EU cybersecurity agency outlines good practices for remote identity proofing

The European Union Agency for Cybersecurity, ENISA, has released a report outlining good practices for remote identity proofing (RIDP), as the EU proceeds with a digital transformation that will rely heavily on biometrics, digital identity and reliable remote identity verification services.
The report, sensibly titled “Remote ID Proofing Good Practices,” points to a general shift toward digitization across European society and the economy, which was accelerated by the sudden need for remote identity verification during pandemic-related restrictions, resulting in “a period of intense transformation.” Lockdowns and other public health security measures, it says, “highlighted the significance of well-regulated and standardized remote identification processes, along with trustworthy digital identities on which public and private sector organizations may rely.”
With eIDAS 2.0 on the horizon, promising to provide all EU citizens with safe, transparent access to the EU Digital Identity Wallet (EUDIW) and other digital services, Europe is well on its way to its goals for 2030 and to the European Commission’s aim of setting concrete targets for a “secure, safe, sustainable and people-centric digital transformation.” According to ENISA, this creates a need for “secure and reliable identity proofing services, deployable quickly, at scale and in a cost-efficient manner,” which is “a key enabler for electronic transactions in the Single Digital Market.”
In a world beset by deepfakes and injection attacks, all of this comes with a dark cloud of criminal potential. ENISA says recent developments in the attack landscape motivated its report. Fraud techniques can make RIDP methods unreliable, it says, and stakeholders want to know how to mount an effective digital defense based firmly in established good practices. In a concise expression of the core problem across the board, ENISA notes how “the rate of changes in technology and threat landscape outperforms the legislative cadence.”
To that end, the report identifies key objectives: to increase stakeholder awareness, assist in risk analysis practices in a rapidly changing threat landscape, and contribute to the development of stronger RIDP countermeasures.
New threats emerge amid a tangled web of digital ID regulation
The report builds on previous guidelines, “in an effort to bring novel types of threats and wider ecosystem concerns to the foreground.” Its analysis singles out two novel threats in particular. The first is biometric presentation and injection attacks against a human subject’s face. The second is presentation and injection attacks against an identity document. Per the report, “consideration was given to the nature and developments relating to deepfake attacks and related approaches in offensive and defensive aspects.” (The study limits its focus to face biometrics, excluding other modalities such as voice or fingerprint.)
“The rate and sophistication of novel threats require a revised mindset of defense, incorporating preventive and detective approaches,” says the report. The emergence of new types of attacks such as high-quality deepfakes, and the availability of computational resources and tools which allow scaling and automation, make a framework for response more important than ever.
ENISA’s titular good practices deal with the domains of environmental, procedural, organizational and technical controls. Pertaining specifically to “attacks relating to identity documents that take place during the evidence validation and information binding phase of RIDP,” it states that “the two most prominent good practices for defending identity documents were the status lookups in various identity document registries and the scanning of the near-field communication (NFC) chip (where available).”
It recognizes that there are obstacles to realization: complex interoperability issues, the lack of a central identity document registry, and questions about the legality of the NFC chip method for private entities in the EU. “The inconsistent state of NFC-reading can be thought of as a part of the wider scattered regulatory landscape across the EU relating to the recognition of the remote nature of identity proofing and the assurance level it can provide,” it says.
Biometric injection attacks, deepfakes trigger alarm
The report contains a comprehensive overview of the types of instruments, methods and tactics used in biometric presentation attacks and data injection attacks. Its finding that “deepfake presentation and injection attacks were the top two biometric attack types considered hardest to mitigate” portends further developments in blurred reality and potentially more effective deepfake attack paths, such as “disentanglement”, which “decouples the facial identity generation process from the pose controlling process, both performed by a generative adversarial network (GAN), allowing to generate results that are customizable and fully controllable, photorealistic to a high degree of quality and natural in facial movement.”
With the ability to maintain liveness features and thus go undetected by traditional anti-spoofing methods, GANs, says the ENISA report, “are the next step in deep learning-based synthesis.” In other words, it would be unwise to let one’s guard down, just as the other side is gearing up to new levels of technological and criminal capability.
The answer, in summation, echoes the old Beatles song: come together – on policy and regulation, standardization, data centralization, threat detection and defense. “The need to minimize polyphony and set a uniform baseline of requirements and permitted RIDP methods at the European level, taking into consideration the recent advancements of technology, becomes more evident than ever before,” says ENISA.
Furthermore, it advises, stay loose. “Technology-neutral approaches that avoid describing specific technical requirements or solutions, but rather set the specific performance criteria, would lead to more flexible, adjustable and resilient standards published with longer lifetimes and remaining up to date with the current state of the technological and threat landscape at every moment.”