architecture Considerations
10
passport etc are not available)
A5 Increase the border and immigration flow control
A6 Enhance and facilitate the evolution of e-government
A7
Create the perception of safety to the public, reduce the fear of crime and cultivate trust to the
system
A8 Facilitate the law enforcement
A9 Establish and maintain cost-benefit balance in the short and long run
A10 Avoid misuse of services – such as free riding
A11 Reduce organized crime, identity fraud, terrorism & illegal working
B. Citizens want to:
B1 Access services with convenience and speed (avoid bureaucratic processes) at a reasonable cost
B2 Keep anonymity where and when is possible
B3 Be dealt with equally, without discrimination (no groundless exclusion or inclusion)
B4 Secure their right of privacy and ensure data security
B5
Ensure transparency of the system (open black boxed processes) to prevent illegitimate data
collection & usage
C. Private Sector wants to:
C1
Identify individuals for effective provision of services (speed, accuracy, minimum errors, no
duplications)
C2 Increase the strength and reliability of the customer base to deliver better services
C3 Enhance and facilitate the e-services’ provision.
C4 Reduce ID fraud, organized crime and illegal working
1.6 National Identity Management Schemes Globally
It is interesting to take a short glance at national identity management schemes applied in different countries,
in order to have a view of what is happening globally. Indicatively, the case of three different countries:
France, Singapore and Spain is presented in this section.
France
France has introduced national IDM system but without enabling the linkage of all public service providers.
French national ID number, which is a 15 digits number (first digit reflects the sex, the next two refer to the
year of birth, the next two refer to the month of birth, the next two are relates to the administrative district, the
next three show the municipality of birth, the next three are random and the final two are check digits), is not
an identifier used widely for every service provision. The main area of use is the field of social security, thus
enables only the social security organizations to the data. Other service providers, such as Tax departments,
require legal permission and prior authorization by the President of the Republic in order to obtain access.
The private sector is also excluded by the scheme, with exception to the services related to health and social
welfare (doctors, private health insurance etc).
Singapore
Singapore has the SingPass ID card, which enables citizens to interact across all governmental services.
SingPass is a single-factor authentication system which demands only one single password. Citizens are
able to apply for their ID card on-line and receive their SingPass by post. In Singapore, there is not a core
central legal framework on data privacy, but only separate laws dealing with personal information.
Spain
In Spain, there is a single ID card, which holds a single identification number (algorithm based), which is an
eight digits number (randomly created) plus one letter. This number is used in every interaction with the
public sector; even the passport holds the same number. However, despite the universality of the ID number,
some service providers (such as Social Security, Public Health Service, etc) keep additional identification
numbers. Parents may ask for ID number when their child is born, but the compulsion emerges when the
child reaches the 14
th
year of its life. The foreigners living in Spain obtain a Foreigner Identification Number.

11.
IDM Architecture Considerations
11
1.7 Some Implications for National Identity Management
‘System’ may be the most important (and heretofore least discussed) aspect of the term “nationwide identity
management system”, because it implies the linking together of many social, legal and technological
components in complex and interdependent ways. The control of these interdependencies, and the mitigation
of security vulnerabilities and their unintended consequences, would determine the effectiveness of the
system”
At this point, it would be interesting to introduce some implications generated when a national identity
management scheme is proposed to be implemented. First, implemented over very large populations, it is
assumed that it will take considerable time to coordinate the activities required for full population
enrollment/registration (critical mass). A universal national identity management system will probably be
targeted by organized criminals, increasing the risk for cyber-terrorism. Experience of identity management
systems implemented the past decades in both the private and public sectors suggests that identity is best
proven if agencies do not rely on one single proof of identity (a token such as document, card, etc.) to
establish a person’s identity. In addition, a number of organisations (public, private) tolerate an amount of
fraud since the financial benefits of stopping fraudulent behaviour may be less than the cost of checking.
These implications regard the success of the system. However identity management exists within the
technological, political and social context in which it is implemented.
Nowadays, the use of Information Communication Technologies (ICT) are affecting both the private and the
public sectors through the ‘imposition’ of more efficient techniques for gathering and managing information,
reaching and interacting with customers in addition to managing the processes (to name but a few). The
current technological environment provides a variety of possibilities and alternatives for the implementation of
identity management systems, such as RFID (Radio Frequency Identification) and other types of chip-
enabled cards (e.g. oyster cards). In brief, technological implications include protecting the confidentiality,
integrity and availability of the data and information systems, as through the following positions:
The larger and more complex the network, the more complex the security infrastructure needed
The more information in a token (the ID card) the greater its importance for service transactions
The strength of the authentication is directly related to the value of the resources protected
The consideration of card technologies in respect to cryptography and security.
At a political and societal level, implications root from concerns on data centralization, the protection of civil
liberties and individuals’ privacy expectations, as well as the involvement of independent private sector
organisations. Identity management technologies lead to the transformation of the national landscape they
are applied, the result being the internalization of social norms (that may soon not be regarded as
repressive). There are generated valid fears that more intense discrimination issues will be provoked,
acknowledging the discrimination against certain minority population groups and non-population groups
(such as travelers, business people, etc) that already takes place in the name of national security.
Nevertheless, it is very crucial to identify and map out the ways all this accumulated data is going to be
organized in terms of managing individuals and populations. The main argument used that citizens have to
counter a trade-off between their civil liberties and national security should be assessed thoroughly, in order
to secure the social gains with the least personal costs. The amount and the type of information revealed at
different circumstances and the risk of profiling are also crucial issues. In terms of adoption, failure to explain
the benefits of an identity management scheme and how security and privacy can be maintained may
heighten resistance to the scheme. The compatibility of the scheme with the Data Protection, Human Rights,
Freedom of Movement generate important implications that need to be assessed.
Finally at the organisational level, identity management must take into account the processes (i.e. human
activity models) that surround the established information policies. identity management provides with a
framework to manage citizens’ access to services as well as to redefine the communication and interaction
between the individuals and the state. It follows that the way identity management processes are designed
and implemented are central to defining the scope and boundaries of governmental ‘reach’. The main
processes that should be considered include the registration and renewal of ID cards, the retention and use
of information by service providers, service access management (authentication) and citizen relationship
management (the processes of interacting, communicating, etc).

12.
IDM Architecture Considerations
12
1.8 Typical Conceptual Components of the Identity Management System
Under this section the aim is to describe the identity management scheme at a conceptual level. In the
following figure the typical components, processes and a high level view of the structure of the ID cards
scheme is provided.
A conceptual model of the identity management system
The model depicts four coloured sections each representing different aspects of the identity management
(IdM / IDM) system. First (in the green area - left) the individual, biometric information, the smart ID card and
any combination of these, represent the proof of identity needed for IDM. This block shows the main actor of
the system – the citizen – and the related to him (a) ID Card and (b) biometric information. In the yellow-
shadowed area the main processes of interaction between cardholder and the IDM scheme is presented.
Registration, Identification, Authentication and Authorisation is the order of processes that deal with the proof
of identity. In the middle right sector, the model presents the ICT network that operates as the infrastructure
for the processes to take place. This includes all technologies and, internal to the service provider, processes
for using the individuals’ proof identity at the point of service. Finally, at the right hand side of the model, the
central datastore of personal information is portrayed; it is accessed by a trusted third party (TTP) for
authentication & data exchange purposes and by certified database management applications (for adding,
deleting, updating).
The National Identity Repository (NIR), will hold core personal information about individuals who have
registered and been issued with an ID card. Essentially it will be a new data warehouse or database that may
be created as people apply for ID cards. The amount of personal information considered as ‘core’ must be
sufficient for the individual to allow for the issuing of an ID card. The National Identity Repository will provide
a record of registrable facts about individuals in the country, other individuals who entered or have applied for
entering the country. The NIR will be accessible from public service applications (for the cross referencing of
information), with the potential of integrating access from interested private sectors (banking institutions,
insurance companies, etc).

13.
IDM Architecture Considerations
13
The Identity Number (IN), which is a unique identification number provided to every successful applicant to
the scheme. This number is actually the key for the citizen to access the services that he/she entitled to and
for the governmental bodies and private sector to access the information on the NIR. This unique identifier is
the basis for many national IDM schemes; however recent developments in IDM (e.g. as in France) have
been seeking more privacy-protective ways of integrating the unique identification number into the overall
scheme.
The ID card will provide all legal residents of the country with an easy and secure way of demonstrating their
identity and accessing the services they are entitled to, by establishing a single universal identifier. The ID
cards will contain part of the information stored in the NIR and will be issued by a governmental agency, that
will work in collaboration with immigration and passport agencies. Depending on the technology used within
the card, there will be different processes and mechanisms for authorizing access to individuals (card
readers, RFID readers, human).
A Biometric is a unique physical characteristic such as facial dimensions, iris patterns and fingerprints.
Biometrics used in an IDM scheme tie a verified identity to an individual. Moreover, biometrics can be used to
associate an individual to an ID card, supplementing traditional methods (e.g. signature, photograph). To
enable these two mechanisms and exploit the potential of biometrics, biometric information will be held both
centrally and inside the card. Hence, an IDM system exploits the advantages of biometric information to
ensure that a person did not establish more than one identity in the scheme and at the same time that the
entitlement card, passport, driving license are being used by the correct person.
Service Providers are those agencies and/or organisations from the public or private sectors that require the
verification of identity to allow a transaction to proceed. While identity fraud has been an enormous problem
for free public sector agencies, it is also a predicament of delivering effective services for independent service
providers. Service providers require the reliable authentication of the cardholders, in order to increase their
capability to manage access to their services. When private sector service providers connect to centralized,
state-owned information, the establishment of information gateways that operate in synergy with
authentication agencies is essential.
The Authentication service is also a key component of the proposed IDM scheme. Its purpose is to enable
the service provider or biometric reader to authenticate the identity of an individual in order to authorize
access to certain services. The Authorisation Service operating independently, is responsible for connecting
to the NIR and verifying that the details provided (by the Service Provider) match to no more than one
records in the register. Then depending on the context of application it may return personal information to be
combined with what is locally available or simply communicate the result of the matching process (match, no-
match).
Another component that we consider to be central is Legislation. Understanding the privacy concerns, it is
important to impose exhaustive legislation regarding all aspects of the Identity Lifecycle. IDM may pose
threats to the human rights and/or civil liberties of certain societal groups or individuals and therefore
legislation should go beyond existing privacy laws and the data protection / IT laws. In addition, new crimes
and penalties need to be established in order to ensure the compliance of people with the new requirements.
Finally, IDM systems do not consist only of the set of technologies (network communications, cards,
databases, etc) but also of detailed policies and procedures, to account for the numerous security and
privacy considerations. Procedures are needed to be established to register individuals, manipulate (manage)
information about them, issue credentials and verify access to services (to name but a few). At this point it is
important to mention the elements of the identity lifecycle which are: account set up, maintenance and
teardown. Account setup refers to providing to the users the appropriate level of access to resources they
need. Account maintenance refers to continuously keeping the users’ records updated and adjusting the
levels of access to the resources needed. Account teardown is the deactivation of the accounts that are not
necessary anymore. IDM schemes attempt and aim at managing these three stages as effectively and
efficiently as possible.

14.
IDM Architecture Considerations
14
2 TECHNOLOGIES
2.1 Overview
As is the case with all large scale organisational projects, a national IDM scheme comprises of a complex
network of technologies and processes. In this part, the aim is to identify and present briefly a variety of
technologies that play a crucial role for the success of the project.
First, in this paper we will try to shed some light on the strengths, weaknesses and risks of alternative
biometric technologies. Second, we will examine card technologies and in specific focus on RFID technology
as one of the most prominent technologies for use in ID cards. Apart from RFID-enabled cards a short
evaluation of other types of smart cards is also provided. We will argue that the debate about RFID
technology is not quite the same with a similar debate about barcodes that took place some years ago. We
will examine RFID advantages and disadvantages through an assessment of available card technologies, in
order to provide the basis of determining the viability of an RFID approach in a national IDM scheme. Finally,
we will frame security as a problem that can be approached through a combination of security and
cryptography technologies.
2.2 Biometric Technologies
Introduction
Biometric technologies have received great interest as a powerful weapon against terrorism, crime and as an
effective proof of identity. The term biometric is derived from the Greek words bio=life and metric=to measure
and it stands for the measurement, digitization and statistical analysis of biological data. Biometric
technologies are mechanisms that automatically recognize individuals based on unique human physiological
and behavioral characteristics, which cannot be easily duplicated or forged. The more important and widely
used biometric technologies are finger print biometrics, eye biometrics (iris, retinal), face biometrics, hand
geometry biometrics, signature biometrics, and voice biometrics. There is also some more biometrics found in
literature, such as DNA, gait biometrics, body odor measurements, vein recognition (hand), movement
pattern recognition and ear shape. The elements of universality, uniqueness, stability, forge resistance and
collectability are some of the main reasons that render biometrics the most effective and important source of
proving identity. The objectives of generic biometric applications are better security, higher efficiency and
user convenience.
There is a distinction between the static (or physiological) biometrics, which are based on features that are
always present and dynamic (or behavioral) biometrics, which are based on certain behavioral patterns. For
example, fingerprint, iris scan and retinal scan are static biometrics, while signature and gait biometrics
belong in the dynamic methods. Each method offers different degree of exactness and accuracy, depending
on the context and the purpose of the biometric application.
Biometric systems have three main uses:
to check that applicants are not erroneously issued documents based upon two different identities;
to help confirm that the correct person is associated with a certain document’s or service’s
credentials;
to check identity against a ‘watch-list’.
In other words, s biometric system could be used for identification, for authentication or screening. The first
type recognizes a person (who does not make any claim of identity) by comparing the captured images to an
entire template database. Thus this is a one-to-many match and aims at establishing an individual’s identity
without the person having to declare his/her identity. The second system authenticates an individual who
claims identity by comparing the captured biometric elements with the biometric template of that person that
are already stored in the system or in a distributed storage, such a smart card. This is a one-to-one match in
order to make sure that the person is the one who claims to be. The screening process is actually the
comparison of the biometrics captured against a watch-list, which may have only biometrics or other
information as well.

15.
IDM Architecture Considerations
15
Biometric system’s architecture, is the combination of the major processes of a biometric system namely
Data collection, Signal processing, Matching, Decision, Storage, and Transmission. These processes
together with a set of technological components form a generic biometric system architecture, as presented
in the following schematic.
Biometric System Architecture
Data Collection
This sub-system handles the acquisition of the biometric data of the applicants and requires a biometric
device or sensor (such as finger scanner, digital camera) in order to retrieve the biometric sample.
Transmission Channel
The transmission channel sub-system is concerned with passing the data on a distributed environment.
Data compression techniques can be imposed/applied on the biometric data to economise system
resources and handle large volumes of data that need to be transmitted.
Signal Processing
The signal processing sub-system illustrates two main activities. (1) The biometric sample is processed and
segmented from the environment/noise in order to extract the feature information and create the biometric
template, which is a mathematical representation in a more compact version of the original image that
captures just those features of the image that contribute to the distinctiveness of each person’s fingerprint,
iris, face etc. In the end of this process a score is presented evaluating the quality of the extracted image (if
everything went well). (2) The new template is compared with one or more reference templates by using a
matching algorithm and a match score that illustrates the similarities of the various templates is created.
Data Storage
All created templates, before stored, they are compared with the already stored templates. Biometric
templates can be stored in a centralized biometric database, in a distributed system or on ID tokens and
smart cards (which remains at the user’s possession).
Matching
A new biometric sample is required and follows the three first stages and when it has obtained the
appropriate template format it is submitted to the biometric verification engine. According to the type of
process required (either identification [one-to-many] or authentication [one-to-one]), the system compares
the new template to all stored biometric samples generating zero to many possible matches or compares
the new template to the suspected identity generating a yes/no score.
Decision
The match score is translated into a decision by using a threshold score, which would have been initially
defined. The user is authenticated if the match score is above the threshold else the user is rejected. In
general, people will never present themselves in exactly the same way every single time, thus biometric
systems should allow some latitude in this matching process. The described matching/decision processes
introduce risks and fears, because this latitude may lead people to match templates other than their own.
Biometric systems in practice can generate four possible outcomes:

16.
IDM Architecture Considerations
16
correct person accepted or rejected,
impostor rejected or accepted.
Thus there are two possible situations that the system may provoke an error. A False Reject Rate (FRR)
occurs when ‘correct’ individuals are rejected. A False Accept Rate (FAR) occurs when an impostor is
accepted by the biometric matching algorithm. False reject and False acceptance are included as part of a
generic biometric system process.
Generic Biometric System Process Model
FAR and FRR cases increases when the threshold value used in the matching algorithm is ‘looser’, as in
application of biometric systems in airports. A one biometric modality system can increase its performance by
processing a biometric through more than one matching algorithms. Then a logic algorithm can be applied in
order to ‘fuse’ the results and arrive to a more accurate decision, as in the following schematic.
Fusion Unimodal Biometric System
Alternative Biometrics
When reviewing different physiological or behavioural elements (of humans), there are numerous
requirements against which each biometric can be assessed. These include biometric’s universality,
distinctiveness, permanence (over a time period) and collectability (quantitatable characteristic). Moreover,
the performance issues (accuracy, speed, immunity from external factors), the level of acceptability that
people show and the circumvention (the possibility for cheating the system by fraudulent methods) should
also be evaluated and assessed. A brief description of the four most widely used biometric technologies
(fingerprint, handshape, iris and face recognition) and a comparative table of them is provided below.
Fingerprint Recognition
Fingerprint is one of the most widespread biometric since a long time ago for the purpose of identification.
Apart from the correlation of the fingerprint with the crimes detection there are already established many
fingerprint systems which contribute in the establishment of a unique identity for the individual.

17.
IDM Architecture Considerations
17
There are two methods of fingerprint recognition that could be applied; the minutiae based recognition and
the fingerprint pattern. The minutiae-based operates using the coordinates of points on the fingerprint where
ridges end or split, while the second method is using the whole fingerprint pattern, which is more costly and
more appropriate for one-to-one matching processes. The minutiae-based is more appropriate for large-scale
systems and one-to-many matching. It is suggested that at least 4 fingerprints should be captured for each
applicant, in order to help verify any potential false matches and hence reduce false match rates.
The main benefits of this technology is the high accuracy, usability (ease of use), the ability to exploit already
existing databases and the distinctiveness (8/20), while the major drawbacks is that it demands the
involvement of the individual, there is an estimated 10% of the population that cannot enroll, there are
environmental factors that affect the result (humidity, temperature), there have been invented ways to spoof
the system quite easily and the perception of this technology is strongly linked with criminal context.
Iris Recognition
Camera of extra high resolution and a source of light are necessary for iris capture. The absolute uniqueness
of each iris - even the two iris of the same person are completely different – and the inability to create a fake
duplication of an iris, because of its numerous characteristics and properties, contribute in characterizing iris
recognition the most promising biometric technology. Under normal conditions (avoid injuries, illnesses etc)
iris remain the same throughout one’s life.
Iris recognition is a very attractive method, as it is estimated that an iris image is as efficient in identification
matching as two or more fingerprints and is very fast. It demands the involvement of the subject, both in
registering the image of the iris (and creating the template) and in providing successfully the captured image
of the iris. However, it is a rather new technology that has not been tested at large-scale applications.
Face Recognition
Lately, Interest in facial recognition systems has been triggered because they are relatively inexpensive and
do not require the active involvement of the individuals (subjects), thus it is a silent technology that acts in the
background. Face is considered as the most commonly used biometric element so far; people purposefully
provide photos as means of identification in numerous transactions involving tokens such as their passport,
driving license, library card etc. The level of acceptability to reveal one’s face is high, as people are used to it.
But apart from the moments that consciously people submit their face image there are many other points
where one’s face is captured without his/her awareness and consent.
During the enrolment process a series of digital photos is taken, which allow capturing the face at different
angles and expressions, in order to extract the distinctive features that will create the template. There are two
main methods: the 2D, which consists of four main methods (eigenface, feature analysis, neutral network,
and automatic face processing) and 3D capture and modeling.
Face recognition technologies do not require great involvement of the individual and they may also obtain a
covered format. The other significant advantage is that everyone can enroll. However, the performance of the
face recognition is rather low in comparison with the two previous technologies, even in small populations. A
single fingerprint provides higher accuracy than face recognition and the fingerprint identification can be
improved by using multiple fingers, while in face this is not feasible. In addition, in case of identical twins this
method is not reliable to provide accurate identification and the number of this case is not rare at all (1:200
are identical twins). Furthermore, there have been identified some factors that diminish its reliability, such as
poor illumination, shadows, glasses, facial expression. The screening applications that are used in order to
capture the images mainly on the move, like CCTV in airports and shopping malls, diminish the quality of the
image and the task of matching faces against a certain database becomes really difficult and time
consuming. The size of the database is another significant factor that should be mentioned; the bigger the
database the more false recognition occurs. Overall, face recognition technologies are most suitable in the
checking process for one-to-one authentication or for small watch-list applications.
Hand shape Recognition
Hand recognition is a quite old technology that uses different geometric measurements. There are many
geometric features that can distinguish one hand from another, such as width and length of fingers, hand size
and height, distance between knuckles etc. It is considered as a more easy to enroll technology in
comparison to iris and fingerprint recognition that creates anxiety to the subject. In addition, it is shows high
accuracy and it is hard to spoof.

18.
IDM Architecture Considerations
18
However, the capture of the hand features with most of the existing technologies
has constraints because the individual has to place his/ her hand on the platform
between fixation pegs (see figure). Moreover, these techniques do not record the
shape of the fingers but just measure feature on the fingers. This may be beneficial
for the storage space, though may omit significantly geometric elements that can
empower the recognition process. Thus, there has been started being proposed
other methods that can overcome these constraints and limitations. B-Spline
curves is an alternative method that can record the shape of the fingers and
removes the difficulty of the fixed-pegs, thus increasing the accuracy and the
convenience of the method.
Evaluation of different biometrics
The following table portrays a comparison among the main biometric technologies. The criteria upon which it
is established are: cost, security, acceptability of the public, easiness of usage, transparency of the capture
process, stability of the biometric information, the proposed applications for each one and their suitability for
one-to-one and one-to-many authentication.
Table: Comparing different biometrics
Suitability for
Cost Security Acceptability
Ease of
Use
Transparency Stability
Suitable
applications 1 : 1 1 : N
Face Medium Medium
– Low
Medium
– High
Medium
– High
Covert Medium
– Low
Watch-list
scanning,
verification
Yes Potenti
ally
Fingerprint Medium
– Low
Medium
– High
Medium High Overt High Verification,
medium- to
large-scale
identification
Yes Yes
Iris High High Medium Medium
– Low
Overt High High security
access, large-
scale
identification
Yes Yes
Voice Low Medium
– Low
High High Covert Medium
– Low
Telephone
authentication,
low security
verification
Yes No
Signature Medium Medium
– Low
High High Overt Medium
– Low
Applications
with traditional
signature
Yes No
Hand Medium Medium
– High
Medium
– High
Medium
– High
Overt Medium
– High
Verification for
access control
Yes No
Combining Biometrics in a Multimodal Biometric System
Biometrics seem to offer solution of stronger and more solid identification and current circumstances
(increase of digitalization, increase of mobility, social and national demand for more accurate and effective
identification etc.) render their use pivotal in respect to the success of proposed IDM schemes. Despite the
potential and beneficial effects that biometrics seem to have, there are some concerns raised; the
incorporation of biometrics in a national IDM scheme is an extremely large-scale and untested emprise. Up to
now, biometrics are usually used at small-scale projects mainly in the private sector. Nevertheless, airports -
given the involvement of a larger number of people - have implemented some pilots that just recently have
started getting bigger dimensions.
Unimodal biometric systems are currently deployed in a variety of application contexts (including airport,
passport, logical and physical access control). In general they are subject to a variety of errors including
noise associated with the acquired biometric data and intra-class variability. Noise is linked to the reader’s
performance when reading/scanning biometrics, poor ambient conditions and by user behaviour (i.e.
misplaced finger). Intra-class variability is defined as the variation between biometric data acquisitions for the
same person. Combining technologies with mixed intra-class variability could result in systems which exhibit
overall better performance characteristics.
Fig. : Fixation Pegs
on Hand Shape
Recognition

19.
IDM Architecture Considerations
19
In order to reduce the inadequacies and errors of unimodal biometric systems, multimodal systems combine
more than one biometric modality, resulting in enhanced performance, reliability and even increased user
acceptance. In other words, the aim of multimodal systems is to minimize noise and intra-class variability
effects, thus reducing false acceptance and reject rates. There are two alternative ways of using multimodal
systems: (1) In sequence: multiple biometric readers are used the one after the other, strengthening the
performance and security of the biometric system (2) In parallel: multiple biometric scanners/readers are
used in parallel, providing alternative modes for the identification/authentication process, thus strengthening
the overall flexibility of the system. Biometric systems their implications and their process significance in
national IDM schemes will be discussed later in this paper.
Two Alternative Applications of Multimodal Systems
I. In Sequence
In this scenario, multiple biometric readers are used the one after the other; the user must ‘pass’ from a
series of biometric scans. In sequence multimodal biometric systems allow for multiple biometric checks; as
a result this type of biometric multimodality strengthens the performance and security of the biometric
system. Combining biometric technologies in sequence is likely to counter attacks since a lot more effort
will be required to spoof the combined system.
II. In Parallel
In this scenario multiple biometric scanners/readers are used in parallel. The cardholder (user of the
system) chooses which type of biometric he prefers to be taken. By providing alternative modes for the
identification/authentication process, the service equipped with a parallel multimodal system strengthens
the overall flexibility of the system. This type of multimodal system could prove useful to citizens who have
temporarily lost the ability to provide one of their biometric traits (e.g. a temporary eye problem that rules
out an iris scan) or in cases where people refuse to use a specific modality (for religious or health
purposes, for instance).
In the following diagram, the generic processes of a ‘’in-parallel multimodal biometric system are
presented. It is clear that with a reasonably good logic algorithm, the proposed system reduces the
probability of a FAR and FRR and improves the overall of performance towards lawful citizens.
The operation of a ‘in parallel’ multimodal biometric system
At this point it is necessary to underline the need to combine biometrics instead of relying on one of them in
order to increase performance and accuracy and at the same time reduce the exception cases (few people
don’t have iris and fingers). Although biometrics are considered as universal, a certain portion of the
population may have biometric identifiers that cannot be captured and quantifiable or even does not have at
all (such as truncate or blind people). Moreover, the security of a multiple biometrics system increases as
long as it is much more difficult to fake all the biometrics of a person and cheat the system. In addition, the
possibility of interoperability and future upgrades increases. This increases the cost and the amount of data
collected, which may raise issues about the right of privacy and other implications that will be examined in
more details later in this paper.
2.3 Technologies for ID Tokens
Citizen’s identification goes back to 3000 BC and the ancient Babylonian culture where slaves where
identified by either their tattoos or branded on their face/back of their hands. Today, after years of social and

20.
IDM Architecture Considerations
20
political ‘framing’, national identity tokens take the form of plastic cards for two main reasons. First, cards can
contain both human readable (text, images, visual security features) and computer readable information, thus
assisting in both human and technology assisted methods of identification, authentication and authorisation.
Second, plastic cards can be stored in wallets and can be sent over by any post service with convenience (as
defined in our society). Smart cards are plastic cards embedded with computer chips that can hold a wide
variety of data types, including identification strings, biometric templates, security access information,
applications, and records.
Smartcards can be distinguished into four categories according to their communication with readers (contact
or contactless) and their functionality (memory or microprocessor). In the following table a brief categorization
of smartcards is presented according to their communication with readers (contact or contacless) and their
functionality (memory or microprocessor).
Smartcard categorization
1. Contact 2. Contactless
Smartcards in this category have golden plates and
contact pads on one corner of the card. These are
used to supply the necessary energy and
communicate via direct electric with the reader.
The connection between reader and card is done via
Radio Frequency (i.e. as in RFID). They also have a
wire loop which feeds energy to the chip when the
card goes into the RF field of the reader.
3. Memory 4. Microprocessor
Usually contain EEPROM (Electrically erasable
Programmable Read-Only Memory) non-volatile
memory. Data is managed via a microcontroller
responsible for accessing the data and accepting
the communication. This type of smartcard does not
support cryptography.
Contain EEPROM (file system), ROM (operating
system) and RAM (fuctions) memories, together with
a microprocessor. With the addition of a crypto
module, the smartcard can process complex
mathematical computations in relation to a Public
Key Infrastructure (PKI).
Current ID cards can contain technology ranging from simple barcodes and magnetic stripes to integrated
circuits and RFID tags. Magnetic stripe technology has reached a saturation point in term of its capabilities to
process and store data. Smartcards offer several key advantages over traditional magnetic stripe cards. They
are more difficult to clone than traditional cards; the information they hold can be considerably more complex;
and they can be updated. Nowadays, governments around the world are considering the issuance of smart
ID cards for numerous expressed and unexpressed reasons.
Reasons for national smart ID cards
Expressed Unexpressed
Efficient and faster service delivery leading to
citizen satisfaction
Government process automation
Clearly show where taxpayers’ money go Long-term cost reductions
Track and reduce identity theft/forgery, fraud and
abuse
Data sharing between governmental agencies
and between the public and private sector
Customized and always available public services Active archives
Promote wide usage of information systems Infrastructure for monitoring unusual behaviour
Increase the security of identification
mechanisms
Collect taxes more efficiently
In general, the move towards smart multi-application cards is happening and as a result citizens expect real
service delivery improvements. Overall, national smart ID card projects are complex and involve important
considerations for privacy and security, as explored later in the paper.
Current ID cards can contain technology ranging from simple barcodes and magnetic stripes to integrated
circuits and RFID tags. Magnetic stripe technology has reached a saturation point in term of its capabilities to
process and store data. Smartcards offer several key advantages over traditional magnetic stripe cards. They
are more difficult to clone than traditional cards; the information they hold can be considerably more complex;
and they can be updated.

21.
IDM Architecture Considerations
21
In general, the move towards smart multi-application cards is happening and as a result citizens expect real
service delivery improvements. Overall, national smart ID card projects are complex and involve important
considerations for privacy and security.
2.3.1 RFID Technology
Introduction
RFID or Radio Frequency Identification is a set of technologies that use radio waves to automatically detect
individual entities. From an academic viewpoint, RFID falls under the umbrella of Ubiquitous Computing, a
broad research area that has received increased interest the past decade. Ubiquitous Computing refers to
the application of computation technologies that disappear/are embedded into the environment and space
itself becomes intelligent. The significance of RFID technology lies in the fact that it changes the global e-
network of computers to a global e-network of computers and objects – and humans who carry/use the RFID
enabled objects as a result. Essentially, RFID-enabled cards are a special type of smartcard that use of radio
waves and thus no contact to a reader device is necessary (compared to other smartcards that require
contact with the reader in order to operate).
RFID technology is designed to enable the remote capture of data from physical objects. Data collected
through RFID systems can be stored on a small token (the tag) embedded in the object. In the case of
nationwide IDM systems, the object is the ID card used by individuals/citizens in their routine interactions with
private and public services. Today, data can be read via these tags by RFID Readers which are usually
connected to computer networks, databases and database management systems. As a result RFID facilitates
the transfer of information to remote datastores and allows for the tracking of the tags through space. Current
successful applications of RFID include animal tracking, electronic roadway toll collection, and most
importantly revolutionizing supply chain management.
If we follow the chronological evolution of RFID Technology, we can argue that the market is moving towards
true globally unified standards for UHF RFID technology, thus encouraging the global interoperability of
private and national (public) IDM systems. Interest in RFID technology by organisations has seen a dramatic
increase the last years mainly because (after years of technology refinement) the RFID tags have now
become very small and inexpensive.
Before proceeding to an operational description of RFID systems, it would be useful to make evident the
components of a basic RFID system. All RFID systems have three major components: the RFID tag, the
RFID Reader and a Database system, as shown in the following figure.
The components of a RFID system
The RFID tag refers to a microchip attached to an antenna, able to transmit identification information by
transmitting to and/or receiving data from the RFID Reader. Moreover, RFID tags have embedded memory
that can be read-only, read-write, or write-once read-many. Readers use their own antenna to communicate
with the tag and can process multiple tags simultaneously, allowing for increased read processing times.
In practice, the Reader sends energy to the tag to provide it with sufficient power to operate and send data
back to the Reader (if the tag has an embedded battery, this step is not needed). Depending on the type of
RFID system the Reader can receive the data held by the tag (read process), write or update data on the tag
(write process). In other words, the Reader then performs a series of read/write operations while the tag has

22.
IDM Architecture Considerations
22
data storing and sending abilities. The tag is able to store data that the Reader writes unto it or data that was
originally stored unto it by the issuing authority. These operations constitute the centre of any RFID system,
and allow for the Reader to track the object carrying the tag in its vicinity.
Another aspect of RFID Readers is anti-collision techniques implemented to prevent the ‘collision’ of data
when the reader reads from more than one tag at the same time. Anti-collision algorithms include spatial,
frequency and time domain techniques that essentially aim at regulating the replies so that a Reader can
detect exactly all tags in its vicinity.
Types of RFID Technology
It would be also useful to draw a distinction between different RFID tag categories. In this section we will
discuss the three identified categories are passive, semi-passive and active RFID tags; their typical
characteristics are presented in the following table.
Typical Characteristics of RFID Technology
Source: National Institute of Standards and Technology and Robert W. Baird & Co., Inc., “RFID Explained: A Basic Overview”
(February 2004)
Passive
Passive tags represent the simplest form of RFID tag technology and do not contain their own power source
(i.e. battery), nor they can initiate communication with a reader. As described in the previous section, passive
tags derive their power from energy waves and respond to radio frequency emissions form the reader.
Minimum storage requirements of passive tags include the unique identification number of the object in which
it is embedded; as storage capacity increases so do costs. In addition, typical passive tags allow for read-only
operations on their data, while their memory is around 64 bits of permanently programmed data (e.g. cannot
be altered or updated). Costs vary depending on the communication frequency used, design of the antenna
as well as the packaging around the transponder. The read range of passive RFID tags varies according to
four key factors: the design/length of the tag antenna, the radio wave frequency used, the power of the reader
and the material between tag and reader.
Common RFID operating frequencies (for passive RFID tags)
Source: National Institute of Standards and Technology and Bear Steams “Supply Chain Technology” (January 2004)
The development of inexpensive passive tags has made able the consideration of RFID technology adoption
in wide-scale implementations in an effort to optimize government and industry processes.
Semi-passive

23.
IDM Architecture Considerations
23
Compared to passive tags, semi passive tags have embedded a power source used for specific purposes.
These include the monitoring of environmental conditions and powering the tag’s internal micro-electronics.
The main use of the power source of semi-passive tags is in enabling the efficient data storage. On the other
hand, semi-passive tags do not initiate communications with (do not actively transmit information to) readers.
Most of the tags in this category remain dormant (thus conserving battery life) until they receive a signal from
a reader. Finally, it is worth mentioning that semi-passive tags have the lowest lifetime from all types of RFID
technology, fact that poses serious considerations regarding IDM.
Active
Active tags represent the most powerful RFID technology mainly because they contain a power source and a
transmitter. These tags have read/write capabilities ensuring communication over distances reaching up to
hundreds feet (depending on the battery power). In addition to storing data, active tags can allow the data in
the tag’s memory to be updated when necessary; this means that the tag has larger memory capacity
compared to the other types of RFID tags as well as increased costs. It is important considering that the
read/write capability of active tags represents both a revolutionizing advantage and a huge risk depending on
the context of use of the RFID system.
Benefits of using RFID Technologies
It can be argued that RFID is a new and enhanced barcode. However compared to barcodes, RFID offers
three significant advantages. RFID puts forward sufficient storage capacity for larger scale implementations,
is reprogrammable and can be undetectable (if examined by the human eye) due to its miniature size.
The most important advantage of an RFID system is that it expands the range and function of databases. In
the private sector, RFID technology has revolutionised the management of the supply chain (and other
business processes that involve utilization management and/or tracking), by enabling identification, tracking
and data processing for each individual item (compared to previous solutions that identified items per product
category). Accenture highlights that RFID has already been used in public service provision such as public
transport services around the world. The benefits in the public transport domain extend to all involved parties
(passenger, driver and the transport company) since the RFID system enables (1) security by eliminating the
exchange of money, (2) less distraction to the driver, (3) convenience for the passengers who do not need a
ticket or to know the precise ticket price before they ascend in the bus and (4) reduces maintenance costs for
sales dispensers and optimizes the fare collection process. Similar advantages are expected to public service
providers’ transactions with citizens in a range of contexts.
The individuals’ and society’s privacy issues arising from the use of RFID technology will be discussed in
detail later in the paper.
2.3.2 Other Card Technologies
Apart from RFID tags, other types of silicon chips can be used in plastic ID cards. Depending on the
sophistication of the silicon chip, smart cards (carrying alternative to RFID tag chips) have the ability to both
store data in their memory cell (RAM) that is processed by the smartcard reader, and to store procedures
(ROM) to manipulate data through an embedded microprocessor.
The movement towards smart cards and away from magnetic-stripe cards has been driven from a need to
both update data in the card as well as the limited infrastructure to ensure an acceptable level of security (in
magnetic stripe cards). And while ISO 3 allowed for update operations on the magnetic stripe, it failed to be
widely adopted for the reasons of inexistent offline security and high cost for installing and maintaining
reliable readers/writers. Smartcards unlike magnetic stripe cards can carry all necessary functions and
information on the card. Therefore, they do not require access to remote databases at the time of the
transaction and depending on their memory capacity can have embedded security (cryptography) modules.
Smartcard Lifecycle
The smartcards lifecycle typically consists of five distinct stages. First there is the fabrication phase where the
manufacturer assigns a fabrication key to protect the chips from unauthorized tampering. Then the card is
mounted on the actual card and the fabrication key is replaced by a personalization key. During the third
phase, the manufacturer equips the card with the functions it will need during its lifetime. Application and data
are written on the card including the unique identifier, the name of the card holder and a utilization lock to
indicate that the card is in use. Access to the card is limited by the user’s PIN or other authentication key that

24.
IDM Architecture Considerations
24
indicates how many of the functions of the card the cardholder can access. Last, in the end-of-life phase the
card is discarded and must be disabled (also in cases where the card is lost or malfunctioning).
Structure of integrated circuit (IC) microprocessor cards
The integrated circuit (IC) microprocessor card has a file structure as presented in the following schematic.
The internal structure of an integrated circuit processor card
The Master File (MF) is a list of all the headers of all the dedicated and elementary files that contain the MF in
their parental hierarchy, acting as an indexing service. A dedicated file includes data (itself) and headers of its
immediate children, whereas an elementary file contains its own header and data. The microprocessor reads
access information first and if the entity ‘calling’ for the information does not have the access rights to the file,
then the microprocessor locks access to the elementary file.
Optical Memory Cards
Optical Memory cards is another type of smart card technology that seems to have many advantages, in
terms of storage capacity, durability, ability for laser image creation of the photograph and some other.
Different vendors provide with different types of smartcard technologies; the latest technological development
in smart cards is the Optical Memory Card. Optical Memory Cards have two advantages over other
technologies including RFID tags. First it has a comparatively large storage capacity reaching 5 to 6 Mbytes
(typical card has 2.8 Mbytes) of digital data. This is particularly helpful in governmental IDM and immigration
systems as it allows for the storage of facial images, fingerprint images, and iris patterns (and probably
chronological series for each biometric). Furthermore, an identification scheme can take advantage of the
large storage capacity of the cards by recording transaction details (thousands of transaction records can be
stored). Finally, it has been widely suggested by forensic documents specialists that optical memory is the
most counterfeit-resistant machine-readable technology available.
An additional characteristic of optical memory cards is
that the optical memory card writers can create a laser
image (is indestructible) of the photograph at resolutions
up to 12,000 dots per inch and etch it in the card. This is
a unique feature for machine readable cards and enables
higher ID security by allowing the comparison of the
photograph in the card with the laser image and the
person. It is worth mentioning that the optical media is
laminated between multi-layer polycarbonate, fact that
ensures the high card durability. However, the price of
readers/writers for Optical Memory Card is high
compared to RFID readers/writers, a factor that may seriously impede its adoption in governmental
implementations.
Card Technologies Comparison
As it has been described, smart cards can be read either by direct contact (i.e. inserted in a reader) or by
being placed in close proximity to the readers (i.e. contactless technologies such as RFID). Contact cards
may contain embedded microprocessors and offer better security whereas contactless cards contain

25.
IDM Architecture Considerations
25
antennae and offer the advantages of convenience and may speed up transaction times. Smartcards can
also be online, offline or hybrid. Briefly, online smartcards allow access to external databases rather than
holding information in their memory cell, whereas offline cards hold data physically with no computer backup.
Most smartcards are a combination of the two types, to allow for both online and offline verification of identity
depending on the level of security at the point of service.
In the following table, a variety of alternative smartcards are compared according to their costs, processing
power and maximum data capacity.
Comparison of card technologies
2.4 Security and Cryptography
A major driving force for IDM schemes around the world is to increase national and social security; in order to
achieve this, it is required that a reasonable degree of information protection is achieved. The concept of
security in a national IDM system is similar to other Information Systems; it refers to mechanisms and
procedures designed to ensure that information is not stolen, misused, damaged, unauthorized modified or
access to it groundlessly denied.
After the events of 9/11 the photo ID has been rendered as a useless security measure; and as we have
argued governments around the world are adopting the use of alternative biometric technologies. The NIR
(UID repository) will be accessed by a variety of public and private service providers, other governmental
agencies (police, national security office and other) and citizens through the use of biometric smart ID cards
and/or a nation Identification Number (IN). Moreover, as mentioned, one of the objectives of the scheme
should be to enable more efficient eGovernment including eVoting and access to existing governmental
eServices. In order to do so, but also to enable the secure communication between card readers and the
NIR, the scheme presupposes the existence of (a) cryptographic technologies and (b) a national PKI that will
issue (inside the ID card) and use digital certificates to each citizen enrolled to enable the secure and efficient
citizen authentication/ eService access control. The microprocessor with a cryptographic engine on-board
ensures the right security in terms of identification and authentication based on symmetric and asymmetric
cryptography. This is dealt through a PKI responsible for enabling citizen authentication and access to both
data and services. Furthermore, by the incorporation of digital signatures inside the smart ID card the
proposed scheme achieves non-repudiation.
Security in a national IDM scheme should address at a minimum level:
a. the visual security of the plastic card itself (against card forgery),
b. the security of the card data from being accessed/read/altered by an unauthorized entity,
c. the security of communication channels in the resulting network (network security),
d. authentication and access management at the level of the NIR (against unauthorized access),
e. the preservation of the security and reliability of the privacy-sensitive data held in the NIR
Traditional ways for ensuring the visual security of the ID card

26.
IDM Architecture Considerations
26
In secure IDM systems, ID cards usually have visual security features that make the card more difficult to
manufacture, copy and/or imitate. Visual security features today consist of a combination of the following:
ultra violet printing optical variable ink
rainbow and guilloches multiple laser images
softened personalized area anti-copy patterns
microtext hidden text
holograms
It is worth noting that a combination of these as defined by card specialists would be an ideal measure to
prevent card replication at a first level.
Cryptography and Security Mechanisms in IDM
Cryptography offers the following possible functionalities (see table below), with differing degrees of interest
depending on the IDM subsystem.
Table : Generic Objectives of Cryptography
Objective Description
Data confidentiality ~ the message must be decrypted for the information to be understood.
Data integrity ~ provide assurance that an intruder is not able to alter (in any way) the
message’s content in transit.
Authentication ~ the message recipient should be able to confirm that the message originates
from the message sender.
Electronic certification
and digital signatures
~ protection against unauthorized changes to electronic documents.
Non repudiation ~ assurance that the sender will not able to later deny sending the message (if
he has send it).
In practice, security in IDM comprises of three basic building blocks:
Encryption is used to provide confidentiality, can provide authentication and integrity protection
Digital signatures are used to provide authentication, integrity protection, and non-repudiation
Checksums/hash algorithms are used to provide integrity protection and can provide authentication
Securing the database
Needless to mention that NIR database will be secure and shall include a mapping mechanism between
readers’ serial numbers, readers’ locations on the network, and readers’ access permissions. The database
should be maintained by a governmental agency. It is important that through the design of the database,
access will be controlled for different service providers/ agencies under relevant information policies and
legislation.
Securing the communication channel
The following diagram explicates a possible way for ensuring that the communication between a card reader
and a database (i.e. the NIR) occurs over a secure communication channel, in order to minimize risks arising
from eavesdropping activities.

27.
IDM Architecture Considerations
27
Secure communication channel
After the process as shown in the above schematic is finished successfully, the citizen’s public key can be
used to decrypt the information on the card, and the cardholder/citizen can be verified.
National Public Key Infrastructures and Digital Certificates
Regarding IDM schemes, the most prominent cryptography and security developments revolve around the
development of a national Public Key Infrastructure (PKI) and its operation through digital certificates or
digital signatures stored in the ID card. PKIs are a basic requirement for national IDM schemes where the ID
card is designed to fulfill a dual purpose:
Act as a physical identity mechanism – to physically identify a citizen
Act as an electronic authentication mechanism - to secure electronic identification, authentication and
access to specific network resources (e.g. web-based government services)
With the rolling out of smart ID cards, the establishment of a PKI for efficient web service provision may be a
seductive opportunity for future uses of the IDM system.
RSA Security defines a PKI as consisting of ‘protocols, services, and standards supporting applications of
public-key cryptography’. PKI sometimes refers simply to a trust hierarchy based on public-key certificates,
and in other contexts embraces encryption and digital signature services provided to end-user applications.
Although PKIs can take several different forms, they essentially involve the existence of a Certification
Authority (CA), a Registration Authority (RA), a user (citizen), a repository and a relying party. In a highly
secure PKI, the main requirement is to have more than one PKI authorities (i.e. CAs). The PKI authorities
involved must interoperate so as to establish trust relationship between governmental agencies and in order
to do so the PKI architecture can take two forms as presented in the following table.
Two Alternative PKI Architectures
A. Hierarchical PKI The common trust point is provided by a root CA, trusted by all subordinate CAs
(subordinate CAs are cross-certified by the root CA). This means that subordinate
CAs can interoperate as each has a verifiable path to the root CA. However as
with single CA models, the Hierarchical PKI has a single point of failure. Its
realization may fail to both practical and political grounds.
B. Mesh PKI CAs are connected in a set of peer-to-peer bi-lateral relationships (by one- or two-
way cross-certification). That results in no single trust point; trust is established
through the bi-lateral relationships in the form of a ‘trust network’, enabling for
adaptability and scalability but introduces performance drawbacks in large
networks.

28.
IDM Architecture Considerations
28
In the Registration stage of the national ID card, the only difference is that the local authority (where the
registration takes place) will have to forward a request at the CA for issuance of a digital certificate. Once the
registration is validated and the digital certificate is issued, the smart ID card can be issued to the citizen.
Experience form electronic ID projects around the world has shown that each national ID card should contain
at least two discreet PKI based digital certificates. One will be used for authentication and the other for digital
signing. These certificates will have two associated private keys that will be stored on the card and protected
by a unique user PIN code.
One of the most important issues in national PKIs is how is the certificates issued and managed. One
possible scenario is that the CA and RA lie within the boundaries of governmental control. In this case, it is
necessary to establish a governmental agency to control the registration and certification process. In an
alternative scenario where the government cannot provide with assurance or does not possess the resources
to run and maintain this service, a Trusted Third Party (TTP) can be subcontracted, under a strict service
level agreement. The TTP will be responsible for decrypting the message sent by citizen A to service provider
(can be an eGovernement service) B, with a secret key he shares with A, and then re-encrypt the message
with a secret key common with B. Finally the message recipient (service provider or web based govt. service)
B, will decrypt the message from A with a secret key shared between the TTP and B.
Finally, in order for any PKI to be successful, a properly functioning revocation system must be put into place
to provide individuals and agencies dealing with individuals with a way to identify bad certificates. Certificates
can become invalid for many reasons, including the loss or theft of the corresponding private key or
termination of the certificate.
Thus, if we consider the existence of a national smart ID card, (with incorporated biometric data), the ID card
would contain a microprocessor, crypto-engine and issued digital certificates in its memory. The master file
(revert to: Other Card Technologies) will therefore include two dedicated files (DF) for the storage of:
[DF1:] the digital certificate(s) (usually X509 type certificates)
[DF2:] information about the installed services and the public keys of the institutions providing the
service
In order to ensure that the digital certificates and public keys information are protected against unauthorized
alteration or deletion, the access mode to the DFs can be restricted to read-only. Other uses of the crypto-
engine include the strong network authentication, the signature operations of the card, and the authentication
and secure messaging process during the installation phase of the qualified national services.
The crypto-engine is used to generate the two keys used for the strong
network authentication of the card based on asymmetric cryptography
(block ciphers).
The private key length defines the strength of the encryption decryption
processes ( key length of 1024 bits or more may be justified for the
purposes of national IDM), and the algorithm used for service installation
can be any ‘secure’ block cipher like 3-DES, or AES (Advanced
Encryption Standard). Iterative block ciphers are block ciphers that can
have multiple encryption rounds. A set of sub-keys is created from the
original secret key and they are applied at each iteration of the algorithm
so as to transform the data. As it can be understood there is a trade off
between security (being added by each round of transformation) and
speed (the more the rounds the slower the computation).
An alternative way to implement the digital certificates based PKI, is through a TTP-enabled Pseudonymity
scheme that fulfills two tasks:
Creating personal pseudonyms (offline)
Certifying pseudonyms (online)
The registration is offline, because the service must be convinced of the correctness of the individual's
identity data outside the identity management system. After registration of the user's data, the user gets a