France Identity & Cybersecurity

The “digitalization” of our identity documents, which is booming, aims to simplify and secure the authentication of citizens, while offering new services and adapting to digital requirements.

France is in turn adapting to this “digitalization” of our lives, thanks to France Identity, an application which aims to centralize our identity documents and documents.

This application, until now in Beta in certain departments of France, opened to all of France in February 2024.

What is France Identity?

France Identity is an ambitious program of the French government which aims to modernize and secure the digital identity of its citizens and foreigners in a legal situation.

This program is made up of two complementary pillars:

1. The new national identity card (CNI)

• Bank card format: Adopting a compact and practical format similar to a bank card, the new CNI fits easily into your wallet.
• Reinforced security: Equipped with an electronic chip and biometric data (fingerprints and ID photo), the CNI offers optimal protection against fraud and identity theft.
• Gradual replacement: The new CNI has gradually replaced the old paper identity card since August 2021. You can request your new CNI at the town hall or online.

2. The France Identity application

• Easy and secure authentication: The France Identity application allows you to prove your identity online in a simple and secure way, without having to remember multiple identifiers and passwords.
• Accessible on all media: Available on smartphone and tablet, the application adapts to your needs and accompanies you wherever you go.
• Control of personal data: You maintain control of your identity data and can choose the information you wish to share during your online procedures.
• Access to a multitude of services: The France Identity application gives you access to more than 1,400 online services, such as taxes, CAF, social security, administrative procedures, etc.

Concrete examples of use of France Identity

1. Online public services

• Taxes: Access your personal space on impots.gouv.fr to consult your tax notice, pay your taxes online and make declarations.
• CAF: Connect to your CAF account to consult your rights, make service requests and monitor your files.
• Social security: Access your ameli.fr account to view your reimbursements, download your certificates and follow your procedures.
• Ministry of the Interior: Request for identity card, passport, registration document, etc.
• Justice: Access the litigant portal to consult your procedures online and take steps.

2. Administrative procedures

• Registration on the electoral lists.
• Scholarship application.
• Pre-registration at university.
• Request for RSA.
• Demand for social housing.

Other Procedures

“Experiments have already been launched with numerous services in France (SNCF, La Poste, etc.), before generalization. For airports, the subject is more sensitive, because it requires international cooperation. Work is underway” explained on X, Guillaume Rozier, advisor to President Macron.

What does France Identity cover?

Today, it is possible to enter information in the France Identity application:

• Your National Identity Card (CNI), version 2021. It is also mandatory to create an account in this application.
• Their driving license, whatever its version, the pink one made up of 3 sections, or the one in the format of a bank card, similar to the new CNI.

Why fill out your driving license?

• No more need to present your physical driving license during roadside checks, vehicle rentals or online procedures.
• You can prove your right to drive easily, without having to worry about losing or forgetting your license.
• The digital driving license is secure and tamper-proof.
• It helps fight against fraud and identity theft.

The other pieces that will complete France Identity

• Digital passport: The digital passport will allow citizens to store a digital version of their passport on their smartphone.
• Registration Certificate / Registration Card: The integration of the registration document into the France Identity application is in progress and will be effective at the end of 2024, according to the government Road Safety website.
• Vitale Card: There is doubt regarding the Vitale card. Several projects are being considered according to French leaders. To begin with, the e-Carte Vitale, an application which will be in its own right, can be used at any healthcare professional or pharmacy that accepts the current Carte Vitale; it is currently in the testing phase in 8 French departments. On the other hand, in 2023, the government announced that it was considering merging the vital card into the new CNI.
• Student card: Like the registration certificate, the state has announced that the student card is planned to be integrated into France Identity by the end of 2024.
• Proof of address: Proof of address is also planned for the end of 2024.
• Residence permit: The government is considering integrating the residence permit into France Identity to facilitate administrative procedures for foreigners in a legal situation.

France Identity therefore aims to become an application bringing together all the documents as well as the identity proofs of fellow French citizens. Such an important application must have very good IT security in view of confidential and personal documents being entered.

France Identity & Cybersecurity

France Identity was designed with paramount importance to IT security. The system relies on a multitude of pillars to guarantee the protection of user data.

IT security taken seriously

During its beta of the France Identity application, France Identity launched a public bug bounty program in June 2022. This program aims to encourage the community of IT security researchers to identify and report possible security vulnerabilities in the the application and its back-end.

1. Robust security architecture

• Secure hosting: France Identity data is hosted in HDS (Health Data Hosting) and ISO 27001 certified data centers in France. This double certification guarantees a high level of security in terms of data protection.
• Strict access control: Access to data is governed by a granular access control system. Only authorized users, after strong authentication, can access the data they need to carry out their missions.
• Regular security testing: Rigorous security testing, conducted by internal and external experts, is regularly carried out to identify and fix possible vulnerabilities.

2. Cutting-edge technologies

• End-to-end encryption: User data is encrypted both during transmission and when stored. This guarantees their confidentiality and integrity, even in the event of interception.
• Strong multi-factor authentication: Access to France Identity data and services is protected by strong multi-factor authentication. Users must combine multiple authentication factors, such as a password, PIN, or fingerprint, to log in.
• Biometrics: Biometrics via fingerprint provides an additional level of security for user authentication. This technology ensures that the user is who they say they are.

3. Solid legal and regulatory framework

• Law relating to the Digital Republic: This law governs the creation and use of France Identity, by setting the rules relating to the protection of personal data and the security of information systems.
• General Data Protection Regulation (GDPR): France Identity is in compliance with the GDPR, which guarantees users increased control over their personal data and reinforces their rights.
• National Information Systems Security Agency (ANSSI): ANSSI, the national authority for IT security, guarantees the security of the France Identity system. It ensures the implementation of the technical and organizational measures necessary to protect user data.

Where is the data stored?

Data appearing on identity documents

The data on identity documents is stored in the title chip.

Data processed by the France Identity application

The data processed by the France Identity application is stored on the phone. These data are:

• Identity document data.
• Contact data.
• Transaction history.
• Data allowing the identification of the phone.

Data processed by the Digital Identity Guarantee System (SGIN) server

The data processed by the Digital Identity Guarantee System (SGIN) server are:

• Identity data from the identity document.
• Contact data.
• Data allowing the identification of the phone.
• Data relating to the identity document (title number, address, etc.).
• Data from the identity proof usage framework entered by the user.
• Visual activation and authentication session codes.

Data processed by France Identity

The data processed by France Identity, which are stored on the SGIN server and associated with the user account, are:

• The identity document number.
• The technical identifier of the application instance allowing the identification of the phone.
• Contact data: the email address which allows account deletion.

France Identity’s IT security risks

Despite the significant efforts made to guarantee its security, France Identité is not exempt from potential risks in terms of IT security.

As recent news has shown with the cyberattacks on Viamedis and Almerys, two service providers working with social security, it is crucial to have reinforced IT security. To learn more about the Viamedis and Almerys cyberattacks, you can consult our dedicated blog article. 

Here is a detailed analysis of the main IT security risks associated with France Identity:

1. Risks related to system architecture

• Centralization of data: Centralizing identity data in a single system can be an attractive target for hackers. If the system is compromised, the personal data of millions of users could be exposed.
• Complexity of the system: The complexity inherent in a large-scale system like France Identity can increase the attack surface and multiply the potential entry points for cybercriminals.

2. Risks linked to the technologies used

• Attacks against authentication mechanisms: Hackers may attempt to bypass strong authentication mechanisms, for example by using phishing or social engineering techniques to obtain user credentials.
• Biometric data leaks: Compromise of biometric data, although unlikely, could have serious consequences for users, as this data cannot be modified if stolen.

3. Risks linked to developments

• Developments in the legal framework: The legal and regulatory framework relating to the protection of personal data is constantly evolving. France Identity will have to adapt to these changes to ensure compliance and minimize legal risks.
• Constantly evolving cybercrime: The techniques and tools used by cybercriminals are evolving rapidly. France Idité will have to constantly update itself to counter new threats.

4. Risks linked to user behavior

• Poor security practices: Choosing weak passwords, reusing credentials across multiple sites, or neglecting security updates can expose users to increased risks.
• Lack of vigilance against cyberattacks: Users may fall victim to phishing, social engineering, or other manipulation techniques to leak their personal information or infect their devices.

Despite these risks, it is important to emphasize that France Idété integrates numerous security measures to minimize them. It is also essential that users adopt responsible IT security practices to enhance the protection of their personal data.