An eIDAS-certified national federative online authentication (“I am who I say I am”) and validation (“My characteristics like age or my address are correct”) infrastructure needs to come into existence in all individual EU countries. The infrastructure should involve governmental databases, commercial databases, and not-for-profit databases, all with various eIDAS security levels.
The federative infrastructure encompasses validation checks at multiple, hermetically separated databases. Pre-defined business rules decide which databases with which eIDAS security levels are to be involved in which types of authentication and validation. A leading principle in the checking process is the redundancy of databases to be checked to contain the effects of potential hacks.
In no instance data is provided to a third party. What is provided is feedback on the validity of concrete information entered as input in authentication and validation queries. Green lights are returned for valid information inputs and red lights for invalid information inputs. For instance if an age check is implemented the statement “This person is aged 16 or older” is evaluated, based on database checks, either as valid (“Yes, this person is aged 16 or older”) or not valid (“No, this person is not aged 16 or older”). No additional information, for instance in the form of a concrete date of birth. is provided. Ideally, database checks need to be performed for every individual authentication and validation query.
No authentication and validation query is to be performed without the clear, verifiable informed consent of the individual whom the query concerns. Every authentication and validation request first needs to be directed to the person involved. But, for reasons of convenience end-users are to be able to present general business rules concerning their consent.
At a minimum, the infrastructure will provide the means for adults with parental responsibilities to give or authorise revocable consent for their child’s online activities, as well as the means for adult and child authentication, the validation of the child-adult relationship, and for age verification.