Digital Identity Ecosystems

Started in December 2021

Research on the impact of the upcoming European (digital) identity regulations on the financial sector.


The European Union is creating an eIDAS compatible European Self-Sovereign Identity Framework (ESSIF). The ESSIF makes use of decentralized identifiers (DIDs) and the European Blockchain Services Infrastructure (EBSI).
There is a lot of uncertainty in the upcoming EU regulations (eIDAS2). What kind of problems can we expect in the current and future way of working, and how can we mitigate them? Which standards are needed to adhere to the new regulations? The financial sector has the opportunity to proactively influence infrastructure and regulation. TNO is working together with ABN AMRO and ING on this topic.

Self-Sovereign Identity (SSI)

Self-sovereign identity (SSI) is an approach to digital identity that gives individuals control of their digital identities. SSI addresses the difficulty of establishing trust in an interaction. In order to be trusted, one party in an interaction will present credentials to the other parties, and those relying parties can verify that the credentials came from an issuer that they trust. In this way, the verifier's trust in the issuer is transferred to the credential holder. This basic structure of SSI with three participants is sometimes called "the trust triangle".

In an SSI system, holders generate and control unique identifiers called decentralized identifiers. Most SSI systems are decentralized: the credentials are managed using crypto wallets and verified using public-key cryptography anchored on a distributed ledger. The credentials may contain data from an issuer's database, a social media account, a history of transactions on an e-commerce site, or attestations from friends or colleagues.

Goals & Objectives

Currently, banks develop their own apps for digital transactions. These include mitigating measures to reduce the risk of illicit transactions. EU regulations (eIDAS2) could result in banks having to accept third-party apps for digital transactions. Banks could then lose control over risks they now mitigate in their proprietary apps.

Project results

Activities in the Proof of Concept phase

To keep the risk of using a third-party app as low as possible, the bank needs to be sure that the app is using the required systems, so that it can be trusted with the user and bank information it processes.

In our proof of concept, the app can show an SSI credential (certificate) that verifies that the wallet app can be trusted by the bank. These certificates will be issued by an accredited auditor that tests whether the app meets the technical agreements ("afsprakenstelsel"). These agreements will be made in a governing authority in which multiple banks participate.
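As an added illustration of the trust triangle and of the auditor-issued wallet credential described above (example code, not the project's own PoC code): the accredited auditor signs a claim about the wallet app, and the bank accepts the credential only if the issuer is on the bank's own trust list, the credential is unexpired, and the signature verifies. The DIDs, claim text, credential layout and key handling are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Credential is a constructed, minimal stand-in for the PoC's SSI credential: an
// accredited auditor (issuer) signs a claim that a wallet app (subject) is compliant.
type Credential struct {
	Issuer  string `json:"issuer"`  // issuer DID (hypothetical did:example:... values)
	Subject string `json:"subject"` // wallet app DID
	Claim   string `json:"claim"`
	Expires int64  `json:"expires"` // unix seconds
	Sig     []byte `json:"sig,omitempty"`
}

func (c Credential) payload() []byte {
	c.Sig = nil             // sign every field except the signature itself
	b, _ := json.Marshal(c) // struct field order keeps this deterministic
	return b
}

// Issue is the auditor's side of the trust triangle.
func Issue(issuer, subject, claim string, exp time.Time, priv ed25519.PrivateKey) Credential {
	c := Credential{Issuer: issuer, Subject: subject, Claim: claim, Expires: exp.Unix()}
	c.Sig = ed25519.Sign(priv, c.payload())
	return c
}

// VerifyAt is the bank's (relying party's) side: the issuer must be on the bank's trust
// list, the credential must be unexpired, and the signature must verify under that key.
func VerifyAt(c Credential, trusted map[string]ed25519.PublicKey, now time.Time) bool {
	pub, ok := trusted[c.Issuer]
	if !ok || now.Unix() >= c.Expires {
		return false
	}
	return ed25519.Verify(pub, c.payload(), c.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"did:example:auditor": pub} // bank's trust list
	cred := Issue("did:example:auditor", "did:example:wallet", "compliant", time.Now().Add(time.Hour), priv)
	fmt.Println("accepted:", VerifyAt(cred, trusted, time.Now())) // true
}
```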

We will:

  • Build a PoC of the new way of working with measures to mitigate the new risks.
  • Determine the risk profile of the new way of working using the same methodology as for the current way, in order to compare it to the current risk profile.
  • Compare the risk profiles and determine the difference in risk across all possible attack vectors, in order to quantify any changes.
  • Quantify the expected cost savings of the new way of working.
  • Analyse the trade-off with security and how it weighs up against the cost reduction of developing and maintaining a proprietary app.
  • Determine whether the new way of working is fit enough to demand changes to the EU toolbox (and specify these changes).

This project is part of the trend

Growing importance of identity and access management (Opportunity and threat 22, March 2022)

There is a growing significance of managing identities within and across enterprises. Through identity and access management, businesses can record employee activity and moderate access to programs and applications, denying unauthorized access and detecting suspicious patterns and transactions. Initiatives around password-less methods, controlling one's own attributes with SSI technology, and multi-factor authentication are increasingly prevalent.