Passkeys and eIDAS - the future of authentication.

September 12, 2022

Passkeys (soon available on Apple devices, and to be offered in the near future by Google and Microsoft as well) are a standard for more secure, passwordless, authentication. Great! Finally we will be able to get rid of these pesky passwords. But passkeys will also have consequences for eIDAS: the European identity wallet risks to be born in a world with a significant disadvantage.

How does passkey work?

When you register for a service that supports passkeys, it generates a new key pair, storing the private key locally on your Apple device, and sending the public key to the service. It uses different key pairs for each account on a service. Every time you want to access your account, a standard challenge-response protocol is run to prove to the service that you have the private key corresponding to the public key it stored earlier for your account when you registered. Apple cleverly uses its Keychain password manager to make the transition from passwords to passkeys seamless. (We wrote about this approach as well, almost 10 years ago.) For a user that has password auto-fill enabled nothing really changes: after agreeing to sign in using Touch ID or Face ID, under the hood (essentially invisible to the user) the challenge-response protocol is run instead of filling in your password.

Authentication in eIDAS

Last year, the European commission proposed to update the eIDAS regulation to create a European Digital Identity Framework. (I wrote about this proposal earlier here and here.) A core element of that framework is a digital identity wallet, a smartphone application storing identity-relevant information about you. According to this outline of the European Digital Identity Architecture and Reference Framework (a more technical description of the eIDAS architecture), authentication within eIDAS using this wallet is apparently based on a certified identity:

While secure authentication is a functionality of the EUDI Wallet, relying parties identifying users with a defined set of person identification data for the purposes of allowing access to online public and private services is a specific use case. For instance, private relying parties shall accept the use of EUDI Wallets where they are required to use strong user authentication for online identification.

This is in line with traditional ways of identification and authentication used by many national eID schemes (and also how ‘social’ logins using your Facebook or Google account work). When wishing to access an online government service you are redirected to the central government identity provider, where you are required to sign in. If successful, the identity provider redirects you back to the online service with a credential containing a signed, certified, statement about your identity (typically your social security number). Under eIDAS this credential is already stored in your wallet, so you no longer need to authenticate online to your national identity provider, but still the authentication to the service provider is based on your certified identity.

So what do passkeys have to with eIDAS?

Note how authentication with a certified identity is fundamentally different from how authentication using passkey works. Using a certified identity you prove your identity using a credential issued by someone else. The service provider verifies that this identity corresponds to the owner of the account. With passkeys, you prove possession of a private you generated yourself. The service provider verifies that the corresponding public key was registered by the owner of the account. Note how with certified identities the security of your accounts relies on correct behaviour of the identity provider (you trust it not to issue credentials for your identity to someone else, and you trust it is properly secured so no other malicious party con do this either). With passkeys this is not an issue: you generated the necessary keys yourself and as long as you keep them secure, you are safe.

The trans-national nature of eIDAS exacerbates this problem. Within a purely national context there is only one, national, issuer that you rely on for your account security. With eIDAS, each of the 27 member states has such an issuer, and unless it is strictly verified that member state A cannot issue certified identities for citizens of member state B, your account security relies on 27 issuers. (Such a check is not a given, and in fact not even easy, see e.g. electronic passports or web certificates.)

In other words: eIDAS is more secure than password based authentication, but at the same time it is fundamentally less secure than passkeys. And this creates a problem in the near future. Hopefully passkeys will, given the seamless integration expected in existing password managers offered by Apple, Google and Microsoft, soon be the dominant form of authentication online. (This is definitely not certain, as it requires the cooperation of service providers to integrate the passkey challenge response protocol at their end as well.) If that happens, eIDAS will no longer be a leap forward, but significant step backward. It risks being born into this world with a significant disadvantage.

This is also relevant given another peculiar provision in the eIDAS proposal that requires very large platform providers (thing Google, Facebook) to accept the European digital identity wallet. It is not entirely clear to me how to interpret this: it could mean that very large platform providers are required to accept the use of the European identity wallet to prove certain attributes (e.g. age, nationality) about yourself. But it could also be interpreted to mean that it should allow its identification and authentication mechanism based on certified identities to log in to your Google or Facebook account. Recital 28 appears to imply the latter:

Where very large online platforms […] require users to authenticate to access online services, those platforms should be mandated to accept the use of European Digital Identity Wallets upon voluntary request of the user. Users should be under no obligation to use the wallet to access private services, but if they wish to do so, large online platforms should accept the European Digital Identity Wallet for this purpose

Now there are several reasons why this is a bad idea anyway, but now the only potential advantage (authenticate using your wallet instead of a password) will soon disappear. In fact, with passkeys on the horizon the eIDAS proposal risks making the online world less secure for European citizens.

What to do?

The above discussion makes clear that it is important to be clear about the exact functionalities offered by the European eID wallet, and which of those functions should or should not be used in which particular use case. In particular, the need to establish the legal identity of someone (using certified identities) is really different from authenticating a returning account owner.

And perhaps, for the latter, the European identity wallet should implement passkeys as well.

In case you spot any errors on this page, please notify me!
Or, leave a comment.