Identity is the key task of banks and insurers. Digital identity is the next big step. And here too, banks and insurers will score points if they think beyond transactions and online banking. Verimi managing director Roland Adrian answers the questions of identity expert Rudolf Linsenbarth in an interview.
Mr. Adrian, what customer problems with digital identity should be solved with Verimi?
Verimi is the data safe of the users. The user stores his digital identity and retrieves it conveniently anytime and anywhere: to open a new account or securities account, to digitally sign contracts, to sign up for car sharing or to access digital management services - all with one account, without having to verify himself again and again with Post-Ident, eID, Video-Ident or Photo-Ident or even wait for access PIN letters. New offerings are much more accessible to customers, we lower entry barriers and improve the overall customer experience.
How does Verimi record the identity of its users?
We offer users in the respective Use Case of our partners to store their just verified identity data".
Because that's exactly where the user realizes how tiring the process is and how good it would be to simply get ahead with just one click next time. We store identities from all ident methods, from eID to video ident to photo ident. Users can also transfer their already digitally stored identity data, e.g. from a bank or insurance company, to their Verimi account. Users can do all this on verimi.de even without a Use Case in stock.
The procedures you describe have different levels of confidence, can the client use any service offered by Verimi at any level? If not, how will he be informed of the level he has reached and what is missing?
We first store the confidence level from the partner's respective use case. The reuse is done at the same or a compatible lower level. If the new Use Case requires a higher level, we guide the user through an appropriate upgrade process. After all, the user just wants 'just pure', it only makes limited sense to explain different technical levels to him. But we are currently developing a simple orientation logic for the user.
Verimi has connected a whole range of identity platforms. Some of them are platforms themselves and offer a Verimi identity. Whoever is a cook or waiter in the identity market seems to be dissolving?
Verimi is an open identity platform - open to all identity sources, all identity documents, all identity data and open to all industries. We are the only provider where customers can store their identity data in a self-determined way and retrieve it at any time. To be able to offer this added value to as many customers as possible in many companies and public authorities, we work together with several partners.
The fact is: it can only work together, because interoperability is the key to a true digital identity".
Just recently we have entered into a cooperation with identityTM so that all identityTM partners can immediately use the Verimi-Ident and the storage at Verimi.
You are talking about the fact that, in addition to ID cards and passports, you basically want to store all kinds of documents/identities at Verimi. This could range from fishing licenses to dentist's stamp booklets. Is there already a digital standard for everything?
This is exactly the vision. Today, it is essentially identity card, passport and driving licence. In addition, the digital identity naturally includes verified data such as the e-mail address, mobile phone number, bank details, tax number, etc. Other documents will soon follow, so for many certificates of competence there are central registers with which the verification can be mirrored. Likewise, biometric data are becoming increasingly important as a component of digital identity".
Are there discussions within the circle of shareholders when tasks that could actually be performed by the founding members are outsourced? I am thinking, for example, of the topic of qualified signatures, where the Italian InfoCert won the race instead of D-Trust (a subsidiary of Bundesdruckerei).
Verimi is an independent company with currently 13 shareholders and the number of shareholders will grow. We work with partners who best fit into our value chain, and there is no dependence on individual shareholders.
What about the commitment of the shareholders to the products? Springer Verlag has at least a two-track approach with NetID and ignores Verimi, just like Telekom.
The shareholders are investing strategically in Verimi in order to build a European platform for verified digital identity and secure authentication - and to be independent of global big tech players in this future segment. We launched our Ident product this spring, integration projects are currently underway with some of the shareholders, other use cases are being strategically developed. Verimi is clearly positioned on the verified digital identity and the associated value-added processes. We do not offer infrastructure or standards to profile user data or to use it for advertising purposes. Of course, Verimi itself does not do this either, all user data is encrypted with private keys. The netID offers another product, a login solution for targeted advertising, which is of course also independently chosen by our shareholders.
How agile Verimi is actually. Some developments seem to proceed only extremely slowly. Since autumn last year, the identity card can be read on the iPhone, but Verimi has not yet arrived.
Verimi works completely agile. At the same time, we operate in a regulated and security- relevant environment, which sets the framework for agility. With our ZAG license we are a BaFin-regulated institute. After an intensive examination by the BSI, the BMI has approved us as the first company ever for the critical eIDAS confidence level 'substantial'. We feel very committed to these standards.
The reading of the eID function of the identity card has been working on Android devices for a long time, also with Verimi. The provision of the necessary SDK for reading the eID on iOS phones actually took until June 2020 after the opening of the interface on the service provider side. We are currently integrating the SDK as soon as possible.
Verimi still relies on passwords! Wouldn't it be better for a modern system to do without them completely? What about technologies like FIDO2?
As a user-centric company, we offer the options that the user wants and uses. Most users still use their password instead of our passwordless option. Technologies like FIDO2 are interesting and we are looking into it. But at the moment it is not yet widespread enough.
At Deutsche Bank and Postbank, Verimi can also be used for login. Can you give some figures on how this is assumed? When can customers also release bank transactions with Verimi?
Verimi Log-in fully complies with the SCA requirements of PSD2 and is a popular alternative to Photo-TAN at Deutsche Bank Group. Transaction release with Verimi will also be possible soon.
In the future, Verimi will be able to bundle all of the banks' Photo-TAN apps in just one Authenticator app, which would be a great advantage for users in multi-banking, for example".
Here the potential of verified identity as a basis for secure authentication becomes clear. We generally do not name individual user numbers of our partners, so I ask for your understanding.
The signature function in Verimi for any PDF document is a useful feature. However, new signatures can only be purchased by direct debit and the corresponding bank details must be confirmed with a PSD2 account information service. In my case this only worked with the 3rd bank account. Wouldn't it make sense to include other payment methods as well?
We are also considering integrating other payment methods, currently we offer the first 100 signatures free of charge. Much more important for us is that we integrate our QES offer "inline", i.e. integrated into the workflows of our partners - which of course is free of charge for private users. Then I can use Verimi directly in the application line for identification and signing. We have just launched this in the Volkswagen dealerships.
Should the registered bank account be extended for further payment functions?
The payment function at Verimi is always a complement to the digital identity, we are not planning a new pay direct".
For example, in our partnership with Buhl Data, we have combined identification with convenient express payment via Verimi for tax returns using the WISO tax software.
Verimi is a project partner in Optimos 2.0, the new platform for secure identities on smartphones. Isn't this a competitive event for your company and how do you see further development in the identity market?
Verimi is closely involved in the Optimos project and the main consortium partners Bundesdruckerei, Giesecke & Devrient, T-Systems and Samsung are our shareholders.
Optimos is an infrastructure, not an ID solution."
The aim is to store digital identity data in a standardized way on the secure element of smartphones. This is visionary; today there are less than a handful of end devices that support this solution. In Verimi, Optimos can be a component, the Verimi app already uses the Secure Element Standard as far as available on the user's smartphone. Otherwise, Verimi uses a security architecture approved by the BSI to substantially secure access to the cloud-based Verimi account via the smartphone up to eIDAS. For the user the result is completely identical.
It is important for the future that we in Germany do not lose touch with reality through technically centred discussions and many laboratory projects".
To identify themselves with their smartphone, citizens want a simple solution that is widely accepted in business and administration - as quickly as possible. If we in
Germany and Europe can't do this ourselves, then very soon others will solve the problem for us - as they have already done with payment.