November 4, 2022

A great deal of discussion on technical challenges and the importance of agreeing on appropriate standard was covered last week at the ENISA Trust Services Forum in Berlin. How can we move forward with the ambitious plans to launch EU-wide secure digital wallets? iProov’s CEO, Andrew Bud, presented on the evolving nature of the threat environment and the importance of a user-centric approach to building a digital wallet which is not only accessible and easy to use but is secure.

EU Digital Wallet 

There is a great prize available for Europe and the European economy if we, as the Digital Identity industry, together with consumer groups and policymakers, are able to collaborate successfully to build, roll-out, and adopt more convenient platforms for supporting secure and trusted digital transactions. A digital wallet has many potential uses and could be a way to make secure payments, to ease the process of replacing official documents, such as a driving license, and speed up the journey through border checks in airports and ports. For example, McKinsey estimates that users of Government services could save as much as 110bn hours by streamlining Government services securely online.

The EU is leading the world with an ambitious enabling legislative framework for a system of EU Digital Wallets. We are excited to be a part of the NOBID proposal for European Commission funding for a pilot digital wallet scheme. The NOBID proposal is well supported, professionally with experienced partners, and an attractive use case (payment services). However, our recently published research report on the EU Digital Wallet initiative highlights the significance of the barriers to take up. Large-scale enrollment, organizational take-up, and evidence of ongoing usage are essential if the benefits are to be realized.

Critically, the size of the prize, with a potential market of 447m users, will attract criminal attackers as well. 

The Threat and Role of Face Biometrics

To be acceptable, enrollment must protect against the full range of impersonation, presentation, and digital injection attacks, consistent with the sorts of patterns we have observed through our unique iSOC capability. Organizations must be certain that the user is who they claim to be and that they have the right to access the information on the wallet, that the user is a real person, and that the user is authenticating themselves in real-time.  

Criminals behind attacks are well-resourced, highly skilled, and operate strategically when they have identified a highly prized target. Our own experience is consistent with the advice we received from a European security agency that advised on the test & learn strategy of criminal attackers, who will attack a target, learn from the experience and then take that learning to adapt their technique before attacking their next target. 

Supplying sophisticated deepfakes is also an attractive business opportunity for those with AI capability. Europol recently reported the growth of deepfakes as a service, with one threat actor offering $16,000 for a deepfake presumably to be used for unlawful or harmful purposes. We are seeing here the evolution of Crime-As-A-Service.

Maintaining User Trust and Accessibility

How we tackle biometric threats matters if we are to retain user trust in digital wallets, and the cyber policy community has a critical role to play in making sure that our approach is not only technically robust and agile but that it follows user-centric design principles. 

It is critically important that we use the intelligence of attack methods we have and our understanding of users we have to ensure that the security policy framework which is being developed, whether that be the AI Act, the Cyber Resilience Act or NIS2 is built around the needs, vulnerabilities and capabilities of users. An approach built on an assumption that user education will address capability gaps will fail.  

At iProov, we are championing the principle of a user-centric approach to solution design, inspired by the work in this area by Professor Angela Strasse. ID verification & authentication services must be built around some simple, but critical, user-centric principles.  Compliance with WCAG 2.1 AA should be a minimum requirement. Nobody should be excluded – whether it be based on disabilities, or on the basis that they don’t have the latest smartphone or tablet. Users cannot be expected to face the inconvenience of re-enrollment whenever they change or replace their devices.  

We need to recognize that devices are a weak point in the vulnerability chain and avoid relying on them for security. Many of the smartphones in daily use are no longer being supported and their users are not necessarily installing the latest security patches which are available.  

What Should the Policy Aim to Achieve?

  • Inclusion through user choice: No imposition or requirement for special device hardware or sensors. Ability to securely authenticate on any device with a user-facing camera.
  • Inclusion through accessibility: Device & platform agnosticism to include all users; robust performance and bias monitoring; cloud-based delivery.
  • Robust choice pathways: Non-biometric enrollment option must be equally secure… even if convenience is sacrificed.
  • Device risk mitigation: No reliance on users’ devices for security. Mitigate risk from synthetic or compromised devices.
  • Identity recovery: Users should not be required to re-enroll when devices are changed or replaced.
  • Verification integrity: Use inaccessible processing to prevent reverse engineering by attackers. Mitigate the threat of adversarial attacks.
  • Relieve users of the burden of responsibility: Implementation of new detection algorithms must not rely on or compel the user to update their personal device.
  • Agile response: Ongoing threat intelligence to evolve defenses.

As operators, we must accept a duty of care for users and take responsibility for their security onto our shoulders wherever possible.

ENISA Cyber Security Policy - Biometric Face Verification