Protect the European Digital Identity Wallet with a Biometric Lock


Within the Partnership for Cyber Security Innovation we created a collaboration to mitigate potential risks of eIDAS: the Digital Deltaworks. We support eIDAS and the wallet infrastructure that comes with it, seeing the potential benefits for users' privacy and the expected GDP growth. By the end of 2026 European Digital Identity Wallets (EUDIW) will be accessible, enabling all EU citizens to gather and present identity proofs through an application on their mobile phones. Through an EUDIW, individuals will have access to their bank accounts, verification of prescription medications, and the capability to sign contracts. Carrying around proofs of everything in your pocket simplifies life, but it also attracts malicious actors. Irrefutable proof can lead to irrefutable fraud if the identity root is compromised. The Digital Deltaworks has developed a solution with current technology to protect the root of your identity against misuse.

With great benefits come great risks

Fraudsters have been exploiting the digital realm for a considerable time, and current estimates are alarming. It is reported that 16% of individuals have been subjected to fraud, 42% have experienced an attempt at fraud, and the total fraud in the Netherlands is estimated to amount to 2.75 billion euros per year, according to research conducted by the University of Twente. Fraudsters often attempt to assume your identity and take extensive measures to do so. Obtaining access to your eIDAS wallet is highly advantageous for them. They could conduct transactions with a high level of assurance, sign contracts, collect your prescribed medication, and gain access to the financial system that is being actively purged of criminal activity through AML/CFT initiatives.

Onboarding to an eIDAS wallet is stringent to ensure a high assurance level for the root of your identity: your Personal Identification Data (PID). The PID will be firmly linked to your wallet and device and is not easy to compromise. However, during both the onboarding process and subsequent use of the wallet, it must be verified that the individual associated with the PID is the actual person operating the wallet. Herein lie our concerns. Fraudsters may exploit familiar tactics like shoulder surfing for your eIDAS wallet PIN, pickpocketing your device, using mules for their fraudulent activities, or colluding with others to mix and match credentials. These methods aim to take control of your identity, which is relatively easy if it is protected only with something you own (your phone) and something you know (your access PIN). In the event that your eIDAS wallet is stolen, it is imperative to immediately block both your phone and wallet. Timing is crucial in such situations. You must first become aware that your phone is missing, typically spending some time searching for it before realizing it has been lost. Subsequently, you need to remember how to report the loss without access to your phone. By this point, significant damage may have already occurred, as fraudsters quickly exploit their newly acquired assets. Couldn't we enhance the robustness of this system by introducing an additional factor that is less susceptible to sharing, thereby making fraudulent use of eIDAS wallets significantly more difficult?

Biometrics could serve as a third factor for identity protection. We should enable everybody to protect their identity with a biometric lock. With biometrics you could prevent unauthorised access to your information and prove control over the device to issuing and relying parties. This biometric lock should be stronger than the biometrics currently available on your device, which can be easily compromised by fraudsters. To protect your eIDAS wallet, such biometrics themselves need to be bound to the PID in the wallet. Fortunately, advanced remote biometric solutions are available which can be used in a privacy-preserving manner to generate a Proof of Presence.

A biometric lock. Will that be possible? 

Not only are there many biometric verification solutions available, but the Architecture and Reference Framework (ARF) also includes these services as optional security features. Initially, the ARF focused on proximity use, but since version 1.5 it explicitly mentions biometric verification for remote use cases. A verified portrait should be present in the wallet, either added during onboarding or later by a QTSP using a physical ID document with a chip (passport, ID card). Governments, including the Dutch national government, are considering adding portraits to the PID for proximity and remote use.

Despite the functionality provided by the eIDAS framework, there remains a barrier to its use. The GDPR restricts the use of biometrics in automated processes unless there is explicit and informed user consent. For a biometric lock, this would not be an issue as users would knowingly activate this added security feature. However, both issuers and relying parties may require further assurance that they are issuing or receiving attestations to the correct user. The use of this functionality has been outlined in the ARF from a relying party perspective. 

In our previous blog we explained how a Proof of Presence (PoP) can be generated. This method shares biometrics only with the QTSP generating the PoP attestation. The issuing or relying party receives confirmation that the QTSP has verified the user's presence matching the PID subject at a specific time. Although this significantly reduces biometric sharing compared to current processes, it still requires a solid legal foundation. 

The General Data Protection Regulation (GDPR) permits biometric verification solely with explicit user consent or in situations where no other alternative exists to safeguard the public interest. One could argue that combating fraud is in the general public interest. However, this ground is insufficient, because in those cases only a small group of people undergo biometric verification to protect societal interests, whereas using biometric verification to combat fraud subjects many more individuals to such measures. Upon consultation with legal experts from our partners, we have concluded that it is necessary to anchor the legal grounds for biometric verification to combat fraud in law. By analogy, the Aliens Act 2000 of the Netherlands has recently been amended to facilitate biometric verification at self-service passport control and now awaits approval by the Dutch senate.

When biometric verification is incorporated into the EU wallet implementation and has established legal grounds in all nation states, it is important to ensure that there is no dependency on a specific vendor of biometric verification. Standardisation of the Proof of Presence (PoP) attestation could help achieve this. 

If a Proof of Presence attestation adheres to a standard defined in a Rulebook, such as the one developed for the PID, any QTSP with biometric verification capabilities could issue a PoP attestation. Therefore, the function to generate a Proof of Presence should be part of any wallet, but the choice of the party generating the PoP will be up to the user. The Deltaworks team has created a first version of such a Rulebook, using open standards for maximum interoperability. Professionals in this field are encouraged to use the Rulebook in their implementation and provide feedback for improvement. The first pilot will likely be within the ecosystem of Company Passport.

Trust in the digital realm

eIDAS will enable all EU citizens to navigate the digital realm with the same confidence as the physical world. Proving your identity and associated attestations can facilitate a seamless and borderless digital journey while enhancing efficiency and reducing fraud. However, the core of your identity must be indisputable. If the root of your identity is compromised and a malicious actor impersonates you, trust in the digital realm will crumble. 

Therefore, it is essential to protect one's identity at the highest possible level. The safeguards should include not only something you own and something you know but also something you are. An anonymous PoP attestation confirms that the individual holding the device matches the subject in the PID at a specific time. This will protect your wallet from malicious activity, ensuring that issuing and relying parties can trust that the wallet remains under the control of its rightful owner.
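To make the PoP flow described here and in the earlier paragraph concrete, the following Go code is an added illustration, not code from the Digital Deltaworks Rulebook or any partner. It assumes a simplified attestation format (an Ed25519 signature by the QTSP over a hashed PID subject identifier, a verification timestamp and a nonce supplied by the issuer or relying party); the biometric match itself stays inside the QTSP and is represented only by its outcome.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)
// PoP is an assumed, simplified Proof of Presence attestation: no biometric data,
// only a hash of the PID subject, the verification time, the RP's nonce and a QTSP signature.
type PoP struct {
	SubjectHash string // sha256 of the PID subject identifier, not the identifier itself
	IssuedAt    int64  // Unix time at which the QTSP verified presence
	Nonce       string // challenge from the issuer/relying party, binds the PoP to one session
	Signature   []byte // Ed25519 signature by the QTSP over signedBytes
}

// signedBytes is the canonical form the QTSP signs (layout assumed here).
func signedBytes(p PoP) []byte {
	return []byte(fmt.Sprintf("%s|%d|%s", p.SubjectHash, p.IssuedAt, p.Nonce))
}

// IssuePoP models the QTSP: the biometric match stays inside the QTSP (the
// matched flag stands in for it) and only its signed outcome leaves.
func IssuePoP(key ed25519.PrivateKey, pidSubject, nonce string, matched bool, now time.Time) (*PoP, error) {
	if !matched {
		return nil, errors.New("biometric verification failed: no attestation issued")
	}
	p := PoP{SubjectHash: fmt.Sprintf("%x", sha256.Sum256([]byte(pidSubject))), IssuedAt: now.Unix(), Nonce: nonce}
	p.Signature = ed25519.Sign(key, signedBytes(p))
	return &p, nil
}

// VerifyPoP models the issuer or relying party: signature, PID binding, nonce (anti-replay), freshness.
func VerifyPoP(qtspPub ed25519.PublicKey, p PoP, pidSubject, nonce string, now time.Time, maxAge time.Duration) error {
	if !ed25519.Verify(qtspPub, signedBytes(p), p.Signature) {
		return errors.New("invalid QTSP signature")
	}
	if p.SubjectHash != fmt.Sprintf("%x", sha256.Sum256([]byte(pidSubject))) {
		return errors.New("attestation not bound to the presented PID subject")
	}
	if p.Nonce != nonce {
		return errors.New("nonce mismatch: possible replay")
	}
	if age := now.Sub(time.Unix(p.IssuedAt, 0)); age < -time.Minute || age > maxAge {
		return errors.New("attestation not fresh")
	}
	return nil
}
```

The relying party never sees biometric data: it learns only that a QTSP it trusts attested, for its own nonce and within its freshness window, that the person present matched the PID subject it holds.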

We urge all EU member states to incorporate functionality for privacy-preserving biometric verification into their EUDI wallet implementations. This should be done using a standard for Proof of Presence to prevent vendor lock-in, and the use of biometrics to protect one's identity should be legally grounded. Let us outsmart fraudsters and make identities uncompromisable!

Partners of the Digital Deltaworks

This project is backed by five of our core partners: ABN AMRO, ING, Belastingdienst, Achmea and TNO.
Three liaison partners contributed in kind with their expertise and development capability: iProov, Inverid and Itsme.
