Aivo Kalu, Lead Security Engineer: addressing the issues around eIDAS2 and EUDI wallet

Aivo Kalu

Lead Security Engineer

eIDAS1 (Regulation (EU) No 910/2014) is the EU regulation that sets common, yet voluntary, rules for electronic identification, authentication and electronic signatures. Estonia and Cybernetica use it as the standard in our daily work: the regulation itself, its implementing acts, and the related ETSI and CEN standards. We have worked hard to develop a technology (see SplitKey) that enables level of assurance "high" authentication and qualified electronic signatures for 3 million active users in Estonia, Latvia and Lithuania every day. Over the years we have also helped secure the whole Estonian eID ecosystem by providing consultancy to the Estonian Information System Authority.

eIDAS2 is an update that promises to bring mandatory eID means to every citizen of the EU, in the form of a digital identity wallet. The initiative has been in the making since the end of 2020 (the Commission's first proposal was published in June 2021). Cybernetica, and especially its Digital Identity Technologies team, has been closely following the development of the new legislation and the discussions and developments around it.

An EU Digital Identity wallet (EUDI wallet) is a step in the right direction for the digital identity of citizens and member states. It will allow every member state citizen to obtain person identification data (PID) from government authorities, as well as attested attributes (in other words, documents, licences, certificates and data). Citizens can present all those credentials to relying parties across public and private services. The wallet will run on your mobile phone and work both online and in proximity (in-person) situations. Commercial entities can also take advantage of an EUDI wallet by issuing their own documents, licences and attributes, and they can ask a citizen to present a PID or other attributes to them. Think of the way you present a boarding pass today, except that it will also be possible with driver's licences, residence permits, loyalty cards and much more. Imagine strong authentication, seamless eKYC, transfers, payments and easier interactions with public services. The economic impact, improved user experience and efficiency that such capabilities could bring to the public and private sector are considerable.

But it is not happening, at least not in the near future for many…

Why? First of all, it has been in the making for almost three years already, and the best we have so far are large scale pilots (LSPs) that will, perhaps, start soon. Several kick-off meetings were planned for the beginning of April, but no real work is likely to start before June 2023, and the outcomes of the pilots still need to be implemented in the reference wallet toolkit for member states. Even with optimistic roadmaps, the first EUDI wallets legally in production are promised sometime in 2024 or 2025.

Another reason for the delay is that the EU's effort requires new policies and technical solutions before the ecosystem can function. It takes a lot of effort and numerous discussions to agree on a common identity framework for all the member states plus the European Commission. Furthermore, since eIDAS1 was voluntary, some member states have still not fully embraced digital identity today. All in all, it is perhaps a small miracle that the regulation has come this far, but there is still a long way to go to meet the current 2024/2025 projections, and issues remain to be addressed.

Another reason, with technical nuances, is the classical paradigm that specialised secure hardware, such as smart cards, SIM cards, eUICCs and other embedded secure elements, is absolutely required for secure authentication and qualified signatures. To cater for national digital identity and wallet requirements, GSMA has proposed a certification scheme for eSIMs and eUICCs, which industry is now picking up but which is still pending official recognition under the EU cybersecurity certification framework. However, only recent, updated chips are able to meet the requirements and be evaluated, and only a few of them are known at the moment.

This is a limiting factor for uptake and acceptance. End-users should not be required to own the latest generation of flagship phones to benefit from a digital identity wallet. Over time this may cease to be an issue, but having to buy a new phone within the next two years to enter the ecosystem widens the divide between the "haves" and "have nots" and is not in the spirit of an inclusive digital identity solution. It is also worth serious consideration that member states' digital identity solutions would potentially rely on phones and chips made by non-EU companies, which raises security and sovereignty concerns.

Chip-based solutions bring another caveat: supply chain and country-of-origin issues that can affect the availability and strategic security of digital identity. The world has already seen chip supply problems during the Covid period and, more recently, supply chain disruptions stemming from the Russian war in Ukraine and the associated sanctions. Reliance on raw materials and manufacturing involving China, Russia and Ukraine raises concerns about the future availability of chips, and serious security concerns depending on where the chips are manufactured and where the raw materials are sourced. A further question is whether a trusted and ethical solution can be provided that relies entirely on chips manufactured outside the EU.

At Cybernetica, we believe there are better and quicker ways of working towards an eID wallet and we are working on these solutions.

With advanced cryptography, such as secure multi-party computation, threshold cryptography schemes and other techniques, it is possible to run an EUDI wallet app on common, existing mobile hardware today with a security level comparable to hardware-based solutions. The principle is that the private key is split into shares held by different parties (for example the phone and a server), so that no single device ever holds a complete key that could be extracted, and every signature requires the cooperation of all share holders. It is also possible to certify such software-based solutions under existing evaluation standards, such as Common Criteria and the remote QSCD protection profiles. It is no coincidence that the US National Institute of Standards and Technology (NIST) is right now preparing a standardisation call for such multi-party threshold schemes; comments on the public draft are due on 10 April. Nor is it a coincidence that similar authentication and signing services have been in use in Estonia since 2017.
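To make concrete what a threshold scheme buys in this setting, the following is an added example (it is not the SplitKey protocol and not Cybernetica's code): a two-party Schnorr signature in which the private key is the sum of a share held by the phone and a share held by a server. Neither party ever reconstructs the key, the output verifies as an ordinary single-key Schnorr signature, and a partial signature from one share alone does not verify. The Schnorr group parameters, the `Party` class and the messages are constructed for this example; the group sizes are toy-scale so that it runs in about a second.

```python
# Two-party threshold Schnorr signing: added illustration, not SplitKey and not
# any Cybernetica code. Group sizes are toy-scale and generated at run time.
import hashlib
import random
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin, adequate for generating illustration parameters."""
    if n < 2:
        return False
    if any(n % sp == 0 for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)):
        return n in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(qbits=160, pbits=512, seed=2023):
    """Schnorr group (p, q, g): q prime, q | p-1, g of order q. Toy sizes only."""
    rng = random.Random(seed)          # seeded only so the example is reproducible
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        k = (rng.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))) & ~1
        p = k * q + 1
        if is_probable_prime(p):
            g = pow(2, k, p)           # 2^((p-1)/q) has order q unless it equals 1
            if g != 1:
                return p, q, g


def challenge(q, R, y, msg):
    """Fiat-Shamir challenge e = H(R || y || m) mod q."""
    h = hashlib.sha256(b"%d|%d|" % (R, y) + msg).digest()
    return int.from_bytes(h, "big") % q


class Party:
    """Holder of one additive share x_i of the signing key (e.g. phone or server)."""

    def __init__(self, group):
        self.p, self.q, self.g = group
        self.x = secrets.randbelow(self.q - 1) + 1   # private share; never leaves this party
        self.y = pow(self.g, self.x, self.p)         # public share g^x_i
        self._k = None

    def nonce_share(self):
        """Fresh nonce k_i, publish R_i = g^k_i. A real protocol commits to R_i first
        (or uses two nonces as in MuSig2) so a dishonest party cannot pick R_i last."""
        self._k = secrets.randbelow(self.q - 1) + 1
        return pow(self.g, self._k, self.p)

    def partial_sign(self, R, y, msg):
        """s_i = k_i + e*x_i mod q, computed without ever seeing the other share."""
        e = challenge(self.q, R, y, msg)
        s_i = (self._k + e * self.x) % self.q
        self._k = None                               # nonces are strictly single-use
        return s_i


def combined_public_key(group, parties):
    """y = prod(g^x_i) = g^(x_1 + x_2 + ...); the full key x is never assembled."""
    y = 1
    for party in parties:
        y = y * party.y % group[0]
    return y


def threshold_sign(group, parties, msg):
    """Every party contributes; the result is an ordinary Schnorr signature (R, s)."""
    p, q, _ = group
    y = combined_public_key(group, parties)
    R = 1
    for R_i in [party.nonce_share() for party in parties]:
        R = R * R_i % p
    s = sum(party.partial_sign(R, y, msg) for party in parties) % q
    return R, s


def verify(group, y, msg, sig):
    """Plain single-key Schnorr verification: g^s == R * y^e mod p."""
    p, q, g = group
    R, s = sig
    if not (0 < R < p and 0 <= s < q):
        return False
    return pow(g, s, p) == R * pow(y, challenge(q, R, y, msg), p) % p
```

Usage: build the group with `make_group()`, create two `Party` objects (phone and server), derive the joint key with `combined_public_key`, and sign with `threshold_sign`; the result passes `verify` under the joint key, while `(R_i, s_i)` from a single party does not. Two things a production protocol adds that this sketch omits: a commitment round on the nonce shares before they are revealed, and proof of knowledge of each key share at key generation, so that neither party can choose its share as a function of the other's.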

The future could be today. Your EUDI wallet could be in production in 6 months!