Project Coordinator (EU) :
SICPA SPAIN S.L.Country of the EU Coordinator :
SpainOrganisation Type :
SMEProject participants :
SICPA
Fabian Torres, Role: Project Coordinator
Catherine Fankhauser, Role: Internal & external partnerships coordinator
Laurent Loup, Role : Responsible of ICT Documentation
Xavier Vila, Role: Tech solution coordination
Victor Martinez, Role: Software developer - solution architect
Matteo Marangoni, Role: Software developer
iRespond
Peter Simpson, Role: Executive director
Alan Cameron, Role: Director of Programs and Operations
State of US partner :
WashingtonStarting date :
Inclusive verification of cross-border and level of assurance-dependent digital credentials
Experiment description
Nowadays, cross-border identity-based transactions are mainly performed manually, cumbersome and require digital-savvy users.
Re-use of credentials often requires copies of poorly protected papers and manually verified documents, which leads to potential fraud and impersonation. Until recently, many governments have implemented some forms of digital identity within their own country. The model varies from siloes, centralized to federated approaches and is often led by the private sector (consortium of banks, telecom operators, etc...), where open standard is not a common pattern. The mostly used secure factor of people verification for electronic document on a global scale, is the ICAO-recommended RFID chip implemented in e-passports. RFID has limited data capacity, supports only read-only mode, requires special devices (e.g., dedicated readers or NFC enabled mobile phone) which limit the types of transactions, documents used and is not inclusive. Consequently, to have a seamless journey, and/or transact smoothly digitally, additional tools such as mobile digital wallets are needed to manage efficiently different credentials. Even though there is an increasing offer of a variety of digital wallets, several issues linked to this building brick can be observed such as:
- Lack of inclusivity - as mobile and Smartphones are needed
- Incompatibility with different version of Smartphones and operating systems (iOS vs Android)
- Battery issues preventing access to data
- Lost or broken mobile device
- Not easy credentials backup or recovery (e.g., new phone or wallet)
- Context specific application (e.g., bank, assurance, etc.)
- Cumbersome identification (login, password, etc.)
In the digital world, verification of the legitimate owner of the credentials using multi-source of information is needed to avoid impersonation issues and guarantee correct transactions. The rise of self-sovereign identity technology and trust framework is a big opportunity, as it allows infinite combination of claims and additional layers to increase the level of assurance. It solves those issues on a global scale and offer the world endless and cross-border digital applications.
hus, the objectives of our concept of “Inclusive verification of cross-border and Level of Assurance-dependent digital credentials” is to delegate access to verifiable credentials and identity to trusted third parties (e.g. university, government, banks, accredited ID providers...) based on reliable identification factors (e.g. decentralized identifiers, eIDAS electronic seal, biometrics, ... ) while preserving privacy and meet the data-protection regulations (e.g. data minimization, purpose limitation, transparency and confidentiality).
Implementation plan :
In this experiment is expected to replace mobile phones by a cloud agent for the storage of verifiable credentials rendering this digital identity more inclusive. The access to this latest will be triggered by secure factors of authentication that citizens will have to demonstrate control over at the point of verification. The verification mechanism should be secure, seamless, preserving data-privacy, inclusive and meet different levels of assurance requirements.
The solution is designed to be distributed, scalable and secure:
• ACA-Py agency is running in multi-tenancy mode and provisioned on AWS cloud.
• ACA-Py agency is running with automatic processing of connections, credentials and proofs disabled.
• ACA-Py agency can be scaled with multiple instances.
• Each traveler will have their own wallet.
• Each kiosk can have their own wallet.
For simplicity, the solution demonstration will use:
• All wallets are created in a single instance of ACA-Py.
• ACA-Py uses the Sovrin test ledger.
• All kiosks will use the same wallet.
• Kiosk uses iRespond Windows 10 application. There is not a SDK available to integrate iRespond with another app, so the user will need to paste the UNique IDentifyer (UNiD) generated by iRespond into the kiosk web application.
The experiment will be starting with a laboratory set-up to be classified as TRL 4 and it will be moving quickly on to a TRL 5 simulation of a real-world setting.
Impacts :
Impact 1: Enhanced EU – US cooperation in Next Generation Internet, including policy cooperation.
By interconnecting both eIDAS bridge and iRespond digital identity solution to SICPA and iRespond SSI platforms, we will be able to support governmental agencies and NGI developers to experiment the benefits of SSI for their digital transformation with a strong accent in inclusivity and interoperability.
The benefits of such a concept are to allow Europe and USA to rely on digital credentials issued by one of the two governments, without having necessarily aligned regulations, data-privacy policies, common identity infrastructure or similar security and level of assurance requirements.
Impact 2: Reinforced collaboration and increased synergies between the Next Generation Internet and the Tomorrow's Internet programmes.
Other key benefits of the experiment are to facilitate the digital transformation of the society, to boost the local economy thanks to trustworthy online transactions and to contribute to the globalization of trust that will enable governments to reuse trusted credentials and to issue new credentials.
Impact 3: Developing interoperable solutions and joint demonstrators, contributions to standards.
With this experiment we are proving how opensource technologies can be deployed and integrated together with other commercial platforms, thus fostering interoperability in the SSI ecosystem
Impact 4: An EU - US ecosystem of top researchers, hi-tech start-ups / SMEs and Internet- related communities collaborating on the evolution of the Internet
Together, we are demonstrating how timely and important is that companies with such a different background and expertise come together to solve challenges that by them alone they couldn’t
Results :
The aim of this use case is to demonstrate how different identification factors like verifiable credentials, eIDAS electronic seals or biometry (UNiD) can serve various use cases and levels of identification.
The key objectives are to:
• Demonstrate cross-jurisdiction interoperability between two countries with different data privacy regulations, legal and trust frameworks.
• Ease of use for citizens and provide autonomy and privacy for managing their data.
• Operational viability of the different components integrated: the scanner, the kiosk, the remote wallet.
An additional objective is to:
• Assess compatibility with the eIDAS framework in order to remain in line with current European legislation.
Success will be demonstrated by a traveler being onboarded at the departure kiosk, and being verified at the departure and arrival kiosks.
Future Plan :
This project has focused on 2 main aspects: how to authenticate using privacy-preserving biometrics systems and how we could rely on cloud wallets to manage our identity and thus supporting more inclusive SSI solutions.
Benefits of such an approach are an improvement of user experience, improved level of assurance on authentication and the possibility to rely on certified trusted providers to handle recovery and accountability issues on digital identity scenarios.
However, the benefits of biometrics are not automatic, and they do not come without trade- offs. Care must be taken to design workflows that provide the necessary guarantees, and frame use into governance that formalizes rights and responsibilities of everyone in the ecosystem.
In line of some of the work already initiated about Biometric Service Providers in by the Linux Foundation in ARIES project (https://github.com/hyperledger/aries- rfcs/blob/main/concepts/0231-biometric-service-provider/README.md), this could be further developed to work towards standardisation efforts to include Biometrics as one of the Trust Services regulated under eIDAS.
This would indeed foster its adoption as well as lay the groundwork to a more interoperable ecosystem of solutions based on biometrics that could indeed benefit from it.
For instance, this experiment opens the door to the implementation of European Digital Identity Wallets as distributed systems, where the Trust Service Providers could manage the citizens’ keys that could be triggered by the use of biometrics like in this experiment or in other devices like mobile phones.
Indeed, further development of Cloud Wallet Providers could be based on Technical Specifications for cloud-based digital signatures (ETSI TS 119 431-1, ETSI TS 119 431-2 and ETSI TS 119 432). These standards support the creation of digital signatures in the cloud, facilitating digital signature deployment by avoiding the need for specialized user software and secure devices.
Future work will include the further exploration of the alternatives presented (e.g. adding a 2FA to the biometrics using PIN codes), exploring architectures for high volume use and production-ready deployments, full integration with iRespond devices and alignment with GDPR and related data-protection regulations.