eIDAS Certificate Checking

What is eIDAS?

Electronic identification, authentication, and trust services (eIDAS) commonly refers to the EU regulation introduced to support online identification and the authenticity of documents. EU Regulation 910/2014 sets the standards for electronic identification (eID), electronic transactions, qualified certificates, time stamps, electronic signatures, and other online authentication services.

Before eIDAS, a user had to be physically present in a Registration Entity to verify their identity and obtain a certificate. The ability to verify identities online revolutionised the ecosystem, evolving the EU’s Digital Trust Services Market, enabling organisations to onboard customers digitally at any point.

The regulation has been instrumental in the development of open banking, regulated by the second Payments Services Directive (PSD2). The intention was for financial institutions and third parties to interact with each other easily and securely. As EU-wide regulation, eIDAS allowed parties to trust each other within the Access to Account (XS2A) transaction chain even if the transaction was cross-border.

What are QTSPs?

The eIDAS regulation applies to Trust Service Providers (TSPs), commercial organisations which provide digital services. TSPs specialise in trust services through mechanisms which secure information and protect it from tampering, such as cryptographic signatures and digital certificates. This allows users to ‘trust’ the received information – an essential part of online communications.

TSPs can become qualified through a written ‘Conformity Assessment’ from their regulator. Under eIDAS, Qualified Trust Service Providers (QTSPs) receive national accreditation and therefore must comply with a defined standard of quality in areas such as security and interoperability. QTSPs are regulated by their respective EU country, under an appointed Member State Supervisory Body (MSSB).

What is an eIDAS Certificate?

In the world of open banking, eIDAS certificates are used by third parties as identity credentials when interacting with financial institutions. They are used as a way for the financial institutions to identify the third parties, with a view to carrying out account information or payment initiation transactions on behalf of the customer.

QTSPs are responsible for providing eIDAS certificates in Europe, after carrying out a series of checks on the third party.

What Does an eIDAS Certificate Contain?

eIDAS certificates contain several information points, including:

  • Subject name, including the name, address and country code of the company
  • Issuer name, including the name, country code, and serial number of the QTSP which issued the certificate
  • Public key information, including the public key of the company and the certificate’s signature
  • Fingerprints, which consist of hash values used to identify the eIDAS certificate

In the implementation stage, there are two types of eIDAS certificates:

  • Qualified Website Authentication Certificates (QWACs), which are used to authenticate the identity of a third party at the transport layer
  • Qualified Electronic Seal Certificates (QSealC), which validate the identity of the sender and protect transaction information at the application layer

PSD2 eIDAS QWACs and QSealCs also contain an entity’s authorisation number, their PSD2 roles, and the name of their home National Competent Authority (NCA).

What are the problems with just checking eIDAS certificates?

There are three steps to verifying an open banking transaction – identification, authentication, and authorisation. eIDAS certificates are useful tools for the first step, but financial institutions also need to be certain that the third party is authorised to carry out the transaction at the time of the request.

As laid out in the Regulatory Technical Standards (RTS) on strong customer authentication and secure communication, eIDAS certificates are to be used “for the purpose of identification” (Article 34(1)). eIDAS certificates are only issued with a lifespan of one to two years and so cannot be relied upon to provide authorisation status, as the information can quickly become outdated if a TPP is In addition, eIDAS certificates contain no information on passporting and so it is not clear whether the TPP is authorised to operate in that country.

Unfortunately, several financial institutions still solely rely on eIDAS certificates for identification and authorisation, which exposes them to additional risk.

What does Konsentus check in the eIDAS Certificate?

Konsentus Verify carries out a two-step process to validate the identity and authorisation status of a TPP. The first step involves checking the eIDAS certificate for the following data points:

  • Valid QTSP check, which verifies that the QTSP has the authority to issue a valid eIDAS certificate
  • Valid signature check, which ensures that the certificate has not been tampered with
  • Not expired check, which checks that the certificate has not expired
  • Not revoked check, which checks that the certificate has not been revoked by the QTSP
  • Payment services check, which uses the authorisation number from the certificate to verify what payment services the TPP is authorised to provide in both its home Member State and in the host Member State, if it is passporting its services to another jurisdiction
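The certificate contents described above (PSD2 roles, NCA name, authorisation number) and the first step of the checks listed here can be illustrated with a small parser. This is an added example, not Konsentus or QTSP code: it decodes the PSD2 QcStatement defined in ETSI TS 119 495 (OID 0.4.0.19495.2) with a hand-written DER reader, reads the authorisation number from a subject organizationIdentifier of the form "PSDGB-FCA-123456", and cross-checks that both name the same NCA. All sample values are constructed; the real-world steps of chain validation, expiry and revocation checking are left to a full X.509 library.

```python
# Added example (not Konsentus code): decode the PSD2 QcStatement (ETSI TS 119 495,
# OID 0.4.0.19495.2) and cross-check it against the subject organizationIdentifier.
PSD2_QC = "0.4.0.19495.2"
ROLE_NAMES = {"0.4.0.19495.1.1": "PSP_AS", "0.4.0.19495.1.2": "PSP_PI",
              "0.4.0.19495.1.3": "PSP_AI", "0.4.0.19495.1.4": "PSP_IC"}
def _tlv(tag, body): return bytes([tag, len(body)]) + body   # DER TLV, short-form length
def enc_oid(dotted):                  # DER OBJECT IDENTIFIER, base-128 arcs
    a = [int(x) for x in dotted.split(".")]; out = [40 * a[0] + a[1]]
    for v in a[2:]:
        chunk = [v & 0x7F]; v >>= 7
        while v: chunk.insert(0, (v & 0x7F) | 0x80); v >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))
def dec_oid(body):                    # inverse of enc_oid on the OID value bytes
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(v); v = 0
    return ".".join(map(str, arcs))
def items(body):                      # split a DER SEQUENCE body into (tag, value) pairs
    i, out = 0, []
    while i < len(body):
        tag, ln, i = body[i], body[i + 1], i + 2
        if ln & 0x80:                 # long-form length, as used by real certificates
            k = ln & 0x7F; ln = int.from_bytes(body[i:i + k], "big"); i += k
        out.append((tag, body[i:i + ln])); i += ln
    return out
def parse_psd2_statement(stmt_der):
    """One QCStatement TLV -> {'roles': [...], 'nca_name': ..., 'nca_id': ...}."""
    (_, body), = items(stmt_der)
    (_, oid_b), (_, qc) = items(body)
    if dec_oid(oid_b) != PSD2_QC: raise ValueError("not a PSD2 QcStatement")
    (_, roles_b), (_, nca_name), (_, nca_id) = items(qc)   # PSD2QcType fields
    roles = [ROLE_NAMES.get(dec_oid(items(r)[0][1]), "unknown") for _, r in items(roles_b)]
    return {"roles": roles, "nca_name": nca_name.decode(), "nca_id": nca_id.decode()}
def parse_org_id(org_id):             # "PSD" + country + "-" + NCA id + "-" + PSP id
    prefix, nca, psp = org_id.split("-", 2)
    if not (prefix.startswith("PSD") and len(prefix) == 5): raise ValueError("not PSD2 format")
    return {"country": prefix[3:], "nca": nca, "authorisation_number": psp}
def nca_consistent(stmt_der, org_id): # NCAId in the statement must match the subject's NCA
    s, o = parse_psd2_statement(stmt_der), parse_org_id(org_id)
    return s["nca_id"] == f"{o['country']}-{o['nca']}"

def _role(oid, name): return _tlv(0x30, enc_oid(oid) + _tlv(0x0C, name))
SAMPLE_STATEMENT = _tlv(0x30, enc_oid(PSD2_QC) + _tlv(0x30,   # constructed sample, not a real cert
    _tlv(0x30, _role("0.4.0.19495.1.3", b"PSP_AI") + _role("0.4.0.19495.1.2", b"PSP_PI"))
    + _tlv(0x0C, b"Financial Conduct Authority") + _tlv(0x0C, b"GB-FCA")))
SAMPLE_ORG_ID = "PSDGB-FCA-123456"                              # constructed, not a real TPP
```

The role OIDs and the NCAId check only say what the QTSP attested at issuance; the authorisation number still has to be looked up against the NCA register, as the payment services check above describes.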

How does Konsentus Verify check authorisation status?

After confirming the identity of the TPP, Konsentus carries out an instant, real-time check of the relevant institutions among 70+ trust service providers and 31 NCAs (which maintain over 115 registers containing regulatory information).

This ensures that a financial institution only ever approves a transaction with a third party that is authorised for the appropriate service in that country at that time. Konsentus Verify protects customer data from any unauthorised or fraudulent use, upholding the reputation of financial institutions and shielding them from compliance fines and the costs of managing disputes.
