Hurdles to protecting your Identity
Earlier this summer, the Digital Deltaworks team highlighted the need for a passport-grade Digital Identity and the potential use of biometrics to safeguard against identity misuse. We realize that biometrics do not provide complete protection, but security is significantly higher with biometrics than without.
These elements should be included in the eIDAS revision, which aims to enable all EU citizens to activate a wallet for exchanging attestations in both the public and private sectors. Unfortunately, the regulation’s details fall short in protecting one’s identity from misuse: The proposed Personal Identification Data (PID), detailed in the annex of the implementing act “Personal Identification Data and Electronic Attestations of Attributes”, lacks the requirements to make it a passport-grade identity document. For example, optional.. Additionally, the possibility of using liveness detection for remote use cases, mentioned in the Architecture and Reference Framework, has not been fully elaborated. Since biometrics are not a mandatory available attribute in the PID, it is expected that liveness detection will also not be mandatory in wallets.
This situation leaves identities vulnerable to theft or misuse, as it is easy to lose or lend out a device along with its access codes. This risk needs to be mitigated to protect citizens, similar to how physical identity proofs, such as passports, are safeguarded. Due to this vulnerability, sectors that require strong user authentication by law, such as the financial sector, cannot fully trust these digital means, even though they are mandated to accept them. Therefore, there is a dual interest in enhancing the concept of user binding, ensuring that the user of the device is the subject of the PID and the intended holder of any other attestations in the European Digital Identity Wallet (EDIW):
- To protect citizens’ identities against manipulation and theft.
- To protect relying parties from identity fraud.
Solve it with current technology
Current technology can mitigate the risks of identity theft and help protect relying parties from identity fraud by using facial biometrics. We have expanded the Digital Deltaworks team with technology providers who already offer parts of the solution on the market. Our next goal is to integrate these components into a Proof of Concept (PoC) to illustrate our findings. The PoC will demonstrate the following flow, which consists of two parts: an initial setup that only needs to be performed once, and a verification process that can be repeated as needed. This PoC outlines the Happy Flow. We understand that there will be instances where this flow may not be successful. Therefore, it is crucial to have an alternative process in place that offers the same level of assurance.
Initial Setup
- Bob has a wallet installed on his phone, cryptographically bound to the device.
- Bob retrieves a PID without biometrics, which is cryptographically bound to the wallet instance.
- To prove Bob is the one using the device with the bound wallet and PID, and not someone who has gained control over his device, Bob scans his ID document. The relevant information to match the ID document to the PID, together with the photo, is retrieved. If the information matches, Bob can continue.[1] When the biometrics are already included during the issuance of the PID, the process is stronger because no mismatch can occur.
Verification process
- Bob is asked to record a selfie movie[2] to prove he is actually using the device and is a real, living person, not an AI-generated imposter. The selfie video is matched with the photo retrieved from the document.
- If the matching is successful, Bob receives a “proof of user” in the form of a short-lived (Q)EAA generated by the QTSP, stating that the person wielding the device is the same as the subject of the PID, and the time the statement was generated. This proof of user is bound to the wallet (which is bound to the device), and the PID.
- Bob can present this proof of user to a relying party, along with any other required presentations, to start a transaction.
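As an added illustration (not the team's PoC code), the following Python sketch models the two sides of the verification process above: the QTSP issuing the short-lived proof of user after a successful selfie match, and a relying party checking it against the accompanying presentation. The HMAC stand-in for the QTSP's qualified signature, the 300-second lifetime and all identifiers are assumptions.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the QTSP's qualified signing key (assumption: a real
# QTSP would use an asymmetric qualified signature, not a shared secret).
QTSP_KEY = b"constructed-qtsp-demo-key"
PROOF_TTL_SECONDS = 300  # assumed short lifetime of the proof of user


def _sign(payload: dict, key: bytes) -> str:
    """Deterministic serialisation + MAC; stands in for the QTSP signature."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def issue_proof_of_user(wallet_key_id: str, pid_hash: str, match_ok: bool, now: int):
    """QTSP step: after the selfie video matches the document photo (match_ok),
    issue a proof of user bound to the wallet instance and to the PID."""
    if not match_ok:
        return None
    payload = {
        "statement": "person wielding the device is the subject of the PID",
        "wallet_key_id": wallet_key_id,  # binding to the wallet (and thus the device)
        "pid_hash": pid_hash,            # binding to the PID being presented
        "iat": now,                      # time the statement was generated
        "exp": now + PROOF_TTL_SECONDS,
    }
    return {"payload": payload, "sig": _sign(payload, QTSP_KEY)}


def verify_presentation(proof, presented_wallet_key_id: str, presented_pid_hash: str, now: int) -> str:
    """Relying-party step: check signature, validity window, and that the proof is
    bound to the same wallet and PID as the presentation it accompanies."""
    if proof is None:
        return "no proof"
    p = proof["payload"]
    if not hmac.compare_digest(_sign(p, QTSP_KEY), proof["sig"]):
        return "bad signature"
    if not (p["iat"] <= now < p["exp"]):
        return "expired"
    if p["wallet_key_id"] != presented_wallet_key_id:
        return "wallet mismatch"
    if p["pid_hash"] != presented_pid_hash:
        return "pid mismatch"
    return "ok"
```

A proof copied to another wallet, or kept past its lifetime, is rejected by the binding and window checks rather than by the signature alone.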
Legal complexity and the weakest link
Facial biometrics can provide a strong form of user binding, but also has an Achilles heel: if biometric data is compromised, it can be exploited to misuse one's identity. This risk is increasingly evident with the widespread use of deepfake technology. This is one of the reasons the GDPR by default prohibits the automated processing of biometrics for identification purposes. There are a couple of exceptions: biometrics can be used for domestic identification (e.g., unlocking your phone or app), and under the less elegant legal basis of explicit informed consent. While some argue that identification involves recognizing an individual within a group, and this process is more of a one-on-one verification, legal experts assisting the Digital Deltaworks team assert that specific legal grounds must be formulated for this processing. Even Article 29 of the UAVG, which states that the ban on the use of biometrics for identification is not applicable if the processing is necessary for authentication or security purposes, is considered insufficient. Currently, banks process biometrics under explicit user consent, offering an alternative route for customers who do not consent. However, this is a laborious solution.
Matching a Dutch PID to an ID document is a weak link. An identifier is needed to establish the relationship, but the proposed Dutch PID includes only the first name, last name, and date of birth, which does not guarantee a unique match. Consequently, it is possible to match an ID document and corresponding biometrics to a PID of someone else with the same names and date of birth. Incorporating the government-issued identifier (BSN) into the Dutch PID could ensure the necessary uniqueness, but this would make the PID useless for most private sector applications due to the stringent restrictions on the use of this identifier by private entities. This issue could be addressed with technologies such as Attribute-Based Encryption, but no such advanced protection mechanisms are currently integrated into the ARF.
Perspective matters
While current technology can establish strong user binding, the perspective from which it is implemented is crucial. There is a dual interest in enhancing user binding: protecting citizens’ identities against theft and protecting relying parties from identity fraud.
From a relying party’s perspective, the biometric check could be controlled by the relying party. This would involve the relying party receiving the (encrypted) biometrics and engaging technology providers for matching. However, this compromises user privacy, as biometrics must be shared with the relying party, and the technology provider for matching becomes aware of the relationship between the user and the relying party.
From a citizen’s perspective, all functionality to match identity to biometrics should be present in the wallet. The proof of user could then be generated within the wallet, preventing unauthorized presentations. Biometrics would never need to be shared, and if a relying party requires user binding, only the proof of user would be shared. However, this approach is not currently on the roadmap for the EDIW developed by the Dutch government.
Path forward for User Binding
We believe that the citizen’s perspective is the wiser approach for implementing user binding. Allowing citizens to protect their identity with biometrics should be a mandatory feature of any EDIW. The use of biometrics for this purpose must have a firm legal basis, but making use of it should always remain an individual choice.
Therefore, we suggest the following ideas be incorporated into the implementation acts:
- It should be mandatory for PID providers to include biometrics in the PID if the subject desires this.
- EDIW implementations should be required to add liveness detection to the wallet to generate proof of user presence, but using this functionality should always be voluntary.
- EDIW implementations must support technologies like Attribute-Based Encryption to enable the use of sensitive information, such as government-issued identifiers, while protecting it against leakage and misuse.
[1] This technology is now used by QTSPs and financial institutions. Inverid has offered to integrate their solution in our PoC.
[2] This technology is now used by financial institutions in combination with ID scan technology. iProov has offered to integrate their solution in our PoC.