Federated Digital Identities: a renowed example from the Nordics

Home / Blog / Federated Digital Identities: a renowed example from the Nordics

Raise your hand if, at least once in your life, you had to enter your username and password, but you had forgotten one (if not both!) of them. And now raise your hand if, when having to log in to some app or website, you preferred to click on “log in with Google”, or an equivalent, in order to avoid creating yet another password.

These are situations in which you were asked to authenticate starting from two different identification modes even if both can be associated to a form of centralized identification, which has been the most popular for years.

Nowadays we are witnessing the rising of other forms of identifications, such as the federated identification. In fact, this is particularly becoming more and more popular, with some virtuous examples coming from Northern Europe.

Before delving deeper into this, it may be useful to clarify some definitions and what the differences between the two methods are.

First of all, it is important to distinguish between the concept of “identification” and “authentication”. “Identification” means “claiming who you are” and being able to prove it, while “authentication” means “verifying that you are who you say you are”. Obviously, they are two interrelated concepts.

We can consider at least three approaches for end-user identities: Centralized identities and Federated identities, as mentioned above, and Self-sovereign identities, but in this article, we will take into consideration just the first two.

We talk about “Centralized identities” when a single institution, either public or private, has the authority to issue and manage identity credentials. This can be the case of governmental systems (e.g., the Ministry of Interior who issues ID cards) or private actors, such as Google, Facebook or Apple, who collect the users’ personal data when they first register and log in and link them to a pair of credentials, which then may become usable for login on other websites.

In these cases, generally, once your identity has been verified by the Institution you are given a username and password, which are necessary to sign in to the Institution’s portals.

The repeated application of this method will obviously lead to a proliferation of credentials that one might forget or even lose. According to a report from LastPass, on average an employee uses 191 passwords, so you can easily imagine the consequences.

Many Institutions are therefore concentrating on Federated identities. We talk about “Federated Identities” when in the presence of more than one actor who share the same set of identity credentials. In Italy, for example, the SPID system (Sistema Pubblico di Identità Digitale - Public Digital Identity System) is distributed: a citizen can choose among several identity providers to obtain his or her SPID credentials and thus be able to authenticate to the portals of public - but also some private - institutions.

In general, we can claim that they are based on mutual trust relationships between a Service Provider (SP) and an Identity Provider (IdP). They are called “federated” because when someone needs to access a service of an SP, the SP delegates the authentication to the IdP.

The great advantage of using Federated Identities is that one does not have to remember lots of passwords and insert them every single time, since they are already stored in the IdP’s database.

This is particularly beneficial in the corporate world, since using a federated-identity credential has many benefits, such as cost savings, time savings, greater peace of mind for employees (no need to remember their credentials every time) and increased data protection.

Even some Financial Institutions have started playing the role of IdP’s and, as mentioned above, a very interesting example of this comes from Northern Europe, Norway and Sweden to be precise.

BankID is the schoolbook example of federated identity, since it is an electronic identification system based on a personal credential issued by a bank (the provider) that allows to confirm who you are in order to access to a variety of service portals.

Getting a BankID is very simple: you just need to have a bank account and an ID document. Once you have obtained your credential – after a meeting at your branch – you can store it on your smartphone and use it in place of your physical ID card, driving license or passport in many circumstances in the countries where it’s in use. In order to access to the app, you can use the method you prefer, either with a passcode or via biometrics.

BankID is particularly useful as it allows, in addition to verifying identities, to sign documents and contracts, to interact with government services and also to sign money transfers. According to BankID.no, today 4.3 million Nowegians are using BankID – over a total population below 5.5M.

To sum up, the main difference between centralized and federated identities is based on the number of actors who can issue and manage identity credentials.

This example from the Nordic countries is a concrete demonstration of the trend towards the use of federated identities, which is good news for many reasons… especially for those who often forget their passwords!