More and more European member states are embracing eIDAS. By now, the national eID solutions of Estonia, Italy, Luxembourg, Spain and Croatia have been reviewed by other member states. Belgium and Portugal have applied for peer review as well. Germany was positively reviewed and has been notified. Because of this, Dutch governmental services have to accept the German ID card as a valid login credential from September 28th onwards. If all goes well, the same will happen in over a year for the other five countries.
I say "if all goes well" because some of the newly submitted eID solutions are quite interesting. First, Estonia, which among other things wants to notify the e-Residency card at the highest level of assurance. This solution can, in principle, be obtained by anyone in the world. One applies for an e-Residency card, visits the Estonian embassy, shows one’s passport, and subsequently receives the means of authentication that will potentially enable logging into any and all European governmental services by next year. The reliability of the identification process can be questioned: how well can the embassy employee ascertain the identity of the applicant, how reliably can he or she validate the authenticity of the passport, and how certain can one be that the passport shown hasn’t been reported stolen or lost?
Italy too brings something new: identification based on an online video session with the applicant, at eIDAS level High. The eIDAS regulation allows for this. In the Netherlands we allow for this too, within the eHerkenning and Idensys systems, but only for the eIDAS Substantial level. The reasons behind this are: the authenticity of the passport shown cannot be properly checked via video (while this is a hard requirement for eIDAS High), the reliability of identification based on the face image in the passport leaves much to be desired, and video images can be manipulated to alter the look of the passport shown or even the face of the applicant. Without further measures to mitigate these risks, this solution is at the level of eIDAS Substantial rather than High. Many European member states share this view, as becomes apparent from Italy’s peer review. Possible improvements could be using NFC to verify the authenticity of the passport, utilizing the face image read from the chip for identification purposes, deploying biometric identification solutions, and using technologies to detect the manipulation of video images.
We’ll have to wait and see which authentication means will be recognized at which level of assurance. But their arrival is a fact. Many member states are choosing to notify their eID means for eIDAS. Remarkably, they are all submitting a means at level High.
Is the Netherlands ready? The outlook is positive. We’re the first country ready to handle authentication requests from German citizens in accordance with eIDAS. Starting today! Have a look at RVO’s website here.
Good for the Germans, but what use is it to Dutch citizens? In other words, what about the Dutch plans for notification? The plans exist, as does the willingness to notify, but it is still unclear which means this will concern. DigiD High is still in the pilot phase and therefore isn’t ready yet. Too bad, because many other member states are notifying at this level. DigiD Substantial is the obvious candidate, but not without its own challenges. Since the BSN (our national personal number) by law isn’t allowed to be used abroad, adaptations will be needed. In any case, DigiD Substantial cannot be deployed by private service providers abroad.
How about the private alternatives to DigiD? Their status is uncertain and depends on the ‘Wet Digitale Overheid’ (digital government law), which admittedly has been passed by the Council of Ministers, but not by the States General. Only after that can a tender process follow. The seemingly inevitable winner of this is iDIN. And I suspect banks will want to handle eIDAS authentications, but not without charge – as the regulation stipulates. Will the Dutch government compensate the banks for this? On the other hand, how about eHerkenning? Possibly, but it only covers the business domain, which thus far has been largely neglected in eIDAS and by many other EU member states. Only Italy provides a solution for this as well. Should we brush up Idensys and put it in the European eIDAS spotlight after all?