eIDAS and the European Digital Identity Wallet: Context, status quo and why it will change the world.
In 2021 the European Commission announced the European digital identity wallet. This article explains the basic concepts, highlights the significance of this development and provides an overview of the status quo.
The vast majority of citizens regularly use the internet. According to statista, for 16–24-year-olds, the European average of daily internet users amounts to 95 per cent in 2020. Even for the age group of 55–64 years, the percentage of daily users is as high as 69 per cent on an EU average. Hence, access to digital services is expected. This includes services offered by governments and the private sector alike.
The difference between foundational and contextual identity
When speaking about “digital identity” we need to differentiate between a foundational and contextual identity. A foundational identity has a legal context and uniquely identifies a natural person. A contextual identity exists depending on a particular context and is not directly subject to government regulations. While a person generally only has one foundational identity, he or she can have hundreds of contextual identities.
Foundational Identities are also referred to as government-issued, eID, regulated-, foundational-, base-, or core identity.
Foundational or regulated identities are issued by an authoritative body of a government. A classic example is a passport. It grants rights and privileges in a global context and is subject to a highly regulated environment.
The Pan Canadian Trust Framework defines a foundational identity as followed: “A foundational identity is an identity that has been established or changed as a result of a foundational event (e.g., birth, person legal name change, immigration, legal residency, naturalized citizenship, death, organization legal name registration, organization legal name change, or bankruptcy)” PCTF V1.4.
Contextual identity: also referred to as non-regulated-, private- or pseudonymous identity.
The Pan Canadian Trust Framework defines a contextual identity as followed:
“A Contextual Identity is an identity that is used for a specific purpose within a specific identity context (e.g., banking, business permits, health services, drivers licensing, or social media). Depending on the identity context, a contextual identity may be tied to a foundational identity (e.g., a drivers licence) or may not be tied to a foundational identity (e.g., a social media profile)”.
Hence, one needs to know the context of the identity in question to understand who we are talking about. If we just say “follow @earthquakebot to get immediate information about earthquakes 5.0 or higher” you don’t know where to go and search for this bot. The context, which is missing is that the bot exists within the authoritative domain of the twitter platform. However, on other platforms, this name might already be taken or used for other purposes.
Identification and authentication
Before we dive deeper into the topic of the eIDAS regulation we want to explain two key concepts, which the regulation is aiming to improve: identification and authentication.
Identification asks: Who are you?
This implies the person or organisation you are interacting with doesn’t know you yet and has a legitimate reason or even the obligation to identify the natural person it’s interacting with.
Current means of identification include officially notified eID means as well as offerings from the private market such as postal service, video- or photo identification of your physical ID documents in combination with a photo or video of you. Currently, there are multiple eID implementations within Europe, however not every member state has notified an eID for cross border usage.
Authentication asks: Is it you again?
This implies that you had a previous interaction with the person or organisation you are interacting with so they already know you.
Current means of authentication include the username (mostly an email) in combination with a password or a single sign-on (SSO) service also referred to as “social login” provided by big technology companies.
Passwords are cumbersome to remember especially considering that users should use different passwords for different services. While “social logins” are more convenient and user-centric, they also come with critical drawbacks, since they lead to a high dependency on the “social login” provider and a lockin within their ecosystem. Interoperability is missing and oftentimes the business models of these providers are based on surveillance practices.
In the early stages of the web, we mainly used postal ident for identification and only passwords for authentication. In the second and current iteration of the web, we use photo- or video identification for the verification of regulated identities or notified eID means provided by the member state. For authentication, we use a combination of passwords and “social logins”. In the third iteration of the internet “WEB3”, we will use digital wallets for both identification and authentication.
A key differentiator is the control over identificators. Until now users were only able to choose an identificator within an authoritative domain, such as email addresses, usernames on social media platforms or telephone numbers. Ultimately the legal entity governing the domain, in which the identificator is used, has full control over the usage of these identificators. That’s different with decentralised identificators (DIDs), which are created and controlled by users.
The eIDAS regulation (electronic IDentification, Authentic and trust Services) instructs all relevant stakeholders regarding the use of electronic signatures, electronic transactions and their involved bodies as well as their embedding processes to provide a safe way for users to conduct business online. The first version of the European regulation came into effect in 2014. In June 2021 the European Commission proposed a revised version “eIDAS 2.0”, which is currently in draft.
This revision was initiated due to the current limitations as described in more detail in the impact assessment:
1) Optional eID notification for member states.
2) Limited option to exercise data protection rights.
3) Strong limitations to public services in practice.
4) No level playing field for trust service providers from different member states.
More information about the findings on the implementation and application of the revised eIDAS regulation was published by the European Parliamentary Research Service.
The European Digital Identity (EUDI) Wallet is an application for citizens running on a mobile device or a cloud environment, which can be used to receive and store digital credentials and interact with third parties to get access to digital services. The wallet will be provided to citizens by all member states. Its usage is optional for citizens.
The graphic above illustrates that there are multiple issuers of identity information. This information can be received, stored and presented by the EUDI Wallet. Entities requesting information from a citizen can be public institutions or representatives of those or commercial entities, which are required by law to identify their customers such as banks or airlines.
The wallet will enable:
1) both identification and authentication
2) the verification of third parties
3) the storage and presentation of verified identity data and
4) the creation of qualified electronic signatures
Currently, the intention for the EUID Wallet is to reach the level of assurance (LoA) “high”. The LoA represents the degree of an issuer’s confidence in a presented credential and its trustworthiness.
Similar to how the European General Data Protection Regulation (GDPR) forced the internet to recognise the data protection rights of users, the eIDAS regulation will set the foundation for digital identity and identity wallets on a global scale.
Very large platform providers will be mandated to accept the digital identity wallet. The digital markets act classifies a platform as such, once they reach 45 Million monthly active users in the European Union, which is equivalent to 10 per cent of the European citizens. This solves the initial problem of a two-sided market in which both issuers and consumers of identity data want the other party to be present before joining. It also expands the scope of the regulation from initially regulated identities only to also include contextual identities — at least the access to them via means of authentication.
While some European Member states such as Sweden or Estonia already have an advanced framework for digital identities, which is used by the majority of citizens, this isn’t the case for all member states. Those who lag behind have the opportunity to leapfrog existing infrastructure.
Furthermore, there is a massive opportunity for Europe as a whole to standardise user-centric processes for identification and authentication while preserving citizen control and privacy. This will facilitate access to digital services from the public and private market alike. The harmonisation of legislation and technology on a European level will enable public bodies and private market participants to better reach European consumers.
The regulation has the chance to significantly improve processes via automatisation, verified data, flexibility and availability of a common infrastructure. It furthermore has the potential to reintroduce organisations with a direct encrypted communication interface to consumers without an intermediary.
A shared infrastructure for all member states with easy access for private entities would also greatly facilitate information exchange between ecosystems, which are currently separated and fragmented. Infrastructure with a suitable legal framework would benefit all stakeholders by providing much-needed trust and security for digital interactions.
The European Commission has set itself a tough timeline by planning to mandate member states to offer a EUDI Wallet at the beginning of 2024. The next big milestone will be the
announcement of technical specifications as part of the eIDAS toolbox in October 2022. Hence, from the adoption of the legislation in early 2023 until the availability of the wallets there is only a one year period for member states to implement the wallet based on the defined standards.
These standards are defined in the eIDAS Toolbox. You can find more information about the timeline published by the German research team accompanying the Showcase Digital Identity projects in Germany.
The outline of the toolbox was published by the eIDAS expert group in February 2022. You can find it here.
Who is working on the eIDAS 2.0 toolbox?
The eIDAS regulation is revised by an expert group consisting of representatives from the 27 member states. The work of the eIDAS expert group is divided into four working groups (WG):
The WG Provision and exchange of identity attributes is concerned with the set, format and issuance and validity of personal identification data.
The WG Functionality and security of the wallets also takes into consideration the APIs and protocols for the communication between the stakeholders as well as the creation and usage of qualified electronic signatures.
The WG Reliance on the wallet/identity matching is concerned with the unique identification process, the authenticity of received credentials by the relying party and its authentication.
The WG Governance is concerned with the accreditation of certification bodies, the trusted lists, the list of certified European Digital Identity Wallets, security breaches as well as business models and fees structures.
What’s the status quo of the eIDAS toolbox?
The current outline of the toolbox contains information about the objectives of the EUDI Wallet, the roles of the actors of the ecosystem, the wallet’s functional and non-functional requirements as well as potential building blocks. However, it currently doesn’t provide any further information regarding a technical architecture and reference framework, common standards and technical specifications or common guidelines and best practices. These components will be added later.
There are multiple possible directions regarding the technological design of the EUDI Wallet. This primarily includes (de)centralized public key infrastructures, certificates such as X.509 certificates or verified credentials as well as communication protocols such as OpenID Connect or DIDComm. However, at this point, the final choice is still unclear.
The toolbox technical architecture will result in a single connection interface for relying parties as stated in the outline: “To ensure that the EUDI Wallet can be used in a seamless way by trust service providers and relying parties alike, a common authentication protocol shall be specified, ensuring interoperability (…).”
If you want to know more about how the toolbox process is defined, you can find a detailed description in the summary of the first meeting of the eIDAS expert group.
There will be at least four pilot implementations of the European digital identity wallet, which are funded by the European Commission as part of the Digital Europe Programme. Each pilot implementation should contain the use cases driver licence, diploma, payment authentication and eHealth as well as use cases in other areas such as digital travel credentials and social security. Such scenarios may also demonstrate the functionalities of the wallet for example qualified electronic signatures.
For one pilot implementation, at least three member states have to collaborate. While stakeholders from the private sector can also participate, the application must be submitted by the member states. The funding opportunity was announced in February 2022. With the application deadline of 17.05.2022, interested parties only have very limited time to form a consortia for a joint application.
The objectives of the call are as followed:
- Support the piloting of the European Digital Identity Wallet
- Promote the development of use cases
- Test the interoperability and scalability of use cases
- Trial user journey and collect feedback for updates
- Promote the opportunities of the EUDI Wallet
- Help build the necessary expertise and infrastructure
The announcement of the funding and tender opportunity can be found here.
In the following, we would like to summarise feedback from diverse experts and highlight the most important aspects, which need further attention. However, there are also other aspects, which need to be improved, which aren’t listed here.
Coercion is the practice of persuading someone to do something by using force or threats. Since there is a big imbalance of power between big corporations or governments and users/citizens, safeguards against abuses of this system for tracking, profiling or targeted advertising is of the utmost importance. When the only way to get access to a service is to surrender personal data to a third party, there isn’t much an individual can do against it. The regulation currently doesn’t address this issue adequately. Potential solutions could be to require information requests to have a non-repudiable digital signature from the verifier to prove inadequate requests as well as an anonymous complaint mechanism to report this bad behaviour as pointed out by Drummon Reed in the manning publication “Self-sovereign identity”.
There are very positive principles included in the current draft, such as the explicit prohibition for issuers of a European Digital Identity Wallet to collect more than the necessary minimum information about the user than required to provide the service. However, it also includes a unique and persistent identifier of a wallet/citizen. The European Data Protection Supervisor recommends alternative ways to replace the proposed unique and persistent identifier by stating: “This interference with the rights and liberties of the data subject is not necessarily trivial; in some Member States, unique identifiers have been considered unconstitutional in the past due to a violation of human dignity. Therefore, the EDPS recommends exploring alternative means to enhance the security of matching.”
Transparency of the Toolbox process:
Since the eIDAS expert group solely consists of representatives from the member states, security or privacy experts from the private sector have very limited options to participate in the legislative process. The current draft also includes 28 occasions of statutory instruments, which clarify further details at a later stage, making it impossible to conduct a holistic risk and privacy assessment according to an article by Epicenter.
Evernym, an Avast company, also points out that remote wallet deletion, the limitation of just holding credentials from qualified trust service providers as well as high barriers to entry for the private market can significantly stifle the positive impact of the regulation.
The revision of the eIDAS regulation brings major opportunities with it. The European Commission has clearly identified the need to act and provide a holistic solution for the digital identities of natural and legal entities within the European Union. The eIDAS framework has the potential to be a global vanguard in creating trusted relationships for all stakeholders while also preserving privacy, security and transparency for its citizens.
While going in the right direction the technical details are still unclear. Without further information about the potential technical implementations and their consequences, a concluding assessment isn’t possible. There is a high risk that the planned pilot projects will develop in different technical directions, making future interoperability much more difficult. It’s also necessary to address the coercion and privacy concerns explained above. The limited options of participation for data protection and social experts also stifle public trust in the process.
Given the global consequences of the GDPR, the eIDAS trust framework will likely have an even more severe impact on the daily lives of European citizens and beyond. Hence, it’s essential to get this right. Currently, it’s too early to draw conclusions. The publication of the final toolbox in October 2022 will include technical aspects and more detailed legal and business prerequisites. But one aspect is clear already: Wallets will be the future.
If you want to gain practical experience by implementing an ID-Wallet use case as a pilot right now reach out to us via our contact form.
Lissi provides convenient applications for companies and organisations to receive, organise and share trusted data from end users while respecting privacy and data sovereignty. This includes the Lissi Wallet as well as our applications for organisations. You can find more information on our Website.