Abstract
People around the world stay in contact with their families, friends, and colleagues by exchanging text and multimedia data online. This would not be possible without digital identities, which in turn necessitate Identity and Access Management (I&AM). Each natural person, legal entity, and device can have several digital identities with different associated information, such as the credentials used for authentication. During the past 15 years, Federated Identity Management (FIM) has gained traction because it enables one organization's identities to be used for accessing other organizations' services, e.g. in business-to-business cooperation. It has turned out to be a double-edged sword: on the one hand it improves the user experience and removes the incentive for password reuse across services, on the other hand it brings data quality issues, and a single compromised account now grants access to every federated service that trusts the issuing organization. More recently, the privacy-by-design approach of user-centric identity management, which puts each user in full control over their own digital identity data, has found a new home in Self-Sovereign Identity (SSI) management based on distributed ledger technology, also known as blockchain. This chapter gives an insight into the world of digital human identities and into time-tested as well as recent approaches to their professional management from a security perspective, and discusses closely related governance and compliance topics such as data protection and levels of assurance.
© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this chapter
Pöhn, D., Hommel, W. (2021). Proven and Modern Approaches to Identity Management. In: Daimi, K., Peoples, C. (eds) Advances in Cybersecurity Management. Springer, Cham. https://doi.org/10.1007/978-3-030-71381-2_19
DOI: https://doi.org/10.1007/978-3-030-71381-2_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-71380-5
Online ISBN: 978-3-030-71381-2