Over 2020-2021, the COVID-19 healthcare emergency has ignited our need to own our digital identity. On the one hand, this is increasingly necessary to be able to access the online services of public administrations with a certain and secure identity, given the need for social distancing and the innovations introduced by Simplification Decree 2020. On the other hand, the digital identity is now essential for participating in some government initiatives that have focused on promoting digital identities and electronic payments. We are referring, for example, to the state cashback initiative through the IO app or the request for bicycle-scooter bonuses through a platform that is only accessible through one’s digital identity.
For these reasons, there has been an exponential growth in the delivery of SPID digital identities to citizens, going from 5,600,000 SPIDs issued in January 2020 to over 18,600,000 SPIDs issued in March 2021.
What is the SPID digital identity?
For those who don’t know, a digital identity is used to access a digital service, an IT system, or to sign IT documents. The Public Digital Identity System (SPID – Sistema Pubblico per l’Identità Digitale) allows users to access both public services and those provided by private members of the system, through a pair of personal credentials formed by username and password.
In the coming months, a further boom in SPID digital identity activations is expected as the 2020 Simplification Decree (Decree-Law No. 76 of July 16, 2020) established that, as of February 28, 2021, public administrations shall exclusively use SPID digital identities or the electronic identity card (CIE – Carta d’Identità Elettronica) for the purpose of identifying citizens accessing their online services. Although many public administrations have not yet complied with the new obligation, despite the deadline imposed by the Decree, the road is now clearly marked and in the future, access to public services through the SPID digital identity is destined to become the predominant mode of use, if not the only one.
To request their SPID identity, citizens can turn to one of the nine Identity Providers or, if present in the territory, to public Registration Authority Officers (R.A.O.). Digital Identity Managers (or Identity Providers) are subjects accredited to SPID by AgID with the task of identifying the user with certainty, generating digital identities, assigning access credentials, and managing user attributes.
The three levels of SPID
The SPID legislation provides for three levels of security:
- level 1, defined as Low: The first-level SPID identity allows authentication through an ID and a user-chosen password of at least 8 characters, to be renewed at least every 180 days, according to the classic security criteria. This level, adopting a single-factor authentication system, ensures a good degree of reliability;
- level 2, defined as Significant: The second-level SPID identity allows dual-factor authentication, that is, through a password and a One Time Password ("use and discard") sent to the user. This level guarantees a high degree of reliability and is the most widespread. The OTP is generally sent through the Identity Provider app or via SMS;
- level 3, defined as High: The third-level SPID identity allows authentication via password and smart card. This level guarantees a very high degree of reliability.
In November 2019, all Digital Identity Managers pledged to provide free SPID Level 1 and Level 2 credentials to citizens forever.
SPID identity verification as a mode of recognition
Technology and legislation now make it possible to recognize a person through more innovative and modern techniques, such as through the verification of a certain and guaranteed digital identity, and no longer through the acquisition of an identification document, perhaps produced by scanning or from a copy of the image.
To possess a digital identity, a person must first be identified with certainty when the identity itself is issued. In this way, every time a user accesses digital services, whether public or private, the digital identity can be used to verify and recognize their identity: this represents a value of great importance for the innovation of business processes.
This important principle has been definitively sanctioned also from a regulatory point of view by the already mentioned Simplification Decree 2020 which, by introducing paragraph 2-duodecies into art. 64 of the Digital Administration Code (CAD), established that the verification of the SPID digital identity with at least a significant level of guarantee and of the CIE, pursuant to article 8, paragraph 2, of EU Regulation No 910/2014 of the European Parliament and of the Council of 23 July 2014, produces, in electronic transactions or for access to services on the network, effects equivalent to those of the identification document.
Integrating SPID identification with e-signature solutions
Integrating online e-signature solutions with SPID identification is a natural and innovative evolution of signature processes. At the same time, it is a path that is already fully feasible.
Let’s start from the axiom that the more robust the identification of the signer, the more robust the electronic signature. As a result, in providing online signature solutions, whether simple electronic signature (FES – Firma Elettronica Semplice) or advanced electronic signature (FEA – Firma Elettronica Avanzata), an automatic, application-level integration not only provides legal and probative value to the signature solution, but also offers a more effective and streamlined procedure, since it automatically recognizes the signing user.
A simple electronic signature (FES) integrated with automatic recognition through SPID is certainly more robust, because its security features are strengthened by guaranteeing the identity of the signer.
An advanced electronic signature solution (FEA), on the other hand, is expressly required, under art. 26 of the European eIDAS Regulation and art. 56 of the DPCM of 22 February 2013, to comply with the requirement of mandatory identification of the signatory prior to the first signing. The same rules also require that evidence of the recognition that was performed, together with the adhesion or declaration of acceptance of the signatory, be kept for 20 years.
So, in case of identification performed automatically through the SPID digital identity, we will simply keep the evidence of the verification performed by the Manager of the digital identity for 20 years. This is represented by an assertion of authentication or an XML file called SAML <Response>: we will not keep the scan of the identification document or the video recording of the recognition performed remotely by an operator.
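The following Python example is added here and is not code from the article or from any SPID provider. It builds an archival record for a SAML <Response> kept as identification evidence: it rejects assertions below SPID level 2, hashes the raw bytes so the stored file can later be shown to be unaltered, and computes a 20-year retention date. The function name, the sample Response, the issuer URL, and counting the 20 years from the assertion's IssueInstant are assumptions, as is the premise that a SAML library has already verified the XML signature.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SPID authentication-context class references, mapped to their level.
SPID_LEVELS = {"https://www.spid.gov.it/SpidL1": 1,
               "https://www.spid.gov.it/SpidL2": 2,
               "https://www.spid.gov.it/SpidL3": 3}
CLASS_REF = "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"

# Constructed sample (signature elements omitted; issuer is a placeholder).
SAMPLE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1"
  IssueInstant="2021-03-01T10:00:00Z" Version="2.0">
 <saml:Issuer>https://idp.example.test</saml:Issuer>
 <saml:Assertion ID="_assert1" IssueInstant="2021-03-01T10:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2021-03-01T09:59:58Z"><saml:AuthnContext>
   <saml:AuthnContextClassRef>https://www.spid.gov.it/SpidL2</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
 </saml:Assertion>
</samlp:Response>"""

def build_evidence(raw: bytes, min_level: int = 2, years: int = 20) -> dict:
    """Index record for a signature-verified Response; archive `raw` unchanged."""
    root = ET.fromstring(raw)
    assertion = root.find("saml:Assertion", NS)
    if root.tag != "{%s}Response" % NS["samlp"] or assertion is None:
        raise ValueError("not a SAML Response carrying an assertion")
    ref = assertion.findtext(CLASS_REF, default="", namespaces=NS).strip()
    level = SPID_LEVELS.get(ref, 0)   # unknown class reference counts as 0
    if level < min_level:
        raise ValueError("SPID level too low for identification: %r" % ref)
    stamp = assertion.get("IssueInstant", "").replace("Z", "+00:00")
    issued = datetime.fromisoformat(stamp)   # ValueError if missing/malformed
    try:
        keep_until = issued.replace(year=issued.year + years)
    except ValueError:                # 29 February with no match in target year
        keep_until = issued.replace(year=issued.year + years, day=28)
    return {"response_id": root.get("ID"),
            "assertion_id": assertion.get("ID"),
            "issuer": assertion.findtext("saml:Issuer", "", NS).strip(),
            "spid_level": level,
            "issued": issued.isoformat(),
            "keep_until": keep_until.isoformat(),
            "sha256": hashlib.sha256(raw).hexdigest()}
```

Store the Response exactly as received next to this record: re-serializing the XML would invalidate the Identity Provider's signature, which is what gives the evidence its value.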
The signature with SPID according to AgID Guidelines
A further signature possibility that exploits SPID identification is the SPID signature governed by art. 20 paragraph 1-bis of the CAD, whose implementation has been defined by the AgID (Italian Agency for Digital Italy) Guidelines of 23 April 2020. This additional signing solution can be offered by Digital Identity Managers and eventually employed by service providers who use it.
The IT document signed with this type of signature will bear a qualified electronic seal of the service provider as evidence of the signature. In addition, the document will also bear as many qualified electronic seals, affixed by the Manager of the digital identity, as a point and click confirmation of signature by the user.
In a single SPID authentication session, the signing process allows a user to confirm a signature at multiple points in the document. In addition, it is also possible for multiple signatory users to confirm their signature on the same document, with separate timelines and SPID authentication sessions.
To date, however, this type of signature has not yet become widespread, also because the AgID Guidelines have only recently been issued.
The future of SPID in the biennium 2021-2022
The federated SPID ecosystem is constantly evolving, and 2021-2022 will certainly be a period of great growth and maturation for the system.
To date, the electronic signatures that integrate with SPID can only be used in the B2C scenario, as the more than 18.5 million digital identities issued relate only to citizens.
Therefore, the start of the diffusion of digital identities for business use for professionals and representatives of legal entities is still to come.
In this regard, the 2020 Simplification Decree established that a subsequent decree will be issued that will set the date from which exclusive access via SPID of professionals and businesses to the online services of public administrations will be provided, as soon as the digital identities for professional use, governed by the recent AgID Guidelines published in November 2019 and entered into force as of December 1, 2019, are more widespread.
Another novelty expected for the diffusion of SPID digital identity in the private sector is AgID’s definition of the convention and rules for Aggregators of private services, i.e. service providers through which other private service providers (so-called Aggregates) allow the computer authentication of users through the use of SPID for access to their online services (so-called aggregated services). Aggregators are facilitators in the sense that they facilitate and support entry into the SPID federation of service providers who do not consider it convenient to activate the structure necessary to offer their services on the network through SPID authentication.
Ultimately, three more pieces will be needed to truly ignite the use of SPID to full capacity:
- complete the implementation framework for Qualified Attribute Managers (Attribute Authorities), i.e., all entities that have the power to certify qualifications, personal statuses, or powers of individuals, such as, for example, Professional Orders and Colleges, Bars, Chambers of Commerce, National Councils, and public administrations;
- define the procedures for delegation and, in particular, the management of delegated persons and “support administrators or guardians”;
- define guidelines for private R.A.O. in order to allow private subjects to carry out the identification of individuals, a preparatory activity for the release of the SPID digital identity by accredited Identity Providers.
In the meantime, it is already possible to start integrating remote FES or FEA electronic signature solutions with identification through SPID in order to optimize the signature processes and offer greater security guarantees related to the high level of robustness that the SPID digital identity offers.