EUDI Wallet Launch Slowed by Biometric Security Issues

Published Date : 7/7/2025 

French and German authorities highlight the urgent need for standardized biometric security protocols to ensure secure EUDI Wallet onboarding. The report emphasizes gaps in current standards and the risks of unverified identity verification methods. 

The EU Digital Identity (EUDI) Wallet initiative aims to revolutionize digital identity management across Europe, but its onboarding process is facing significant hurdles. A recent report by France's ANSSI and Germany's BSI underscores the critical need for robust biometric security standards to prevent fraud and ensure compliance with Level of Assurance (LoA) High requirements. Without these, the system's reliability remains in question, even as the demand for secure digital identity solutions grows. n nThe report, titled 'Remote Identity Proofing for EUDI Wallet Onboarding: Strengthening Assurance Against Evolving Threats,' builds on previous work from 2023. It revisits existing threats, highlights progress, and identifies key security gaps. The authors stress that while biometric authentication offers convenience, it introduces complex technical challenges that require immediate attention. For instance, using face biometrics and ID document verification for onboarding is practical but risks data breaches if not properly secured. n nOne of the primary concerns is the lack of standardized testing for biometric data integrity. ANSSI and BSI warn that current frameworks leave room for interpretation, making it difficult to assess compliance. This ambiguity undermines trust in the system and complicates efforts to map security measures to LoA High, which is essential for high-stakes applications like financial services or government portals. n nThe report also points to the limitations of optical character recognition (OCR) in reading ID documents. While OCR is widely used, it can fail due to poor lighting, focus issues, or image distortion. Reading the electronic chip on ID documents is more secure, but legal restrictions in some countries hinder its adoption. These gaps create vulnerabilities that malicious actors could exploit, particularly in video-based onboarding scenarios. n nTo address these challenges, the agencies recommend implementing advanced security features. Presentation attack detection (PAD) and injection attack detection (IAD) are critical for identifying fake biometric data or tampered video streams. Additionally, randomized challenge-response mechanisms can prevent replay attacks, where attackers use recorded data to impersonate users. However, the report notes that these technologies are not yet universally adopted, leaving systems exposed to evolving threats. n nA major roadblock is the incomplete development of security standards. The ETSI TS 119 461 framework, which governs remote identity proofing, lacks clear guidelines for mapping security requirements to LoA High. Similarly, the CEN/TS 18099 standard for injection attacks requires more technical specificity to ensure effective implementation. These gaps mean that even well-designed systems may fail to meet the necessary security thresholds. n nThe report also highlights the ongoing work on CEN/TS 18098, the EUDI Wallet onboarding standard. While progress is being made, the document still lacks detailed conformance guidance. This absence of clarity creates uncertainty for developers and regulators alike. Without standardized test specifications, it’s difficult to ensure that systems are interoperable or secure across different European countries. n nIn the absence of finalized standards, the authors propose temporary measures. They suggest harmonizing evaluation criteria and mandating biometric PAD and IAD testing as soon as possible. Addressing gaps in identity document verification is also crucial, requiring test criteria that conformity assessment bodies can use to validate systems. Prioritizing chip reading over OCR could further enhance security, but legal barriers must be addressed to enable widespread adoption. n nThe implications of these delays are significant. As more services shift online, the EUDI Wallet’s success depends on its ability to balance convenience with security. If biometric standards are not finalized soon, the system could face resistance from users and organizations wary of potential risks. This could slow the adoption of digital identity solutions, undermining the EU’s broader goals for digital sovereignty and user empowerment. n nFor now, the focus remains on collaboration between regulators, technologists, and industry stakeholders. The ANSSI and BSI report serves as a call to action, urging policymakers to accelerate standardization efforts. Without this, the EUDI Wallet’s promise of a seamless, secure digital identity experience may remain unfulfilled. 

Frequently Asked Questions (FAQS): 

Q: What are the main security challenges for EUDI Wallet onboarding?

A: The primary challenges include gaps in biometric data standards, vulnerabilities in OCR technology, and the lack of harmonized testing for security features like PAD and IAD. These issues risk compromising the integrity of remote identity verification.

Q: Why are security standards critical for the EUDI Wallet?

A: Standards ensure consistency, interoperability, and trust in the system. Without them, it’s difficult to verify compliance with LoA High requirements, which are essential for high-security applications.

Q: What are PAD and IAD, and why are they important?

A: Presentation attack detection (PAD) identifies fake biometric data, while injection attack detection (IAD) prevents malicious data from being injected into systems. Both are vital for preventing fraud in biometric authentication.

Q: How do OCR and chip reading differ in security?

A: OCR is prone to errors from environmental factors, while chip reading is more secure but restricted by laws in some countries. Chip reading is preferred for critical applications, but legal barriers limit its use.

Q: What temporary measures are suggested to address gaps?

A: The report recommends harmonizing evaluation criteria, mandating PAD and IAD testing, and prioritizing chip reading over OCR. These steps aim to mitigate risks until comprehensive standards are finalized. 

More Related Topics :