DOI: 10.1145/3538969.3543817
ARES conference proceedings, research article

SoK: A Survey on Technological Trends for (pre)Notified eIDAS Electronic Identity Schemes

Published: 23 August 2022

Abstract

The eIDAS Regulation aims to provide an interoperable European framework that enables EU citizens to authenticate to, and communicate with, services of other Member States by using their national electronic identity. While a set of high-level requirements (e.g., related to privacy and security) is established to make interoperability among Member States possible, the eIDAS Regulation does not explicitly specify the technologies that can be adopted during the development phase to meet those requirements. This paper surveys the technological trends of the (pre)notified eIDAS electronic identity schemes used by Member States and how they satisfy the eIDAS Regulation requirements. We do this by defining a set of research questions that allow us to investigate the correlations between different design dimensions such as security, privacy, and usability. Based on these findings, we provide a set of lessons learned that the security community can use to protect interoperable national digital identities more efficiently.


Cited By

(2023) Towards an Improved Taxonomy of Attacks Related to Digital Identities and Identity Management Systems. Security and Communication Networks, 2023. https://doi.org/10.1155/2023/5573310. Online publication date: 1 Jan 2023.


Published In

ARES '22: Proceedings of the 17th International Conference on Availability, Reliability and Security
August 2022
1371 pages
ISBN: 9781450396707
DOI: 10.1145/3538969
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. Digital Identity
      2. OAuth 2.0
      3. OpenID Connect
      4. SAML
      5. eIDAS

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Funding Sources

      • Futuro & Conoscenza S.r.l.

      Conference

      ARES 2022

      Acceptance Rates

      Overall Acceptance Rate 228 of 451 submissions, 51%
