Cryptographers warn about EUDI Wallet privacy
The European digital identity project, which aims to give each EU resident a digital wallet by 2026, is seeing more trials and apps come to life. But despite ambitious plans to digitize identification, authentication and personal data transfers, some security experts warn that the European Digital Identity (EUDI) Wallet could fall short of privacy requirements.
Security concerns related to the digital ID project could also mean that the November 2026 deadline for member states to issue the EUDI Wallet may be unrealistic, according to Thomas Lohninger, a member of digital rights group Epicenter.works.
“The whole security concept is based on certification,” says Lohninger. “The same member state that will issue the wallet will also certify its security. You can see why that’s wrong.”
Lohninger spoke last week at the Chaos Computer Club (CCC)’s 38th Chaos Communication Congress in Hamburg alongside Anja Lehmann, a professor of cryptography at the Hasso-Plattner-Institute, University of Potsdam. Both experts are jury members at the German government competition to create a national EUDI Wallet prototype.
The duo presented a paper published by a group of cryptographers providing feedback on the EUDI Wallet Architecture and Reference Framework (ARF), a document providing guidance on security, privacy by design, and user control over personal data. The research, published in June this year, concludes that a larger redesign is in order, proposing a cryptographic mechanism called anonymous credentials, specifically the BBS family of anonymous credentials.
During the presentation, Lohninger and Lehmann analyzed issues mentioned in the paper alongside drawbacks of the eIDAS regulation when it comes to privacy.
“Digital identity systems are either extremely respectful to our privacy and do the utmost to protect it, or they shouldn’t exist because their harm probably outweighs the benefit,” says Lohninger.
Yubico enters German digital ID competition finals
While cryptographers are expressing doubts, companies are moving forward with digital ID projects.
Biometric security hardware firm Yubico has been selected as a finalist for the German national competition to create an EUDI Wallet prototype.
The 13-month prototype competition is organized by the German Federal Agency for Leap Innovation (SPRIND) on behalf of the Federal Ministry of the Interior and Community (BMI). The competition invited six companies to participate with state funding and another five companies within the non-funding track.
Yubico has been competing within the non-funding track as part of the wwWallet open standards identity project, which also includes Sunet (Swedish University Computer Network) and GUnet (Greek Universities Network). The group demonstrated how a wallet can provision credentials from the German national eID (the Neue Personalausweis Smart Card), testing it within a Large-Scale Pilot with other relying parties.
The project involved Yubico’s YubiKey hardware authentication devices for logging into and encrypting the wallet.
“The open standards nature of the wwWallet project is making interoperable and safe solutions for all users – all backed by the phishing-resistant, hardware-based security of YubiKeys which gives the ability to seamlessly use digital identity wallets in the ways that matter most,” says Yubico’s architect John Bradley.
Among other companies competing in SPRIND’s EUDI Wallet competition are Google, Samsung and German digital ID wallet maker Lissi, which also announced it has qualified for the final phase.