EUDI Wallet onboarding can’t wait for biometrics security standards completion

Standards for ensuring the integrity of biometric data and harmonized testing to ensure systems are compliant with them are needed to secure remote onboarding with EU Digital Identity (EUDI) Wallets, say French and German authorities in a newly published report.
ANSSI and BSI’s “Remote Identity Proofing for EUDI Wallet Onboarding: Strengthening Assurance Against Evolving Threats” follows a release on remote identity proofing published in late 2023 as part of an annual series of papers from the partners. The 2023 report focussed on general threat models. Over 12 pages, the new report revisits those threats, discusses progress made in the interim, and identifies security gaps that could make video-based remote identity proofing less reliable.
The paper reflects the two agencies’ harmonized stances on eIDAS 2, according to the announcement.
Onboarding to EUDI Wallets has to meet Level of Assurance (LoA) High. This is easy when being performed with a national digital ID that already meets that threshold. Using other credentials with face biometrics and ID document verification could be more convenient, but “it also introduces serious technical and security challenges,” the report says.
To mitigate those challenges, EUDI Wallet onboarding systems must include presentation attack detection (PAD), injection attack detection (IAD), randomized challenge-response mechanisms to detect replays, and tamper detection for the video stream.
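The randomized challenge-response step named above, shown from the verifier's side as an added example (not code from the report or either agency): each onboarding session gets a fresh random nonce and action sequence, and a response is accepted only if it is tied to the pending challenge, unexpired and never used before, so a pre-recorded video cannot satisfy a later session. The action catalogue, the 30-second window and the `observed_actions` field (what a liveness pipeline is assumed to extract from the video) are assumptions.

```python
import secrets
import time

# Constructed catalogue of liveness actions the verifier may request (assumption).
ACTIONS = ("turn_left", "turn_right", "nod", "blink", "smile")
CHALLENGE_TTL = 30.0  # seconds a challenge stays valid (assumed value)


class OnboardingVerifier:
    """Verifier side of one randomized challenge-response round in
    video-based remote identity proofing."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry is testable
        self._pending = {}         # session_id -> (nonce, actions, issued_at)
        self._consumed = set()     # nonces that have already been answered

    def issue_challenge(self, session_id):
        """Create an unpredictable challenge bound to this session."""
        nonce = secrets.token_hex(16)
        actions = tuple(secrets.choice(ACTIONS) for _ in range(3))
        self._pending[session_id] = (nonce, actions, self._now())
        return {"nonce": nonce, "actions": list(actions)}

    def verify_response(self, session_id, response):
        """Return 'ok' or the reason the response is rejected.

        The pending challenge is removed on the first attempt, so a
        session cannot retry the same challenge after a failure."""
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return "no_pending_challenge"
        nonce, actions, issued_at = entry
        if response.get("nonce") in self._consumed:
            return "replayed_nonce"          # answer recorded in an earlier round
        if response.get("nonce") != nonce:
            return "nonce_mismatch"          # answer not bound to this session
        self._consumed.add(nonce)
        if self._now() - issued_at > CHALLENGE_TTL:
            return "expired"                 # too old to count as live
        if tuple(response.get("observed_actions", ())) != actions:
            return "actions_mismatch"        # video did not show the requested sequence
        return "ok"
```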
ANSSI and BSI also warn that optical character recognition (OCR) can be sensitive to lighting, focus and image distortion, introducing a risk of data collection errors. Reading the ID documents’ electronic chip is more secure, they say, but restricted by law in some countries.
Standards unready
The report identifies the unfinished work on standards for addressing the threat from biometric presentation and injection attacks as the major issue standing in the way of LoA High onboarding.
“Standardisation efforts have intensified, yet several issues remain unresolved,” the agencies say.
“Furthermore, current phrasings of requirements leave room for interpretation during audits or evaluations, which hinders trust comparability, and mapping them to LoA levels remains incomplete.”
The ETSI TS 119 461 remote identity proofing standard is abstract and needs to be more clearly mapped against LoA High. European injection attack standard CEN/TS 18099 needs technical specificity for implementation validation. ETSI TS 119 461 refers to both CEN/TS 18099 and ISO/IEC 19989-3 for security testing and evaluation, but the test specifications are not widely available or harmonized across Europe, ANSSI and BSI say.
EUDI Wallet onboarding standard CEN/TS 18098 is still being crafted by CEN TC 224 WG20, and lacks detailed guidance on conformance. And the same committee’s WG18 is still working on the standard for biometric security product requirements.
While the standards are being completed, “temporary approaches are necessary,” the national authorities say. They propose the development of harmonized evaluation and test criteria, and mandating biometric PAD and IAD testing as soon as possible. Gaps in identity document verification must also be addressed, by establishing test criteria, enabling sufficient tests by conformity assessment bodies, and prioritizing chip reading.