KPN Security takes important step in fight against identity fraud

KPN to stop selling eHerkenning login means at level 2, login only with multifactor authentication.

On August 1, 2021, KPN will stop selling eHerkenning (digital recognition) login means at assurance level 2 (EH2). From that date, the security supplier will provide only eHerkenning login means that work with multifactor authentication (MFA). KPN will thereby take an important step in the fight against identity fraud. Although KPN will no longer sell login means at level EH2, level 2 authorizations will still be supported. With eHerkenning entrepreneurs can log into more than 450 organizations and manage their affairs online. It is the digital key that gives entrepreneurs access to the online services of – principally – the government. For example, they can use it to apply for permits, grants or insurance.

The form that this “key” takes depends on the assurance level at which the service is accessed. Until recently, EH1 was the lowest level. At this level entrepreneurs could log in with just a username and password. At the highest level (EH4) a certificate is also required that is issued after the user’s identity has been checked physically. The higher the assurance level, the more certainty the service provider gets about the user’s online identity.

Tabel e herkenning

EH2 is no longer sufficient
The recognized suppliers of eHerkenning – including KPN – and the Ministry of Internal Affairs are among those that decided earlier to stop using EH1. The application procedure and logging in with just a username and password offered inadequate certainty about the user’s identity. The risk of identity fraud was therefore ever-present.

Because of the security risks, KPN will also stop selling EH2 with effect from August 1, 2021. At this level too, the user’s identity is not checked physically, and the entrepreneur logs in with just a username and a (strong) password.

MFA will be the norm
By offering login means for only EH2+, EH3 and EH4 KPN is making MFA the norm. From level EH2+ onwards, entrepreneurs have to log in with something they know (a password) and something they have, such as an SMS verification code or a digital certificate. That makes it significantly harder to commit fraud. A criminal would have to get hold of the SMS verification code, for example.

Furthermore, from level EH3 onwards, the user’s identity is checked on the basis of an original identity document. This gives greater certainty about the identity of a person who logs in online.

EH2 login means still available
Customers who purchase new eHerkenning login means from KPN after August 1 are automatically enabled to log in using MFA. Nothing changes for KPN customers who already have EH2 login means. They can continue using EH2. However, we recommend that they switch to a higher level, preferably EH3.

After August 1 it will also still be possible to use 2+ login means or higher to log into an online service with EH2 as assurance level. This is not the case for EH1, which is being discontinued entirely. EH1 login means will no longer be usable.