EUDI Wallet security: the major challenges of trust and regulation identified by iDAKTO

18 November 2024

By the end of 2026, all EU Member States will have to make an EU Digital Identity Wallet available to their citizens free of charge. Provided for by the eIDAS 2.0 regulation, the European digital identity wallet will have to be interoperable and recognised throughout Europe. Citizens will be able to store identification data (surname, first name, date of birth, etc.) and official documents in digital format (diploma, driving licence, etc.). This digital wallet can be used to authenticate on public or private services throughout the European Union.

As a developer and provider of electronic wallets, iDAKTO supplies secure, certified building blocks that are used within the France Identité application, which is officially recognized as a “high” level digital identity. We have therefore set important milestones for the security of the applications and the platform behind what will soon be the French implementation of the European digital identity wallet.

While the implementing acts of the eIDAS 2.0 regulation should soon specify the security requirements of the future European wallet, iDAKTO is already working on the drafting of the standards within ETSI, CEN and the OpenID Foundation.

Andreea Prian, Head of Standardization at iDAKTO and eIDAS compliance expert, takes stock of 5 major security issues around the European digital identity wallet, the questions that arise and the solutions envisaged to answer them.

1. The protection of personal data, a non-negotiable building block of the future EUDI Wallet

Citizens’ trust in the European digital identity depends on the transparency of all the actors involved in the system and on the protection of personal data. However, the certificates issued and stored in the future European wallet will contain metadata, such as the expiry date of the certificate or the cryptographic signature, and technical data that could make it possible to track users when these certificates are shared with third parties. Users could therefore be traceable, since cross-checking two different presentations would make it possible to deduce that they come from the same person.

Avoiding user tracing could be done through the issuance of single-use certificates, but this solution is actually not very scalable and would place a significant burden on the issuer of certificates.
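The cross-check described above, and the effect of single-use certificates on it, as an added example that is not iDAKTO's code or part of the original article. It assumes a salted-digest selective-disclosure credential; HMAC-SHA256 stands in for the issuer's asymmetric signature, and all function names and sample claims are constructed for illustration.

```python
import hashlib, hmac, json, secrets

ISSUER_KEY = secrets.token_bytes(32)  # constructed; HMAC stands in for the issuer's signature

def _digest(salt, name, value):
    return hashlib.sha256(f"{salt}|{name}|{value}".encode()).hexdigest()

def _sign(body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()

def issue(claims, exp="2030-01-01"):
    """Issue one credential: a salted digest per claim, signed together with the expiry."""
    salts = {n: secrets.token_hex(16) for n in claims}
    body = {"digests": sorted(_digest(salts[n], n, v) for n, v in claims.items()), "exp": exp}
    return {"body": body, "sig": _sign(body), "claims": claims, "salts": salts}

def present(cred, names):
    """Selective disclosure: reveal only `names`; body and signature go out unchanged."""
    disclosed = [(n, cred["claims"][n], cred["salts"][n]) for n in names]
    return {"body": cred["body"], "sig": cred["sig"], "disclosed": disclosed}

def verify(p):
    """Relying-party check: signature is valid and every disclosed claim is covered by it."""
    return hmac.compare_digest(_sign(p["body"]), p["sig"]) and all(
        _digest(s, n, v) in p["body"]["digests"] for n, v, s in p["disclosed"])

def linkable(p1, p2):
    """Cross-check two presentations using only values that every relying party receives."""
    shared = set(p1["body"]["digests"]) & set(p2["body"]["digests"])
    return p1["sig"] == p2["sig"] or bool(shared)

def demo():
    claims = {"age_over_18": True, "city": "Lyon"}  # constructed sample data
    reused = issue(claims)
    # Same credential shown to two services, disclosing different claims each time.
    a, b = present(reused, ["age_over_18"]), present(reused, ["city"])
    # Single-use issuance: the issuer must sign one credential per presentation.
    batch = [issue(claims) for _ in range(2)]
    c, d = present(batch[0], ["age_over_18"]), present(batch[1], ["city"])
    return all(verify(p) for p in (a, b, c, d)), linkable(a, b), linkable(c, d)

if __name__ == "__main__":
    print(demo())
```

The reused credential is linked even though the two services saw disjoint claims, while the single-use pair is not; the issuer's cost is one signing operation per presentation the user will ever make.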

Another solution could be the use of advanced cryptographic techniques, such as zero-knowledge proofs, which provide evidence about a user’s data without disclosing its exact value. Signature randomization via cryptographic algorithms and signature schemes of the BBS+ type, or schemes offering at least equivalent properties, could also be considered.

Such solutions still need to be further developed and tested for possible use in the context of the creation of a digital identity. New “Large Scale Pilots” will be launched in 2025, in order to specify the contours and use cases of the future European identity wallet. The study of user data protection via these techniques should therefore be an integral part of their roadmap.

2. Anticipating post-quantum threats

The creation of the European Digital Identity Wallet brings to the forefront the security issues around the electronic signature. Many elements that will pass through the wallet will be signed to guarantee the authenticity of the data (stored certificates, presentations of certificates made to relying parties, etc.). However, the post-quantum era is approaching and threatening the asymmetric cryptography currently used for electronic signatures. Quantum computing will be able to reproduce signatures that appear legitimate, making it impossible to distinguish between what is authentic and what is not.

To date, there are no officially recommended post-quantum algorithms in France. Although the first algorithms have already been standardized by NIST, there is no consensus on their maturity or on their ability to guarantee data security on their own.

The use of flexible and scalable protocols, which are not tied to a single cryptographic technique, could be considered. In order to anticipate post-quantum threats, ANSSI already recommends hybridization, i.e. the simultaneous use of two algorithms, one of which is post-quantum resistant and the other pre-quantum, sufficiently studied and recognized. While hybridization appears to be a recommended solution, it must still be made possible, for example by the format of the certificates. It is therefore crucial that standardization bodies look into the integration of hybridization.

3. Establish a framework of trust

The issue of trust is at the heart of the project to create the European digital identity wallet. The creation of a strong trust framework is necessary in the field of digital identity, in particular for the identification and authentication of certificate issuers, certified wallet providers and especially service providers, public and private, many of which are expected to use the future European wallet. Sensitive data such as health data, stored in the wallet, will require strict regulation.

Many service providers will want to use the EUDI Wallet, which is easy to adopt and interoperable across Europe. They will therefore have to register on “trusted lists” whose criteria have not yet been specified. Leaving it up to the Member States to define their own criteria for registering service providers on the “trusted lists” would risk creating excessive disparities, and therefore compromising the security of the future European digital identity wallet.

A strict and transparent registration of legitimate entities on the “trusted lists” is necessary, in order to assure users that the service they wish to use is indeed entitled to request information contained in their wallet. Declarative registration (on the basis of a form, for example) will not be sufficient to guarantee confidence in the system. The application of the principles of the GDPR will include a strict condition: companies (third parties) may only request from the user the data that is necessary for the purposes for which it will be processed. The European Commission is expected to provide more details regarding the processes for registering on the “trusted lists”.

4. Place the EUDI Wallet under the exclusive control of the user

The use of the European wallet, and in particular the management and sharing of data, must be “under the exclusive control of the user”. Although the wallet is theoretically neutral from a technological point of view, its first implementations will take the form of a mobile application (especially in France). In this case, the user will authenticate via their mobile device, in particular via biometrics, which is the means of authentication with the least user friction.

However, the security of authentication varies with the diversity of devices and the lack of guarantees they offer regarding the implementations of biometric solutions. Authentication is a key aspect of data protection. This situation raises the question of trust in these devices, which remain beyond the control of the users themselves.

It will likely be necessary to strengthen the authentication process for attestations requiring a high level of assurance. The use of an electronic identity card with a PIN code could be a solution, in order to avoid having to resort to biometrics, even if this solution may make the user experience less fluid.

5. Comply with a minimum set of security rules in the absence of a European certification scheme

To date, there is no unified certification scheme at the European Union level indicating how to certify the entire wallet and its components (back-end, application, hardware cryptographic component, etc.). However, future wallets will have to be certified, and even reach the high level of assurance for electronic identity. The purpose of a certification scheme would be to describe the prerequisites necessary to secure the various components of the wallet with a view to its certification.

The European countries concerned by the implementation of the future European digital identity wallet have quite heterogeneous levels of cybersecurity. This is therefore likely to create security disparities in different states, with some certifying versions of the wallet that others may consider insufficiently secure.

A minimum set of security rules should be complied with by all Member States in order to ensure a homogeneous and harmonised level of security. This pillar would guarantee all citizens the possibility of using a secure solution on the basis of a certain number of common security rules, regardless of the country.

Security, trust and regulatory requirements around the future EUDI Wallet: the elements to remember

1. Respect for privacy is an essential building block to preserve citizens’ trust in the European Digital Identity and encourage the adoption of the future wallet. The digital wallet will be free and not mandatory for European citizens.

2. It is already necessary to anticipate post-quantum threats, in particular through the simultaneous use of two algorithms, one of which would be post-quantum resistant.

3. The registration of service providers on “trusted lists” must be carried out in a strict and transparent manner.

4. The authentication process for certificates requiring a high level of assurance should be strengthened (e.g. through the use of an electronic identity card with a PIN code).

5. In the absence of a European certification scheme, the various States will have to develop their own national certification schemes. It is desirable that the Member States work on harmonising the security rules relating to the different components of the European digital identity wallet.

iDAKTO will closely follow the publication of the implementing acts of the eIDAS 2.0 regulation and will continue to be involved in the work of the “Large Scale Pilots” in order to contribute to the development of a fully secure European digital identity wallet.