
EU cybersecurity agency outlines good practices for remote identity proofing

Threat landscape continues to churn and time is now for organized response, says report

The European Union Agency for Cybersecurity, ENISA, has released a report outlining good practices for remote identity proofing (RIDP), as the EU proceeds with a digital transformation that will rely heavily on biometrics, digital identity and reliable remote identity verification services.

The report, sensibly titled “Remote ID Proofing Good Practices,” points to a general shift toward digitization across European society and the economy, which was accelerated by the sudden need for remote identity verification during pandemic-related restrictions, resulting in “a period of intense transformation.” Lockdowns and other public health security measures, it says, “highlighted the significance of well-regulated and standardized remote identification processes, along with trustworthy digital identities on which public and private sector organizations may rely.”

With eIDAS 2.0 on the horizon, promising to provide all EU citizens with safe, transparent access to the EU Digital Identity Wallet (EUDIW) and other digital services, Europe is well on its way to the goals set for 2030 and to the European Commission’s aim of setting concrete targets for a “secure, safe, sustainable and people-centric digital transformation.” According to ENISA, this creates the need for “secure and reliable identity proofing services, deployable quickly, at scale and in a cost-efficient manner,” which is “a key enabler for electronic transactions in the Single Digital Market.”

In a world beset by deepfakes and injection attacks, all of this comes with a dark cloud of criminal potential. ENISA says recent developments in the attack landscape motivated its report. Fraud techniques can make RIDP methods unreliable, it says, and stakeholders want to know how to mount an effective digital defense based firmly in established good practices. In a concise expression of the core problem across the board, ENISA notes how “the rate of changes in technology and threat landscape outperforms the legislative cadence.”

To that end, the report identifies key objectives: to increase stakeholder awareness, assist in risk analysis practices in a rapidly changing threat landscape, and contribute to the development of stronger RIDP countermeasures.

New threats emerge amid a tangled web of digital ID regulation

The report builds on previous guidelines, “in an effort to bring novel types of threats and wider ecosystem concerns to the foreground.” Information and data analysis zeroes in on which novel threats, in particular, it wishes to expose. The first is biometric presentation and injection attacks against a human subject’s face. The second, presentation and injection attacks against an identity document. Per the report, “consideration was given to the nature and developments relating to deepfake attacks and related approaches in offensive and defensive aspects.” (The study limits its focus to face biometrics, excluding other modalities such as voice or fingerprint.)

“The rate and sophistication of novel threats require a revised mindset of defense, incorporating preventive and detective approaches,” says the report. The emergence of new types of attacks such as high-quality deepfakes, and the availability of computational resources and tools which allow scaling and automation, make a framework for response more important than ever.

ENISA’s titular good practices deal with the domains of environmental, procedural, organizational and technical controls. Pertaining specifically to “attacks relating to identity documents that take place during the evidence validation and information binding phase of RIDP,” it states that “the two most prominent good practices for defending identity documents were the status lookups in various identity document registries and the scanning of the near-field communication (NFC) chip (where available).”

It recognizes that there are obstacles to realization. There are complex issues of interoperability and the lack of a central identity document registry, and with the legality of the NFC chip method for private entities in the EU. “The inconsistent state of NFC-reading can be thought of as a part of the wider scattered regulatory landscape across the EU relating to the recognition of the remote nature of identity proofing and the assurance level it can provide,” it says.

Biometric injection attacks, deepfakes trigger alarm

The report contains a comprehensive overview of the types of instruments, methods and tactics used in biometric presentation attacks and data injection attacks. Its finding that “deepfake presentation and injection attacks were the top two biometric attack types considered hardest to mitigate” portends further developments in blurred reality and potentially more effective deepfake attack paths, such as “disentanglement”, which “decouples the facial identity generation process from the pose controlling process, both performed by a generative adversarial network (GAN), allowing to generate results that are customizable and fully controllable, photorealistic to a high degree of quality and natural in facial movement.”

With the ability to maintain liveness features and thus go undetected by traditional anti-spoofing methods, GANs, says the ENISA report, “are the next step in deep learning-based synthesis.” In other words, it would be unwise to let one’s guard down, just as the other side is gearing up to new levels of technological and criminal capability.

The answer, in summation, echoes the old Beatles song: come together – on policy and regulation, standardization, data centralization, threat detection and defense. “The need to minimize polyphony and set a uniform baseline of requirements and permitted RIDP methods at the European level, taking into consideration the recent advancements of technology, becomes more evident than ever before,” says ENISA.

Furthermore, it advises, stay loose. “Technology-neutral approaches that avoid describing specific technical requirements or solutions, but rather set the specific performance criteria, would lead to more flexible, adjustable and resilient standards published with longer lifetimes and remaining up to date with the current state of the technological and threat landscape at every moment.”
