I was delighted to be asked to present a keynote at the FIDO Authenticate Summit and chose to focus on digital identity governance, which is something of a hot topic at the moment. Little did I know that the day before my session was recorded the European Commission would propose a monumental change to eIDAS, the European Union’s digital identity framework – one of the main examples I was planning to refer to. I hastily skimmed the proposed new regulation before the recording but have since had the time to take a more detailed look.
Why is the change monumental?
In a word: Wallets.
The word “wallet” appears in the proposal 132 times. This is not a minor update to the regulation; it is a massive change in direction. The Self-Sovereign Identity community are naturally very excited about this. At face value the proposals appear to align very closely with their approach.
There are some reasons why this won’t be self-sovereign identity in its truest sense, however.
- Users will not have complete freedom over which wallet to use. Only wallets recognised by member states will be permitted. And this could lead to some variation in the quality of service offered to citizens. The EU is proposing to build a toolkit of standards and guidelines but ultimately it will be down to the individual member states to decide what is right for their citizens. And some member states will be better positioned to do this than others.
- Users will not have complete freedom over where they can use their wallets. Or to put it another way, relying parties wishing to rely on information provided by the wallets will be regulated. That is no bad thing, serving to protect citizens from inadvertently sharing information with untrustworthy parties.
- These wallets will only be usable within the EU. The whole purpose of eIDAS is to facilitate the EU digital economy. The regulations have provisions to allow the EU to recognise third countries that conform to its standards but until such countries become recognised, the wallets will only work in the EU (or possibly the European Economic Area). Furthermore, should a member state decide to leave the EU, then potentially the wallets issued to its citizens would cease to work in the EU.
- The EU is not doing away with the existing notified eID schemes. Quite the opposite in fact. The proposed regulation will require all member states to have at least one such notified scheme (today it is optional). How the eIDs and wallets will interact is not completely clear. From my reading, it appears that eIDs will continue to be available for public sector use cases as they are today but wallets will support both the public and private sectors. So perhaps this suggests a roadmap towards a wallet-only future.
eIDAS in its current form has struggled to take off, so the EU had to do something. And this is a bold step for sure. Not only that, the timeframes laid out in the regulation are eye-watering, especially when you consider the time it has taken to get where we are with eIDAS today. The proposals say that within 6 months of adoption of the regulation, technical standards will be complete and after another 6 months member states must have their wallets ready. That seems like a very tall order to me.
And there is more
Article 12b of the proposed regulation includes the statement:
“Where very large online platforms … require users to authenticate to access online services, they shall also accept the use of European Digital Identity Wallets…”.
It’s not completely clear what “authenticate” means in this context – whether they are referring to onboarding or logon or both. What is clear is who this is aimed at. The EU defines very large online platforms to be those with 45 million or more users. There is clearly a desire to make sure the EU doesn’t lose control of digital identity to the large internet platforms, which they probably would do if progress continued at the pace of eIDAS so far.
It’s interesting then that just a few days later Apple announced that its wallet will soon support US driver’s licences and state ID cards. Surely this is just the beginning of Apple making a broader digital identity wallet play.