EU Digital Identity Wallet pilots pull in big names, but questions emerge
More companies announce their commitment to working together on pilots to test use-cases of the EU Digital Identity Wallet. Meanwhile, others question the overall timeline of the project and whether differing requirements around levels of assurance from country to country, and for private versus public identity issuers, could lead to fragmentation of digital identity, rather than – or in some cases because of – the hoped-for interoperability.
Visa, Idemia and Thales (x2) announce EU digital wallet consortium membership
After the European Commission awarded the large-scale pilots to four consortia in December 2022, various companies have come forward as being members. Some are in more than one. The legislative process that will deliver the overall ambition of eIDAS 2 – for all Europeans to have a digital ID in a digital wallet should they want one – is still underway as the pilots go live.
Visa Europe is one of the 60 organizations that make up the EU Digital Identity Wallet Consortium (EWC), announced the company’s head of Digital Identity, Marie Austenaa in a LinkedIn post. The EWC was granted large-scale pilots by the Commission for travel, plus payments and organizational digital identity. Other members include Digidentity, Amadeus and Finnair.
The Potential Consortium which has been selected for pilots in Electronic Government services, Account opening, SIM registration, Mobile Driving Licence, Remote Qualified Electronic Signature, and Electronic Prescription.
NOBID is made up of Iceland, Norway, Denmark, Latvia, Germany and Italy and has partner organizations such as biometrics firm iProov and banking-based identity provider BankID. It will run pilot schemes to leverage existing payment infrastructure to enable instant payments, payment issuance and payment acceptance online and offline.
Pilots run while standards, references, legislation still under development
There are still several challenges for the overall project as well as pilots.
Legislation is still being developed at the same time as the pilots are running, plus there are a further two streams happening in parallel: the reference implementation and the writing of standards, said Kuhlmey.
These elements are interdependent as “the standards need to comply with the law, the reference implementation needs to implement the standards and the pilots should use the reference implementation.”
The Potential Consortium expects its pilots to begin in May 2023. Speaking about the timeline, Kuhlmey says, “The commission has taken an approach which is a bit aggressive, but agile.”
Feedback will be gathered throughout as the Commission works on the legislative file (“the defining text,” says Kuhlmey) which should be ready by the end of year.
Levels of assurance, levels of fragmentation
Digital identity schemes already exist across Europe. These schemes reach different levels of assurance as per eIDAS: low, substantial and high. But the aim is for all EU digital ID wallets to reach “high.”
When asked about discrepancies between security levels, such as France struggling to increase its assurance level, Kuhlmey said, “It’s not completely resolved yet. What’s clear is the wallet will be at the high level of assurance to have mutual recognition across member states.”
For countries with broader digital identity projects at the substantial level, he said, “There is going to be a path to upgrade the substantial level of assurance to the high level of assurance… to leverage any existing wallets that are already out there.”
Another controversial aspect of the EU digital identity scheme or “hot topic” in Kuhlmey’s words, is the unique identifier: “It’s a bit contradictory with the actual motivation of the wallet because the wallet is designed to protect the citizen’s privacy.”
The overall idea had been to avoid central databases by locating users’ data on their devices and giving them control over how it is accessed. New workarounds are being developed: “solutions where we have sector-based unique identifiers or the possibility to regularly renew your unique identifier so there is no trackability of the user.”
Uwe Stelzig, managing director of Identity Trust Management and also at IDnow, has outlined issues around eIDAS levels of assurance for a piece in CIO entitled “European digital market threatened with further fragmentation.” He believes eIDAS 2.0 regulation is in fact pushing digital identity for European citizens further out of reach and fragmentation, particularly in Germany, seems “pre-programmed.”
Stelzig holds that proposals will differently affect onboarding for EU wallets as in some countries only use of the state eID or offline procedures would be accepted. In Germany an eID card would be needed along with an NFC-enabled smartphone to create a digital identity with the highest level of assurance.
“In Italy, on the other hand, onboarding into the EUDI wallet via online video identification would be possible, since the Italian authorities – at the national level – certify the security level of this procedure as ‘high’,” writes Stelzig.
The differences will continue into eIDAS 2.0 and could potentially lead to the “next fragmentation in the EU, namely between sovereign (state) and private-sector applications.”
Most business use cases only require the substantial level, others such as age verification only low. Interacting with authorities and health may require high. Stelzig argues that processes requiring substantial, such as car rental, bank account opening, could all happen with video-based identification. Yet Germany still requires the government-issued eID cards to set up the wallet.
The issue could be compounded in countries like Germany as providers of transport and hospitality will benefit from customers using wallets, and these companies will favor private providers. These will either correspond to substantial levels of assurance or be imported from another EU country where a high level can be gained via other identification methods, states Stelzig.
Going back to the comparison between German and Italian approaches, Stelzig argues that Germans could import a wallet from Italy and undergo video authentication rather than eID.
German identity providers would be put at a disadvantage and lead to fragmentation.