Europe's eID Wallet: What are the five pillars of success?
If current timelines remain on track, EU member states will begin piloting their EU Digital Identity (EUDI) Wallet apps as early as next year, with the ambition to have 80% of citizens using an eID solution by 2030. Following on from his blog, which introduced the opportunities and challenges for EUDI, Jean-Daniel Aussel, Chair of the GlobalPlatform eID Wallet Task Force, outlines five key pillars that are fundamental for the success of EUDI Wallet deployments.
1. Security and privacy
It will come as no surprise that security and privacy are top considerations. For the EUDI Wallet to fulfil its ambition of making cross-border eID a reality, it must be trusted by people, businesses and governments to store personal data. What’s more, solutions must be capable of only displaying the data that the individual needs and wants to share for a particular use case.
The EU Commission outlined citizens being able to “control and protect their identity, personal data and digital assets" as one of the cornerstones of the EUDI project.
To ensure EUDI Wallet solutions offer security and privacy, there are a number of different factors to take into consideration. Lifecycle management for devices can be complex, as various software upgrades need to be made to ensure a device remains secure. EUDI Wallet applications are no different and so must be remotely maintained and even decommissioned securely. A diverse mobile phone ecosystem, with different manufacturers and operating systems, risks fragmentation, further complicating EUDI security.
Therefore, the EU must define an entire scheme for security and conformity to the required security levels, which may take over two years to come to fruition. The best approach here is through collaboration, drawing on the expertise of industry bodies to ensure that all stakeholders, like chip makers, device makers and service providers, are involved in the process to ensure end-to-end protection for users.
Security is complex. To define the security of evaluated products, the European Cybersecurity Act sets out three assurance levels for certification schemes – high, substantial, and basic. The secure storage of sensitive wallet data, as well as the storage and execution of cryptographic material, will most likely require a high level of assurance.
The first step in this case is to evaluate what is already available, and what technologies need to be developed to support EUDI in meeting a high level of security. GlobalPlatform Secure Elements (SEs) for example are already certified under the common criteria methodology, that will evolve very soon to the EU Cybersecurity Certification (EUCC) scheme, in both cases offering a high level of security assurance. SEs have also demonstrated their capabilities in several scenarios involving the use of private data, such as contact and contactless payment transactions, SIM cards and biometric authentication.
The important consideration here is to ensure the scheme is able to incorporate both existing and newly developed technologies to ensure all solutions are interoperable.
2. Interoperability and consistency
There are 27 EU member states, each of which may choose to implement its own EUDI Wallet solution. Similarly, private vendors are also working on individual solutions and services for eID which could add complexity. During a GlobalPlatform eID Wallet seminar, the EU Commission outlined its key objectives for EUDI rollouts, one of which was that they should be accepted everywhere in the EU where authentication is needed.
Interoperability needs to be the first consideration before deployments to avoid a scenario where there are hundreds of competitors all creating proprietary solutions. This could cause fragmentation which would make the goal of having EUDI solutions accepted across all use cases and member states, difficult to achieve.
GlobalPlatform technologies are developed with interoperability in mind and are readily available across the vast majority of mobile phones. These technologies provide the foundations of trust, regardless of the underlying wallet attribute or data model.
3. Inclusivity and useability
All EU citizens and businesses may use the EUDI free on a voluntary basis. This was also outlined by the EU Commission as one of the three cornerstones of the European digital identity.
Although member states have the autonomy to design and deploy their own EUDI Wallets, they must be accessible across the EU for citizens to authenticate transactions and provide identification for wide-ranging and evolving use cases.
Several implementations for EUDI Wallets are possible to widen the scope of devices on which the solutions can be made available.
- Embedded Secure Element (eSE) – offers high security but may not be implemented by some Original Equipment Manufacturers (OEMs). Currently, eSE’s are more common in high-end devices.
- Embedded SIM (eSIM) – the number of providers offering commercial eSIM services for smartphones has doubled in the past two years, so this is an inclusive technology and will be more so in the future if current trends continue. Developments with Secure Application for Mobile (SAM) will offer both security and sovereignty of eSIM, but requires legislation to ensure fair access to the eSIM, as well as a clear governance on which bodies can control the management of EUDI applications on the eSIM, making it a long-term option rather than a readily available solution.
- Hardware Security Module (HSM) – this model faces challenges with flexibility and security to ensure the user has sole control through strong authentication; something the EU Commission is keen to uphold as part of its objectives for EUDI Wallets. HSMs are located on the cloud and do not require hardware on devices. It is seen as a short-term compromise for quick deployment of EUDI in less demanding use cases, however still requires strong authentication of the user.
The use cases for EUDI are largely smartphone-based, so components and applications must be readily available on the majority of devices, offering consistent amounts of protection. Although more and more smartphones have an embedded secure element for use cases such as payment or digital key, other secure elements such as the eSIM must also support the EUDI Wallet to ensure the largest possible inclusivity. This again must be taken into consideration when defining the scheme and regulations around EUDI.
4. Flexible business models
As with any new government solution, the current regulations are likely to evolve and change, and the business models for solution providers to monetize their services are still to be discovered. At this stage it is important for businesses to be flexible in how they monetize solutions to ensure they can react and adapt to emerging regulations.
Payment schemes provide a good model for how to achieve monetization by remaining flexible in the face of evolving regulations. Like payments, access to government-mandated identification is something all citizens should be able to access for free, as outlined by the EU Commission as an objective of the rollout. The payment schemes have been flexible enough to adapt over the years to changing regulations and emerging technologies such as mobile payments, and EUDI Wallet providers may need to be so as well.
5. Regulation and certification
As EUDI Wallets develop, regulations need to evolve with them to ensure that solutions are deployed in a consistent way, ensuring security, inclusivity and interoperability. There are still major elements of the governance to be defined, such as responsibilities of relying parties, and financial liabilities.
ENISA, the body responsible for defining the EU Cybersecurity Act, does not yet have a mandate to define a scheme for EUDI, and will likely take a phased approach with a transition model based on aspects of the EUCC scheme. The final scheme may rely on work being done around EU5G.
Another of the EU Commission’s objectives for EUDI Wallets was that they should be compliant with privacy regulations. To meet regulations, and uphold the pillars of security, interoperability and accessibility, requires extensive evaluation of solutions and demonstration of capabilities through certification.
GlobalPlatform also manages the Security Evaluation Standard for IoT Platforms (SESIP) evaluation methodology, which can provide the basis for certification by composition of complex applications such as the EUDI Wallet. Read more about how SESIP can support EUDI deployments.
Although there is no silver bullet to meet all of the EUDI Wallet’s security, convenience and inclusivity requirements,
GlobalPlatform technology does provide a foundation for secure services and is deployed on the vast majority of devices. Its standards and certification schemes have met the highest levels of assurance for the security schemes of different market segments such as payments and telecommunications, and can surely provide the trust architecture needed to bring the highest assurance to the EUDI Wallet.
Discover more about GlobalPlatform’s work on eID through its eID Wallet Task Force.