How will Europe make the EUDI secure: Cryptomathic weighs in
By the end of 2023, European countries have promised to offer their citizens the European Digital Identity Wallet (EUDI), an application available at the tap of your mobile phone that promises to store and share identification data, grant access and sign documents, and much more. But experts are warning that the digital ID project will also face security challenges – from malware and vulnerabilities to hacking.
At stake are millions of identities that will be used to access not only digital services but also digital travel credentials, driver’s licenses, university diplomas, and potentially personal information such as bank and medical records. While identity theft and data leaks could impact users, another consequence may be a loss of trust in service providers.
A major risk in the current version of EUDI is the liability derived from issuing and managing identities and ensuring they can be shared with third parties, says Guillaume Forget, executive vice president at Cryptomathic, a digital security solutions provider based in Denmark.
“Currently, I see very few people that actually would be able to take this level of liability,” says Forget, adding that the liability is likely to fall on large government organizations. “If you are to manage the identity of potentially millions of end users, and this has been compromised, then it’s fairly easy for a small company to get out of business.”
Forget explains that the EUDI Wallet has four stakeholder groups, the first one being the users, which are central to the solution. The second stakeholder is the source of trusted identities and trusted digital assets. And the third is the issuer of the European Digital Identity Wallet itself, or the operator of the ID Wallet scheme. The latter will rely on the framework that will be provided by the European Commission. The last group are relying parties, i.e. public and private companies that rely on the credentials or attestations that are being shared through the EUID Wallet to grant access to a product or service.
“Many institutions are strong in managing backends serving millions of users, and they have certain procedures in place to mitigate risks,” says Forget. “But when you look at the audit framework around managing a large-scale scheme based on mobile apps, except maybe for the banking industry, I do not know of any other sector that issues apps with this level of sensitivity.”
The threats surrounding the EUDI Wallet, a part of the eIDAS2 regulation aimed at offering a digital identity to all EU citizens, have been studied by offices such as the European Union Agency for Cybersecurity (ENISA). Although the deadline is approaching, challenges still exist, including achieving full interoperability and setting technical standards.
In a recent report, industry group DIGITALEUROPE highlighted issues such as fraud prevention, user accessibility, and implementation timeframes.
“We are concerned that time and procedural pressure could result in immature products being pushed to the market without adequate time for testing and development through large-scale projects. This would hurt security and healthy competition for vital EU infrastructure,” the group states in the report.
Forget notes, however, that if EUDI aims to be widely adopted and have high usage rates as the European government plans, it will need lessons learned from a live deployment of the technology. Companies that take too long to launch projects may find themselves overcome by large tech sectors.
“If you look at successful schemes in the past, they didn’t start with millions of users from day one,” says Forget. “They started and grew and adapted and they built on functionality.”
The EUDI wallet will have to work offline and store sensitive data like personal identity documents, cryptographic keys and other private information on a mobile platform exposing it to loss, hardware failures, malware, hackers and thieves.
According to Cryptomathic’s white paper ‘EUDI: Implementing Best Practice Security for a High Risk Asset,’ the wallet will face broadly two types of attacks: The first are those against the mobile app itself, including reverse engineering tools, exploiting device memory, altering the user interface or creating similar apps to confuse the user. The other type targets APIs and communication channels. Such attacks will focus on the interfaces between the EUDI wallet and the participants in the wallet ecosystem primarily to expose personal data.
Without mobile security, EUDI will not be able to stay ahead of the curve in terms of potential attacks, says Forget, whose company offers its own security solutions. New mobile app versions usually come out every three to six months because they are updated according to new OS versions, new settings, potential attacks and crypto libraries.
“If you come with a static framework, such as the one that was used for smartcards or back-end technology, where you make an evolution say, every 18 months, then you’re bound to fail or be under attack that won’t be able to mitigate,” says Forget.
A flexible, continually updated framework will be necessary, therefore, if the EUDI’s potential to ease air travel, online purchases and business-to-business interactions is to be realized.