
Enroll, and Authentication Will Follow

eID-Based Enrollment for a Customized, Secure, and Frictionless Authentication Experience

Conference paper, Foundations and Practice of Security (FPS 2019)

Abstract

High-assurance user identification and credential provisioning are crucial for accessing digital services. Usability, service customization, and security should be carefully balanced to offer an appropriate user experience. We propose an eID-based enrollment approach for tailoring authentication to the particular needs of the service provider and for striking a good trade-off between usability and security via the registration of authenticators, i.e., artifacts that provide proof of identity. We demonstrate the practicality of our approach in the case of patient access to Electronic Health Records (EHR) through an Android application: enrollment is done by using the Italian national eID card to register a mobile authenticator, unlocked by the user's fingerprint and customized to interact with the identity and access management system of the EHR.
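The enrollment-then-authentication flow sketched in the abstract, written out as an added example that is not the paper's code and not the IPZS SDK. It assumes a simplified model: the eID card is stood in for by an ECDSA key with an X.509 certificate issued by a locally generated "national CA" (the real CIE 3.0 uses the card's own PKI and card-authentication protocol), the authenticator key is a plain ECDSA key generated in memory (on the paper's Android app it would live in the Android Keystore and be usable only after a fingerprint unlock), and `serviceID` is an assumed identifier of the EHR identity and access management system. The security-relevant points it makes concrete are that the identity bound at enrollment comes from the card certificate verified against the trusted CA, not from anything the app claims; that every challenge is single-use, so a captured response cannot be replayed; and that the authenticator's response is bound to the service it was customized for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// serviceID is an assumed identifier of the EHR IAM system; authenticator
// responses are bound to it so they are useless against another relying party.
const serviceID = "ehr.example"

func enrollMsg(n []byte) []byte { h := sha256.Sum256(append([]byte("eid-enroll:"), n...)); return h[:] }
func authMsg(n []byte) []byte   { h := sha256.Sum256(append([]byte("auth:"+serviceID+":"), n...)); return h[:] }

// Server is the EHR-side identity provider: it trusts the national CA and keeps
// the authenticator public key enrolled for each eID subject.
type Server struct {
	roots    *x509.CertPool
	enrolled map[string]*ecdsa.PublicKey
	nonces   map[string]bool // outstanding single-use challenges
}

func NewServer(ca *x509.Certificate) *Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &Server{roots: pool, enrolled: map[string]*ecdsa.PublicKey{}, nonces: map[string]bool{}}
}

// Challenge issues a fresh nonce; consume rejects unknown or already-used ones (replay).
func (s *Server) Challenge() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil { panic(err) }
	s.nonces[string(n)] = true
	return n
}

func (s *Server) consume(n []byte) error {
	if !s.nonces[string(n)] { return errors.New("unknown or replayed challenge") }
	delete(s.nonces, string(n))
	return nil
}

// Enroll binds an authenticator key to a subject only if the eID certificate chains
// to the national CA and the card proved possession of its key over a fresh nonce.
func (s *Server) Enroll(cardDER, n, cardSig []byte, authPub *ecdsa.PublicKey) (string, error) {
	if err := s.consume(n); err != nil { return "", err }
	cert, err := x509.ParseCertificate(cardDER)
	if err != nil { return "", err }
	opts := x509.VerifyOptions{Roots: s.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil { return "", fmt.Errorf("untrusted eID certificate: %w", err) }
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, enrollMsg(n), cardSig) { return "", errors.New("bad card signature") }
	s.enrolled[cert.Subject.CommonName] = authPub // identity comes from the card, never from the app
	return cert.Subject.CommonName, nil
}

// Authenticate is challenge-response against the enrolled authenticator key.
func (s *Server) Authenticate(subject string, n, sig []byte) error {
	if err := s.consume(n); err != nil { return err }
	pub, ok := s.enrolled[subject]
	if !ok || !ecdsa.VerifyASN1(pub, authMsg(n), sig) { return errors.New("authentication failed") }
	return nil
}

// makeCert builds a demo certificate (self-signed CA when parent is nil). These are
// constructed stand-ins for the real eID PKI so that the example runs offline.
func makeCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return key, cert
}

// Demo runs enrollment, then a genuine login, a replay of that login, and an
// enrollment attempt with a "card" certified by a CA the server does not trust.
func Demo() (subject string, loginErr, replayErr, rogueErr error) {
	caKey, ca := makeCert("Demo National CA", nil, nil)
	cardKey, card := makeCert("RSSMRA80A01H501U", ca, caKey) // constructed, fiscal-code-like subject
	srv := NewServer(ca)
	authKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // Android Keystore key in the real app
	n := srv.Challenge()
	cardSig, _ := ecdsa.SignASN1(rand.Reader, cardKey, enrollMsg(n))
	subject, err := srv.Enroll(card.Raw, n, cardSig, &authKey.PublicKey)
	if err != nil { return "", err, nil, nil }
	n = srv.Challenge() // from here on only the authenticator is needed
	sig, _ := ecdsa.SignASN1(rand.Reader, authKey, authMsg(n))
	loginErr = srv.Authenticate(subject, n, sig)
	replayErr = srv.Authenticate(subject, n, sig)
	rogueCAKey, rogueCA := makeCert("Rogue CA", nil, nil)
	rogueKey, rogue := makeCert("RSSMRA80A01H501U", rogueCA, rogueCAKey)
	n = srv.Challenge()
	rogueSig, _ := ecdsa.SignASN1(rand.Reader, rogueKey, enrollMsg(n))
	_, rogueErr = srv.Enroll(rogue.Raw, n, rogueSig, &authKey.PublicKey)
	return subject, loginErr, replayErr, rogueErr
}

func main() { fmt.Println(Demo()) }
```

Running it prints the enrolled subject, a nil login error, and non-nil errors for both the replay and the rogue enrollment. The tailoring to the service provider that the abstract mentions appears here only as the `serviceID` folded into the signed message; in a deployment the same binding would carry whatever the EHR's IAM system requires (audience, origin, key policy), which is what makes the registered authenticator usable for that service and not for others.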



Acknowledgements

This work has been partially supported by the activity 19184 API Assistant of the action line Digital Infrastructure of EIT Digital. In addition, the authors are grateful to Istituto Poligrafico e Zecca dello Stato Italiano (IPZS) for kindly providing a prototype Android SDK to interact with CIE 3.0.

Author information

Corresponding author: Giada Sciarretta.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Ranise, S., Sciarretta, G., Tomasi, A. (2020). Enroll, and Authentication Will Follow. In: Benzekri, A., Barbeau, M., Gong, G., Laborde, R., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2019. Lecture Notes in Computer Science, vol 12056. Springer, Cham. https://doi.org/10.1007/978-3-030-45371-8_10


  • DOI: https://doi.org/10.1007/978-3-030-45371-8_10


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-45370-1

  • Online ISBN: 978-3-030-45371-8

  • eBook Packages: Computer Science (R0)
