A proposal for developing open strong authentication methods that protect privacy and can be independently evaluated has been released for the consultation organized by the French Digital Council (CNNum) as part of the debate on data, records and algorithms.
In an increasingly digital world, authentication represents a fundamental act. It is what we do to connect to our cloud or digital vault to access personal information. It is what we do to access our bank account online or to make a payment. The act of authentication goes well beyond a simple choice in technology: it structures how we access everyday services and our digital life. It entails a commitment, so it must allow users to express consent while remaining simple enough that the majority of us can do it. Authentication, originally just a point of access, has become a way for service providers to set themselves apart. Offering the simplest and most universal method of authentication means “winning” clients by providing a unique service-delivery experience or even a one-stop shop. Authentication is indeed a master technology, unlocking the door for us to access the digital world. But in this arena, certain internet giants, including Google, Apple, Facebook and Amazon, have imposed their own rules, technologies, security designs and ideas of privacy protection (for example, even the procedures for contributing to this site adhere to their ideas).
It therefore seems essential to foster the development of strong authentication methods that are:
- Open (for example, based on specifications available to all manufacturers).
- Part of an evaluation and certification scheme (for instance, the one developed by the Biometrics Alliance Initiative), and approved based on testing by independent laboratories.
- Compatible with services requiring strong authentication and the many digital identity initiatives (e.g. France Connect, eIDAS).
- Able to securely protect authentication data.
- Compliant with recommendations issued by regulatory bodies (e.g. banks, data protection and privacy commissioners).
Purpose of the Privacy-Oriented Strong Authentication Methods proposal
This proposal aims to:
- Address the growing need for a simple, universal, secure authentication method.
- Facilitate the development of superior European technologies in a field where most online technologies (e.g. terminals, OSs, search tools) are designed and used outside of Europe.
- Promote and enhance personal data protection practices (e.g. Privacy by Design, Privacy by Default, Privacy Rules).
- Establish mutual trust between service providers and users.
- Support the establishment of a European ecosystem of value-added services built on strong user authentication.
The original version of the document is available on the site of the consultation.