An EU Digital Identity eWallet - the Next Step After PSD2?
First published: 21/10/2021
Back in January, the CEO of Okay, Fabien Ignaccolo, wrote a post on our 2021 predictions for Strong Customer Authentication. Among the predictions was a future PSD3 enabling SCA for the non-banking industry, as well as an expectation for a renewed focus on Digital Identity. While PSD3 is still on the horizon, there has actually been more significant movement in the eID sphere. In this post, we take a look at how and why the EU is now requiring implementation of this new wallet identity service.
The EU Digital Identity Framework
In June, the EU Commission proposed a “trusted and secure Digital Identity for all Europeans” in the form of a digital identity framework, designed to provide universally recognisable identities throughout Europe. This framework has already been a topic in some conversations we’ve had over the last few months. This is because larger banks are finally realising that they’ll be required to support identities provided through this framework, both for signing up new customers, and probably as an authentication source for customer authentication.
Here in the Nordics, we’ve had various forms of eID services for nearly two decades, and they’ve all become quite pervasive. In addition to interacting with the government, the digital identities are used for every kind of Know-Your-Customer (KYC) and sign-on requirement, including banking, renting a car or apartment, education enrolment, or even proving your age when visiting a fully automated tanning salon. Currently, the Norwegian bankID solution is used only for authentication with online services, but there is no limitation on the kind of service one wants authenticated. As an example, there is a competitive market out there for document signing services. (You can read more about some of the use cases for eID in the Nordics in our earlier posts.)
The previous version of the EU-wide digital identity framework mainly dealt with using certificates for identification, while the new revision is much more ambitious. As defined in Article 1:
(c) establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services, certificate services for website authentication, electronic archiving and electronic attestation of attributes, the management of remote electronic signature and seal creation devices, and electronic ledgers.
In practice, this extends the earlier eIDAS regulation to also cover document management and sharing, attribute sharing (education diplomas, licenses, and personal information), and electronic ledgers where transactions can be registered. It also helps enable a citizen of one country to more easily move to a new country in Europe, whether that’s signing up for (and potentially authenticating) a banking account, having their license electronically recognised, or renting an apartment. All of this is planned to be provided through app-based solutions, which should work both online and offline across Europe.
Challenges and Benefits
A couple of years after the initial eIDAS regulation came into force, we seriously considered implementing it in our own offering. After all, we were already using certificates for communication and proving the ownership of the device. But, because it was clear that eIDAS didn’t have much traction, we soon gave up.
Obviously, the new regulation is far better in the way it extends outside of the public sector, which can help drive the adoption of the regulation. An additional benefit is that it has the potential to help avoid fragmented eID implementations across Europe and stave off the “big tech” competitors in the space (such as Facebook, aka Meta).
However, it is important to note that the revised framework is extremely ambitious from a system design point of view. Just being able to transfer and interpret attributes, such as an “education diploma”, is a difficult enough problem within a single country, not to mention across European borders.
On the other hand, if done correctly, the benefits can be similarly huge. The simple form of eID that we’ve had in the Nordic countries has had a strong positive impact, both on companies that can launch totally new services, and on its citizens who don’t have to go through cumbersome KYC procedures. Simply put, because the revised eIDAS directive is more ambitious, the impact it can have can be correspondingly larger.
What we’ve seen in the Nordics is that launching private services based on eID doesn’t work before a sufficient percentage of the population has been enrolled. In Norway, this took about 10 years, and the driver was that all the banks were using it as their preferred authentication method. Of course, having an eID that works with the public sector is also useful, but with tax returns being automatic, it doesn’t drive adoption to any high degree.
The real benefits for companies happen when eID is available for a large percentage of the population. It is not clear yet what the big driver will be for the revised eIDAS directive, but as it is planned to be launched in 2030, there is still some time to figure it out.
Will the eID Become Required for a Normal Life?
According to the EU Commission, the digital identity wallet will always be “at the choice of the user”. Over the last few years, the Nordic countries have made eID a requirement for signing up. There are two reasons for this: First, many services, such as payment and loan services, can have high KYC costs. Second, for companies with very low margins, it can be worth it to limit the potential customer group only to those with a valid eID, as that makes it easier to automate the entire process.
Of course, other companies have built business models that only make sense if identifying the customer is cheap and immediate, such as the example of automated tanning salons above.
Some practical consequences of this are that by not having an eID, you limit access to commercial services, and losing access to your eID is incredibly inconvenient. It can be very problematic if you’re unable to log into your bank, do your taxes online, or use an app to park your car. In itself, this doesn’t have to be a big problem for most people, but it raises topics such as the right to be anonymous and the right of non-citizens to access services in Europe.
We at Okay are of course watching the development of eID initiatives closely, as it is very much related to Strong Customer Authentication. If you’re interested in this topic, please reach out to us on LinkedIn, or sign up for our newsletter.