eIDAS update sets up harmonized remote ID verification, privacy protection
European stakeholders are finalizing the details of how the EU Digital Identity Wallet will work under eIDAS 2.0, and showed their work at the recent 15th CA-Day, the day after the Trust Services and eID Forum in Vienna, Austria.
Among the standout presentations were talks on remote identity verification, privacy-preserving attribute attestation and selective disclosure.
Signicat Product Manager and Tribe Lead for Signing and Trust Services Jon Olnes gave a presentation on how remote verification works under eIDAS.
The system has not progressed very far from the chaos of national rules that preceded eIDAS, Olnes says, but harmonization is finally on the way for qualified certificates, digital IDs and financial services. Olnes reviewed the “infamous” Article 24.1 from the original eIDAS legislation, and the steps towards harmonization included in its update.
The elimination of “other means” accepted by states is one example of progress, according to Olnes.
He believes there are some problems that come along with raising the bar on the assurance level for the identity verification needed to issue a qualified certificate or attribute attestation, from substantial to high. Fewer qualified certificates will be issued as a result: Italy’s SPID, for instance, can serve the identity verification function at the “substantial” level but does not yet meet the new “high” bar.
Some requirements are being added to the physical presence version of identity verification for QC issuance to clarify what kind of places meet the standard and which do not.
The “high level of confidence” does not exactly align with the “eID high,” Olnes says, so further coordination is needed. The “high level of confidence” also shows up in Article 44, on qualified electronic registered delivery services. The sender must be identified to that level, but the receiver must simply be identified.
The “minimum technical specifications” required in Article 24.1, however, will suit most EU member states, according to Olnes, and result in substantial harmonization. AML rules are also coming together, with a new regulation reaching EU common law, hopefully by 2025. That law, or its implementing acts, are expected to set common requirements for identity proofing and onboarding. The European Banking Authority’s guidelines on remote customer onboarding do not establish requirements in law, but give direction to work on those laws, Olnes says.
For eIDs, things are less clear.
The EU Digital Identity Wallet will be issued at assurance level high, either with a digital ID that already meets the threshold, or an as-yet unspecified substantial-plus process. Identity documents are not explicitly mentioned in relation to remote onboarding with the EUDI Wallet. Given the low number of digital IDs held by Europeans today that meet the “high” threshold, Olnes anticipates that identity documents will be widely used for EUDI Wallet onboarding.
The ETSI standard provides a common reference for harmonization, and revisions could bring in attribute attestations and establish an “extended” level above “baseline.”
CEN, the European Committee for Standardization, includes biometrics requirements in its CEN TC 224 standard, and biometric data injection attack detection is being built into the new draft. The working groups are also crafting guidelines for onboarding the personal identification data of users within the EUDI Wallet. ENISA’s reports on identity proofing are also contributing to the standards, Olnes says, while ISO/IEC standards provide guidance on biometrics.
Olnes reviewed the considerations for biometric presentations and injection attacks, either of identity documents or selfie videos. Future challenges may include deepfakes indistinguishable from genuine videos, and real-time deepfakes which could potentially defeat the challenges of active liveness detection systems. Possible defenses could include signatures proving a video is produced by a certain camera, and NFC scanning for ID documents.
Fully automated onboarding to EUDI Wallets will be necessary to avoid the cost of staffing manual checks for 215 million digital wallets in the next 15 years, based on the goal of issuing them to 80 percent of the EU population. This likely means NFC scanning and selfie biometrics.
Christian Seegebarth of D-Trust and the IDunion consortium delivered a presentation on the self-sovereign identity (SSI) and public key infrastructure (PKI) potential for enabling attribute attestations under eIDAS 2.0.
New business models, like qualified electronic seals, expand the scope of the regulation, but will also take some legislative change at the state level. Qualified electronic attribute attestation will take until the end of 2026 or 2027, Seegebarth estimates.
He suggests that in the meantime, qualified seals can be applied to verifiable credentials (VCs) to raise the bar for the current trust model.
Seegebarth presented the different types of attribute attestations currently available, including with sealed VCs, and IDunion’s roadmap towards eIDAS 2.0 based on the reference architecture framework (RAF).
The traditional SSI triangle model of the credential issuer, holder and relying party gets an addition, with the issuer buying a qualified sealed certificate from the trust services provider.
In an example on this model of a login to a website through the EUDI Wallet, the user enters an email address for identification and the website presents a QR code secured with a certificate, which the wallet can validate. The user enters a PIN, and in the background an attestation key verifies that the wallet is genuine, so the credential can be issued. The seal, in this case, can be provided by a smart card operated by the issuer, a sealing server, or a remote sealing service offered by a qualified trust service provider.
IDnow Senior Architect Sebastian Elfors spoke about selective disclosure in the following presentation. (IDnow joined IDunion in 2021.)
Elfors began with the basics of selective disclosure, unlinkability and zero-knowledge proofs, and the relevant legal definitions in eIDAS 2. Technical definitions are presented in the RAF, but ETSI TR 119 476, published in August, goes much further in describing selective disclosure and ZKP.
Four selective disclosure schemes are outlined: Atomic QEAAs, multi-message signature schemes, salted attribute hashes and proofs for arithmetic circuits.
An example of the first is the combination of an automobile registration, civil registry and payment attestations to present a verifiable parking pass from the EUDI Wallet.
Multi-message schemes generate “multiple proofs over subsets of an originally signed message.” This provides both unlinkability and predicates, which is a mechanism for restricting information, by design, Elfors says.
Salted hashes involve sending all of the hashed information from a given credential to a relying party, which only has the cryptographic keys to read the relevant items.
Proofs for arithmetic circuits have different characteristics, based on the specific proof used, but do not have credentials, and can only be used for checking statements, Elfors explains.
He also notes that the ISO 18013-5 standard for mobile driver’s licenses makes use of the Mobile Security Object concept, which is based on salted hashes, for selective disclosure.
Selective disclosure in eIDAS 2 is based on the ISO mDL and W3C VC PID (Person Identification Data) formats, as specified in the RAF for EUDI Wallet Type 1 configurations. Type 2 configurations can use multi-message signature schemes and proofs for arithmetic circuits.
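The salted-attribute-hash scheme described above, and used by the ISO 18013-5 Mobile Security Object, is easiest to see in working code. The following Python is an added example, not code from the presentations, ETSI TR 119 476 or any EUDI Wallet implementation. It is constructed around a toy PID credential; the issuer's qualified seal is simulated with an HMAC under a shared demo key (a real issuer uses a public-key signature, so the relying party holds only the issuer's public key), and the attribute names and values are invented.

```python
"""Selective disclosure with salted attribute hashes (MSO / SD-JWT style).
Constructed example: the issuer seal is an HMAC stand-in for a real signature."""
import hashlib
import hmac
import json
import secrets

# Constructed demo key; stands in for the issuer's signing key / qualified seal.
DEMO_ISSUER_KEY = b"demo-issuer-key-not-for-production"


def salted_digest(name: str, value, salt_hex: str) -> str:
    """Digest over (salt, name, value). The per-attribute random salt stops a
    relying party from brute-forcing undisclosed low-entropy attributes such
    as a birth date or a boolean from the sealed digest list."""
    material = json.dumps([salt_hex, name, value], sort_keys=True).encode()
    return hashlib.sha256(material).hexdigest()


def issue(attributes: dict):
    """Issuer: salt and hash every attribute, seal only the digest list, and
    hand the holder the sealed credential plus the per-attribute disclosures."""
    disclosures = {}
    digests = []
    for name, value in attributes.items():
        salt_hex = secrets.token_hex(16)
        disclosures[name] = (salt_hex, value)
        digests.append(salted_digest(name, value, salt_hex))
    digests.sort()  # sorted so list position leaks nothing about attribute order
    payload = json.dumps({"digests": digests}).encode()
    seal = hmac.new(DEMO_ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "seal": seal}, disclosures


def present(credential, disclosures, reveal):
    """Holder: send the sealed credential plus only the chosen disclosures."""
    return credential, {name: disclosures[name] for name in reveal}


def verify(credential, disclosed):
    """Relying party: check the seal, then recompute each disclosed digest and
    confirm it is in the sealed list. Returns the verified attributes, or None
    if the seal is bad or any disclosed (salt, value) pair does not match."""
    expected = hmac.new(DEMO_ISSUER_KEY, credential["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential["seal"]):
        return None
    sealed = set(json.loads(credential["payload"])["digests"])
    verified = {}
    for name, (salt_hex, value) in disclosed.items():
        if salted_digest(name, value, salt_hex) not in sealed:
            return None
        verified[name] = value
    return verified


def demo():
    """Issue a toy PID, disclose only age_over_18, then try to alter it."""
    pid = {"given_name": "Alice", "family_name": "Example",
           "birth_date": "1990-01-01", "age_over_18": True}
    credential, disclosures = issue(pid)
    cred, shown = present(credential, disclosures, ["age_over_18"])
    accepted = verify(cred, shown)                             # {'age_over_18': True}
    salt_hex, _ = shown["age_over_18"]
    forged = verify(cred, {"age_over_18": (salt_hex, False)})  # None: digest mismatch
    return accepted, forged


if __name__ == "__main__":
    print(demo())
```

Two points the code makes visible: the relying party never learns the withheld attributes, only their salted digests, but the sealed digest list (and the seal over it) is byte-for-byte identical in every presentation, so two relying parties can correlate the same holder. That is the unlinkability gap that the multi-message signature schemes and arithmetic-circuit proofs mentioned earlier are meant to close.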
Meanwhile the ETSI TR 119 476 standard is currently being revised, Elfors says, and the working groups have 100 pages of feedback to go through to inform the next step.