论文信息 - A Framework for Security and Risk Analysis of Enrollment Procedures: Application to Fully-remote Solutions based on eDocuments

A Framework for Security and Risk Analysis of Enrollment Procedures: Application to Fully-remote Solutions based on eDocuments

More and more online services are characterised by the need for strongly verifying the real-world identity of end users, especially when sensitive operations have to be carried out: just imagine a fully-remote signature of a contract, and what could happen whether someone managed to perform it by using another person’s name. For this reason, the identity management lifecycle contains specific procedures – called enrollment or onboarding – providing a certain level of assurance on digital users’ real identities. These procedures must be as secure as possible to prevent frauds and identity thefts. In this paper, we present a framework composed of a specification language, a security analysis methodology and a risk analysis methodology for enrollment solutions. For concreteness, we apply our framework to a real use case (i.e., fully-remote solutions relying on electronic documents as identity evidence) in the context of a collaboration with an Italian FinTech startup. Beyond validating the framework, we analyse and highlight the essential role of mitigations on the overall security of enrollment procedures.

Silvio Ranise | Giada Sciarretta | Marco Pernpruner

[1] Ralf Küsters,et al. A Comprehensive Formal Security Analysis of OAuth 2.0 , 2016, CCS.

[2] D. Kaufman,et al. Identify , 2021, Encyclopedia of the UN Sustainable Development Goals.

[3] Steve Kremer,et al. An Extensive Formal Analysis of Multi-factor Authentication Protocols , 2018, 2018 IEEE 31st Computer Security Foundations Symposium (CSF).

[4] Thomas Higgins. Opening an Account , 2014 .

[5] Alessandro Armando,et al. Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications , 2016, NDSS.

[6] Silvio Ranise,et al. The Good, the Bad and the (Not So) Ugly of Out-of-Band Authentication with eID Cards and Push Notifications: Design, Formal and Risk Analysis , 2020, CODASPY.

[7] Hui Li,et al. A Formal Analysis of the FIDO UAF Protocol , 2021, NDSS.

[8] Ray A. Perlner,et al. Digital Identity Guidelines: Authentication and Lifecycle Management , 2017 .

[9] Tianyu Liu,et al. Signing into One Billion Mobile App Accounts Effortlessly with OAuth 2 . 0 , 2016 .

[10] Yee-Yin Choong,et al. Digital Identity Guidelines: Enrollment and Identity Proofing , 2017 .