The European Commission promotes the European Digital Identity wallet (EUDI wallet) as part of its effort to digitise the economy and foster trust services. In practice, this means that from the end of 2023 each EU Member State is to gradually offer a mobile-based wallet to its citizens, residents and businesses for online identification and authentication. Here we look at the scope of the EUDI wallet and some of the security challenges for the app.
Combining physical and digital credentials
In today's world, it is important to be able to prove our identities with physical credentials such as ID cards, health cards and driving licences. We now need to be able to do this online too. Mobile ID is a convenient way of authenticating a digital identity, but there still needs to be a binding between the digital and physical worlds. This is where the Digital ID wallet comes in: it provides citizens with a reliable platform for securely holding their digital and physical credentials together.
By linking the physical and digital worlds together, the European Digital ID wallet grants users full control over their data and opens up exciting possibilities for more innovative user-focused ID initiatives. Not only will this enable users to access services quickly while protecting their personal information, but also enable institutions such as government agencies and healthcare providers to develop better-tailored services for citizens. All in all, the Digital ID Wallet provides an important means of improving both safety and convenience when managing personal data.
EUDI scope and framework
The scope of this wallet app is described in some detail in The Common Union Toolbox for a Coordinated Approach Towards a European Digital Identity Framework. The Toolbox, adopted by the eIDAS Expert Group in January 2023, includes The European Digital Identity Wallet Architecture and Reference Framework (ARF). The ARF is still work in progress and non-mandatory; it is expected to be superseded by binding requirements under the European Digital Identity Framework Regulation.
The EUDI wallet, part of the eIDAS 2.0 proposal, enables users to securely store and access identification data derived from their national eIDs within an app, on a local or remote basis upon request, with full control over their data. This covers attestations of attributes such as ePassports, driver’s licenses, university diplomas, and personal information like medical records or banking details. The wallet should also allow them to access a variety of online private and public services and sign documents with qualified electronic signatures and seals (QES).
On an international scale, the ISO/IEC 18013-5 standard describes the interface and related requirements for ISO-compliant driving licence functionality on a mobile device, paving the way for the mobile driving licence (mDL) as the future of licensing and proof of identity. On a wider scope, the recently published ISO/IEC 23220-1 standard describes the building blocks for mobile eID system infrastructures and standardises interfaces and services for mobile document (mdoc) apps and mobile verification applications.
Logical access to, and protection of, the sensitive data in the digital wallet requires a fundamental change from the current approach for unconnected devices such as eID cards or ePassports. Today, as mandated by Regulation (EU) 2019/1157, the main technical standard used to secure such data is ICAO Doc 9303. When inspecting an eID document, the inspection system uses the Basic Access Control (BAC) protocol to gain access to the chip data. In short, the protocol enforces a proof of possession: the inspector optically reads the machine-readable zone (MRZ), takes the document number, date of birth and date of expiry together with their check digits, hashes them with SHA-1 into a key seed, and derives from that seed two 3DES keys (an encryption key and a MAC key) which are then used to authenticate to the chip and read its data over the NFC interface (ICAO 9303, Part 11). Because the keys are computed entirely from printed data, the protection they offer is bounded by how guessable those MRZ fields are; the same part of ICAO 9303 therefore also specifies PACE as the stronger, password-authenticated successor to BAC.
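The BAC key derivation described above, as an added worked example (this is illustrative code written for this article, not code from the Cryptomathic MASC product or from any reference wallet implementation): it computes the MRZ check digits, builds the MRZ_information string, derives K_seed with SHA-1 and then the two parity-adjusted 3DES keys K_enc and K_mac. The sample document number, date of birth and date of expiry are the worked example from ICAO Doc 9303 Part 11, Appendix D.1; the function and variable names are this example's own.

```python
"""Basic Access Control (BAC) key derivation from the MRZ, following ICAO Doc 9303 Part 11.

Added example for this article, not code from the page's product or any wallet SDK.
Sample input values are the ICAO 9303 Part 11 Appendix D.1 worked example.
"""
import hashlib

# Check-digit weights repeat 7, 3, 1 over the field (ICAO 9303 Part 3).
_WEIGHTS = (7, 3, 1)


def mrz_char_value(ch: str) -> int:
    """Numeric value of one MRZ character: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character {ch!r}")


def mrz_check_digit(field: str) -> str:
    """Weighted sum modulo 10 of the field's character values."""
    total = sum(mrz_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """MRZ_information = doc number (9 chars, '<'-padded) + CD + DOB (YYMMDD) + CD + expiry (YYMMDD) + CD."""
    if len(doc_number) > 9:
        raise ValueError("document numbers longer than 9 characters need the extended MRZ handling")
    for d in (birth_date, expiry_date):
        if len(d) != 6 or not d.isdigit():
            raise ValueError(f"date must be six digits YYMMDD, got {d!r}")
    doc_number = doc_number.ljust(9, "<")
    return "".join(p + mrz_check_digit(p) for p in (doc_number, birth_date, expiry_date))


def adjust_des_parity(key: bytes) -> bytes:
    """Set the least significant bit of each byte so that every byte has odd parity (DES convention)."""
    out = bytearray()
    for b in key:
        data_bits = b & 0xFE
        ones = bin(data_bits).count("1")
        out.append(data_bits | (1 if ones % 2 == 0 else 0))
    return bytes(out)


def derive_3des_key(k_seed: bytes, counter: int) -> bytes:
    """ICAO 9303 key derivation: SHA-1(K_seed || counter), first 16 bytes as two DES keys (Ka, Kb)."""
    h = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return adjust_des_parity(h[:8]) + adjust_des_parity(h[8:16])


def bac_keys(doc_number: str, birth_date: str, expiry_date: str):
    """Return (MRZ_information, K_seed, K_enc, K_mac) for the given MRZ fields.

    Note the security consequence: the only secret input is the three printed MRZ fields,
    so an attacker who can guess them (or photograph the data page) derives the same keys.
    """
    info = mrz_information(doc_number, birth_date, expiry_date)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    k_enc = derive_3des_key(k_seed, 1)  # counter 1 -> encryption key
    k_mac = derive_3des_key(k_seed, 2)  # counter 2 -> MAC key
    return info, k_seed, k_enc, k_mac


if __name__ == "__main__":
    # ICAO 9303 Part 11 Appendix D.1 sample: document L898902C, born 690806, expires 940623.
    info, k_seed, k_enc, k_mac = bac_keys("L898902C", "690806", "940623")
    print("MRZ_information:", info)
    print("K_seed:", k_seed.hex().upper())
    print("K_enc: ", k_enc.hex().upper())
    print("K_mac: ", k_mac.hex().upper())
```

The three MRZ fields are the entire secret: a document number, a birth date and an expiry date together carry far less entropy than a 112-bit 3DES key, which is exactly the limitation that makes BAC a proof of possession rather than a strong access-control mechanism, and why a connected wallet cannot simply reuse this design.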
Addressing the mobile security challenges for the EUDI wallet app
Shifting to a mobile device creates security challenges reflected in a complex threat model and a significant increase in attack vectors, due to the change in form factor, the increase in features and the expanded ecosystem. The EUDI wallet must offer a sufficient level of protection against attacks from adjacent malware that naive users may have installed, and against professional, dedicated attacks on an emulated or rooted platform. An attack could also target the communication channel between the EUDI wallet app and the back-end services, or the back-end itself.
Exploits of vulnerabilities in the ecosystem could result in forged identities or false claim assertions, in particular:
identity theft: by cloning an app or harvesting local data, an attacker could imitate the victim and make false claims online or offline, as well as gaining access to sensitive online services; and
data leakage: illegitimate or unauthorized access to citizen data is a direct breach of GDPR.
Indeed, the scope and complexity of adequately securing a mobile application is reflected by the 152 recommended security measures across 13 domains contained in the Smartphone Guidelines Tool issued by the European Union Agency for Cybersecurity (ENISA).
Issuance of the EUDI wallet is up to each Member State, but the wallet is ultimately to be used across Member States. The proposal for amendment of the eIDAS regulation foresees that the issuer of the EUDI wallet may be the Member State itself, directly or through a mandate, or an independent party recognised by a Member State. In all cases, issuing an EUDI wallet comes with considerable liability and a high risk of reputational damage, both for the issuer and for the Member State. Upon a breach or compromise of an EUDI wallet, the issuing Member State shall, without delay, suspend issuance, revoke the validity of the European Digital Identity wallet and inform the other Member States and the Commission accordingly. One can easily anticipate the media coverage in hypothetical cases such as:
Terrorists break into the Belgian identity wallet and are able to present seemingly valid travel documents at Charles de Gaulle airport to enter the EU.
A Swedish minister presents a counterfeited diploma using her EUDI wallet during the due diligence process prior to her official appointment.
A security weakness within one type of EUDI wallet is exploited by an unknown attacker resulting in the leakage of confidential data for 3 million Danish citizens.
Hacktivists exploit the Spanish EUDI wallet to obtain social health benefits for 3000 migrants.
The European Commission intends to release an open-source software development kit (SDK) for the EUDI wallet to help ensure interoperability and foster usage. Nonetheless, responsibility for the security of the wallet remains with the issuer and the issuing Member State.
While the EUDI wallet will implement a number of security features, which may include an embedded crypto interface and interfaces to a Trusted Execution Environment (TEE) and native Secure Elements (SE), the SDK will not be in a position to mitigate risks such as reverse engineering, nor will it provide strong device and API assurance. EUDI wallet issuers will need to further harden the app and run penetration tests to pass certification. It is strongly recommended to use a third-party library that addresses the current threats to the EUDI wallet and to rely on an evolutionary security design, so that the app can securely operate and defend itself in the ubiquitous mobile ecosystem and its evolving threat landscape.
Cryptomathic is a pioneer in providing secure mobile solutions for apps that require the strongest level of protection against attacks. The Cryptomathic Mobile App Security Core (MASC) provides comprehensive data protection and proactive defense mechanisms with multiple, mutually reinforcing security layers. MASC’s security framework consists of self-defending mechanisms, application hardening, secure connectivity, secure storage and device & API protection.
Reference: Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity, COM(2021) 281 final. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52021PC0281