EU cybersecurity agency issues biometrics, remote identity proofing guidance for eIDAS compliance
The European Union Agency for Cybersecurity (ENISA) has published a set of five technical guidance documents to recommend best practices for implementing compliant remote digital identity verification and biometric authentication.
Together, they address ‘Electronic Identification and Trust Services,’ and the eIDAS regulation more generally. Four of the reports provide technical guidance for Qualified Trust Service Providers (QTSP) and others on security frameworks, security recommendations for QTSPs based on standards, and guidelines on Conformity Assessment for Trust Service Providers.
In a video promoting its efforts, ENISA notes the rapid adoption of online digital services, and the ability to perform remote transactions quickly, safely and inexpensively.
The 87-page ‘Remote ID Proofing’ guidance document holds extensive advice for the use of biometrics in remote identity-proofing systems. The document defines the terms and roles involved in identity proofing, and the five steps of the process. In the fourth of those steps, binding and verification, ENISA notes that the how the binding step is carried out depends on the prior attribute collection and validation steps, with facial recognition, for instance, binding to the individual with biometric liveness detection. A live video confirmation by a human operator is suggested as an alternative.
ENISA points out the importance of existing standards, such as ISO/IEC 19795 for biometric engine performance and testing and ISO/IEC 30107 for biometric presentation attack detection (PAD), and that an additional challenge is posed in finding learning and evaluation datasets that are GDPR compliant.
Of the five identity proofing processes described, biometrics are a necessary part of binding for ‘remote automatic’ identity binding, and suggested if supported for ‘video with operator.’ Biometrics may also come in for the ‘electronic identification means’ process, which goes through an identity provider, as part of “Authentication based on credentials or identification means in possession of the applicant” on in the binding step, as well as in ‘certificate based’ processes in the signature validation or ‘trust anchor checks’ steps.
The agency also received feedback from identity providers to identify trends and state-of-the-art approaches, and based on that feedback makes several recommendations. Remote ID proofing should include a combination of methods to be truly reliable in what ENISA calls the “Best of breed method,” and if targeting several market segments must be flexible enough to meet different security and regulatory needs under a “Mix-and-match approach.”
The use of banks as identity providers and of money transfers for remote identification are also discussed.
ENISA provides an overview of the legal landscape and standards at different levels, including but not limited to eIDAS, and a country-by-country breakdown.
A section on risk management presents specific and practical guidelines for Trust Service Providers and Identity Providers on managing security risks, with video and SMS-based validation and selfie biometrics used as examples. Finally, ENISA addresses gaps in regulation, noting that eIDAS refers to the recognition of remote identity methods at the national level, leading to fragmentation, and makes recommendations.
The recommendations include cross-recognition for identity proofing methods, and the establishment of evaluation criteria and methodology for remote identity proofing solutions. Member states are also urged to support automatic and online verification of identity documents, such as with a database of documents issued, reported lost and stolen. Technical recommendations include allowing uniform access to government data, and an increased emphasis on testing.
ENISA is also planning further initiatives to support further economic integration through the use or remote identity proofing for cross-border access to online services.
biometric liveness detection | biometrics | cybersecurity | digital identity | eID | eIDAS | EU | facial recognition | identity verification | presentation attack detection | Qualified Trust Service Provider (QTSP) | remote authentication | remote identity proofing | secure transactions | standards