In search of a passport grade Digital Identity
By the end of 2026 the European Commission will introduce the European Digital Identity Wallet (EDIW). The objective of the EU is twofold: to open up the European digital market and to take a step towards digital sovereignty. The introduction of the EDIW will bring great benefits for individuals and businesses in Europe. To name a few: it should open up the currently localized market for digital services in the EU, and it should enable individuals to interact fully digitally with organisations, replacing the current hybrid form in which information with high assurances has to be supported with physical evidence (passports, qualifications, etc.). Furthermore, institutions should receive verified information about their customers, which will enable them to further digitalize processes, saving on operational costs and improving customer satisfaction. The EDIW should make it possible, for example, to purchase a financial product in one step without unnecessary or privacy-sensitive information being shared, while the bank can demonstrably comply with AML/CFT regulations.
To achieve this, we need to be able to trust digital data as much as physical documents. The Architectural Reference Framework (ARF) delves into how trust is incorporated into data, creating a framework for technical interoperability and trust across the European Union. Despite its thorough efforts, the ARF and its national implementations also raise concerns for companies compelled to adopt it. Will it provide sufficient trust to facilitate the next phase of digitalization? Based on the current status, it appears not; it may even make the current situation worse.
The primary reason for these concerns is that the binding between digital data and its subject is inadequately addressed. It remains possible for someone to impersonate or collude with another individual to present digitally trusted data that does not pertain to the presenter. We need to tackle these problems from the perspective of a fraudster: how can we make the EDIW a difficult instrument with which to commit fraud? The answer: we need a Passport Grade Identity.
In passports we trust
What makes a passport so reliable? Of course, there are the hard-to-forge security features such as embedded holograms, watermarks and tactile ink. But a passport has an additional feature: it contains biometrics. Even two of them: a picture of the subject of the passport and their fingerprints. This contributes to the reliability and security of the document, since it is always possible to verify whether the presenter of the document is the subject of the document.
If we look at the ARF, the concept of a base identification is included. This is called the Personal Identification Data (PID). If we compare a PID to a passport, we find that the security features seem to be addressed: device binding probably ensures that the PID or any other attestation cannot be copied or replayed from another device, by relying on the keys in the Wallet Secure Cryptographic Device (WSCD). User binding is tackled in a similar technical fashion, making use of the mechanisms implemented by the Wallet instance and the WSCD. Unfortunately, these mechanisms will never be strong enough to prevent fraudsters from misusing a wallet owner's identity. A person can still be coerced into handing over their identity and the keys to operate the wallet. Or two individuals can collude to combine each other's attestations in a single wallet, presenting combinations of the attestations as if they belong to one individual. In short: additional means are needed to really ensure user binding.
We could make it much harder for fraudsters to practise these forms of fraud by incorporating biometrics into the PID, similar to how it is done in passports. Fortunately, the ARF has foreseen the use of biometrics and includes them for user binding in proximity cases (show me your photo) or for liveness detection in unsupervised or remote use cases. The bad news is: biometrics are optional to include in the PID. Not all countries, including the Netherlands, plan to incorporate them. This will lead to a situation where some national EDIWs favour fraudsters. Not something the Dutch (or any) Government should pursue.
Safe biometrics
Of course, there are good reasons to be careful with biometric data. The leaking of biometrics is the worst form of data breach. But they also serve a good cause: preventing your identity from being misused. Could we find a way to use biometrics for user binding without ever having to share them? The good news is: yes, there is. A biometric credential can be stored (hashed) on a device and used locally to verify whether the user of the wallet corresponds to the individual who activated the wallet. A Zero Knowledge Proof (ZKP) of this result can be shared with issuing or relying parties, ensuring the user is handling the device without having to present the biometrics to that party. In order for this to work, two changes need to be made to the ARF: the possibility for users to add biometrics to the PID should be mandatory, and the ZKP schemes must be added to the following version of the ARF.
More bindings will build on safe biometrics
Making use of safe biometrics will be a first and important step to ensure user binding. But there are still many other bindings that need proper addressing. Mandates are until now out of scope of the ARF but imperative to implement. Otherwise, we are unable to properly support legal entity wallets or get rid of the current situation where it is tacitly allowed for someone (such as a street coach or family administrator) to have unsupervised control over multiple digital identities. Furthermore, we should expand the function of user binding to subjects by allowing relying parties to verify whether the subject of presented attestations aligns with the user, or whether the user is mandated to act on behalf of the subject. And it should be possible to correlate the presented attestations to the same subject, whose identity can be matched to the identity present in the CRM system of the relying party (when necessary and with consent of the user), to further prevent collusion without harming the principle of unlinkability. All these types of binding will be possible once user binding is established with the use of safe biometrics.
How will safe biometrics protect us?
If we were all able to protect our digital identity with safe biometrics, we would make it a lot more difficult for fraudsters to collude and commit identity fraud. A bona fide individual would have their biometrics matched against the ones stored in the PID before retrieving or presenting an attestation. This simple step would happen upon giving consent to the transaction. The fraudster, however, would not be able to present or receive attestations using somebody else's wallet, since the biometrics would not match. Relying parties can rely on the liveness detection / presentation attack detection present in the wallet but will not receive any biometrics of a user, preventing leakage of these sensitive credentials. Safe biometrics acts as the rising tide that lifts all boats, except for the fraudster's vessel. It ensures the protection of digital identities for individuals and the entities they represent. Issuing parties can confidently place attestations in the right hands, preventing misuse. Meanwhile, relying parties can trust that presented attestations belong to the subject without needing a backup paper trail.
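The flow described in the two sections above (local match against a template that never leaves the device, and only a proof of the match result reaching the relying party) as an added Python model, not code from the article or from any EDIW implementation. It assumes constructed 64-bit toy templates with a Hamming-distance matcher, and uses an HMAC tag as a stand-in for the WSCD signature or ZKP a real relying party would verify.

```python
import hashlib
import hmac
import json

# Toy biometric template: a 64-bit feature string (constructed, not a real biometric).
# Fresh samples from the same person differ from it in a few noisy bits, so the local
# matcher needs a noise-tolerant comparison (a Hamming threshold here) rather than an
# exact hash lookup.
ENROLLED_TEMPLATE = 0x5A3C9E1F00FFA5C3
HAMMING_THRESHOLD = 8   # assumed matcher tolerance, in bits


def hamming(a, b):
    return bin(a ^ b).count("1")


class Wallet:
    """Wallet instance plus WSCD. The template stays inside this object; only a
    signed statement about the match result is ever handed out."""

    def __init__(self, template, wscd_key):
        self._template = template   # never serialised or returned
        self._wscd_key = wscd_key   # stand-in for the WSCD signing key

    def present(self, fresh_sample, rp_nonce):
        if hamming(fresh_sample, self._template) > HAMMING_THRESHOLD:
            return None             # user binding failed: refuse to present
        statement = {"user_binding": "verified", "liveness": True, "nonce": rp_nonce}
        body = json.dumps(statement, sort_keys=True).encode()
        # HMAC stands in for the WSCD signature a relying party would check
        # against the wallet's attested public key; a ZKP would replace it.
        tag = hmac.new(self._wscd_key, body, hashlib.sha256).hexdigest()
        return {"statement": statement, "proof": tag}


def relying_party_verify(presentation, expected_nonce, wscd_key):
    """Accept only a fresh, untampered binding proof; no biometric is received."""
    if presentation is None:
        return False
    stmt = presentation["statement"]
    body = json.dumps(stmt, sort_keys=True).encode()
    expected = hmac.new(wscd_key, body, hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, presentation["proof"])
            and stmt["nonce"] == expected_nonce
            and stmt["user_binding"] == "verified"
            and stmt["liveness"] is True)


def leaks_template(presentation, template):
    """True if the serialised presentation carries a copy of the template."""
    return f"{template:x}" in json.dumps(presentation).lower()
```

A colluding or coercing party holding someone else's wallet fails at `present`, because their fresh sample does not match the enrolled template, so no attestation is released at all.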
Conclusion
The EDIW introduced by the revision of the eIDAS regulation offers vast potential for a better user experience, privacy and cost savings for both organisations and their customers. However, in order to make it resilient to collusion attacks and device takeover, society needs more assurance on binding. We suggest making the possibility for users to add biometrics protecting their wallet and attestations to the PID mandatory for member state implementations, and incorporating proven ZKP schemes in the following version of the ARF. Sharing biometrics must be made impossible for remote and unsupervised use cases, since the proof of user binding alone suffices. This will be the first step in establishing a passport grade identity for the EDIW and a foundation on which other forms of binding can rely in a safe and privacy-preserving fashion.
Author: Alexander van den Wall Bake - PCSI