EU Digital ID Wallet Onboarding Delayed by Biometric Gaps

Published Date : 7/7/2025 

French and German authorities highlight the urgent need for biometric security standards to secure EU Digital Identity (EUDI) Wallet onboarding, emphasizing unresolved gaps in threat mitigation and testing protocols. 

The French and German cybersecurity agencies, ANSSI and BSI, have issued a critical report warning that the EU Digital Identity (EUDI) Wallet onboarding process cannot proceed without robust biometric security standards. Their findings, published in a joint paper titled 'Remote Identity Proofing for EUDI Wallet Onboarding: Strengthening Assurance Against Evolving Threats,' underscore the risks of incomplete protocols and the lack of harmonized testing frameworks. The report, part of an annual series, revisits earlier threat models and highlights progress made since 2023, but also points to persistent vulnerabilities in remote identity verification. n nThe EUDI Wallet, designed to streamline digital identity management across the EU, requires a Level of Assurance (LoA) High for onboarding. While traditional national digital IDs meet this threshold, alternative credentials involving face biometrics and ID document verification introduce significant technical and security challenges. The report stresses that without standardized measures, these methods could compromise the integrity of remote onboarding. Key recommendations include implementing presentation attack detection (PAD), injection attack detection (IAD), and randomized challenge-response mechanisms to prevent replay attacks and tampering. n nA major concern is the reliance on optical character recognition (OCR) for ID document processing. The agencies note that OCR is susceptible to errors caused by lighting, focus, and image distortion, which could lead to data collection inaccuracies. Reading electronic chips on ID documents is more secure but faces legal restrictions in some countries. This creates a dilemma for developers aiming to balance convenience with security in the EUDI Wallet framework. n nThe report also identifies a critical gap in the standardization of biometric security protocols. While efforts by organizations like ETSI and CEN have intensified, several issues remain unresolved. For instance, the ETSI TS 119 461 standard, which outlines requirements for remote identity proofing, lacks clear alignment with LoA High. Similarly, the CEN/TS 18099 standard for injection attacks requires more technical specificity to ensure consistent implementation. These shortcomings hinder trust comparability and complicate the mapping of security measures to compliance levels. n nThe EUDI Wallet onboarding standard CEN/TS 18098, currently under development by CEN TC 224 WG20, lacks detailed guidance on conformance. This ambiguity leaves room for interpretation during audits, undermining the reliability of security assessments. The report calls for temporary measures, such as harmonized evaluation criteria and mandatory PAD/IAD testing, to bridge the gap until full standards are finalized. It also emphasizes the need to address identity document verification gaps by establishing rigorous test criteria and prioritizing chip-based verification. n nANSSI and BSI’s findings reflect a broader challenge in the EU’s digital identity ecosystem. As the EUDI Wallet aims to replace fragmented national systems, the lack of unified security standards could delay its adoption. The agencies warn that without immediate action, the risk of fraud and data breaches will increase, eroding user confidence in the platform. n nThe report’s publication follows a series of updates on remote identity proofing, with the 2023 edition focusing on general threat models. This year’s paper builds on that foundation, analyzing how evolving threats have shaped the need for stricter protocols. It also highlights the importance of collaboration between regulators, developers, and standardization bodies to ensure the EUDI Wallet meets the highest security benchmarks. n nAs the EU moves forward with its digital identity initiatives, the call for biometric security standards is more urgent than ever. The ANSSI and BSI report serves as a wake-up call, emphasizing that the success of the EUDI Wallet hinges on addressing these gaps. With the right frameworks in place, the platform could revolutionize digital identity management while safeguarding users against emerging threats. n nThe EUDI Wallet’s future depends on the timely completion of standards like ETSI TS 119 461, CEN/TS 18099, and CEN/TS 18098. Until these are finalized, temporary measures must be implemented to maintain security. The agencies’ recommendations provide a roadmap for achieving this, but their success will require coordinated efforts across the EU’s digital infrastructure. 

Frequently Asked Questions (FAQS): 

Q: What are the main security challenges for EUDI Wallet onboarding?

A: The primary challenges include incomplete biometric standards, risks from OCR errors, and vulnerabilities in remote identity verification. Without harmonized protocols, the system could be compromised by presentation or injection attacks.

Q: Why are biometric standards important for the EUDI Wallet?

A: Biometric standards ensure the integrity of data and compliance with security requirements. They mitigate risks like fraud and data breaches, which are critical for maintaining user trust in the EUDI Wallet.

Q: What are the key recommendations from the report?

A: The report recommends implementing PAD/IAD, randomized challenge-response mechanisms, and prioritizing chip-based ID verification. It also calls for harmonized testing criteria and temporary measures until full standards are finalized.

Q: How do current standards fall short?

A: Standards like ETSI TS 119 461 and CEN/TS 18099 lack clarity and technical specificity. This creates ambiguity in audits and hinders consistent implementation, leaving security gaps in remote onboarding processes.

Q: What role do ANSSI and BSI play in this issue?

A: ANSSI and BSI are leading the push for stricter biometric security protocols. Their joint report highlights the urgency of completing standards and provides actionable steps to address vulnerabilities in the EUDI Wallet framework. 

More Related Topics :