Bar separates header body

What is Cl@ve?

Cl@ve is a system aimed at unifying and simplifying electronic access by citizens to public services. Its main purpose is to allow citizens to identify themselves before the Administration by means of fixed keys (username and password), to avoid the need to remember different keys for different services.

Cl@ve complements current access systems using electronic ID and digital certificate, offering at the same time the possibility to carry out  cloud-based signature operations  with personal certificates protected on remote servers.

It is a common platform for the identification, authentication and electronic signature, an interoperable, horizontal system which helps the General Government to avoid implementation and management of its own identification and signature systems, and citizens to use different identification methods to deal with Public Administrations electronically.

Cl@ve allows the electronic administration applications to set their quality assurance level of the authentication required, from the data they deal with and the security classification, following the recommendations of the National Security Framework (Royal Decree 3/2010, of 8 January, on the National Security Framework within the Electronic Government). Citizens using electronic administration services may then choose the identifier they wish to use among those available for the level of assurance required by the application.

The Cl@ve system was approved by  Resolution adopted by the Council of Ministers, on the meeting held on 19 September 2014, and its  terms and conditions of use  are established by the Directorate for Information and Communication Technologies.

Identification systems allowed

Cl@ve includes the use of identification systems based on fixed keys (username and password systems) as well as digital certificates (including electronic ID).

Regarding the fixed codes, Cl@ve accepts two possible uses:

  • Temporary Cl@ve ( PIN Cl@ve ): password system valid for a short period of time, intended for users who use the services sporadically; it corresponds to the PIN24H systems of the State Tax Administration Agency, AEAT.
  • Permanent Cl@ve : password system valid for a long, limited period of time, intended for regular users. It is designed for the access system by means of username and password, reinforced by one time keys sent by SMS, to the Social Security services. This system will also enable citizens' access to cloud-based signature .

To use these set keys and the cloud-based signature service, citizens must previously register in the system, providing certain personal information.

Additionally, Cl@ve is ready to incorporate in the future identification mechanisms from other EU countries, as they integrate into the cross-border recognition system of electronic identities set forth in European legislation.

System elements

The design of Cl@ve is based on a federated electronic identities system, which comprises different elements:

  • Electronic administration service providers (SP): Entities providing electronic services to citizens and using the platform for identification and authentication of same.
  • Identification and authentication service providers (IdP): Entities providing identification and authentication mechanisms of citizens to be used as common means by other entities.
  • Identification Gateway / Manager: Intermediation system which enables service providers to access different identification mechanisms and selection of same by the user.

According to this design, the service providers only need to integrate themselves into the Identification Manager, which is in charge of establishing the relevant relationships with different identification systems. To do so, trust and confidence relationships are established between the different actors, and they integrate with each other, supported by the exchange of digital certificates and sending of messages signed between them, all of which guarantees the secure transmission of information for the whole identification and authentication process.

System elements