EU digital wallet: the race is on for pilot funding, tech supremacy, hearts and minds
eIDAS 2.0 is fast approaching. By September 2023, European Union citizens will have the right to download and populate a digital identity wallet on a smart device. In less than 18 months, Europeans may no longer need physical credentials to travel, work and live anywhere else in the bloc. But are they ready?
A consortium is forming to bid for large pilot projects, Thales has released a white paper to prime governments, citizens and businesses for the change, and explain how its ready-to-go products can help.
Digital wallet payment capabilities are already being demonstrated and the Digidentity CTO speaks about his predictions for EU digital ID wallets.
EU Digital Identity Wallet Consortium eyes €37M pilot funding
A group led by a selection of EU member states is forming the EU Digital Identity Wallet Consortium (or EUDI Wallet Consortium) to create multiple use cases in a bid to qualify for up to €37 million (US$41.1 million) of large-scale, multi-country pilots for eIDAS 2.0.
According to a LinkedIn post by Avast’s Andrew Tobin, who has been working to get the group up and running, the Consortium is led by Sweden, Spain and Finland. The Consortium is taking membership applications from interested parties whether public or private.
“By working on multiple intersecting use cases, the Consortium will demonstrate how eIDAS 2.0 will provide the basis for solving many of the privacy, security and user experience problems experiences by citizens in their digital lives,” reads the website.
The Digital Europe Programme (DIGITAL) funding is at a 50 percent contribution rate, meaning the Consortium members must also put forward 50 percent of their project costs.
“The consortium is a response from both private and public sector stakeholders to the call to leverage innovative solutions for the purpose of exchanging digital attestations of attributes and credentials by means of a digital wallet that puts the user in full control over their online identity and data.”
The Consortium must submit proposals to the EU by 17 May 2022. The Consortium’s overall approach will be divided into “vertical use case work packages” including education, mobile driving licences (mDL), digital travel credentials (DTCs), payments and identities for organizations.
“Horizontal capability work packages” will tackle wallet issuance, ecosystem governance, assessment, interoperability and credential lifecycle.
Avast has been positioning itself for a major role in the digital identity ecosystem with its recent acquisitions of Evernym and SecureKey.
Thales explains and positions itself within the opportunity 2.0
French digital identity giant Thales is positioning itself as a thought leader for eIDAS with a white paper to explain the changes the eIDAS 2.0 will bring to citizens’ lives, government and businesses.
“Welcoming the Wallet” sets out what is changing and when with a timeline for the whole European project as staggered requirements for acceptance mean large organizations must be ready by launch date while smaller ones will have longer.
Sixty percent of the EU population has access to digital ID but “today only 14 percent of key public services across all EU Member States allow cross-border authentication with eID,” states the white paper. This means a huge amount of work is needed over the next 17 months for governments to be ready to issue eID, citizens to know how to register and businesses be in a position to accept eID from across the bloc.
Welcoming the Wallet introduces the legal compatibility issues alongside the technical: “While this could be an inconvenience anywhere in the world, in the EU it’s essential to the objective of giving equal rights to citizens across the Single Market. The EU is all about making cross-border business smooth, secure and efficient, so there’s an added urgency to the search for solutions.”
By September 2022, a Toolbox European Digital Identity Framework is expected from the EU Commission. EU states will then have 12 months to prepare their versions of wallets built to common standards.
“The wallet probably won’t equate to a digital version of a physical card, so it won’t necessarily replace ID documents in everyday use immediately,” notes Thales. “However, for online transactions, including applications for public services, the wallet should provide acceptable cross-border ID.”
Private companies hoping to issue digital wallets will have to abide by the same strict privacy standards and will not be able to charge the end users
Focus on payments and our different identities: the eWallet Network
A group of European identity and payment experts called the eWallet Network has built a prototype EUDI wallet to demonstrate payments capabilities and even central bank digital currency integration, as demonstrated by Michael Adams of mobile app developer Quali-Sign in a presentation at the latest OIX event in London.
Adams also explained a little-explored area of individuals having multiple identities – or roles in life – such as personal and workplace, as well as having to administer identity related issues of family members in their care. Within the digital ID wallet, they will be able to shift between such profiles.
Adams discussed the roles of Identity Service Providers in issuing identity profiles and Attribute Service Providers which will make wallets increasingly useful as the bring services such as electronic car keys or hotel room passes. The Relying Party is the consumer of the attributes.
He said that the ISPs and ASPs will not be able to see what other services a user has accessed and as all the attributes are held on the device, there is no need for a GDPR data controller. The wallet acts directly with the Relying Party.
Adams believes customer due diligence (CDD) by financial institutions will be one of the main drivers behind demand for EUDI wallets.
Demonstrations involving QR codes showed how a user could open a bank account in a different EU member state. The bank would list all the CDD attributes it needs, and then the user would be able to give permission for these to be shared in the process, and further permission for any additional attributes.
The wallet communicates with the bank and downloads an eID request signed by the bank. The walled verifies the signature to authenticate the bank as an institution and then presents the request to the wallet holder.
In the example, the user agrees to supplying the attributes with a biometric marker, in this case a fingerprint.
Adams also demonstrated offline payments, a requirement for eIDAS 2.0. This could be the wallet or terminal or both being offline. Devices must be capable of other means such as Bluetooth and NFC to communicate and authenticate.
The only difference is that offline payments do not contain the real-time certificate revocation status of each certificate in the transaction, something Adams labels a compromise.
The demo included a vending machine for alcoholic drinks which in the offline mode can still authenticate the wallet holder’s age, with the holder not needing to offer any further information.
Adams sees the next step being the addition of central bank digital currencies (CBDCs) as an enhancement to digital wallets. While these transactions will require the exchange of identity to meet anti-money laundering (AML) requirements, the technology will allow for the instant transfer of “digital cash” without needing to pass through any clearing mechanisms.
He believes that while the EU may have one standard for interoperability, the UK may adopt multiple standards such as that of the U.S.
Digidentity on the next steps for eIDAS 2.0
“There will be interoperability between Europe and the U.S., Canada and Australia, of course. So I think in two years’ time, we are making a big jump forward. We were already waiting for the last 10 years. It’s really going to happen now. That’s my feeling,” said Marcel Wendt, CTO and founder of Digidentity as he discussed his predictions for eIDAS 2.0 in Liminal’s State of Identity podcast with host Cameron D’Ambrosi, managing director at Liminal.
Netherlands-based Digidentity now has 100 staff and has recently partnered with a bank outside the country which is using the firm’s qualified signature technology in its app, an area the CTO is expecting to grow rapidly, in part due to COVID-19. Making qualified electronic signatures easier to handle for third parties will accelerate the whole digital identity sector.
While eIDAS 1.0 may have made some parts of life easier for people living in border areas of the EU, the infrastructure around eIDAS 2.0 will be completely different, in part because of the easier integration of the private sector, according to Wendt.
“So today, the UK and the Dutch frameworks you can use in the private sector, but with a lot of hurdles and especially with the 2.0 version of eIDAS, it’s much easier to use it in in the private sector space and then companies like Amazon, Bol.com — the Dutch Amazon — and that kind of companies will be more interested to use these identities as well, and that will make complete our business case in this ecosystem.”
Today’s companies that specialize in scanning credentials may not have much of a future once everyone has persistent digital credentials in a trusted digital wallet, argues Wendt: “The model needs to be changed rapidly.”
Digidentity’s work in the Netherlands and UK, where they onboard 8,000 users a day, reveals issues of people with thin files, meaning inclusion is going to become a critical issue in the move to digital identity.
Wendt predicts sectors coming together as combined relying parties for areas such as housing, pensions and insurance.
Digital ID needs to be a marketplace, with different providers using different tech, explains Wendt: “I like blockchain, but I’m not a real fan of blockchain-only identities because we’ve seen also a lot of fraud. And every year we see around a couple of 10,000 users trying to commit fraud, and we can see that because it’s centralized.
“If decentralized, you can’t track this fraud. So you need to have measures in place where you can detect that. It will be mixing technology between blockchain and centralized to keep it really safe for everybody. So it will be a mixed landscape and also mixed technology there.”
Wendt sees opportunities for providers of niche services. Things should change rapidly, in part due to technologies coming into use during COVID. Digidentity is also exploring links between GAIN and the eIDAS wallet.
Avast | biometrics | credentials | Digidentity | digital ID | digital identity | digital travel credentials | digital wallet | eID | eIDAS | Europe | interoperability | Liminal | Open Identity Exchange (OIX) | standards | Thales