On Enabling Additional Natural Person and Domain-Specific Attributes in the eIDAS Network

Abstract

Within digital virtual space, secure and efficient user authentication and identification are essential to prevent identity theft and unauthorized access to sensitive information and services. The eIDAS network implementing the European Union (EU) Regulation 910/2014 links the electronic identity (eID) systems of EU countries to allow citizens’ access by authenticating with government eIDs. At authentication time, the eIDAS nodes transfer core personal attributes (i.e., name, surname, date of birth, and an identifier) to the service providers (SPs). Since long-term applications require more personal or domain-specific data to provide the service or to perform identity matching, the SPs must obtain such data in an alternative way, with additional costs and risks. Herein, we extend the eIDAS network to retrieve and transfer additional person and domain-specific attributes besides the core ones. This process introduces technical, usability, and privacy issues that we analyze. We exploit a logical AP Connector between the eIDAS node and the entities providing additional attributes. We implemented two AP Connectors, named AP-Proxy and AP-OAuth2, integrated with the Italian pre-production eIDAS node to get additional attributes from the Politecnico di Torino university backend. In an experimental campaign, 30 students have accessed academic services at three foreign universities with recognized Italian eIDs, and transferred additional attributes over the eIDAS network. Despite some usability and privacy concerns encountered, the user experience was positive. We believe our work is helpful in the implementation of the recently adopted European Digital Identity framework, which proposes to extend the person identification data set recognized cross border, and the creation of digital wallets linking different data sets or credentials.