Building Identity Trust in Indonesia with Kartin1
Before 2011, it was possible for Indonesians to have more than one identity number¹. In fact, plenty of people were able to possess two or more identity cards — hence, identity numbers — from different municipalities. The civil administration process was very bureaucratic and slow, so people would just request a new identity card every time they moved to a new municipality. Some people would also get a new ID card just to be able to have a cool-looking vehicle registration number. This was definitely a huge problem for Indonesia’s civil administration.
Say hello to e-KTP — a chip-enabled, biometric-secured National Identity Card
The introduction of e-KTP in 2011 offered a glimpse of hope for solving the multiple-identity problem. e-KTP features a chip containing various information, such as the cardholder’s name and address, DoB, and fingerprint minutiae data. The chip is also secured with multiple levels of authentication and encryption², hence it is extremely difficult to counterfeit. Furthermore, the enrollment process of e-KTP utilizes fingerprint identification systems to prevent double enrollment³. The system will refuse to issue a new card if the scanned biometrics do not match the ones stored in the database.
The hopes and dreams of e-KTP
Equipped with sophisticated security features and complete information about the cardholder, e-KTP was destined to be more than just a piece of plastic. It was supposed to be the authentication method for citizens — stronger than ink signatures. In fact, BPPT has prototyped an e-voting device that utilizes e-KTP authentication⁴. The government hoped that with the widespread adoption of e-KTP, physically photocopying the card would no longer be required.
With various information about its citizens collected through the e-KTP system, the government was (supposedly) able to build a thorough database of every single citizen. It was hoped that with such complete records, every organization — governmental and non-governmental — would have a single source of truth regarding citizenship records. Public services were expected to use the National Identity Number (NIK) for identification, and to authenticate citizens using their biometric records stored in the e-KTP card.
Unfortunately, most of the hopes and dreams of e-KTP did not materialize — lots of organizations were still photocopying e-KTP cards, and did not successfully implement NIK as the primary identification number. It seems reasonable, though. The devices used to electronically read e-KTP cards were simply too expensive, about Rp10 million each. Lots of people who had enrolled did not get their cards for a (very) long time; instead, they were given an official letter stating that their cards were still being issued.
Kartin1, a completely different sibling of e-KTP
On March 31, 2017, right after the closing of the Tax Amnesty program, the Directorate General of Taxes of the Republic of Indonesia (DGT) launched Kartin1⁵ — a platform which enables the integration of various identity numbers, as well as authentication of the cardholder using technologies like biometric IDs and digital certificates. At a glance, Kartin1 looked a lot like e-KTP, but it was actually quite different.
The first difference lies in the issuance process, which is much simpler than that of e-KTP. First, an e-KTP card is placed onto the device. Second, the cardholder scans his/her finger twice to authenticate. Third, a blank Kartin1 card is placed onto the reader and the process is completed. This simplicity is possible mainly because issuing a Kartin1 card requires an existing e-KTP. This solves the problem of people not getting e-KTP on time.
The second difference lies in who issues the cards. Kartin1 is actually distributed as a Java Card applet to third parties, rather than as a physical card⁶. This model allows cards issued by third parties (banks, organizations, etc.) to be used as Kartin1 cards, while maintaining the security of the information contained in the applet⁷. This way, the government spends very little money on the project⁸.
The third and most fundamental difference is that Kartin1 cards are easier to read electronically. While reading an e-KTP card requires expensive hardware, a Kartin1 card can be read using an Android smartphone⁹. This way, adoption of Kartin1 for authentication can be faster, easier, and less expensive, thus realizing e-KTP's dream of being the authentication method.
Security of a Kartin1 card
The first layer of security comes from the fact that an e-KTP is required to issue a Kartin1 card. As previously mentioned, e-KTP has protection against double and unauthorized issuance. e-KTP is also able to authenticate the cardholder using biometrics. Basically, to have a Kartin1 card you need to have an e-KTP and to prove that the e-KTP belongs to you.
The second layer of security is a Personal Identification Number (PIN) stored locally in the card. A valid PIN is required to obtain some information about the cardholder, and the card locks itself after several failed attempts.
The third layer of security is the two sets of fingerprint minutiae data stored locally in the card. Should strong authentication be required, the fingerprint template can be extracted from the card and matched against the fingerprint being scanned on an authentication device.
Possible future of Kartin1: Kartin1 Online
The Kartin1 card covers usage in the physical world. It can be used to authenticate the cardholder using biometrics, provide reliable citizenship information, and integrate various identity numbers — all in a single card. Nowadays, however, lots of things are done via the internet. Commerce, banking, even government administration are harnessing the power of the web. Sadly, it seems that there is no secure and trusted way of authenticating yourself online as a citizen. Identity providers like Google and Facebook are secure enough for services like Spotify or Medium, but they are certainly not secure enough for governmental services. What if we build something like Google sign-in, but with Kartin1?
Having a single national identity provider (IdP) offers benefits. Firstly, citizens do not need to remember different credentials for different sites. Secondly, since the identity provided by Kartin1 is trusted, there is no need for organizations to have a separate account registration process (for example, you would otherwise need two different registrations for tax filing and a business permit). Thirdly, a centralized IdP means the security of the infrastructure is also maintained centrally, allowing security patches to be applied to all sites at once.
To maintain the security and trust of the account, the proposed registration process is as follows:
- To get yourself a Kartin1 Online account, you need to own a Kartin1 card first.
- During the registration process, you will be asked for the Card Account Number (CAN) and your National ID Number (NIK).
- You will have to enter a One-Time Password (OTP) sent to the mobile number registered when your Kartin1 card was issued. Note that in order to register your mobile number, you would have to authenticate using biometrics.
- Once your data is confirmed, you will be asked for an email address and password.
- A verification email is sent and your account is created.
Imagine logging in to a government online service, and instead of undergoing a series of bureaucratic registration processes, you just have to click a button, type in your email and password, and in an instant, you’re logged in. That’s it. With the same credentials across government apps.
Going further with digital signatures
With a trusted root — which is e-KTP — Kartin1 Online can be used to prove who you are online with immense trust. This means that it is possible for citizens to digitally sign online documents. Imagine filing a passport request online and legally signing it with a click of a button. No hassle.
The signature would be in the form of a token containing the details of the document, the signer, and a cryptographic signature to maintain its authenticity and integrity.
To maintain the authenticity of the signature, the proposed process is as follows:
- You click on the Digitally Sign button.
- You will be asked for your email and password.
- Once your credentials are verified, an OTP is sent to the mobile number registered when your Kartin1 card was issued. Note that in order to register your mobile number, you would have to authenticate using biometrics.
- You will be asked for the OTP.
- Once the OTP is verified, you are shown a consent screen with the details of the document you are about to sign.
- Once you consent, a signature token containing the details of the document is generated.
- The signature token can be verified anytime using a public key.
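The signing steps above end in a token that anyone holding the public key can check. The following sketch is an added example, not code from the article or from the Kartin1 project: the `Claims` field names, the two-part token layout and the choice of Ed25519 are assumptions, and the signer value is a placeholder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims is a hypothetical token layout (assumed field names, not a Kartin1 format).
type Claims struct {
	Signer    string `json:"signer"`     // signer's NIK
	DocTitle  string `json:"doc_title"`  // document detail shown on the consent screen
	DocSHA256 string `json:"doc_sha256"` // binds the token to the exact document bytes
}

var b64 = base64.RawURLEncoding

// Issue runs at the IdP only after password, OTP and consent have all succeeded.
func Issue(priv ed25519.PrivateKey, c Claims, doc []byte) string {
	c.DocSHA256 = fmt.Sprintf("%x", sha256.Sum256(doc))
	payload, _ := json.Marshal(c) // a flat struct of strings cannot fail to marshal
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(ed25519.Sign(priv, payload))
}

// Verify needs only the public key and the document; the signature is checked
// over the raw payload bytes before any of the payload is parsed or trusted.
func Verify(pub ed25519.PublicKey, token string, doc []byte) (Claims, error) {
	var c Claims
	p, s, _ := strings.Cut(token, ".")
	payload, err1 := b64.DecodeString(p)
	sig, err2 := b64.DecodeString(s)
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, payload, sig) {
		return c, fmt.Errorf("invalid signature token")
	}
	if json.Unmarshal(payload, &c) != nil || c.DocSHA256 != fmt.Sprintf("%x", sha256.Sum256(doc)) {
		return Claims{}, fmt.Errorf("token does not cover this document")
	}
	return c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway demo key pair
	doc := []byte("constructed sample: passport request form")
	tok := Issue(priv, Claims{Signer: "NIK-PLACEHOLDER", DocTitle: "Passport request"}, doc)
	fmt.Println(Verify(pub, tok, doc))                // claims and a nil error
	fmt.Println(Verify(pub, tok, []byte("tampered"))) // rejected: hash mismatch
}
```

Because the token carries a hash of the document rather than only its title, a valid token cannot be reattached to a different document with the same name.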
Proposed Kartin1 Online digital signature trust model
Having e-KTP as the root of identity, Kartin1 Online should be able to deliver a secure and trusted authentication online. The proposed trust model diagram is as follows.
The diagram lays out the trust chain of a digital signature. It basically says that:
- To authorize a digital signature, both your login credentials (email and password) and an OTP are required.
- The login credentials can be obtained using a valid Card Account Number (CAN).
- A valid CAN is physically written on a Kartin1 card, which should be activated using your biometrics.
- The OTP can be obtained from a Trusted Device or delivered to a registered mobile number via SMS.
- To onboard a Trusted Device, an SMS OTP is required.
- To have an SMS OTP delivered to your mobile number, it must be registered.
- To register your mobile number, you’ll have to authenticate yourself using biometrics.
Notice that the chain leads up to using your biometrics. Essentially, as long as you keep your login credentials and your mobile number secured, only you can authorize your digital signature.
In short, the Kartin1 platform has plenty of potential, if done right. Your online and offline identity, authenticated by a single, hassle-free service. Imagine waking up to a world where almost all government administration processes are just clicks away.