The Identity Crisis. Security, Privacy and Usability Issues in Identity Management

This paper studies the current "identity crisis" caused by the substantial security, privacy and usability shortcomings of existing identity management systems. Some of these issues are well known, while others are much less understood. The paper brings them together in a single, comprehensive study and proposes recommendations to resolve or mitigate the problems; some of them cannot be solved without substantial research and development effort.