1,720,960 research outputs found
Integrating Security by Design and Automated Security Analysis for Digital Identity Management
No full textIn the last few years, our society underwent an unprecedented wave of digital transformation, which required a shift from traditional to digital identity models. Although this transition brings many advantages from a usability perspective, it also introduces significant security challenges, particularly concerning the core processes of enrollment and authentication. Designing secure protocols for these processes is inherently complex, as it involves heterogeneous considerations that must be balanced: providing a suitable level of security; keeping protocols as usable as possible; complying with mandatory requirements connected with the scenario. In light of these complexities, security architects should be able to assess the security and risk levels associated with their protocols, to identify the most suitable configuration in a quick and reliable way.
In this thesis, we address these needs by providing strategies to foster the secure and risk-aware design of identity management protocols. In particular, we introduce a multi-layered methodology for the evaluation of the security and risk associated with identity management protocols. As the methodology can enable a secure by design approach, we demonstrate its integration within the context of national collaborations, particularly in the development of cutting-edge enrollment and authentication protocols. Beyond discussing the security and risk results for the proposed protocols, we emphasize the fundamental role of security mitigations in achieving an optimal trade-off between security and usability. Finally, we contextualise our methodology in a comprehensive, automatable approach to evaluate identity management protocols and provide detailed information on their security, risk and compliance posture through a structured report in output, which enables auditability. The approach also allows for what-if analyses, consisting in repeatedly changing the set of security controls to consider and evaluate their effects on the protocol; this way, it is possible to find the best configuration depending on the requirements. To align with international bodies, the structure of the approach takes inspiration from a report recently published by the European Union Agency for Cybersecurity
Proceedings of the 3rd International Workshop on Trends in Digital Identity (TDI 2025)
No full textDigital identity is increasingly recognized as a fundamental building block in the development and deployment of digital infrastructures and services across a wide range of sectors, including e-commerce, e-government, healthcare, and finance. As the adoption of digital technologies accelerates, the need for secure and reliable identity management solutions grows significantly and becomes the cornerstone of other security services, such as access control. However, this increased demand presents numerous challenges, including technical issues like security, interoperability, and usability, as well as legal and regulatory concerns related to data protection, privacy, and compliance.
To effectively address these challenges, collaboration among researchers and practitioners from various fields is essential. This workshop seeks to bring together representatives from academia, research institutions, industry, public administrations, and standardization bodies to discuss the evolving landscape of digital identity management. The objective is to drive a transformation process that ensures security guarantees, robust data protection, compliance, and a foundation of trust in digital services. By fostering these discussions, the workshop provides a unique opportunity for interdisciplinary collaboration, with the aim of shaping the future of digital identity
An Automated Multi-Layered Methodology to Assist the Secure and Risk-Aware Design of Multi-Factor Authentication Protocols
Full text linkAuthentication protocols represent the entry point to online services, so they must be sturdily designed in order to allow only authorized users to access the underlying data. However, designing authentication protocols is a complex process: security designers should carefully select the technologies to involve and integrate them properly in order to prevent potential vulnerabilities. In addition, these choices are usually restricted by further factors, such as the requirements associated with the scenario, the regulatory framework, the dimensions to balance (e.g., security vs. usability), and the standards to rely on. We come to the rescue by presenting an automated multi-layered methodology we have developed to assist security designers in this phase: by repeatedly evaluating their protocols, they can select the security mitigations to consider until they reach the desired security level, thus enabling a security-by-design approach. For concreteness, we also show how we have applied our methodology to a real use case scenario in the context of a collaboration with the Italian Government Printing Office and Mint
Beyond Screens: Investigating Identity Proofing for the Metaverse Through Cross-Device Flows
No full textThis paper presents a secure identity proofing flow for metaverse-based applications, enabling the validation of authoritative identity evidence (such as electronic passports and identity cards) to support sensitive or legally binding operations performed through virtual reality (VR) headsets. These use cases, common in business environments, require users' credentials to be strongly linked to verified real-world identities, ensuring compliance with regulatory standards. The solution involves a cross-device flow where users first verify their identity on a mobile device by presenting valid identity evidence. This verified identity is then transferred to the VR headset, where users can register and activate credentials for future authentication. Beyond providing key security considerations and defining a taxonomy of possible attacks, we discuss how our design choices enhance the security of the flow
A Framework for Security and Risk Analysis of Enrollment Procedures: Application to Fully-remote Solutions based on eDocuments
No full textMore and more online services are characterised by the need for strongly verifying the real-world identity of end users, especially when sensitive operations have to be carried out: just imagine a fully-remote signature of a contract, and what could happen whether someone managed to perform it by using another person’s name. For this reason, the identity management lifecycle contains specific procedures – called enrollment or onboarding – providing a certain level of assurance on digital users’ real identities. These procedures must be as secure as possible to prevent frauds and identity thefts. In this paper, we present a framework composed of a specification language, a security analysis methodology and a risk analysis methodology for enrollment solutions. For concreteness, we apply our framework to a real use case (i.e., fully-remote solutions relying on electronic documents as identity evidence) in the context of a collaboration with an Italian FinTech startup. Beyond validating the framework, we analyse and highlight the essential role of mitigations on the overall security of enrollment procedures
Towards a Fine-Grained Threat Model for Video-Based Remote Identity Proofing
No full textThe attack landscape against video-based face verification is rapidly evolving, thus leading to increased opportunities of impersonation and identity theft within remote identity proofing processes. To support reliable security and risk analyses, we provide an extended threat model composed of threats and security controls for the face acquisition phase. Special emphasis is devoted to recent advancements in video synthesis and physical rendering, as well as diversified approaches for liveness detection
The Good, the Bad and the (Not So) Ugly of Out-of-Band Authentication with eID Cards and Push Notifications: Design, Formal and Risk Analysis
No full textEveryday life is permeated by new technologies allowing people to perform almost any kind of operation from their smart devices. Although this is amazing from a convenience perspective, it may result in several security issues concerning the need for authenticating users in a proper and secure way. Electronic identity cards (also called eID cards) play a very important role in this regard, due to the high level of assurance they provide in identification and authentication processes. However, authentication solutions relying on them are still uncommon and suffer from many usability limitations. In this paper, we thus present the design and implementation of a novel passwordless, multi-factor authentication protocol based on eID cards. To reduce known usability issues while keeping a high level of security, our protocol leverages push notifications and mobile devices equipped with NFC, which can be used to interact with eID cards. In addition, we evaluate the security of the protocol through a formal security analysis and a risk analysis, whose results emphasize the acceptable level of security
Going Beyond Counting First Authors in Author Co-citation Analysis
Full text linkThe present study examines one of the fundamental aspects of author co-citation analysis (ACA) - the way co-citation
counts are defined. Co-citation counting provides the data on which all subsequent statistical analyses and mappings
are based, and we compare ACA results based on two different types of co-citation counting - the traditional type that
only counts the first one among a cited work's authors on the one hand and a non-traditional type that takes into
account the first 5 authors of a cited work on the other hand. Results indicate that the picture produced through this non-traditional author co-citation counting contains more coherent author groups and is therefore considerably clearer. However, this picture represents fewer specialties in the research field being studied than that produced through the traditional first-author co-citation counting when the same number of top-ranked authors is selected and analyzed. Reasons for these effects are discussed
Variations on the Author
Full text link“Variations on the Author” discusses two of Eduardo Coutinho’s recent films (Um Dia na Vida, from 2010, and Últimas Conversas, posthumously released in 2015) and their contribution to the general question of documentary authorship. The director’s filmography is characterized by a consistent yet self-effacing form of authorial self-inscription: Coutinho often features as an interviewer that rather than express opinions propels discourses; an interviewer that is good at listening. This mode of self-inscription characterizes him as an author who is not expressive but who is nonetheless markedly present on the screen. In Um Dia na Vida, however, Coutinho is completely absent form the image, while Últimas Conversas, on the contrary, includes a confessional prologue that moves the director from the margins to the center of his films. This article examines the ways in which these works stand out in the filmography of a director who offers new insights into the notion of cinematic authorship
- …
