Applying FIDO standards to EUDI wallet

The collaboration between FIDO standards and EUDI Wallet, within the framework of the powerful eIDAS2 regulations, offers a robust and secure solution to enhance online authentication and promote trust in digital transactions. Providing attractive benefits to individuals and businesses in the field of digital identity, FIDO and EUDI Wallet complement each other.

E

nhancing online security 

Let’s set the context. FIDO, which stands for Fast Identity Online, is a set of open standards developed by the FIDO Alliance. Its aim is to improve security in online authentication and reduce dependence on traditional passwords. FIDO advocates for and develops more secure methods, such as biometrics and passkeys, to authenticate users online quickly and conveniently. 

FIDO has addressed the usability and security shortcomings of outdated Multifactor Authentication (MFA) tools and provided advanced digital identity solutions. 

Leading companies in sectors such as banking, healthcare, telecommunications, and technology have leveraged FIDO’s open and interoperable proposals and implemented solutions based on these standards. Based on FIDO principles, governments worldwide, including Taiwan, South Korea, Thailand, the United Kingdom, and the United States, have announced or developed plans in recent years to modernize their citizen digital identity schemes. 

Currently nearly 900 products and technological solutions have obtained FIDO certification. Additionally, almost all smartphones and laptops available in the market incorporate support for FIDO authentication. There is also native support for browsers, eliminating the need for clients or providers to rely on other technologies to enable MFA options. 

FIDO is recognized as part of the Electronic Identification (eIDAS) schemes in the EU for high-security levels. Part of its work involves educational efforts through webinars and publications and requires collaboration with institutions and policymakers to ensure constant updates. 

The necessary regulatory framework for digital transactions 

In April 2020, the conditions describing how FIDO can operate according to eIDAS (Electronic Identification, Authentication and Trust Services) were deployed. eIDAS is a European Union regulatory framework that establishes standards for electronic identification systems, guaranteeing their authenticity and security. Although formally established in 2014, this regulatory framework originated from guidelines that have been attempting to unify the vast and scattered number of regulations on identification and electronic signatures since the early 1990s. One of the most important contributions of eIDAS is the introduction of the terms “Trust Service Providers” (TSP) and “Qualified Trust Service Providers” (QTSP). These providers are supervised and accredited to offer a range of trusted services, including signature validation, timestamping, registered document delivery, and preservation. 

Its goal has always been to facilitate secure and cross-border digital transactions within the EU. The eIDAS2 regulation is an update to this framework that adds a notable improvement, the launch of the European Digital Wallet: EUDI wallet. This new chapter in the life of eIDAS proposes that member states have an obligation to provide the digital wallet free of charge to all their citizens. Private entities will also have the option to be accredited as EUDI wallet providers. 

According to the official project schedule, the framework will be fully implemented by June 2024. 

A project to drive digital transformation 

EUDI Wallet, the European Digital Wallet, is an ambitious joint project between the European Commission and Member States. It will allow both businesses and citizens to identify themselves in the most practical and reliable way to access digital services. 

One of its main goals is to give citizens full control over their electronic identities, while protecting privacy by selectively disclosing and tracking the attributes contained and shared in any given situation. 

By facilitating this access, the aim is to promote the adoption of digital services and foster trust in online transactions. On the other hand, EUDI wallet would foster digital transformation in the European industrial sector, providing support to businesses adopting digital technologies, improving their efficiency and competitiveness, and adapting to new business models. 

These two complementary strategies aim to promote digital transformation in different areas: secure access to digital services and driving the industry towards digitalization. In doing so, the project seeks to strengthen the digital economy and improve the quality of life for European citizens in this era. 

The collaboration between the FIDO alliance and EUDI Wallet 

To ensure transparency in the implementation of the European digital wallet, eIDAS2 establishes specific rules that must be followed. This is where FIDO comes into play. 

FIDO acts as a key to access EUDI Wallet. By using FIDO, the user’s identity can be verified when they need to access different online services or make payments. For example, FIDO would help securely display a driver’s license when necessary. The combination of FIDO and EUDI Wallet within the eIDAS2 framework ensures more secure and reliable online transactions. As mentioned at the beginning of this article, FIDO offers an additional layer of security by replacing traditional passwords with stronger and more convenient authentication methods. 

The Alliance explains that the various use cases aim to support passwordless digital environments, with full information and accountability. 

Using FIDO for transactions with EUDI Wallet 

Within the EUDI Wallet ecosystem, FIDO can be applied as an authentication standard in various forms, serving as a gateway to different needs and services. 

• It facilitates the acquisition of identifications that will be stored in EUDI Wallet. This includes issuing special certificates and temporary tags for specific identifications.
• It allows access to cloud-hosted wallets. This means that users can access their digital wallets and manage their transactions from any internet-connected device. 
• It acts as a bridge in the pre-authentication process before accessing services in hospitals, airports, banks, and others. 
• It can be used as an authentication standard to access remote QSCDs (Qualified Signature Creation Devices). These devices are designed to generate trusted electronic signatures, ensuring the integrity and authenticity of the signatures while protecting the information and identity of the signer. 
• It serves as a link between EUDI Wallet and digital identity providers. It eases communication and interoperability between digital wallets and these providers, strengthening authentication. 

Striving for a balance to avoid associated risks 

As the deadline approaches for all member states of the European Union to have their architecture and access to their wallets ready, potential risks or vulnerabilities may arise. A project of this magnitude and with so many aspects must be undertaken with a full understanding of the consequences of a cyberattack or vague limits on government intervention. It is essential to address these dangers through technical and regulatory design. 

Although it may seem obvious at this point, member states must be careful with user privacy and deploy EUDI Wallet with transparency, providing detailed information on the range of use for each credential and avoiding tracking. The decisions made by those managing digital identities will have an impact on the reputation of technology providers, so this is not a minor issue. 

Alban Feraud, vice president of the industrial organization Eurosmart, explains that the wallet is actually a combination of technologies, services, and processes. The success of the strategy depends on the ability to combine and balance all these elements that may have been individually evaluated and certified. 

The EUDI program is at risk of suffering attacks against the application itself, including alteration of the user interface or the creation of similar applications to confuse citizens, as well as attacks against ecosystem participants such as FIDO solutions, as they manage access to personal data. 

FIDO standards have revolutionized online authentication by establishing technical specifications that enable interoperability and leverage cryptography, complying with all current eIDAS regulations, and they already have a solid foundation to support their principles and expand their use cases with eIDAS2. Their notable impact in both the public and private sectors and their formal certification have been widely recognized. Their implementation within the EUDI Wallet ecosystem can only foresee a future in which digital identity management becomes increasingly seamless and robust, as long as the risks are understood, and actions are taken with honesty, information, and public service in mind.