Stakeholder Perspectives on Biometrics-Based Multi-Factor Authentication for eIDAS Levels of Assurance: Insights on Usability, Security, and Privacy
Open Access
Article
Conference Proceedings
Authors: Bian Yang
Abstract: Adopting biometrics in an electronic identification (eID) means for online authentication, beyond their currently popular use for personal device access control, seems a promising way to achieve both security and convenience in day-to-day online logins. However, the varied ways of implementing biometrics in multi-factor authentication (MFA) raise different concerns about inclusivity, usability, privacy, and regulatory compliance (e.g., the EU's eIDAS Levels of Assurance Substantial and High). This study explores how stakeholders (users and experts) perceive biometrics-based MFA, focusing on accessibility, privacy, security, and trustworthiness. Eight key questions guided the work, addressing issues such as remote and mobile biometrics, the combination of factors in MFA, biometric data storage, and secret key management, in the context of eIDAS-related standards and guidelines (e.g., BSI TR-03166, ETSI TS 119 461). We surveyed 413 users (Norwegian and English) and interviewed 26 experts across six stakeholder groups: service providers, individual users, academia, eID and biometric technology providers, and authorities / consultants. Results show that most users prefer storing biometric data on a secure device over cloud services, and oppose shared biometric access (e.g., FaceID) on multi-user devices. Almost two-thirds of the surveyed participants prioritized security and privacy over convenience. Most of them favored MFA combinations that adapt to users' needs. For compliance with LoA High, experts emphasized unique device-user pairing, limited shared access, and the need for multiple factors. They also warned of risks from AI-generated fakes and regulatory uncertainty. Overall, the findings confirmed tensions between usability, inclusivity, and privacy, highlighting the need for flexible, transparent, and accessible biometric MFA designs. Future systems, including the EU Digital Identity Wallet, should ensure privacy-preserving biometrics that meet regulatory assurance levels while remaining usable for all, including elderly and disabled users.
Keywords: Biometrics, eIDAS, Multi-Factor Authentication, Usability, Privacy, Security, Stakeholder Perspectives
DOI: 10.54941/ahfe1006854
AHFE Open Access