Federated electronic identity systems are increasingly used in commercial and public services to let users share their electronic identities (eIDs) across countries and providers. In Europe, the eIDAS Regulation and its implementation-the eIDAS Network-allowing mutual recognition of citizen’s eIDs in various countries, is now in action. We discuss authorization (before authentication), named also authorize-then-authenticate (AtA), in services exploiting the eIDAS Network. In the eIDAS Network, each European country runs a national eIDAS Node, which transfers in other Member State countries, via the eIDAS protocol, some personal attributes, upon successful authentication of a person in his home country. Service Providers in foreign countries typically use these attributes to implement authorization decisions for the requested service. We present a scenario where AtA is required, namely Wi-Fi access, in which the service provider has to implement access control decisions before the person is authenticated through the eIDAS Network with his/her national eID. The Wi-Fi access service is highly required in public and private places (e.g. shops, hotels, a.s.o.), but its use typically involves users’ registration at service providers and is still subject to security attacks. The eIDAS Network supports different authentication assurance levels, thus it might be exploited for a more secure and widely available Wi-Fi access service to the citizens with no prior registration, by exploiting their national eIDs. We propose first a model that discusses AtA in eIDAS-based services, and we consider different possible implementation choices. We describe next the implementation of AtA in an eIDAS-based Wi-Fi access service leveraging the eIDAS Network and a Zeroshell captive portal supporting the eIDAS protocol. We discuss the problems encountered and the deploy-ment issues that may impact on the service acceptance by the users and its exploitation on large scale.

Supporting authorize-then-authenticate for wi-fi access based on an electronic identity infrastructure / Berbecaru, D.; Lioy, A.; Cameroni, C.. - In: JOURNAL OF WIRELESS MOBILE NETWORKS, UBIQUITOUS COMPUTING AND DEPENDABLE APPLICATIONS. - ISSN 2093-5374. - 11:2(2020), pp. 34-54. [10.22667/JOWUA.2020.06.30.034]

Supporting authorize-then-authenticate for wi-fi access based on an electronic identity infrastructure

Berbecaru D.;Lioy A.;Cameroni C.
2020

Abstract

Federated electronic identity systems are increasingly used in commercial and public services to let users share their electronic identities (eIDs) across countries and providers. In Europe, the eIDAS Regulation and its implementation-the eIDAS Network-allowing mutual recognition of citizen’s eIDs in various countries, is now in action. We discuss authorization (before authentication), named also authorize-then-authenticate (AtA), in services exploiting the eIDAS Network. In the eIDAS Network, each European country runs a national eIDAS Node, which transfers in other Member State countries, via the eIDAS protocol, some personal attributes, upon successful authentication of a person in his home country. Service Providers in foreign countries typically use these attributes to implement authorization decisions for the requested service. We present a scenario where AtA is required, namely Wi-Fi access, in which the service provider has to implement access control decisions before the person is authenticated through the eIDAS Network with his/her national eID. The Wi-Fi access service is highly required in public and private places (e.g. shops, hotels, a.s.o.), but its use typically involves users’ registration at service providers and is still subject to security attacks. The eIDAS Network supports different authentication assurance levels, thus it might be exploited for a more secure and widely available Wi-Fi access service to the citizens with no prior registration, by exploiting their national eIDs. We propose first a model that discusses AtA in eIDAS-based services, and we consider different possible implementation choices. We describe next the implementation of AtA in an eIDAS-based Wi-Fi access service leveraging the eIDAS Network and a Zeroshell captive portal supporting the eIDAS protocol. We discuss the problems encountered and the deploy-ment issues that may impact on the service acceptance by the users and its exploitation on large scale.
File in questo prodotto:
File Dimensione Formato  
jowua-v11n2-4.pdf

accesso aperto

Tipologia: 2a Post-print versione editoriale / Version of Record
Licenza: Pubblico - Tutti i diritti riservati
Dimensione 1.35 MB
Formato Adobe PDF
1.35 MB Adobe PDF Visualizza/Apri
Pubblicazioni consigliate

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11583/2845864