Wallets & Authentication
Combined Session
Friday, June 07, 2024 11:30—12:30
Location: A 03-04
Friday, June 07, 2024 11:30—12:30
Location: A 03-04
Digital wallets are applications used to receive, store, and share identity attributes in a standards-based [preferably], secure, privacy enhancing fashion. To prove that the legitimate, natural person is receiving, in possession of, or sharing these identity attributes a means to bind them to the natural person is needed.
In 1995, for example, the International Civil Aviation Organization (ICAO) clearly recognized the desirability of pursuing the use of biometrics in travel documents as the single best way to link the document and its rightful “owner.”
In this example the issuing authority binds the identity attributes to the authorized holder by including biometric data in the cryptographically signed logical data structure. When the holder makes an identity claim the relying party (verifier) can determine the authenticity and integrity of the identity attributes and, through biometric recognition, determine if the authorized holder is presenting the information. This works well for the intended use case: in-person identity verification by government authorities for cross border travel.
The EU, for another example, specifies three assurance levels for electronic identification (low, superior, and high) which involve different levels of rigor in the identity proofing process and in the binding process itself, from:
The binding has been established on the basis of nationally recognised procedures.
to
The binding has been verified on the basis of a unique identifier representing the legal person used in the national context; and on the basis of information uniquely representing the natural person from an authoritative source.
Here the EU defines authoritative source as:
any source irrespective of its form that can be relied upon to provide accurate data, information and/or evidence that can be used to prove identity;
The goal of digital wallets in general, and the EU digital wallet in particular, is to be able to prove identity claims to a certain level of assurance both in-person (like an ICAO ePassport or ISO 18013-5 mDL) and on-line (like an ISO 18013-7 mDL).
This session will discuss how authentication may rely on the digital wallet to bind the holder to identity claims and what the associated challenges as influenced by varying levels of assurance.
OpenID Connect (OIDC) has become the go-to method for user authentication due to its seamless integration. Transitioning towards the more privacy-preserving Self-Issued OpenID Connect Provider (SIOPv2) will be a complex endeavor.
To simplify this shift, Impierce Technologies has created an open-source OIDC - SIOPv2 Bridge. This bridge can run alongside an Identity Provider, allowing seamless interaction with SIOPv2 Identity Wallets. The Relying Party (RP) continues to enjoy the ease of integration that OIDC provides, while the user can utilize their Identity Wallet to authenticate themselves. Through the inclusion of the OpenID4VP standard, users can also include Digital Credentials such as Verifiable Presentation in order to share (verifiable) attributes.
The bridge is an intermediary solution that provides a straightforward way to boost the adoption of SIOPv2-enabled Identity Wallets with minimal integration effort, bringing RPs closer to eIDAS 2.0 compliance and following Self-Sovereign Identity (SSI) principles.
We will explore how we bridged the 2 standards, showcase the results, and explore further opportunities with this concept.
Providing a product or service across markets internationally can come with significant technical and regulatory overhead. The challenge of such overhead might seem to reduce itself in the current market development in Europe with the soon to be standardized eIDAS architecture and unified wallet interaction protocols that seem to streamline identity integration requirements across 27 countries. In practice though, moving beyond the EU context will still require significant adaptation and often parallel implementation of identity standards and protocols, this is true for the Swiss market as much as it is true for the US or even Japanese market. While all these markets move towards the digital identity wallet paradigm as a new identity model, their technical approach differs significantly.
Abstracting this complexity for companies that simply want to provide their product or service across markets is a tough challenge. Solution providers need to consistently monitor changing specifications, requirements, and regulation, while making sure that their own technological platform is ready to support the variety at hand. Many incumbent solutions and platforms do not handle such diversity well since they were developed for a concrete market environment and then updated on a sub optimal path of evolution towards ever more complexity.
As a Swiss provider of digital identity core technologies, Procivis had to naturally tackle the challenge of a future proof technology solution that is capable of handling complexity since day one. Our home market is too small to justify a solution built for only that environment, so we had to get creative and build a product that can naturally handle complexity and interoperability without compromise.
This presentation will tell the story of our journey to rethink product development in times of uncertainty. It will describe how we learned to radically build for adaptability and extensibility. After the initial instinct to resist uncertainty, we learned to embrace it and I will talk about our company's journey to this new state of consciousness.
