Topic R- Authentication of the User to the device

[phin10]

Description
Requirements and guidance need to be provided to address the authentication methods available on modern mobile devices, such as PIN codes, swipe patterns, and biometrics (e.g., face or fingerprint recognition).

Planned publication discussion paper
3 September 2025

Link to discussion paper
Link

Discussion close
Three weeks later.

[OBIvision]

Smartphones cannot - ever - provide a secure platform for Wallets as control is inherently linked to BigTech smartphone platforms. The very real risk is that EU feed control to BigTech through bad security design of the wallet.

One alternate mechanisms to to upgrade dedicated smartcards with biometrics and move control from the Smartphone to the Smartcard.

It is, however, not a simple question as there are many parallel requirements.

The core agenda must be support of Qualified Unlinkable Signatures as the key alignment mechanism across Eu regulations.

[tmielnicki]

Hello, thank you for your comments. Do you have any specific changes to HLRs in mind?

[sander]

Thank you for sharing Discussion Paper R v0.1. The analyses in § 2 and § 3 are problematic. This causes issues with certification and recognition. If implemented in the wrong way, it increases risk of identity fraud.

In the § 3 introduction, the description of authentication factors needs improvement. The PID-protecting WSCD is a valid possession factor only if the user has physical possession of the PID-protecting WSCD. If the PID-protecting WSCD is remote, the user needs to have a different possession factor for authentication towards the associated WSCA.

The ARF concept of activation is confusing due to the overloading it with both “WU activation” and “PID activation“. Instead, (EU) 2015/1502 refers to “eID means activation”, where “activation” is the process whereby the whole eID means is made ready for use. The WP is responsible for activation and the PIDP needs to verify this before PID issuance. Depending on the solution architecture, the activation process may or may not involve comparison with the registered wallet user’s identity. See:

• Weak eID means activation #589

The problematic analyses makes it hard to judge whether the requirements suffice. With regard to Question 1, seems that OS-level authentication can only suffice for the activation process if it is verifiable to the PIDP.

[tmielnicki]

Hi Sander, thank you for your comment. As described in ARF, the PID activation relies on Wallet instance activation and WUA, and there is no need for additional activation process as "eID means activation". PIDP will be thus able to verify by WUA verification.
Ultimately, a Wallet Solution needs to be certified to confirm security and robustness of (among others) authentication mechanisms design.
In any case, if you see any need to change HLRs or add new ones, feel free to propose.

[sander]

Re: Question 2. The formulation of WIAM_14 is problematic:

1. “this WSCA/WSCD SHALL be certified” goes beyond the legislation. Certification applies to the wallet solution and requires WSCA/WSCD evaluation, which may or may not be evidenced using certification.
2. “the EUDI Wallet eID means” seems to imply the eID means is in the EUDI Wallet, instead of equal to it.
3. It is unclear what it means for a WSCA/WSCD to meet applicable (EU) 2015/1502 section 2.2.1 requirements, and how this relates to WIAM_17.

Regarding the third point, the PID-protecting WSCA/WSCD must verify the user’s control of two authentication factors before asserting this authentication to the PIDP or RP. The WSCA/WSCD can only use OS-level authentication if the OS provides a capability for verification, meeting the characteristics and design requirements in section 2.2.1.

[tmielnicki]

Hi Sander, regarding the first and the second point we will review the wording.
Regarding the third one, this is the task of the Wallet Solution Provider to ensure the proper user authentication, using o.s.-level or external mechanisms. For instance mobile operating systems do provide information about the result of User authentication to the device (screen unlock). But anyway, it is up to the Wallet solution to choose the design, and then the solution have to be evaluated to confirm meeting compliance and security requirements.
BTW WSCA/WSCD have to be able to authenticate the user in accordance with CIR 2015/1502, but does not mean that always at LoA High.