Privacy and Security Risks when Authenticating on the Internet with European eID Cards

Whenever we use internet services, the first steps we take are usually identification (we input our names) and authentication (we prove that it is us). How we actually identify and authenticate ourselves depends on the security level of the application. The means used can vary from a simple combination of username and password, through a secret PIN, to a PIN generated by some external device or a smart card using cryptography. Smart cards are being used increasingly for authentication purposes. Many European identity cards now contain a smart-card chip, equipped with functionalities for online authentication. They are usually called 'electronic identity cards' (eID cards). This report focuses on authentication using smart cards and compares this approach with other common means of authentication.

Published
Authors
Ingo Naumann, European Network and Information Security Agency (ENISA), EU, Herbert Leitold, Zentrum für sichere Informationstechnologie (A-SIT), Austria, John Velissarios, Accenture, UK, Jens Bender, Federal Office for Information Security (BSI), Germany, Gregory Henwood, Home Office, UK, Andre Vasconcelos, Agency for Public Services Reform, Portugal, Giles Hogben, European Network and Information Security Agency (ENISA), EU, Jaan Priisalu, Swedbank, Estonia, Marc Stern, Approach Belgium, Belgium, Henning Daum, Giesecke & Devrient, Germany, Lorenzo Gaston, Gemalto, France, Arie Schilp, Rabobank, the Netherlands, Frank Zimmermann, Hewlett-Packard, Switzerland, Raul Sanchez-Reillo, Universidad Carlos III de Madrid, Spain
Language
English

This site uses cookies to offer you a better browsing experience.
Aside from essential cookies we also use tracking cookies for analytics.
Find out more on how we use cookies.

Accept all cookies Accept only essential cookies