Privacy and Security Risks when Authenticating on the Internet with European eID Cards

Whenever people use internet services, the first steps they take are usually identification (they input their names) and authentication (they prove that it is them). How they actually identify and authenticate themselves depends on the security level of the application. The means used can vary from a simple combination of username and password, through a secret PIN, to a PIN generated by some external device or a smart card using cryptography.

Smart cards are being used increasingly for authentication purposes. Many European identity cards now contain a smart-card chip, equipped with functionalities for online authentication. They are usually called 'electronic identity cards' (eID cards). This report focuses on authentication using smart cards and compares this approach with other common means of authentication.

The requirements for differing online applications exhibit a wide variety; whereas for some services a high level of security is required, in other areas the protection of the card holder's privacy is the first priority. The main purpose of this paper is to help define a comprehensive list of requirements for national ID cards in order to ensure that they are as flexible and as multi-purpose as possible.

In the last section of this report several conclusions are drawn, which were reached with the help of a thorough risk assessment of smart-card based authentication on the basis of two use-cases: online banking and social networking. The assets for these two use-cases will be defined, the vulnerabilities will be identified, and threats and risks will be derived in order to draw conclusions. This risk assessment will follow the methodologies of the ENISA 'Emerging and Future Risk' (EFR) Framework.

The main conclusions of the discussion are:

electronic identity cards offer secure, reliable electronic authentication to internet services, and
a privacy-protecting universally applicable eID card is technologically feasible.