FB pixel

EU cybersecurity agency issues biometrics, remote identity proofing guidance for eIDAS compliance

 

identity document and smartphone

The European Union Agency for Cybersecurity (ENISA) has published a set of five technical guidance documents to recommend best practices for implementing compliant remote digital identity verification and biometric authentication.

Together, they address ‘Electronic Identification and Trust Services,’ and the eIDAS regulation more generally. Four of the reports provide technical guidance for Qualified Trust Service Providers (QTSP) and others on security frameworks, security recommendations for QTSPs based on standards, and guidelines on Conformity Assessment for Trust Service Providers.

In a video promoting its efforts, ENISA notes the rapid adoption of online digital services, and the ability to perform remote transactions quickly, safely and inexpensively.

The 87-page ‘Remote ID Proofing’ guidance document holds extensive advice for the use of biometrics in remote identity-proofing systems. The document defines the terms and roles involved in identity proofing, and the five steps of the process. In the fourth of those steps, binding and verification, ENISA notes that the how the binding step is carried out depends on the prior attribute collection and validation steps, with facial recognition, for instance, binding to the individual with biometric liveness detection. A live video confirmation by a human operator is suggested as an alternative.

ENISA points out the importance of existing standards, such as ISO/IEC 19795 for biometric engine performance and testing and ISO/IEC 30107 for biometric presentation attack detection (PAD), and that an additional challenge is posed in finding learning and evaluation datasets that are GDPR compliant.

Of the five identity proofing processes described, biometrics are a necessary part of binding for ‘remote automatic’ identity binding, and suggested if supported for ‘video with operator.’ Biometrics may also come in for the ‘electronic identification means’ process, which goes through an identity provider, as part of “Authentication based on credentials or identification means in possession of the applicant” on in the binding step, as well as in ‘certificate based’ processes in the signature validation or ‘trust anchor checks’ steps.

The agency also received feedback from identity providers to identify trends and state-of-the-art approaches, and based on that feedback makes several recommendations. Remote ID proofing should include a combination of methods to be truly reliable in what ENISA calls the “Best of breed method,” and if targeting several market segments must be flexible enough to meet different security and regulatory needs under a “Mix-and-match approach.”

The use of banks as identity providers and of money transfers for remote identification are also discussed.

ENISA provides an overview of the legal landscape and standards at different levels, including but not limited to eIDAS, and a country-by-country breakdown.

A section on risk management presents specific and practical guidelines for Trust Service Providers and Identity Providers on managing security risks, with video and SMS-based validation and selfie biometrics used as examples. Finally, ENISA addresses gaps in regulation, noting that eIDAS refers to the recognition of remote identity methods at the national level, leading to fragmentation, and makes recommendations.

The recommendations include cross-recognition for identity proofing methods, and the establishment of evaluation criteria and methodology for remote identity proofing solutions. Member states are also urged to support automatic and online verification of identity documents, such as with a database of documents issued, reported lost and stolen. Technical recommendations include allowing uniform access to government data, and an increased emphasis on testing.

ENISA is also planning further initiatives to support further economic integration through the use or remote identity proofing for cross-border access to online services.

Article Topics

 |   |   |   |   |   |   |   |   |   |   |   |   |   | 

Latest Biometrics News

 

Biometrics and injection detection for deepfake defense a rising priority

Biometrics integrations with injection attack detection to defend the latest front in the global battle against fraud, deepfakes, is the…

 

Biometric Update Podcast looks at the road to a global standard for age assurance

Episode 2 of the Biometric Update Podcast is a dispatch from the 2025 Global Age Assurance Standards Summit, held from…

 

WEF launches new DPI initiative focused on emerging tech, including biometrics

Global Digital Public Infrastructure (DPI) initiatives are lagging behind emerging technologies such as AI, which could lead to inefficiencies, bottlenecks…

 

Odds are good for biometrics firms in the global gambling sector

Gambling has always been a vice associated with certain kinds of criminal activity, but the development of the online gambling…

 

New Zealand issues tender for digital ID services accreditation infrastructure

New Zealand’s accredited digital identity services regulator, the Trust Framework Authority (TFA), has published a request for information (RFI) for…

 

Pindrop surpasses $100M in annual recurring revenue, kicks off BU podcast

A release from Atlanta-based voice biometrics firm Pindrop celebrates a milestone: the firm has surpassed US$100 million in Annual Recurring…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Market Analysis

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events