
ENISA good practices for remote ID proofing call for NFC-based IDV

Last month ENISA, the European Union Agency for Cybersecurity, published its revised good practices for remote ID proofing. A lot has changed since the 2022 version: the eIDAS 2.0 regulation has now been approved and requires more secure digital identities for wallets, while at the same time the threat from generative AI has grown rapidly as the tools have become widely available.

Not surprisingly, the larger part of the ENISA report discusses presentation attacks, injection attacks, and how to prevent them. It is interesting reading. Biometric verification providers in particular face serious challenges in protecting the different components of their solutions while trying to distinguish real from fraudulent identities.

The part on identity document attacks is short. For electronic identity documents it simply states that “Public key infrastructure is used to authenticate the data in the chip, making it impossible to forge with the current technologies when all security mechanisms are fully and correctly implemented.” (p. 29) We could not agree more. For non-chipped documents they state that “… the maturity of PAD and IAD (Injection Attack Detection) methods applicable to identity documents is somewhat lower than those applicable to biometric attack of the human face.” (p. 30). Or, as we would put it: you cannot trust what you see.


The logical conclusion for ENISA is that NFC chip reading is the way forward for remote identity proofing, in combination with the best face verification possible, which will always carry some residual risk. ENISA also sees added value of NFC with respect to face verification: “Additionally, the biometric digital photograph contained in the chip can be used for face matching with a higher accuracy level.” They also mention the downside of this in the European context, as legislation in some member states still does not permit the use of the chip in passports and identity cards (or identity documents): “This could potentially give attackers the opportunity to perform impersonation attacks with higher success, targeting Member States where NFC-reading by private TSPs and RIDP (remote identity proofing) providers is not legally permitted.” In other words, member states whose outdated legislation prevents the use of NFC reading create vulnerabilities to fraud for their own citizens. A logical conclusion, given that all other forms of remote document verification can be breached, as the ENISA report clearly points out. ENISA also mentions that lost/stolen document lookups may not be permitted consistently among trust service providers, hampering this first line of defence.

Fortunately, only a small number of EU member states currently restrict the use of NFC reading to prevent identity fraud. Germany and France are examples, but even there the restriction on NFC use is under pressure. The German Federal Office for Information Security (BSI), together with the French ANSSI, paved the way for NFC reading in Germany in their joint release of December 2023. They state that “chip reading is the most secure way which should be used to acquire the information from an identity document” and that under the eIDAS 2.0 regulation national legislations should be harmonised. The ENISA report follows a similar line of reasoning.

Some member states cite privacy concerns as a reason to prohibit the use of NFC. We, however, would like to emphasise that restricting chip access leads to the use of sub-optimal, intrusive, and privacy-invading identity verification methods: video verification is intrusive, and as it can be spoofed it has to be complemented with data-driven mitigating measures. This can only be done via data sharing, whereas the identity document itself can be seen as a decentralised identity in the truest sense: no access to (personal) data is needed to validate a chipped identity document, apart from the (public) country certificates. Privacy by Design in line with GDPR! Furthermore, the ICAO (International Civil Aviation Organization) Doc 9303 standard for identity documents gives a pan-European (and even globally accepted) standard for secure identity document verification. With ReadID we have proven that this can be used in a secure and user-friendly way in many use cases, including EU ID Wallets.
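To make concrete what “only the public country certificates” means for the PKI check quoted from ENISA above, here is an added example (not code from Inverid, ReadID, ENISA or ICAO) of the verifier side of ICAO 9303 passive authentication: the Document Signer Certificate (DSC) read from the chip is chained to a trusted Country Signing CA (CSCA) certificate, the signature over the Document Security Object (SOd) is checked with the DSC key, and the hash of every data group is recomputed and compared. The issuing state, its “Utopia” CSCA and DSC, the data group contents and the function names are all constructed for this example, and the flat text encoding signed in place of the real ASN.1 LDSSecurityObject/CMS structure is a hypothetical simplification; the Go standard library's x509 and ecdsa packages do the cryptographic work.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DataGroups models the chip's logical data structure: DG number -> contents (constructed).
type DataGroups map[int][]byte

// SecurityObject is a simplified Document Security Object (SOd): one hash per data group,
// signed with the Document Signer key, plus the DSC that is stored on the chip next to it.
type SecurityObject struct {
	Hashes    [17][32]byte // index = DG number (ICAO 9303 defines DG1..DG16); zero entry = DG absent
	Signature []byte
	DSC       []byte // DER-encoded Document Signer Certificate
}

// signedBytes is what the DSC signs: a deterministic flat encoding of the hash table,
// a hypothetical stand-in for the ASN.1 LDSSecurityObject of ICAO 9303.
func (so *SecurityObject) signedBytes() []byte { return []byte(fmt.Sprintf("%x", so.Hashes)) }

// must panics on issuer-side setup errors only; the verifier path returns errors instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewIssuingPKI builds a constructed two-tier PKI: a self-signed CSCA and a DSC it issued.
// A verifier later needs only the CSCA pool; the DSC private key stays with the issuer.
func NewIssuingPKI() (cscaPool *x509.CertPool, dscKey *ecdsa.PrivateKey, dscDER []byte) {
	now := time.Now()
	tmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: now.Add(-time.Hour),
			NotAfter: now.Add(24 * time.Hour), Subject: pkix.Name{Country: []string{"UT"}, CommonName: cn}}
	}
	cscaKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csca := tmpl(1, "Utopia CSCA (constructed)")
	csca.IsCA, csca.BasicConstraintsValid, csca.KeyUsage = true, true, x509.KeyUsageCertSign
	cscaCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, csca, csca, &cscaKey.PublicKey, cscaKey))))
	dscKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	dsc := tmpl(2, "Utopia Document Signer (constructed)")
	dsc.KeyUsage = x509.KeyUsageDigitalSignature
	dscDER = must(x509.CreateCertificate(rand.Reader, dsc, cscaCert, &dscKey.PublicKey, cscaKey))
	cscaPool = x509.NewCertPool()
	cscaPool.AddCert(cscaCert)
	return cscaPool, dscKey, dscDER
}

// Issue is the personalisation step: hash each DG and sign the hash table with the DSC key.
func Issue(dgs DataGroups, dscKey *ecdsa.PrivateKey, dscDER []byte) *SecurityObject {
	so := &SecurityObject{DSC: dscDER}
	for dg, content := range dgs {
		so.Hashes[dg] = sha256.Sum256(content)
	}
	digest := sha256.Sum256(so.signedBytes())
	so.Signature = must(ecdsa.SignASN1(rand.Reader, dscKey, digest[:]))
	return so
}

// PassiveAuthenticate is the verifier side: (1) chain the DSC to a trusted CSCA, (2) check the
// SOd signature with the DSC key, (3) recompute and compare each DG hash. Nothing but the
// public CSCA certificate is needed from outside the document itself.
func PassiveAuthenticate(dgs DataGroups, so *SecurityObject, cscaPool *x509.CertPool) error {
	dsc, err := x509.ParseCertificate(so.DSC)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: cscaPool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := dsc.Verify(opts); err != nil {
		return fmt.Errorf("DSC does not chain to a trusted CSCA: %w", err)
	}
	if err := dsc.CheckSignature(x509.ECDSAWithSHA256, so.signedBytes(), so.Signature); err != nil {
		return fmt.Errorf("SOd signature invalid: %w", err)
	}
	for dg, content := range dgs {
		if sha256.Sum256(content) != so.Hashes[dg] { // absent DG has a zero hash and mismatches too
			return fmt.Errorf("DG%d altered or not covered by the SOd", dg)
		}
	}
	return nil
}

// RunScenario issues a constructed document, verifies it, then alters DG1 (the MRZ) without
// re-signing and verifies again; returns (genuine passed, tampered rejected).
func RunScenario() (genuinePassed, tamperRejected bool) {
	pool, dscKey, dscDER := NewIssuingPKI()
	dgs := DataGroups{1: []byte("MRZ of constructed specimen"), 2: []byte("constructed face image bytes")}
	so := Issue(dgs, dscKey, dscDER)
	genuinePassed = PassiveAuthenticate(dgs, so, pool) == nil
	tampered := DataGroups{1: []byte("MRZ with altered date of birth"), 2: dgs[2]}
	tamperRejected = PassiveAuthenticate(tampered, so, pool) != nil
	return genuinePassed, tamperRejected
}
```

Passive authentication proves that the data groups were signed by the issuing state and have not been changed since; on its own it does not prove that the chip is the original rather than a copy of its contents, which is why ICAO 9303 also specifies Active Authentication and Chip Authentication, and a production verifier additionally keeps the CSCA set current (for example from the ICAO PKD) and checks revocation. The example runs offline against its own constructed certificates and data.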


Depriving your citizens of the right to use NFC - truly privacy-friendly, secure identity verification that makes AI-based attacks irrelevant - is a bad judgment based on outdated technological assumptions. Even worse, it encourages fraudsters to attack citizens of that member state, according to ENISA. The European Commission should create a safe and secure level playing field for this under eIDAS 2.0, promoting the use of NFC-based identity verification.


Try it yourself for free

Interested in NFC-based identity verification? Our free personal app ReadID Me is available in the App Store and the Play Store. No personal information is shared with Inverid or other parties; it is a client-only verification.

Or subscribe to our newsletter, sent about 6 times per year.