
Master Thesis

Analysis and comparison of identification and authentication systems under the eIDAS regulation

Author: Floris Roelofs (S1029871)
Institute for Computing and Information Sciences, Radboud University, Toernooiveld 212, 6525 EC Nijmegen, NL
Supervisor: Prof. Dr. Eric Verheul
Second evaluator: Prof. Dr. Bart Jacobs
October 13, 2019

Contents

1 Introduction 3
1.1 Background 3
1.2 Goal 3
1.3 Scope 3
1.4 Research questions 4
2 Methods 5
2.1 Criteria pre-analysis 5
2.2 Description of systems 5
2.3 Selection of criteria 5
2.4 Comparisons and insights 6
3 Context 7
3.1 eIDAS - electronic IDentification Authentication and trust Services 7
3.1.1 European law 7
3.1.2 Interoperability 7
3.1.3 Notification and assurance levels 7
3.2 Authentication 8
3.2.1 Federated versus non-federated authentication 9
3.2.2 Supporting standards 9
3.3 PKI - Public Key Infrastructure 9
4 Description of systems 11
4.1 Belgium 11
4.1.1 Belgian eID Scheme FAS / eCards 11
4.1.2 Itsme® 12
4.2 Germany 13
4.2.1 German eID based on Extended Access Control 13
4.3 Luxembourg 15
4.3.1 Luxembourg national identity card (eID card) 15
4.3.2 Luxtrust - alternative methods 16
4.4 Estonia 18
4.4.1 Estonian eID Scheme: ID card / RP Card / Digi-ID / e-Residency Digi-ID / Diplomatic Identity Card 18
4.4.2 Mobiil-ID 19
4.5 Spain 20
4.5.1 Documento Nacional de Identidad electrónico (DNIe) 20
4.5.2 Cl@ve 21
4.6 Italy 22
4.6.1 SPID - Public System of Digital Identity 22
4.6.2 Italian eID based on National ID card (CIE) 24
4.7 Croatia 25
4.7.1 National Identification and Authentication System (NIAS) 25
4.7.2 NIAS - alternative authentication means 26
4.8 The Netherlands 27
4.8.1 DigiD 27
4.8.2 DigiD Hoog 28
5 Criteria for comparison 30
5.1 Usability - service provider 30
5.1.1 Federation 30
5.1.2 Usage with private service providers 30
5.2 Usability - user 30
5.2.1 Authentication methods 30
5.2.2 Single-sign-on 30
5.2.3 Availability of other qualified trust services 31
5.2.4 Accessing past authentication information 31
5.3 Privacy 31
5.3.1 Privacy hotspots 31
5.3.2 Pseudonyms 32
5.4 Security 32
5.4.1 Security of Communication 32
5.4.2 Vulnerability to 'Man in the browser' attacks 33
6 Comparison 34
6.1 Federation 35
6.2 Usage with private service providers 36
6.3 Authentication methods 37
6.4 Single-sign-on 38
6.5 Availability of other trust services 39
6.6 Accessing past authentication information 40
6.7 Privacy hotspots 41
6.8 Pseudonyms 42
6.9 Security of communication 43
6.10 Vulnerability to 'Man in the browser' attacks 44
7 Insights 45
7.1 Chapter outline 45
7.2 Insights per criterion 45
7.2.1 Federation 45
7.2.2 Usage with private service providers 45
7.2.3 Authentication methods 45
7.2.4 Single-sign-on 45
7.2.5 Availability of other trust services 46
7.2.6 Accessing past authentication information 46
7.2.7 Privacy hotspots 46
7.2.8 Pseudonyms 46
7.2.9 Security of communication 46
7.2.10 Vulnerability to 'Man in the browser' attacks 47
8 Discussion & Conclusion 48
8.1 Conclusions 48
8.2 Limitations 49
8.3 Further research 49

1 Introduction

1.1 Background

Throughout Europe, governments are in the process of making themselves digitally available to their citizens. In 2014 the European Union passed Regulation 910/2014, also known as the eIDAS regulation, which set the goal for all digital governmental services to be interoperable and usable by citizens of other member states.
In order to achieve this, the Union has asked the member states to create their systems individually, and has created a framework that links all these systems. This has resulted in some vastly different approaches to building such systems, which has created hurdles on the way to interoperability, such as differing levels of security required for using the systems. One aspect in which the implementations differ, and which complicates the interoperability of the systems, is whether the system is federated or direct. Federated means that a (usually centralised) system handles the identification and authentication; direct means that there is no such party between the user and the organisation to which they are identifying. The reason for choosing a direct system is that no single actor can know about all the authentication actions of a user. If one entity were to handle all authentications for everything from contact with a municipality to handling medical information, this entity could have control over an extremely privacy-sensitive data set, if no other measures against this are in place. For this reason some European countries, such as Germany, have chosen a direct authentication model. On the other hand, a federated system is much simpler to use for service providers, as they do not need to worry about the authentication and all the overhead that comes with it. Belgium is among the states that have chosen a federated model. Of course, even among countries that have made the same choice, federated or direct, there can still be vast differences in structure.

1.2 Goal

This is an exploratory study of the many differences between the implementations of the identification and authentication systems of various European member states. Based on these differences a comparison of the systems will be made, and the reasons that led to these differences will be discussed.
The focus will be on three aspects of the systems: privacy of the user, security of the system, and usability for both citizens and service providers. What these aspects entail for this research is described in chapter five. The results of this comparison and the analysis of the differences will lead to possible recommendations for future implementations and improvements to identification and authentication systems.

1.3 Scope

Throughout the Union, countries are in various stages of developing their systems. Once a member state has finished developing its system, it can ask the Union to review the system and assess it against the quality and security requirements laid out by the eIDAS regulation. Once a system has been reviewed and deemed acceptable, the system is 'notified' to the Union, meaning other member states need to ensure their government services are available through that system within twelve months. The systems are reviewed and accepted through a peer review process performed by other member states, coordinated by what is called the 'Cooperation Network'. This research will focus on systems that allow at least citizen-to-government authentication; systems that are only meant for business-to-government or citizen-to-business authentication are deemed out of scope. Included in the research will be all systems from countries that had completed notification of at least one system at the start of this research, on February 1st 2019 [13]. This includes all notified and non-notified systems of those member states, as long as the member state had at least one system notified on the cut-off date. Non-notified systems from the selected states are