Skip to main content
Springer Nature Link
Log in

Enroll, and Authentication Will Follow

eID-Based Enrollment for a Customized, Secure, and Frictionless Authentication Experience

  • Conference paper
  • First Online:
Foundations and Practice of Security (FPS 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12056))

Included in the following conference series:

Abstract

High-assurance user identification and credentials provisioning are crucial for accessing digital services. Usability, service customization, and security should be carefully balanced to offer an appropriate user experience. We propose an eID-based enrollment approach for tailoring authentication to the particular needs of the service provider and strike a good trade-off between usability and security via the registration of authenticators, artifacts providing identity proofs. We demonstrate the practicality of our approach in the case of patient access to Electronic Health Records (EHR) through an Android application: enrollment is done by using the Italian national eID card to register the mobile authenticator, unlocked by the user’s fingerprint, customized to interact with the identity and access management system of the EHR.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Digital onboarding for financial services. https://www2.deloitte.com/lu/en/pages/technology/articles/digital-onboarding-financial-services.html

  2. eID User Community: Overview of pre-notified and notified eID schemes under eIDAS. https://ec.europa.eu/cefdigital/wiki/display/EIDCOMMUNITY/Overview+of+pre-notified+and+notified+eID+schemes+under+eIDAS

  3. Android keystore documentation. https://developer.android.com/training/articles/keystore#UserAuthentication

  4. Armando, A., Carbone, R., Compagna, L., Cuéllar, J., Tobarra, L.: Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for Google apps, pp. 1–10 (2008). https://doi.org/10.1145/1456396.1456397

  5. BSI: Advanced security mechanisms for machine readable travel documents and eIDAS token (2015). https://www.bsi.bund.de/EN/Publications/TechnicalGuidelines/TR03110/BSITR03110

  6. Carta d’Identità Elettronica. https://www.cartaidentita.interno.gov.it/

  7. Deloitte: Value proposition of eIDAS-based eID - banking sector, July 2018. https://ec.europa.eu/cefdigital/wiki/display/EIDCOMMUNITY/Study+on+the+opportunities+and+challenges+of+eID+for+Banking

  8. EU: General data protection regulation (GDPR), May 2016. http://data.europa.eu/eli/reg/2016/679/2016-05-04

  9. European Parliament and Council: Directive 1999/93/EC on a community framework for electronic signatures. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31999L0093&from=EN

  10. European Parliament and Council: Directive 2015/2366 on payment services in the internal market. http://data.europa.eu/eli/dir/2015/2366/2015-12-23

  11. European Parliament and Council: Electronic identification, authentication and trust services (eIDAS). http://data.europa.eu/eli/reg/2014/910/oj

  12. FIDO. https://fidoalliance.org/what-is-fido/

  13. GIXEL: IAS ECC - Identification authentication signature European citizen card, European card for e-Services and National e-ID applications, February 2009

    Google Scholar 

  14. Grassi, P.A., Garcia, M.E., Fenton, J.L.: Digital identity guidelines. NIST, June 2017. https://doi.org/10.6028/NIST.SP.800-63-3

  15. Grimes, R.: 12 ways to hack MFA, March 2019. https://www.rsaconference.com/industry-topics/presentation/12-ways-to-hack-2fa

  16. Hyperledger fabric docs. https://hyperledger-fabric.readthedocs.io/

  17. Hu, V., et al.: Guide to attribute based access control (ABAC) definition and considerations. NIST, January 2014. https://doi.org/10.6028/NIST.SP.800-162

  18. Machine Readable Travel Documents (2015). https://www.icao.int/publications/pages/publication.aspx?docnum=9303

  19. IETF RFC 5280: Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. https://tools.ietf.org/html/rfc5280

  20. Istituto poligrafico e zecca dello stato (IPZS). https://www.ipzs.it/

  21. Koeune, F., Standaert, F.-X.: A tutorial on physical security and side-channel attacks. In: Aldini, A., Gorrieri, R., Martinelli, F. (eds.) FOSAD 2004-2005. LNCS, vol. 3655, pp. 78–108. Springer, Heidelberg (2005). https://doi.org/10.1007/11554578_3

    Chapter  MATH  Google Scholar 

  22. Kowalksi, B.: FIDO, strong authentication and eID in Germany. https://www.slideshare.net/FIDOAlliance/keynote-fido-strong-authentication-and-eld-in-germany

  23. Morelli, U., Ranise, S., Sartori, D., Sciarretta, G., Tomasi, A.: Audit-based access control with a distributed ledger: applications to healthcare organizations. In: Mauw, S., Conti, M. (eds.) STM 2019. LNCS, vol. 11738, pp. 19–35. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-31511-5_2

    Chapter  Google Scholar 

  24. PWC: Study on eID and digital on-boarding. https://doi.org/10.2759/94773

  25. Sistema Pubblico per la gestione dell’Identità Digitale (SPID). http://www.agid.gov.it/agenda-digitale/infrastrutture-architetture/spid

  26. W3C: Verifiable credentials data model. https://www.w3.org/TR/verifiable-claims-data-model/

  27. W3C: Web authentication: an API for accessing public key credentials level 2. https://www.w3.org/TR/webauthn-2/

Download references

Acknowledgements

This work has been partially supported by the activity 19184 API Assistant of the action line Digital Infrastructure of EIT Digital. In addition, the authors are grateful to Istituto Poligrafico e Zecca dello Stato Italiano (IPZS) for kindly providing a prototype Android SDK to interact with CIE 3.0.

Author information

Authors and Affiliations

  1. Security and Trust, Fondazione Bruno Kessler, Via Sommarive 18, 38123, Trento, Italy

    Silvio Ranise, Giada Sciarretta & Alessandro Tomasi

Authors
  1. Silvio Ranise
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Giada Sciarretta
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Alessandro Tomasi
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Giada Sciarretta .

Editor information

Editors and Affiliations

  1. Université Paul Sabatier (CNRS IRIT), Toulouse, France

    Abdelmalek Benzekri

  2. Carleton University, Ottawa, ON, Canada

    Michel Barbeau

  3. University of Waterloo, Waterloo, ON, Canada

    Guang Gong

  4. Université Paul Sabatier (CNRS IRIT), Toulouse, France

    Romain Laborde

  5. Telecom SudParis, IMT, Palaiseau, France

    Joaquin Garcia-Alfaro

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Ranise, S., Sciarretta, G., Tomasi, A. (2020). Enroll, and Authentication Will Follow. In: Benzekri, A., Barbeau, M., Gong, G., Laborde, R., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2019. Lecture Notes in Computer Science(), vol 12056. Springer, Cham. https://doi.org/10.1007/978-3-030-45371-8_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-45371-8_10

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-45370-1

  • Online ISBN: 978-3-030-45371-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics