Analysing security and privacy issues of using e-mail address as identity

Many websites now allow or require users to supply an e-mail address, either as their account identity or for other purposes. Problems with username-based identity that stem from user behaviour have been a research focus for some time, but the more serious issues of using an e-mail address as identity, and the online behaviour of users associated with it, have not been well investigated. In this paper we analyse the security and privacy problems that arise from using an e-mail address as identity, based on a user behaviour survey and an examination of how websites design their identity schemes. Our results show that using an e-mail address as identity carries high security and privacy risk, mainly because a single address serves several purposes at once and because of users' poor online habits. We also discuss the drawbacks of existing solutions to e-mail address as identity and the related password problems, and present potential solutions for securing online identity management systems in future.
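The two risks named above, cross-site linkage of accounts that share one address (privacy) and propagation of a password leaked at one site to every other account registered under the same address (security), can be made concrete with a small script. The following is an added example, not code or data from the paper: the three site names, the sign-up records, the deterministic salts and the "breached site stored plaintext" scenario are all constructed for the demonstration. Address normalisation (lower-casing, dropping a "+tag" sub-address, ignoring dots for Gmail) reflects common provider behaviour and is what makes linkage work even when a user varies the address slightly between sites.

```python
"""Added example: why one e-mail address as identity links accounts across
sites and lets a leaked password be replayed against all of them.
All sites, users and passwords below are constructed sample data."""
import hashlib
import hmac
from collections import defaultdict


def normalize_email(addr: str) -> str:
    """Canonical form of an address as an attacker (or a site) would see it."""
    local, _, domain = addr.strip().lower().rpartition("@")
    # user+tag@ is delivered to user@ by most providers, so the tag does not
    # make a distinct identity.
    local = local.split("+", 1)[0]
    # Gmail ignores dots in the local part and treats googlemail.com as an alias.
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def hash_password(salt: bytes, password: str) -> str:
    # Salted SHA-256, as found in many breach dumps. Real systems should use
    # a slow KDF (scrypt, argon2); SHA-256 is used here only so the demo is fast.
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed sign-up data: (site, e-mail exactly as typed, password).
SIGNUPS = [
    ("shop.example", "alice@example.org", "hunter2"),
    ("shop.example", "bob@example.org", "correct horse"),
    ("forum.example", "Alice+forum@Example.org", "hunter2"),
    ("forum.example", "carol@example.com", "c4rol"),
    ("bank.example", "alice@example.org", "D1ff3rent!"),
    ("bank.example", "bob@example.org", "correct horse"),
]


def build_records(signups):
    """What each site's user table holds: (site, e-mail, salt, password hash)."""
    records = []
    for site, email, password in signups:
        # Deterministic per-account salt so the example is reproducible.
        salt = hashlib.sha256(f"{site}:{email}".encode()).digest()[:16]
        records.append((site, email, salt, hash_password(salt, password)))
    return records


RECORDS = build_records(SIGNUPS)


def link_accounts(records):
    """Privacy issue: group every account by its normalised e-mail address,
    revealing which sites one person has registered at."""
    linked = defaultdict(set)
    for site, email, _salt, _digest in records:
        linked[normalize_email(email)].add(site)
    return dict(linked)


def leak_from(site, signups=SIGNUPS):
    """Constructed breach: `site` kept plaintext passwords and was dumped."""
    return {email: pw for s, email, pw in signups if s == site}


def reuse_exposure(records, breached_site, leaked_plaintext):
    """Security issue: try each leaked (address, password) pair against every
    other site's stored hash for the same normalised address. Returns the
    set of (site, address) pairs the attacker can now log into."""
    known = {normalize_email(e): pw for e, pw in leaked_plaintext.items()}
    exposed = set()
    for site, email, salt, digest in records:
        if site == breached_site:
            continue
        addr = normalize_email(email)
        pw = known.get(addr)
        if pw is not None and hmac.compare_digest(hash_password(salt, pw), digest):
            exposed.add((site, addr))
    return exposed


if __name__ == "__main__":
    for addr, sites in sorted(link_accounts(RECORDS).items()):
        print(addr, "is registered at", sorted(sites))
    for site, addr in sorted(reuse_exposure(RECORDS, "shop.example", leak_from("shop.example"))):
        print("password leaked from shop.example also opens", addr, "at", site)
```

Run as a script, the linkage step shows that alice's three accounts are tied together although she registered at the forum with a "+forum" tag, and the reuse step shows that the shop breach hands the attacker her forum account and bob's bank account, while alice's bank account survives only because she chose a different password there. The check against the bank's hash is the same operation a credential-stuffing tool performs at scale.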