Digital Identity Spotlight: Portugal

Michael Cichon

Whether it’s Henry the Navigator leading The Age of Discovery or Cristiano Ronaldo nailing a mid-air pirouette on the football field, Portugal has long been home to game-changing innovation—and digital identity is no different. Like most nations grappling with a challenging new world of cyber threats, it’ll need all the modernization it can muster.

Over the past decade, this postcard-perfect republic on the Iberian Peninsula has combined its natural beauty and Old World charm with cutting-edge technology to mold itself into a digital phenom. Thanks in no small part to the Portuguese government’s ambitious digital transformation agenda, investments in telecom infrastructure have led to one of the highest mobile broadband penetration rates in Europe, with some of the fastest and highest-quality online and mobile connections on the Continent.

Hell, even the most remote, 200-year-old beachside villa sports state-of-the-art connectivity. So it’s no wonder Portugal has successfully expanded on its appeal as a beloved holiday hotspot to rank among the world’s top destinations for digital nomads—beating out Thailand, Spain, and others. Lisbon alone boasts a community of more than 16,000 digital nomads, with more arriving by the day. Unfortunately, cybercriminal networks got the memo.

Digital Identity: More Beach, Less Breach

In addition to its role as a leader in Instagram-worthy tourism and Fado, Portugal has been at the vanguard of the transition to digital identity for its 10 million citizens and foreign residents.

Building on the Portuguese national ID card scheme launched in 2007, the country’s eID program began providing a cryptographic means for citizens to access government and healthcare services in 2014. In 2019, it expanded the scheme to the private sector through an API-based platform. And earlier this year, officials announced the rollout of new, biometric-enabled ID cards that facilitate digital and physical access to public services without needing a card reader to verify the data on the card.

It’s a smart move. Identity verification and proofing have long played an essential role in civilized societies. But providing a means for individuals to prove their identity in person to make purchases, manage finances, or receive entitlements and services is one thing. Doing the same in digital channels through authentication based on the usernames and passwords that emerged to protect online accounts has been another thing altogether.

Today, the global cybercrime economy finds appalling new ways to swipe and monetize users’ login credentials. Non-stop phishing and spyware attacks harvest credentials, leading to corporate data breaches that have compromised over 24 billion login credentials and personal identity files in recent years. One recent study found 775 million logins available through underworld “access-as-a-service” offerings on the dark web.

Thieves and state-sponsored threat actors leverage automated technologies to exploit these logins in credential-stuffing attacks that can test more than 22 trillion password-and-username combinations in seconds. Once they’ve successfully pirated an account, these cyber-bandits can drain bank funds, steal personal identity information or corporate data to sell online, or impersonate account owners to defraud businesses and governments. More than US$20 billion is stolen through this kind of fraud every day of the year.

For all of Portugal’s progress, its citizens’ identity information isn’t yet completely impervious to risk from ever-evolving cyberattacks. In just the past year, NATO documents of “extreme gravity” were exfiltrated from Portuguese government systems and put up for sale in underworld marketplaces. Meanwhile, credential stuffing has been a factor in recent attacks targeting Portuguese banking customers. And stolen credentials played a part in hacks that led to the leak of 18 million documents involving embarrassing information about European football clubs and stars—including Portugal’s Ronaldo.

Portugal: A Head Start on Self-Sovereign Identity?

Typically issued by a national ID scheme, digital identity like Portugal’s is comprised of validated digital attributes and credentials designed for the digital world that are verified through cross-referencing government-issued physical world credentials—birth certificate, driver’s license, passport, etc.

One of the key benefits of Portugal’s eID system is that it combines several pieces of identity in one. Citizens can use the country’s physical ID or the ID.Gov.PT app for elections, health insurance, social security, and taxes without needing multiple usernames and passwords, in addition to authentication compliant with the European Union’s “Electronic Identification, Authentication, and Trust” (EIDAS) standards. More than 80% of the population uses the eID, making nearly 13 million authentications per year.

Users can access and manage the equivalent of personal identity documents within a digital wallet. By Portuguese law, none of this information can be saved on centralized servers, which puts the country in compliance with new EIDAS 2.0 standards that go into effect this fall and gives Portugal a head start on achieving Self-Sovereign Identity (SSI).

Generally speaking, SSI is predicated on distributed ledger technology to authenticate users without requiring personal data to be stored centrally on servers belonging to large public or private organizations where it can be hacked, ransomed, or otherwise exploited to commit fraud. Instead, individual users maintain full ownership and control of their digital identities without relying on a third party. And they can control what information they share, for what purpose, and for how long.

What Should Come Next

While there remains more to do, Portugal is heading in the right direction. The success of digital identity is predicated on the kinds of distributed models the country has been pioneering.

With distributed ledger-based systems, someone applying for a loan, for instance, can do so without revealing personal information or having a decision tied to outdated or inaccurate information stored on far-flung corporate servers. By leveraging immutable records of identity without storing them, financial services firms can comply with anti-money laundering (AML) laws and Know Your Customer (KYC) mandates without sacrificing privacy or security.

But according to a recent study from the Global Government Forum, distributed, user-centric digital identity must also be easy to use and give citizens full control over their personal information. To be practical, digital identity wallets like those being deployed in Portugal and elsewhere should also comply with NIST-, FIDO2-, and iBeta biometrics-based standards that leverage liveness tests capable of defeating virtually any attempt at identity spoofing or unauthorized access to accounts in a process that’s nearly effortless for users.

Far from a long-off vision, the architecture for this kind of digital identity is readily available today and is baked into 1Kosmos BlockID. In light of the non-stop threats to personal data and privacy, it’s the kind of protection anyone navigating the Digital Age would welcome, including Portugal’s citizens—and their favorite football star.

Interested in digital identity-based authentication but aren’t sure where to start? Learn more about 1Kosmos BlockID, the only NIST, FIDO2, and iBeta biometrics-certified platform—and schedule a free demo today.

Meet the Author

Michael Cichon

CMO of 1Kosmos

Michael is a Silicon Valley veteran with over two decades of experience marketing B2B SaaS solutions for startups and publicly traded companies. Prior to joining 1Kosmos, Michael held VP of Digital and Content Marketing roles at both Agari and ThreatMetrix.