As part of the revision of the EU common identity framework regulation, also known as eIDAS 2.0, the EU Member States will all implement a new common structure for electronic credentials based on digital identity wallets. The revision is set to take effect everywhere in the EU sometime between 2025 and 2026. Over 250 private companies and government authorities across 25 EU Member States and Norway, Iceland, and Ukraine are participating in four large scale pilots to develop the underlying technology and test real-life use cases across the EU.
As opposed to the widespread use of federated identities, where cloud-based digital identity providers are the central points for users to access any number of online services, the EU Digital Identity (EUDI) wallet aims to offer a new approach where the user is in control of when and where their personal data is shared and with whom. User credentials and data will include things like driver’s licenses, insurance cards, work and student visa, travel documents, credit card data, educational credentials, digital medical prescriptions, etc.
Yubico has been invited to join as associate partner in EWC, one of the four EUDI wallet large scale pilots, and will formalize the membership later this year. The EWC project was co-founded by Swedish government agencies including DIGG (Agency for Digital Government), Bolagsverket (Companies Registration Office) and Vetenskapsrådet (Research Council) and Sunet (University Computer Network). Bolagsverket is together with the Finnish Ministry of Finance the coordinator of EWC.
The objective has been to demonstrate an ARF-compliant wallet architecture that is independent of major phone and platform providers, yet secure and easy to use. GUnet (Greek Universities Network) has developed an open source web based identity wallet. Yubico, along with GUnet and other research and education networks including Sunet in Sweden, have collaborated in adding support for FIDO-based authentication and encryption.
The importance of FIDO in securing digital wallets
FIDO is a global open standard for user authentication supported by all major web browsers on both desktop and mobile platforms, with free open source software – supporting competition and innovation. It combines an improved user experience with a high level of security, practically eliminating cybersecurity threats such as phishing and credential stuffing. Critical cryptographic operations can be delegated to dedicated hardware in the form of FIDO security keys, available from multiple vendors including Yubico. Users do not need a Smart Card reader to use FIDO security keys, and no client application is required to use them, other than a web browser.
Apart from user authentication, FIDO security keys can play a crucial role in securing identity wallets. A wallet’s contents can be encrypted and decrypted using cryptographic keys derived from secrets bound to the secure hardware of a FIDO security key. Additional security keys can be added to protect an individual’s wallet as a backup, or users sharing an organizational wallet can use their own FIDO security key to access that wallet.
By delegating as much as possible to a trusted external device, the wallet can be implemented as a web application that makes it independent from the mobile platform. This means citizens are truly in control of their own identity, without any dependencies on app store politics or vendor locks, much in line with the European Commission’s desire to reduce the market dominance of non-EU “Big Tech”.
Additionally, as opposed to traditional smart cards and service specific OTP-based authentication tokens for banking, FIDO security keys also work with hundreds of other leading consumer and enterprise online services and applications, without any user data being shared between the services. Thus far, some government services, including in the US and UK, have made FIDO login to their services. Millions of consumer and business users around the world have already adopted the technology and carry these keys in their keychains, which will automatically work with any web-based EUDI wallet.
The initial focus of Yubico’s efforts will be to assist EWC in producing a wallet that can be used for use cases that require shared control over a wallet – e.g. for companies and other legal entities. This is sometimes referred to as an “organizational wallet” or a legal person wallet. The goal is to then develop more use cases across government and commercial services where users cannot or do not want to rely on a mobile platform. By 2026, the EU Commission has a goal to enable all EU citizens with EUDI wallets, hosted by and interoperable with any number of government, financial, and other commercial services.
The working demo is at https://demo.wwwallet.org and the source is published under a BSD-2 license at https://github.com/wwWallet/wallet-frontend. The initial use case presented in the demo and in the video below is based on educational credentials which is covered by another of the large scale EUDI wallet pilots called dc4eu. The two projects have a very close collaboration and share the goal of building a scalable solution for all of Europe.
Next steps
In a few months, we plan to release an alpha version of the wwWallet software compatible with the latest version of the EU wallet Architecture Reference Framework (ARF) and we will be able to support at least one the following use-cases:
- The EU social security card
- Banking applications requiring multiple user control
- Use-cases involving power-of-attorney
- Educational credentials
As the FIDO security key pioneer and a leading contributor to FIDO authentication standards, the Yubico team is excited and honored to now help shape the next generation high secure, high privacy and easy to use wallet based identity solution. Once successfully proven to scale for European citizens, the architecture can be adopted by any country in the world, supporting our mission of making the internet safer for everyone.
