Contributed by Sebastian Elfors, Senior Solutions Architect, Yubico
Recognition of the value of FIDO in European digital identity systems and eIDAS continues to grow. This month has featured two new updates in Europe on the FIDO front: the release of a landmark ENISA report that discusses the role FIDO2 plays in eIDAS, and the accreditation by the Czech government of a new eID solution using FIDO2.
In March 2021, the EU Cybersecurity Agency (ENISA) issued the report Remote ID Proofing, which describes the current regulatory landscape and the supporting standards for remote identity proofing laws, regulations and practices in the European countries. ENISA’s report builds on the ETSI TR 119 460 and ETSI TS 119 461 documents, which describe the policies and practices for remote identity proofing among trust service providers in the EU. From a legal perspective, the report takes into account in particular the eIDAS regulation, the AMLD5 directive against money laundering, and the EU directives on issuing ID-cards and exchanging identity information.
Several methods for remote identification are proposed in the ENISA report: video-recorded sessions, identification based on eID schemes or electronic signatures, bank identification, scanning of existing ID-cards, or a combination of several methods. In particular, the option to identify a user with an eID scheme is of interest from a FIDO perspective. The following statement appears in section “2.2.4 Electronic identification means” of the ENISA report:
“A protocol used by several electronic identity means providers is OpenID Connect. It is an authentication layer on top of OAuth 2.0 and is specified by the OpenID Foundation. This protocol allows the identity of the applicant to be verified based on the authentication performed by an Authorization Server, and by obtaining basic information about the applicant. Another technology that can be used in eID solutions is FIDO2. The FIDO Alliance explains in a whitepaper how FIDO2 can be used for eID means corresponding to eIDAS article 8.”
In the very same month, the Czech Ministry of the Interior issued eIDAS accreditation to the Czech domain registry CZ.NIC, meaning that its identity provider mojeID can deploy FIDO2 as an eID scheme at eIDAS level of assurance High under the following conditions:
- The FIDO2 authenticator is FIDO certified at Level 2 (or higher)
- The FIDO2 authenticator is based on a secure element that is certified at FIPS 140-2 Level 3 or Common Criteria EAL4 + AVA_VAN.5
- The FIDO2 authenticator has a PIN set, and the PIN (i.e. user verification in WebAuthn terms) is required for all transactions at level of assurance High
- Username and password are used in conjunction with FIDO2
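Three of the four conditions above are things the relying party can enforce on every assertion it receives: the UV flag in the WebAuthn authenticator data proves that the PIN was entered, the AAGUID (stored at registration) identifies the authenticator model so it can be matched against the certified-hardware allow-list, and the password factor is tracked as session state. The following Python is an added example written for this post, not code from mojeID, CZ.NIC or Yubico. The RP ID `rp.example`, the AAGUIDs, the `ALLOWED_AAGUIDS` allow-list and the `loa_high_failures` policy function are all constructed for illustration; a real deployment would populate the allow-list from FIDO Metadata Service entries with certification status FIDO_CERTIFIED_L2 or higher and the required secure-element certification.

```python
import hashlib
import struct
import uuid
from typing import List, Optional

# WebAuthn authenticatorData flag bits (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric performed on the authenticator)
FLAG_AT = 0x40  # attested credential data (AAGUID, credential ID, public key) follows
FLAG_ED = 0x80  # extension data follows

# Constructed allow-list: AAGUIDs the RP has accepted after checking the FIDO MDS
# entry for FIDO_CERTIFIED_L2 (or higher) and the secure-element certification.
# This is a hypothetical value, not the AAGUID of any real product.
ALLOWED_AAGUIDS = {uuid.UUID("00000000-0000-4000-8000-0000000000aa")}


def parse_authenticator_data(data: bytes) -> dict:
    """Parse the fixed 37-byte header of authenticatorData and, if the AT flag is set, the AAGUID."""
    if len(data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    parsed = {
        "rp_id_hash": data[:32],
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "at": bool(flags & FLAG_AT),
        "sign_count": sign_count,
        "aaguid": None,
    }
    if flags & FLAG_AT:
        # Attested credential data: 16-byte AAGUID, 2-byte credentialIdLength, credentialId, COSE key.
        if len(data) < 37 + 16 + 2:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = uuid.UUID(bytes=data[37:53])
    return parsed


def build_authenticator_data(rp_id: str, flags: int, sign_count: int,
                             aaguid: Optional[uuid.UUID] = None) -> bytes:
    """Construct authenticatorData bytes for this example; a real RP receives them from the browser."""
    if aaguid is not None:
        flags |= FLAG_AT
    out = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if aaguid is not None:
        # Minimal attested credential data with a constructed 4-byte credential ID. The COSE public
        # key that would normally follow is omitted because this policy check does not need it.
        out += aaguid.bytes + struct.pack(">H", 4) + b"\x01\x02\x03\x04"
    return out


def loa_high_failures(auth_data: bytes, rp_id: str, registered_aaguid: uuid.UUID,
                      password_verified: bool) -> List[str]:
    """Return the conditions this assertion fails for the LoA High policy above (empty list = accepted).

    registered_aaguid is what the RP stored at registration: assertions normally carry no attested
    credential data, so the authenticator model must come from the RP's own records. Signature
    verification and challenge/origin binding are assumed to have been done before this check.
    """
    failures = []
    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rpIdHash does not match this relying party")
    if not ad["up"]:
        failures.append("user presence not asserted")
    if not ad["uv"]:
        failures.append("user verification (PIN) not performed: UV flag is clear")
    aaguid = ad["aaguid"] if ad["aaguid"] is not None else registered_aaguid
    if aaguid not in ALLOWED_AAGUIDS:
        failures.append("authenticator %s is not on the certified-hardware allow-list" % aaguid)
    if not password_verified:
        failures.append("username/password factor not verified in this session")
    return failures


if __name__ == "__main__":
    certified = uuid.UUID("00000000-0000-4000-8000-0000000000aa")
    ok = build_authenticator_data("rp.example", FLAG_UP | FLAG_UV, 7)
    print("PIN + certified key + password:", loa_high_failures(ok, "rp.example", certified, True))
    no_pin = build_authenticator_data("rp.example", FLAG_UP, 8)
    print("touch only:", loa_high_failures(no_pin, "rp.example", certified, True))
```

The RP obtains the UV flag only if it requested `userVerification: "required"` in the assertion options; with `"preferred"` a user can complete the ceremony with touch alone, which is exactly the case the `no_pin` sample above rejects. Checking the flag server-side, rather than trusting the client-side option, is what makes the PIN condition enforceable.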
Both ENISA’s report on remote identity proofing and the official approval of CZ.NIC’s FIDO-based eID scheme are good examples of how FIDO has been recognized as a viable authentication protocol for eIDAS-compliant eID schemes in the EU.