eIDAS: solving PSD2's identity problems
One of the biggest problems in Open Banking is identity. Initially, most financial institutions (FIs) hosted their own trust anchor, and every third party had to enrol with it. That model does not scale: a third party that integrates with many FIs has to enrol, and later re-certify, with each and every FI, which makes onboarding slow and complex.
This runs counter to PSD2's goal of increasing pan-European competition in financial services. If you want more background on PSD2 and Open Banking, see the article linked from the original post.
Enter eIDAS into the picture
eIDAS stands for electronic IDentification, Authentication and trust Services. It is backed by Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market. It is a regulation rather than a directive, so it applies directly in every member state without national transposition, which is what makes a single EU-wide trust framework possible.
The eIDAS Regulation provides one framework for eID and trust services, so businesses can operate across the EU with mutual trust. Its building blocks include electronic identification, electronic signatures, electronic seals, time stamps, electronic registered delivery and website authentication certificates. The benefit of a unified framework is that most real-life transactions can take place electronically with security, integrity and traceability.
Source : [eIDAS guidebook](https://ec.europa.eu/digital-single-market/en/eidas-smes)
In the PSD2 context we will look at two of these services, QWACs and eSeals, because they are the ones eIDAS-for-PSD2 relies on.
QWAC — Qualified Website Authentication Certificate
A QWAC is a qualified certificate, issued by a qualified trust service provider (TSP) after verifying the identity of the organisation, that is used as a TLS certificate for a website or API endpoint. The peer therefore gets an authenticated organisational identity plus an encrypted channel: the certificate provides the authenticity, TLS provides the confidentiality. Because the identity in the certificate has been verified by a qualified TSP, a QWAC increases consumer trust and makes impersonation and phishing much harder. The caveat is that this only holds if the relying party actually validates the certificate against the EU trusted lists rather than merely accepting any TLS certificate.
eSe — eSeal
An eSeal guarantees the origin and integrity of a document or message; it is the legal-person counterpart of an electronic signature. With an eSeal a business can present information that is certified as coming from it, and because only the sealing party holds the private key, the seal also provides non-repudiation of origin.
eIDAS for Payment Services
The PSD2 Regulatory Technical Standards (RTS) on strong customer authentication and common and secure communication permit the use of eIDAS certificates for identification in open banking. The topic received further attention when the European Banking Authority (EBA) published an Opinion on the use of eIDAS certificates under the RTS.
‘for the purpose of identification, as referred to in Article 30(1)(a), payment service providers shall rely on qualified certificates for electronic seals as referred to in Article 3(30) of Regulation (EU) No 910/2014 or for website authentication as referred to in Article 3(39) of that Regulation’.
— Article 34(1) PSD2 RTS
Because both FIs and third parties may rely on eIDAS certificates, a third party can carry a single identity across the EU instead of one credential per FI.
Electronic Signatures and Infrastructures (ESI) Specification
ETSI's technical specification for this sector, ETSI TS 119 495, integrates the PSD2 specifics into eIDAS certificates and so makes eIDAS usable in the financial domain. The certificate carries the payment service provider's (PSP's) authorisation number, the PSD2 roles it is licensed for (account servicing, payment initiation, account information and card-based payment instrument issuing) and the name of the national competent authority (NCA) that licensed it. The specification also sets requirements for the trust service provider (TSP), for example on revoking a certificate when the PSP's authorisation changes or is withdrawn. Two certificate types are profiled for PSD2:
- QWAC — as defined in the previous section, used for identification and channel security (TLS) at the transport layer, with the PSD2 attributes added.
- QSealC — Qualified certificate for electronic Seals, used to produce eSeals that protect the integrity and origin of the application-level data, for example a signed request or response payload.
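As an added example (not code from the original post, nor from ETSI), the following Go program encodes the PSD2 statement that ETSI TS 119 495 places in the qcStatements extension and then parses it back the way an FI would before authorising an API call. It works on the extension value and on the subject organizationIdentifier string rather than on a whole certificate, so it runs offline with Go's standard library; in a real deployment both come from the TPP's QWAC or QSealC after the chain has been validated against the EU trusted lists, which this block does not do. The NCA name, NCA identifier and authorisation number are constructed sample values; the OIDs and role names are the ones the specification defines, and the authorisation number layout ("PSD" + country code + NCA identifier + NCA-assigned PSP identifier, hyphen-separated) is the one the specification gives for the organizationIdentifier attribute.

```go
package main

import (
	"encoding/asn1"
	"fmt"
	"regexp"
)

// OIDs from ETSI TS 119 495: the PSD2 statement and the four PSP roles (0.4.0.19495.1.{1..4}). In a
// certificate the statement sits in the qcStatements extension (1.3.6.1.5.5.7.1.3) and the
// authorisation number in the subject's organizationIdentifier attribute (2.5.4.97).
var (
	oidPSD2Statement = asn1.ObjectIdentifier{0, 4, 0, 19495, 2}
	roleNames        = map[string]string{"0.4.0.19495.1.1": "PSP_AS", "0.4.0.19495.1.2": "PSP_PI",
		"0.4.0.19495.1.3": "PSP_AI", "0.4.0.19495.1.4": "PSP_IC"}
	// organizationIdentifier layout: "PSD" + ISO 3166 country + "-" + NCA id + "-" + NCA-assigned PSP id.
	authNoRE = regexp.MustCompile(`^PSD([A-Z]{2})-([A-Z]{2,8})-(.+)$`)
)

func roleOID(n int) asn1.ObjectIdentifier { return asn1.ObjectIdentifier{0, 4, 0, 19495, 1, n} }

// ASN.1 shapes. QCStatement.statementInfo is ANY, so it stays raw until the statement ID says how to decode it.
type qcStatement struct {
	ID   asn1.ObjectIdentifier
	Info asn1.RawValue `asn1:"optional"`
}
type roleOfPSP struct {
	OID  asn1.ObjectIdentifier
	Name string `asn1:"utf8"`
}
type psd2QcType struct {
	Roles   []roleOfPSP
	NCAName string `asn1:"utf8"`
	NCAID   string `asn1:"utf8"`
}

// PSD2Identity is what an ASPSP needs from a TPP certificate before it authorises an API call.
type PSD2Identity struct {
	Country, NCA, PSPID string          // split from the authorisation number
	NCAName, NCAID      string          // from the PSD2 statement
	Roles               map[string]bool // PSP_AS / PSP_PI / PSP_AI / PSP_IC, derived from the role OIDs
}

// EncodeQCStatements builds the DER value of a qcStatements extension that carries only the PSD2 statement
// (a real certificate also carries QcCompliance, QcType and others, which the parser below skips).
func EncodeQCStatements(ncaName, ncaID string, roles ...asn1.ObjectIdentifier) []byte {
	pt := psd2QcType{NCAName: ncaName, NCAID: ncaID}
	for _, r := range roles {
		pt.Roles = append(pt.Roles, roleOfPSP{OID: r, Name: roleNames[r.String()]})
	}
	psd2DER, _ := asn1.Marshal(pt)
	der, _ := asn1.Marshal([]qcStatement{{ID: oidPSD2Statement, Info: asn1.RawValue{FullBytes: psd2DER}}})
	return der
}

// ParsePSD2Identity combines the subject organizationIdentifier with the qcStatements value and fails
// closed: a malformed authorisation number, trailing bytes, an unknown role OID or a missing PSD2
// statement all reject the certificate, however valid it might be as a plain TLS certificate.
func ParsePSD2Identity(authNo string, qcStatementsDER []byte) (*PSD2Identity, error) {
	m := authNoRE.FindStringSubmatch(authNo)
	if m == nil {
		return nil, fmt.Errorf("organizationIdentifier %q is not a PSD2 authorisation number", authNo)
	}
	id := &PSD2Identity{Country: m[1], NCA: m[2], PSPID: m[3], Roles: map[string]bool{}}
	var stmts []qcStatement
	if rest, err := asn1.Unmarshal(qcStatementsDER, &stmts); err != nil || len(rest) != 0 {
		return nil, fmt.Errorf("malformed qcStatements: %v", err)
	}
	for _, s := range stmts {
		if !s.ID.Equal(oidPSD2Statement) {
			continue
		}
		var pt psd2QcType
		if rest, err := asn1.Unmarshal(s.Info.FullBytes, &pt); err != nil || len(rest) != 0 {
			return nil, fmt.Errorf("malformed PSD2QcType: %v", err)
		}
		id.NCAName, id.NCAID = pt.NCAName, pt.NCAID
		for _, r := range pt.Roles { // authorise on the OID, never on the free-text roleOfPspName
			name, ok := roleNames[r.OID.String()]
			if !ok {
				return nil, fmt.Errorf("unknown PSP role OID %v", r.OID)
			}
			id.Roles[name] = true
		}
		return id, nil
	}
	return nil, fmt.Errorf("no PSD2 QcStatement: not an ETSI TS 119 495 certificate")
}

func main() {
	// Constructed sample: a TPP licensed for AIS and PIS by the Finnish NCA; names and numbers are made up.
	der := EncodeQCStatements("Finanssivalvonta", "FI-FINFSA", roleOID(3), roleOID(2))
	id, err := ParsePSD2Identity("PSDFI-FINFSA-123456", der)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\nGET /accounts allowed (needs PSP_AI): %v, may act as an ASPSP (PSP_AS): %v\n",
		*id, id.Roles["PSP_AI"], id.Roles["PSP_AS"])
}
```

The parser authorises on the role OID, not on the human-readable roleOfPspName, and rejects trailing bytes, unknown roles and statements that lack the PSD2 structure: a perfectly valid TLS certificate that is not an eIDAS PSD2 certificate must not get through. Checking that the NCA identifier inside the statement agrees with the one in the authorisation number, and that the PSP's authorisation is still current in the NCA's register, are further checks an ASPSP would add on top.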
EBA’s recommendation for adopting eIDAS certificate profiles
The EBA's Opinion sets out three ways of adopting these certificate profiles for PSD2.
- Parallel use of QWACs and QSealCs — the third party identifies itself to the FI and secures the channel with the QWAC, and seals its data with the QSealC, so both the confidentiality of the communication and the origin and integrity of the information sent are covered.
- Use of QWACs only — the communication is identified and confidential, but the third party cannot later produce evidence that a given piece of data originated from it, because TLS protects the channel, not the individual message.
- Use of QSealCs with additional communication security — the seal guarantees the integrity and origin of each submission, but an additional mechanism such as TLS must be put in place to provide the confidentiality of communication that Article 35(1) of the RTS requires.
A single trust anchor within the EU thus lets a third party talk to FIs on any of the open banking API specifications with one identity, removing the hurdle of enrolling with each FI's own trust anchor.