ENISA (the European Network and Information Security Agency), the EU’s cyber security agency, has presented its new position paper on authentication risks with European eID Cards. It analysed 7 vulnerabilities, identified 15 threats and offered security recommendations.

Major European eID interoperability projects, such as STORK and its successor ELSA, are aiming at a Europe-wide take-up of new technologies. In this context, ENISA has taken an independent look at the security risks related to online banking authentication by comparing smart eID cards with other authentication means in its latest position paper.

According to the paper, as more and more internet applications require authentication, more standardized approaches to user identification and authentication are needed. In Europe, several states have already rolled out electronic ID cards. The first steps in an internet service are usually to identify the user by name and then to authenticate that user.

Security levels can vary from a simple combination of username and password, through a secret PIN, to credentials generated by an external device or by a smart card using cryptography. Smart cards are increasingly being used for authentication purposes. Many European identity cards contain a smart-card chip with functionality for online authentication.

The ENISA Position Paper defined a list of requirements for national ID cards to ensure that they become as flexible and as multi-purpose as possible.

Udo Helmbrecht, executive director of ENISA, said: “Electronic identity cards offer secure, reliable electronic authentication to internet services, but banks and governments must cooperate better to be able to use national eID cards for banking purposes.”