eIDAS: Private Identity Verification in the European Union

Author: Ali Ayaz

Introduction

Imagine a bank teller with a photographic memory. If only just once, it was required of you to prove your identity through an identity card to that bank teller, your private information would be ingrained in their memory. Ready to pull out any bits and pieces of information at their leisure to make judgements about your character. All this because it was necessary to prove one small part of your identity. Consumers are subjected to this kind of invasion of privacy on every platform they use in addition to the consistent need to verify the same information to different institutions resulting in multiple accounts, cards, passwords and phone numbers. In contrast, companies also have to contend with constantly changing privacy laws, data storage and dwindling trust with their consumers because of this. 

To a large degree OAuth and OpenID - The ‘Sign in with Google’ buttons - were developed to deal with that exact problem. They allowed for a smooth and blind transaction between two unrelated parties, which is how an e-commerce website can get your name and profile picture from your Google account without having to provide them yourself. However, this new approach came with its own limitations. Primarily, the consumer depends on a few service providers; Google, Facebook and occasionally Github, to authenticate themselves rapidly online, with the added caveat that only those companies get to keep user data.

However, the extent of these authentication systems today remain quite limited. Although our Google verification does carry a legitimate weight in the internet today, it bears no weight in governmental and financial bureaucracies. Yet, the practicality of providing minimal information and effort to verify oneself in any context is a welcome addition. With European Union regulation in mind, this article will explore the options for simple universal authentication and how EU governing bodies have already begun their implementation to streamline trade and consumer experiences.

Multi-Factor Authentication

One approach for a digital authentication, with some degree of validity, is Multi-Factor Authentication, most commonly encountered as Two-Factor Authentication. At heart, the idea is that a password can be stolen, so there should be another layer of access control before authentication is completed. Primarily, this uses a phone number, but in more government oriented systems, a smart-card or biometric data can be used as another layer of authentication. 

Although this seems like it’s primarily a security measure, the extent to which these methods are used are not limited to that basic mechanism. For example, Google using 2FA provides them with another layer of verification that you are indeed who you claim to be. This can be primarily done due to the fact that often, especially in the EU, phone numbers are paired with an identification number or some descriptive detail about the owner.

Similarly, biometrics can only happen if there is a database in which your biological data is paired with your identity.  Additionally, payment cards are used online to verify that a person is of legal age, as well as in cases of trial software. This poses an unnecessary divulsion of data from the user’s end for the sake of gain in assuredness and legal safety for the platform. Smart cards also come with the downside of another card, more pins to remember and technology that does not integrate well with current consumer trends. A new approach is necessary.

Identity Verification

As it is today, the only universally agreed upon identification mechanism is the identity card which each EU citizen carries. Alongside their shortcomings - bulky, replicable and old - identity cards today function as the primary evidence of a person’s claim of identity and serve as an easy to lose item in times of importance, and an easy to steal item or even counterfeit. The many ways an identity card can be used for authorization allows for creative ways to bypass the security mechanisms put in place using them.

For example, a pub has a different usage for an identity card than a bank, and a bank different to the governmental body which issued it. Different institutions have different needs, yet, when it comes to cards, birth dates, social security information, pictures and a host of other data is shown for anyone to see at an equal right. That can pose a real issue with, say a bank teller with a photographic memory, or a scanner which saves your card in its entirety for the bank’s needs. However, the bank, pub or grocery store does not really need more than evidence that you are who or how old you claim to be.

This leaves consumers and businesses in a difficult position alike. Businesses, banks and organizations are obliged to store massive amounts of sensitive consumer data which they have to protect consistently against malicious actors from outside the organization and from within. Consumers do not know what part of their data is being used when they share important official documents and they have no other choice but to participate. Pair that with the additional layers of security and verification required in an international context - with minimal coordination between parties - and a costly bureaucracy is born. Not only is this approach privacy insensitive, it’s not cost effective either. New approaches are consistently being proposed and often there are new developments. 

eIDAS - Electronic Identification And Trust Services

As our lives and the digital world have grown intertwined, a need for more than service providers’ involvement has become necessary and this is one of the issues that the European Union is keenly focused on. Since 2014 regulations and frameworks have been continuously developed in anticipation of an eventual mandatory digital form of identification for citizens and businesses. Eventually, a project was launched by the European Union to bolster the sovereignty and autonomy of consumers over their data and the interoperability of these private and secure forms of identification. The current initiative is active in six European member states; Croatia, Estonia, Germany, Italy, Luxembourg and Spain.

In the hopes of bolstering the European single market by providing a robust digital infrastructure for it to operate in. New technologies are being introduced to support the desire for a more fluid and private flow of identity information between businesses and consumers. The notion is simple; Allow for a free flowing and smooth transition of personal information between participants of the European single market. To a large extent, this is currently made possible by large expensive bureaucracies that make current European Union identification cards verifiable. However, that only fulfills one of the criteria - fluid flow of information, but not private. The balance had to be struck between interoperability and privacy because the available technologies could not solve both limitations at once.

Today this is changing rapidly, new technologies come with the promise of privacy, interoperability and transparency. Currently, the European Union is investing in several projects along with member states supporting projects that deliver these demands. An Electronic ID that carries with it the verification power of what we now use paper, signatures and official stamps for is on the horizon. In an interconnected and more united Europe the simplified travel of information and verification are becoming a necessity.

Conclusion

Currently, the eIDAS framework is of great interest for small and medium enterprises, as the development of any further technologies could be hampered by future regulations and sudden changes in the market. Not only because it’s best to anticipate legal changes and adapt to them before they occur, but because these regulations and frameworks have a validity in what they can offer businesses. Primarily, less responsibility towards consumer information and less cost towards validating and housing the verification material required to provide the service. 

This is a signal of change in the way we develop platforms and software. It also comes with the added benefit of less boundaries for entry for many new-comers. Currently, either human verification or Artificial Intelligence models - usually both - are required to validate incoming consumers if any government identification is required. This approach is burdensome on both users and platforms. The first, because it’s an unnecessary divulgence of personal information to participate on a platform and the latter, because of the responsibility of housing, knowing and the safety of that private information.

For more information and Webinars on eIDAS, please visit this website.

Continue reading