loading page

FIDO for User Sole Contol in the EUDI Wallet
  • +1
  • Benjamin Fehrensen,
  • Alain Hiltgen,
  • Petros Kavassalis,
  • Nikos Tiantafyllou
Benjamin Fehrensen
Berner Fachhochschule Technik und Informatik

Corresponding Author:benajmin.fehrensen@bfh.ch

Author Profile
Alain Hiltgen
UBS AG
Author Profile
Petros Kavassalis
University of the Aegean
Author Profile
Nikos Tiantafyllou
University of the Aegean
Author Profile

Abstract

The European Digital Identity Wallet (EUDI Wallet) is the flagship initiative under the novel eIDAS1 regulation, aiming at enhancing digital identification by providing all EU citizens with a universal and secure digital ID. This ID will facilitate a wide range of activities, including travel, work, cross-border education, access to online services, payments, document signing, and more. Current efforts concentrate on specifications for Person Identification Data (PID) and other attribute attestations via Verifiable Credentials (VC) and the requirements for PID Providers, Qualified and Electronic Attribute Authorities (QAA and EAA), EUDI Wallet Providers, Relying Parties, and other actors within the EUDI Wallet ecosystem. This paper delves into further essential requirements of the eIDAS 2.01 regulation and proposes the FIDO framework as a solution for central aspects such as strong customer authentication, user sole control and device attestation. FIDO is not only an efficient framework for Strong User Authentication (SUA), but has also been recognized by the EU Cybersecurity Agency (ENISA)2 and the ETSI TR 119 460 report3 as compliant with eIDAS eID schemes. In this paper, we first briefly state the requirements of the EUDI Wallet Architecture and Reference Framework (ARF) for online and proximity identification and authentication, and propose leveraging the FIDO framework for authentication in the EUDI Wallet (section 1). Next, we highlight the potential complementarity of the current ARF design effort and the FIDO framework, explaining how the use of FIDO can achieve economies of standardization and accelerate the adoption of the EUDI Wallet by service providers that rely on additional security guarantees for LoA High, such as financial institutions and critical infrastructure operators (section 2). In section 3 we outline the technical details for seamlessly integrating a FIDO authenticator into the EUDI Wallet architecture. Finally, we introduce the need for protected confirmation, as a means to enable EUDI Wallet users to “reliably control what they confirm on their device”, and recommend to also leverage protected confirmation for selective disclosure (section 4).
17 Jul 2024Submitted to Security and Privacy
18 Jul 2024Submission Checks Completed
18 Jul 2024Assigned to Editor
18 Jul 2024Review(s) Completed, Editorial Evaluation Pending
19 Jul 2024Reviewer(s) Assigned