12. The Peculiar Case of Identity Digital Wallets
How Digital Wallets have evolved to the concept of Identity Digital Wallets and why this is somewhat peculiar.
For Identity, 2023 is the year of Identity Digital Wallets, Verified Credentials, and Passkeys. These are all hot topics, important, and worthy of at least a newsletter each. In this newsletter I’ll consider Identity Digital Wallets – what they are and the inherent challenges in implementing them for Identity.
But why the title “The Peculiar Case of Identity Digital Wallets”? Well, because while they are a great idea, the very people promoting them have highlighted some massive implementation issues. That sounds peculiar to me!
Digital Wallet Functions
Before I delve into Identity Digital Wallets (IDWs), I’ll consider Digital Wallets (DWs). DW is a general term that applies to many types of app. So categorizing them is not easy, but in this first attempt I’ll focus on the functions that DWs support.
The most obvious function is Card Support. Just like a wallet, the DW stores cards which can be then made digitally available. The Google Wallet and Apple Pay are the most well-known examples:
Note the card types supported are more than just payment cards. As per the Google example above, a Covid card, a transit card, and a membership card are all be supported.
Solutions that purely focus on storing identity cards in a wallet are EIDs. The abbreviation EID (sometimes written eID) originally described identity cards which had a chip and hence were electronic. Now, in Identity, EID is used to describe the storing of such identity cards in a smartphone wallet. Current examples of EIDs are the initiatives in the USA to store drivers’ licenses using Apple Pay.
I include within EIDs Identity Hubs such as Yoti, which have since 2014 utilised their own DW to build a user base and become an Identity Hub. But while they have gone beyond storing cards to storing other documents such as passports, they still function in a limited fashion. So, while they may claim to be full identity solutions (and IDWs as per my definition below), they are simply creating a digital version of physical IDs, thereby eliminating the need to carry all those plastic cards and documents.
One of the earliest and most successful wallet functions is the purse. Strange to think that a purse fits into a wallet, but some wallets do have pockets for coins, so I guess the analogy holds ok. Alipay and WeChat started as payments enablers by holding cash on the customers behalf.
And then we have the add-ons! I struggle to find a better word than this, but the challenge is that once you have a ‘killer function’ to bring in the punters, such as a purse, you can then ‘add-on’ all sorts of functions. Look at the main Alipay screen below:
My expertise in Chinese script is very limited, but clearly there is a bit more functionality and interactivity going on than occurs in my physical wallet. There seem to be many financial and transport services that go beyond storing and presenting a simple card to actually executing transactions within the DW.
New Zealand has its own DW. Dosh is an example that provides a purse and supports its own payment card. It is a relatively easy-to-use app that supports person to person payments and other general payment functions. But it is not yet ubiquitous – there is more to a DW than being good technology!
And, now, we have Identity. The Identity solutions proposed are a lot more than a card stored in an app – they are full ecosystems. I describe the approaches and what is happening in the next section.
So, in summary, DWs have many functions which I categorize as:
card support
EID
purse
add-ons
identity
They are relatively easy to build but need scale to be successful. The Chinese DWs, Alipay and WeChat, with user bases in the billions, show what success can be like. But, of course, reaching such lofty heights is not so easy!
Identity Digital Wallets (IDWs)
The concept of an Identity Digital Wallet (IDW) as a full Identity ecosystem has now emerged in the European Union (EU). This goes way beyond the concept of an EID DW. I’ll discuss the both initiative’s aims and the published issues with the security.
EU eIDAS 2.0
Initially, in 2014, the EU eIDAS (Electronic Identification, Authentication and Trust Services Regulation) focused on identification and authentication. Now, in its latest version, eIDAS 2.0 creates a regulatory framework for cross-border digital identity. A key part of this is the European Digital Identity Wallet, but in line with my terminology I’ll call this an IDW. The EU’s IDW aims to provide all the functions of Identity (the model below is from my newsletter 2):
As the EU states on their website:
"The EU Digital Identity Wallet will provide a secure and convenient way for European citizens and business to share identity data needed for accessing digital services such as checking in at the airport, renting a car, opening a bank account, or when logging in to their accounts on large online platforms. With a click of a button on their phone they will be able to securely share information stored in digital versions of their driving licence, professional or educational credentials, and medical prescriptions."
Clearly the EU IDW aims to support 2-party and 3-party identity transactions in multiple environments of in-person and on-line, for multiple types of transactions, and in multiple countries. This is a hugely ambitious project!
Being the EU, this initiative requires a pilot. The EU, being the EU, has four pilots being run by four huge consortia with a cast of thousands. I suppose the rationale is that one of the consortia must be successful, but it is hard not to be a little sceptical about their chances (check out the long lists of participants and the pilots are schedule to be running in 2025).
The little issue of security
So there are large expectations for this IDW and much activity. But the EU’s own documentation highlights a security issue that is both conceptually and practically impossible to resolve!
In the EU’s design document, “The Common Union Toolbox for a Coordinated Approach Towards a European Digital Identity Framework, The European Digital Identity Wallet Architecture and Reference Framework, January 2023 Version 1.0.0.”, pages 28-29, it states:
“Where an EUDI Wallet Solution has an application running on a mobile device, there may be a need for additional trusted components which are not part of that application but are nevertheless part of the EUDI Wallet. Such a need may arise for reasons:
Security: e.g., if a particular device does not have sufficiently secure hardware like a secure element, external hardware components like smartcards may be needed”
In other words, the EU IDW will be secured through hardware and this may be an external device. How are we going to make that work? Does anyone in the EU understand the impossibility of the EU population all having homogeneous smartphone security hardware? It is problematic getting two smartphones from the same manufacturer to operate the same but, if we want a ubiquitous IDW solution for all citizens, we will need all smartphones in use, from different manufacturers with multiple models and versions, to somehow operate the same way!
We tried this strategy in New Zealand in a SEMBLE, an initiative to create a payments card DW. The complexity of using the security hardware in current smartphones from just one manufacturer was highly problematic and the project failed (https://www.stuff.co.nz/business/82147557/developers-of-semble-mobile-wallet-app-refocusing). Think of doing this for all smartphone manufacturers and all common smartphone models still being used!
Well, one EU body recognizes the problem. The European Union Agency for Cybersecurity (ENISA) is the “Union’s agency dedicated to achieving a high common level of cybersecurity across Europe”. In their report “Digital Identity Standards, Analysis of standardisation requirements in support of cybersecurity policy, July 2023” they consider standards in the light of eIDAS 2.0 and come up with several recommendations, including (my bolding):
“In the context of the EU Digital Identity Wallet, EU policymakers should make use of the new Digital Markets Act to provide direct access from the Mobile Application to the security anchor provided by EU CC certified secure elements available on smartphones. This direct assessment will help create a Trusted Mobile EU Digital Identity. This recommendation should be complemented by a new standardisation request to the European Standardisation Organisations, to develop a unique API from the mobile application to the security anchor provided by the secure element certified by the EU cybersecurity certification scheme. This is crucial for the provision of full interoperability by various smartphone manufacturers.”
So, ENISA recommends that we need a common security API for ALL smartphones. This recognizes the need for a common way of accessing some standard security technology. But that does not solve the problem. There is no magic wand to turn a technology base of thousands of different devices into a standards-based environment.
Summary
So I have described Digital Wallets (DWs) and Identity Digital Wallets (IDWs).
The wallets that concern Identity are EID DWs and IDWs. EID DWs, such as a drivers license stored in a wallet, have utility but limited functionality. IDWs, if successful, will be the most significant Identity ecosystems on the planet even surpassing passports.
But while EU IDW project has a huge amount of participation it seems most peculiar in that it has already identified major challenges without having any inkling of how to solve the security challenge in practice.
Maybe, just maybe, the reason we do not yet have a fully functioning IDW is because it is almost impossible to make it a reality. Maybe, just maybe, trying to legislate an IDW into existence is more about keeping the good news story going rather than being a well thought out strategy. Maybe, just maybe, we need to think this through a bit more.
All the best,
Alan