In this FAQ we present the answers to several questions that recur when defining the criteria for deciding which identification and electronic signature mechanisms citizens can use to interact with a Public Administration (AP).
The identification and electronic signature mechanisms that, in summary, interested parties can use are:
- Qualified electronic certificates of electronic signature issued by providers included in the Trusted List of Certification Service Providers.
- Qualified electronic certificates of electronic seal issued by providers included in the Trusted List of Certification Service Providers.
- Any other system that the APs consider valid, as long as they have a previous registration of the user that allows their identity to be guaranteed.
Regarding this list, acceptance by the AP of the mechanisms based on qualified certificates (the first two items above) is mandatory, in compliance with EU Regulation no. 910/2014 of the European Parliament and of the Council, of 23 July, relating to electronic identification and trust services (REIDAS); in contrast, acceptance of mechanisms based on the user's previous registration (the third item above) is optional.
The National Security Scheme foresees three levels of security (low, medium and high) for electronic identification and signature mechanisms; at the same time, it also defines the basic principles and minimum requirements for assigning a security level to each mechanism.
In summary, the relationship between the identification mechanisms and each level of security is as follows:
- Low level: any identification mechanism supported by regulations, such as shared key systems based on prior user registration; username and password is also a low-level identification mechanism, although it is only supported in specific cases.
- Medium level: any identification mechanism that requires, at least, the use of a second authentication factor, consisting of a one-time password.
- High level: any mechanism that meets the same requirements as for the medium level (the ENS does not establish additional measures).
Regarding the electronic signature mechanisms, the relationship with the security levels is as follows:
- Low level: any electronic signature mechanism accepted by current legislation.
- Medium level: an advanced electronic signature mechanism based on an electronic certificate that, in addition, must be qualified; in this sense, it is necessary to use algorithms and parameters authorized by the National Cryptologic Center (or whatever is applicable).
- High level: an advanced electronic signature mechanism based on a qualified electronic certificate that, in addition, uses a second authentication factor for the activation of its private key.
Each AP must select the identification and signature mechanisms allowed for each specific action.
Despite the above, the regulations do not define which electronic signature must be used in each case; it would have been useful if a law whose subjective scope of application includes the APs had made an effort to specify criteria for the selection of these mechanisms (especially for the municipal area).
To make this decision, the AP assesses aspects such as:
- The level of security required by your information systems.
- The type of credential admissible for the identification and electronic signature of the action in question.
- The level of acceptable risk for each action.
- The ENS requirements described above.
- Other aspects established in specific regulations, if any.
So which mechanism do I select for my procedure?
A good practice is one that strikes a balance between security and usability and that, in the end, allows citizens to interact electronically with the APs.
In this sense, opting for the low level of identification and signature as a "universally" accepted mechanism for all (or most) of the procedures of an AP means:
- Making the requirements for electronic processing with guarantees more flexible, and
- Facilitating access to digital public services for interested persons.
Be that as it may, the AOC services allow user APs to select these mechanisms in an agile and simple way (expanded in the next section).
Finally, we mention the selection process of the identification and electronic signature mechanisms carried out by the Generalitat of Catalonia, through Order VPD/93/2022, of April 28, which approves the Catalog of identification and electronic signature systems, and in particular by Order PRE/158/2022, of June 30, which approves the Guide for the use of identification and electronic signature systems in the field of the Administration of the Generalitat.
Thus, these two provisions establish, in general terms, the admission of all the mechanisms of the Catalog to carry out all the procedures and services in the area of the Administration of the Generalitat, while restrictions on the use of certain mechanisms are exceptional.
The Guide itself establishes the procedure for excluding the application of the general criterion and limiting the use of any of the mechanisms for specific procedures. In this way, the possibility of limiting the use of some identification and signature mechanisms is foreseen when the following risks are identified (always in relation to a specific procedure):
- Legal: when a possible risk is identified that prevents guaranteeing the viability and legal security of the procedure, and that originates in the lack of robustness of the identification or electronic signature systems; for example, possible fraud in the signing of the document or impersonation of the persons concerned.
- Cybersecurity or data protection: when more restrictive specific measures are necessary due to the level of risk or the classification of the information or of the service (or procedure), or due to the possible processing of personal data by the service (or procedure) for which the identification or electronic signature system is planned to be used.
As mentioned, the regulations establish the security levels to be taken into account when configuring access to the procedure or process. But in the absence of selection criteria for the mechanisms that help to specify it, especially at the municipal level, the following may be useful:
- Be a user of the AOC VALid service, because it allows you to validate identity credentials and informs you of the level of security used.
- Adopt your own Protocol or Guide for identification and electronic signature that establishes selection criteria. If you are interested, a model Protocol of identification and electronic signature is available.
For more information, we refer you to the blog entry "Selection of electronic signature and identification mechanisms".
The VALID Service allows the verification of the person's identity credentials (known as authentication), by virtue of the criteria and security levels provided for in the ENS.
In this way, the AP user of VALID can select the identification and signature mechanisms allowed for each procedure, in accordance with what is provided for in the regulations: it accepts identification with the mobile idCAT, Cl@ve and qualified certificates in processes, and offers an electronic signature mechanism linked to the mechanism used.
That is, you can decide whether to accept all or only some of these mechanisms, and have different configurations to do so according to each specific need for electronic identification.
For more information, you can check these entries:
REIDAS: art. 25
Law 39/2015: art. 9 to 11
ENS: Annex I (point 3); Annex II, point 4, 4.2.5 Authentication mechanism (external users) [op.acc.5]; and Annex II, point 5, Protection measures [mp], 5.7.3 Electronic signature [mp.info.3].