On enabling additional natural person and domain-specific attributes in the eIDAS network / Berbecaru, Diana Gratiela; Lioy, Antonio; Cameroni, Cesare. In: IEEE ACCESS, ISSN 2169-3536, electronic, vol. 9 (2021), pp. 134096-134121. DOI: 10.1109/ACCESS.2021.3115853

On enabling additional natural person and domain-specific attributes in the eIDAS network

Berbecaru, Diana Gratiela; Lioy, Antonio; Cameroni, Cesare
2021

Abstract

Within digital virtual space, secure and efficient user authentication and identification are essential to prevent identity theft and unauthorized access to sensitive information and services. The eIDAS network, implementing the European (EU) Regulation 910/2014, links the electronic identity (eID) systems of EU countries to allow citizens to access services by authenticating with government eIDs. At authentication time, the eIDAS nodes transfer core personal attributes to the service providers (SPs), i.e. name, surname, date of birth, and an identifier. Since long-term applications require more personal or domain-specific data, e.g., to perform identity matching, the SPs must obtain them securely afterward in addition to the eIDAS attributes, with additional costs and risks. Herein, we extend the eIDAS network to retrieve and transfer additional person and domain-specific attributes besides the core ones. This process introduces technical, usability, and privacy issues that we analyze. We exploit a logical AP Connector acting between the eIDAS node and the local entities providing additional attributes. We implemented two AP Connectors, named AP-Proxy and AP-OAuth2, allowing the Italian pre-production eIDAS node to get additional attributes from the Politecnico di Torino university backend. In an experimental campaign, about 30 students accessed academic services at three foreign universities with Italian eIDs and transferred additional attributes over the eIDAS network. Despite some usability and privacy concerns encountered, the user experience was positive. We believe our work is helpful in the implementation of the recently adopted European Digital Identity framework, which proposes to extend the person identification data set recognized cross-border and the creation of digital wallets that link different data sets or credentials.
Files in this record:

File: On_Enabling_Additional_Natural_Person_and_Domain-Specific_Attributes_in_the_eIDAS_Network.pdf
Access: open access
Description: Full paper
Type: 2a Post-print, publisher's version / Version of Record
License: Creative Commons
Size: 7.86 MB
Format: Adobe PDF
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11583/2928792