Will Europe’s digital wallet become a honeypot? Seminar warns of security risks
Will the European Digital Identity (EUDI) Wallet become a honeypot for attackers? As the 2023 deadline approaches for offering European citizens a digital wallet that can store identification data, sign documents and even travel and buy products, experts are convening to discuss the hidden dangers of the project.
Last week, technical standards organization GlobalPlatform hosted a seminar in Brussels on the security of eID wallet schemes, featuring speakers from companies and organizations such as HID Global, Itsme, the Secure Identity Alliance (SIA), Thales, NXP Semiconductors, ENISA, Deutsche Telekom and more.
“It is a very interesting target for a lot of attacks, so we need to design it in a proper way,” says NXP Semiconductors’ security certification expert Fabien Deboyser during a panel dedicated to certification. This goal will have to be achieved under a time constraint, he adds.
Creators of EUDI schemes will have to balance many aspects to create successful products that are also secure. They will have to be simple enough for users and seamless enough so that users do not have to be educated for each and every feature, according to Chiara Casoni, head of business development and partnerships at decentralized identity technology provider Gataca.
“Not less important are the privacy and security aspects of things,” says Casoni, who participated in a panel for EUDI wallet service providers.
Privacy means ensuring that wallet, credential and verification service providers cannot track what is being done with the wallet, while offering the user transparency to see where they shared their credentials. Security means making sure the wallet is as unhackable as it can be and that the wallet holder can prove their identity in a manner that does not create roadblocks for mass adoption. Finally, there is also the challenge of interoperability.
“It’s not only between different technology stacks but also across sectors,” says Casoni. “I think we should try to minimize as much as possible the specific wallet for a specific sector type of scenario, because that’s just going to create a more siloed experience.”
The European Union adopted the regulation on the European Digital Identity, the eIDAS 2, in June 2021. The regulation stipulates that each of the twenty-seven member states will have to issue a digital identity wallet with a scheme recognized and accepted by the other member states, built on common technical standards and with early pilots in 2024.
As the deadline approaches, wallet creators are tackling many challenges, including achieving full interoperability and setting technical standards and certifications.
“There are a huge amount of use cases for one wallet,” says Oscar Leurs, director of business development at SGS Brightsight. “What we see in certification is that currently, we have for different use cases separate schemes or several separate sets of standards that we can evaluate against. I think that is indeed the biggest challenge to get these things together.”
From a technical perspective, the wallet is a combination of hardware and software components, cloud applications but also processes and services that support the security of the wallet. One of the issues is assessing the security of each of those components, according to Alban Feraud, vice-president of digital security industry organization Eurosmart.
“It’s really a bundle, a mix of various technologies, various items, products, services, and processes,” says Feraud. One of the key issues is the ability to “glue” together all those components and processes that may have been assessed and certified individually. “I think Common Criteria is no golden bullet,” says Feraud.
There is also a risk of fragmentation: national governments have a natural tendency to introduce fragmentation in certifications, especially in terms of data protection, where introducing national requirements could hamper the certification process, he adds.
Finally, panelists touched upon the risks that surround the use of biometrics in the EUDI wallet for applications that require the highest levels of assurance and what additional steps should be introduced for certain phases.
“It remains a challenge to provide the highest level of security given the deep fakes that you could inject into the system,” says Jean-Karim Zinzindohoué, CTO of France Identité, during one of the panels dedicated to security. “I don’t think for the enrollment [phase] the facial recognition has been removed from discussions but there was a question about adding additional processes which would add friction. So in the end, the question is, could we do completely remote onboarding or not?”