Over the past few years, FIDO has continued its expansion as an authentication standard among eIDAS-compliant identification solutions across the EU. Back in 2020, FIDO was deployed as part of an eID scheme by MojeID, the identity provider of the Czech domain registry CZ.NIC, and FIDO's eID scheme was recognized as LoA Substantial and High by the Czech Ministry of the Interior. The year after, the Norwegian trust service provider Buypass deployed FIDO2 as an authentication standard for an eIDAS eID scheme of LoA Substantial and High; this solution has been accredited by the Norwegian digitalization agency and is now being rolled out in the Norwegian healthcare sector. In April 2023, the FIDO Alliance published a white paper that describes how FIDO can be used for the EUDI Wallet under the proposed eIDAS2 regulation. So FIDO is currently gaining momentum as an authentication standard in the EU.
On top of these success stories, the FIDO standards have recently been referenced by two of the most respected EU organizations within cybersecurity and standardization: ENISA (the EU Cybersecurity Agency) and ETSI (the European Telecommunications Standards Institute).
In July 2023, ENISA published the report “Digital Identity Standards”. The report provides a comprehensive overview of digital identity standards, standardization organizations, and authentication protocols. More specifically, the report describes the FIDO Alliance as “an open industry association launched in February 2013 whose stated mission is to develop and promote authentication standards that ‘help reduce the world’s over-reliance on passwords’”. Furthermore, the ENISA report describes the FIDO standards suite (FIDO2, FIDO U2F and FIDO UAF) in technical detail. The ENISA report also explains the concepts of FIDO Authenticators, FIDO Metadata Service, assertions with Relying Parties, and the WebAuthn and CTAP2 APIs. ENISA concludes that the maturity of the FIDO standards is high. This ENISA report reiterates and emphasizes the recommendation to use FIDO for two-factor authentication, which was published in 2022 in the joint publication “Boosting your Organisation’s Cyber Resilience” issued in cooperation by EU-CERT and ENISA.
Next, ETSI published the technical report ETSI TR 119 476, “Analysis of selective disclosure and zero-knowledge proofs applied to Electronic Attestation of Attributes”. The ETSI report analyzes cryptographic schemes for selective disclosure and their potential application to Electronic Attestations of Attributes in line with the proposed eIDAS2 regulation. The purpose is to allow users of EUDI Wallets to select which attributes they want to share with a verifier. For example, at a restaurant a user may want to disclose only that she is over 18 years old, and no other personal information. The ETSI report includes a description of the VC-FIDO solution, which was invented by David Chadwick at the University of Kent. The ETSI report states:
“The VC-FIDO integration is based on the W3C WebAuthn protocol in the FIDO2 standard. The WebAuthn stack is extended with a W3C Verifiable Credentials enrollment protocol, resulting in a client that can enroll for multiple atomic short-lived W3C Verifiable Credentials based on W3C Credential templates. These atomic short-lived W3C Verifiable Credentials can then be (temporarily) stored in an EUDI Wallet, and be combined into a Verifiable Presentation that is presented to the relying party (verifier). Selective disclosure is achieved since the user can enroll for the atomic attributes it needs for a specific use case, and present only those atomic (Q)EAAs to a Relying Party.”
These prominent references in the ENISA and ETSI reports demonstrate that FIDO has achieved a firm position as a viable authentication standard for eIDAS2 and regulated use cases in the EU. It will be interesting to follow the continued development of the EUDI Wallet implementations and the related Large Scale Pilots – it is quite likely that FIDO will be deployed in such solutions across the EU.
Author: Sebastian Elfors, senior architect at IDnow