The European Union Agency for Cybersecurity (ENISA) has released a pair of new reports that could influence the development of digital identity technologies in EU member states. One of the reports addresses some of the concerns with facial recognition technology, while the other details the potential for self-sovereign identities (SSI).
With regard to the former, ENISA noted that COVID-19 has created a need for technologies that can verify someone’s identity online. Facial recognition has helped meet that demand, and has been used to facilitate everything from financial transactions to citizen interactions with various government agencies.
The problem, according to the ENISA report, is that facial recognition is still vulnerable to spoofing. The report lists photos, video replays, masks, and deepfakes as the primary methods of attack, and recommends some steps that organizations can take to guard against those threats. Most notably, the report encourages organizations to set a minimum video quality for face checks, and to implement presentation attack detection systems that can gauge depth and spot some of the inconsistencies found in deepfakes. It also advises organizations to cross-reference identity documents with lists of lost, stolen, and expired IDs, and to adhere to industry standards and best practices when implementing an authentication system.
ENISA’s SSI report, meanwhile, could inform the creation of a broader European Digital Identity scheme. The digital IDs would be available to all EU citizens, and would theoretically serve as a trusted digital identity that could be used for a range of cross-border interactions.
ENISA noted that a good SSI should give individuals more control over their personal information, allowing them to choose what to share, and when, as they prove their identity. Priorities for SSI include data minimization, accuracy, and consent, as well as utility more generally. Once the scheme is completed, citizens will be able to store a European Digital Identity in a wallet on a mobile phone, and share information by clicking an icon when accessing online services.
In doing so, citizens would only need to share enough information to complete a transaction, which allows people to do business with a greater degree of anonymity. The two reports are part of ENISA’s ongoing efforts to support the EU’s eIDAS Regulation, which seeks to create an interoperable standard for electronic interactions in Europe. ENISA has previously advocated for the use of passwordless FIDO2 authentication technologies.
January 24, 2022 – by Eric Weiss