Jelle Millenaar

Of late, the benefits of Self-Sovereign Identity (SSI) have also been trending in business-to-business (B2B) use cases, namely in the world of trade and finance. This is largely to establish the identity of an organization however, organizational identification has not yet made its way to the European Identity Wallet. Used correctly, European Identity Wallets can restore trust within our digital spaces to help combat fraud and scams and instill trust amongst parties. Let’s explore how this works.

Webshop Scams

In 2023, the Landelijk Meldpunt Internetoplichting (LMIO) took down 1.000 fake webshops in the Netherlands alone, an increase of 30% over 2022. The average damage has gone up by 20% to €350,- per victim, this may only be the tip of the iceberg as 40% of Dutch people believe there is a taboo when telling people they have been scammed online. Unfortunately, recognizing a maleficent website isn’t easy and requires users to perform a set of manual steps. The Dutch police, consumer protection agencies, and webshop branch organizations advise people to do the following checks:

1. Check the website URL and its domain registration date

2. Verify certificates such as from Thuiswinkel.org by clicking on them

3. Inspect the Chamber of Commerce registration at a government portal

ScamCheck is an external website that performs most of the recommended checks for the user but requires shoppers to visit their page and input the URL. These checks are therefore rarely taken as they take place outside the shopping experience and disrupt the user journey.

Trusting the Customer

Under the new eIDAS 2.0 regulations in Europe, users will be able to log in to any compliant website using their European Identity Wallet without having to create an account or password. In addition, users can provide the website with more verifiable information such as an address, email, age, and phone number, all crucial data points in the eCommerce sector. Instead of having to fill out repetitive forms of data, the European Identity Wallet allows the user to simply share all necessary information with the click of a button. This alone reduces customer friction and provides an enhanced customer experience. The benefit of this new user journey is that it is not one-sided, the mutual authentication aspect of the new login experience for a user can be utilized to establish trust for the user as well.

Trusting the Business

In a recent Proof-of-Concept project, UniMe, an Identity Wallet developed by Impierce Technologies that aims to be certified as a European Identity Wallet, has had its login flow updated to instill trust in the Webshop for the user. The user is presented with domain verification, which validates that the identity they are authenticating against also controls the website domain and the age of the domain. This simply means that if the user sees the correct website listed with a green checkmark, they can trust they are logging in at the correct place. Secondly, we show a Thuiswinkel Waarborg, a certificate displayed by most webshops in the Netherlands that validates their authenticity by the Thuiswinkel.org branch organization. This certificate can only be authenticated if it has a genuine digital signature from Thuiswinkel.org. Lastly, we showcase the Chamber of Commerce registration of the entity, including the age of the company. This is verifiably tied to the identity of the webshop, which means it cannot be forged.

In UniMe, all of this information is displayed to users as evidence during the login process in a seamless and non-disruptive manner. While we don’t expect every user to fact-check all the information, we do provide the information to do so, while also condensing the information in a more simple format which communicates either a feeling of trust or distrust depending on how many checks are verified. We have recently become aware of a browser plug-in from identinet, which can also display the same evidence directly in the browser, providing an alternative method to access the same information.

On the 1st of July, Impierce Technologies presented the PoC of webshop authentication at the Dutch Blockchain Coalition Conference. With support from the Dutch Chamber of Commerce, Dutch Tax Authorities, and Thuiswinkel.org, we showed how users could log in to a webshop and see its domain verification, thuiswinkel.org certificate, and Chamber of Commerce registration. The project is set to continue with the same parties, and more, to pilot the idea for a wider audience, together with real webshops. If you are in the eCommerce sector and are interested in participating, reach out to us!

B2B Mutual Authentication

The challenges faced by Webshops are not unique to them. In many other cases, it is important to establish trust between a user and a website, or directly with the business. Even more crucially, trust is inherently very important for B2B scenarios as well. Fraudulent invoices, scam emails, social media accounts, and websites plague the internet. Don’t trust but verify. Through the eIDAS 2.0 regulation and with the introduction of the European Identity Wallet we foresee a future where trust can be established again. Where every company has the right tools to protect their users, customers, and clients from fraud. Impierce Technologies develops the core technology components to enable businesses to plug into this ecosystem of trusted information exchange.

Tech Deepdive

The solution uses W3C’s Decentralized Identifiers (DIDs) to create a unique identifier for a company and associate one or several keypairs with them. This can be either blockchainless using `did:web`, or can be published to a blockchain like EBSI or IOTA to increase the trust in the identity.

Attached to this identity, we utilize the DID configuration Domain Linkage Assertion, to link a domain. This is bi-directionly linked so that the DID Document links to a domain, and the domain, on a `.well-known` endpoint, links back to the DID. This can only be done if the same entity controls the domain and the DID, which proves they are linked.

Next, we used the DIF Linked VP standard to attach verifiable presentations that provide more information about the organization. This can be (ISO) certificates, company registration, proof of address, Trust pilot score, and much more. In our case, we published a Thuiswinkel.org certificate as they are widely used in the Dutch eCommerce sector to establish trust.

Lastly, we added the Chamber of Commerce registration number to the DID Document. At the Dutch Chamber of Commerce, companies can register a domain. We already established that the DID and the domain are controlled by the same entity, therefore, we can establish the same regarding the bi-directional link between the Chamber of Commerce registry and the DID Document.

All of these standards fit easily into the eIDAS 2.0 regulation and the Architecture Reference Framework (ARF). We hope to inspire more to implement the same standards and make it easier for the people that browse the internet, to identify a scam website compared to a real website.