eID: German version of the EUDI wallet with cloud-based key storage

The President of the German Federal Office for Information Security (BSI), Claudia Plattner, presented a local prototype for an e-wallet based on the European Digital Identity Act (EUid) at the re:publica internet conference in Berlin on Tuesday. The app is currently called EUDI (European Digital Identity). After opening the application, it showed: "My ID is in there", as Plattner explained. Names, birthdays, addresses and other personal data are also stored in the wallet.

As a usage scenario, the BSI boss demonstrated the opening of a bank account. To do this, she identifies herself with her online ID, enters her address and releases the required information after being prompted to do so and entering a six-digit PIN. The details of the transfer can be displayed to the user. And the account is created.

"We do the same thing for paying parking tickets," said Plattner, giving another example. The list of potential applications is endless. The aim is to integrate a driver's license, vehicle, police clearance certificate or registration certificate into the official wallet. Ultimately, citizens should be able to handle all interactions with the state "on the side on the sofa". The functions would be constantly expanded: for example, "a bank should also have to identify itself to me". Trust and interoperability in Europe are crucial for acceptance, so that citizens can also identify themselves in France or Portugal, for example.

Foundation for more digital sovereignty

Security is an issue that distinguishes the EUDI wallet from commercial providers and "we are really good at this", the mathematician emphasized. One reason for this: "We understand the issue of data protection." Plattner was convinced that she had also achieved the best possible user-friendliness. The wallet is ultimately the "perfect foundation" for more digital sovereignty in parts of the IT value chain, such as an operating system for cell phones.

Torsten Lodderstedt, EUDI Wallet project manager at the Federal Agency for Spring Innovation (Sprind), told heise online that the project is on schedule. The institution is not only running an innovation competition to develop prototypes, but is also responsible for the overall project in cooperation with the Federal Ministry of the Interior, the Department for Digitization and State Modernization, the BSI, the Fraunhofer Institute for Applied and Integrated Security (Aisec), Bundesdruckerei and PwC. The competition is currently in its final stage and the results will be presented in Berlin in mid-October.

According to Lodderstedt, the cooperation partners started developing the app in summer 2024. A cloud-based key storage system is envisaged with a high level of trust. The CDU/CSU parliamentary group in the German Bundestag had previously brought such a variant with a hardware security module (HSM) into play alongside the "frequently referenced solution" based around a hardware component such as a secure element or the eSIM.

Security and consumer protection peripheral?

The basic product will go into test operation at the end of the year, Lodderstedt explained. It should be available to end users a year later. The regulation obliges EU member states to provide their citizens with an EUDI wallet by 2027. Unlike the ID Wallet project for the e-driver's license and a virtual wallet, which was widely publicized but quickly declared a failure due to security flaws, Sprind will go live with the new solution step by step. Various usage scenarios are being tested to ensure "that the whole thing works". The ID, verification and signature functions are currently being implemented, and a payment solution will be added next.

Parliamentary Digital State Secretary Thomas Jarzombek (CDU) described the offline function as a "killer feature". Internet will not necessarily be required to use the EUDI wallet, "but you should have electricity". It is an open source platform, so the politician can imagine using it to inspire the annual meeting of the Chaos Computer Club (CCC).

However, it is not only in the hacker community that there are still major reservations about the project. IT security expert Lilith Wittmann, who had already scrutinized the ID Wallet and found what she was looking for, recently complained that even in the ongoing development process, security issues were being dealt with peripherally at best. It is apparently only about "creating an official marketplace for guaranteed genuine personal data". Elementary issues such as liability if documents are stolen from the wallet and used for fraud are being left out. Civil rights activists are also complaining that the EU Commission wants to soften consumer protection and open back doors for over-identification.

(akn)