What is identity proofing?
Traditionally, proofing an individual’s identity consists of physically providing evidence of that identity, by presenting a government-issued ID. Remote identity proofing methods are a way to identify individuals without relying on physical presence. Remote identity proofing has received a lot of attention recently, due to the COVID-19 pandemic.
Remote identity proofing is usually done over a webcam or a customer’s mobile phone, where the customers show themselves along with their government issued document – an identity card or passport. ENISA will soon publish a report focusing on remote face presentation attacks, where someone attempts to impersonate someone else, or create a fake identity.
Remote identity proofing can be used in a variety of contexts where trust in the identity of a natural or legal person is essential – such as financial services, e-commerce, the travel industry, human resources, matching platforms (including delivery and ride-hailing services), public administrations, online gambling and many other sectors.
Why a workshop on remote identity proofing attacks?
With the remote identity proofing methods used today in the EU, you can remotely create a bank account or obtain a qualified electronic signature and sign legal documents. However, resorting to these solutions makes it necessary to understand and analyse the different possible attacks. The workshop presented and discussed technologically enhanced deception attacks and explored the countermeasures, to finally peek into the future and anticipate challenges to come.
The workshop was also intended to validate the analysis and key elements of the upcoming report “Remote Identity Proofing Practices: Attack Scenarios” which ENISA expects to publish in October.
What did the workshop focus on?
The first part of the workshop was dedicated to the threat landscape and included a presentation of the desktop research results and preliminary findings. The attack scenarios explored consisted of:
- deepfake video injection;
- high-quality 3D silicone masks;
- video manipulation of an identity document.
Participants were also asked to identify a deepfake participant hidden among workshop panellists.
The second part focused on the emerging threats and the future of spoofs.
Each part included a question and answer session to allow for an interactive discussion between participants and panellists.
Nowadays, most remote ID attacks are low tech, with attackers presenting fake IDs or presenting someone else’s face on a display (a so-called replay attack). However, deepfake attacks are expected to become more frequent and harder to detect.
As a consequence, countermeasures will need to evolve as well. Both active (e.g. asking the user to read a random set of numbers) and passive (e.g. face texture analysis) security controls will play their role in the future, and synergies between AI and human operators will need to be further developed in order to spot the fakes.
With over 180 participants, the interactive sessions made it an engaging and positively received workshop.
Who was the workshop intended for?
- Industry – EU companies and other public or academic organisations with a focus on EU remote identity technology providers;
- National governments and other relevant public bodies, academia and other interested parties;
- Trust service providers and identity providers;
- Conformity assessment bodies and supervisory bodies;
- Security researchers and the wider security community.
Electronic identification under the eIDAS regulation constitutes a digital solution designed to provide proof of identity for citizens or organisations, in order to access online services or perform online transactions.
The EU Agency for Cybersecurity has been at the forefront of the developments in the eIDAS regulation since 2013. The Agency has been supporting the Commission and the Member States in the area of trust services in many ways, including, but not limited to, the following:
- security recommendations for the implementation of trust services;
- mapping technical and regulatory requirements;
- promoting the deployment of qualified trust services across Europe;
- raising awareness for relying parties and end-users.
The EU Cybersecurity Act of 2019 strengthened the Agency’s role in supporting the implementation of eIDAS.
The European Digital Identity is intended to be available to all EU citizens, residents and businesses in order to identify themselves or provide confirmation of personal information. Its purpose is to facilitate access to public and private digital services across the European Union.
Last year ENISA mapped the full landscape of remote identity proofing methods and countermeasures in a report published in March of this year.
The Agency continues to engage in such work which is expected to develop in the future.
Event announcement – save the date for the Trust Services Forum 2021
Together with the European Commission, ENISA will organise the Trust Services Forum on 21 September 2021. This edition takes place for the 7th year in 2021, following its inception in 2015. Co-located with D-TRUST/TUVIT CA Day on 22 September 2021, the event is to take place in Berlin, Germany, provided that the current travelling and gathering restrictions are lifted by then.
For questions related to the press and interviews, please contact press(at)enisa.europa.eu