Driven by the proposed revised eIDAS regulation for electronic identification, many European initiatives are currently developing digital identity wallets. These wallets are typically mobile applications that can be used by EU citizens to login to public and private services and to share personal identity data and attestations in a controlled manner.
Prerequisite for such an identity wallet to function as an electronic identification means is that it can be ‘loaded’ with verified, authentic personal identity data, such as name, date of birth, nationality, gender, and a unique identifier. Moreover, the binding of the wallet to the user should be at the highest eIDAS assurance level. There are several potential solutions to inject the foreseen wallets with verified personal identity data.
A first alternative is to use a notified eIDAS eID means at level high to login to a provider of personal data. After login in, this provider can transfer the data to the wallet. A drawback of this solution is that not all member states have a notified eID means at level High, let alone that they are widely used. Moreover, a European wallet provider will have to implement all interfaces with national personal data providers across Europe which are not standardised. Finally, the solution is based on centralised infrastructures and may require additional and often complex privacy controls to prevent negative big brother kind of vibes.
A second alternative would be to physically identify the user at the registration desk of the wallet provider. After the identification, the personal data becomes available to the wallet. Basically, this mimics the current process for the issuance of level high eID means. A process that is not very user friendly, does not scale, and is expensive. Also keep in mind that a similar process would be required for other use case scenarios such as re-installation of the wallet on a new mobile phone or for resetting a forgotten password or PIN authentication credential. For the adoption of wallets this is killing; people have become accustomed to trusted digital processes and this would be a step back into the past.
Both alternatives have important downsides. There is a third existing and proven alternative that caters for remote identity proofing and onboarding using NFC-reading and verification of chips of identity documents plus biometrics-based face verification. Both pieces of functionality can be easily integrated in the mobile wallet app and can operate at the highest assurance level. Moreover, they leverage the existing reliable ICAO-standardised passport and identity card ecosystem to the advantage of the citizen. As a consequence, it provides a universal, decentralised, and privacy-friendly solution for wallet providers to inject personal identity data of all European citizens into their wallets.
NFC-based data injection is fully automated and thus scalable and cost effective as well. For the wallet users it is a friendly real-time solution and that can easily be executed for re-identification use cases as well. Please note that optical verification of identity documents should not be used: this may be convenient for data retrieval (OCR) but is easy to tamper with. Optical data injection would open the door to widescale use of fake identities.
“NFC-reading of identity documents provides a universal, standardised, and decentralised privacy-friendly solution for the verified personal data injection into eIDAS-wallets”
By adoption NFC-based verified data injection Europe can instantly implement a standardised, truly privacy and user-friendly solution for the loading of personal identity data and that will drive the adoption and success of digital identity wallets. There is no need to wait for member states to implement APIs to their sensitive identity infrastructure for this, nor is there a need to scale up services desks at town halls throughout Europe. European passports, identity cards and residence permits all fulfil the requirements for verified data injection already. Let’s stop discussing and start implementing things before big tech parties start ruling the identity market here as well!
Verified Data Injection and the ARF
The European Commission recently published the “European Digital Identity Wallet Architecture and Reference Framework (ARF)”. The ARF contains a set of the specifications needed to develop interoperable European wallets based on common standards and practices. A simplified version of the architecture is shown below. On top of the architecture is visualised how verified data injection based on identity documents and ReadID NFC could be implemented.