BSI and ANSSI warn against VideoIdent for the EU digital wallet

The BSI and its French partner authority ANSSI describe video-based identification when applying for the planned EUDI wallet as "challenging".

Demo of the EUDI wallet

(Image: c't)

With the regulation for a European electronic identity (EUid), the EU states have committed to providing their citizens with digital wallets for their online ID by the beginning of 2027. This should enable users to use their driving licenses or certificates digitally with various online services in the future. Before such a wallet can be used for the European Digital Identity (EUDI), it must be linked to the user and provided with their identity features. One possible technology for this so-called onboarding is video-based remote identification (VideoIdent). Experts warn of inadequate security here.

To ensure trust and security, the onboarding procedures for all existing and future services and applications relating to the EUDI wallet must have a high level of trust in accordance with the requirements of the revised eIDAS Regulation. This is emphasized by the German Federal Office for Information Security (BSI) and its French counterpart ANSSI in a recently published joint handout. The methods discussed include "evaluated and certified procedures for remote identity verification".

According to the two authorities, such approaches, which are familiar from SIM activation or account opening, are popular as they can be used flexibly, regardless of location and at any time. However, the use of video-based methods with the help of biometric features in particular "also brings with it considerable technical and security-related challenges". For example, identities could be generated with the help of AI, presented documents could be forged or attackers could even gain "complete control over transmitted information".

Video-based identity verification is "fundamentally susceptible to repeatable, scalable and invisible attacks such as presentation and injection threats", the authors explain. In addition, electronic data from ID documents may not yet be legally read by service providers in many countries. If stored photographs could be used as a reference for biometric matching, along with other verifiable data such as name, date of validity and date of birth, this would offer considerable advantages for the security of such procedures.

BSI and ANSSI therefore emphasize the need for "a comprehensive and Europe-wide approach to testing, certification and standardization" in this area. This is the only way to ensure a high level of security in onboarding processes, interoperability between national systems and sustainable trust among users and supervisory authorities. According to the two security agencies, they are currently working on adapting existing standards for video identification and developing new ones in European standardization committees.

Members of the Chaos Computer Club (CCC) managed to circumvent the video identification procedures of six providers using simple means as early as mid-2022. Despite this, German authorities approved a further evaluation phase for the use of this technology to apply for a qualified certificate for digital signatures at the end of 2023.

(nen)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.