Digital Identity is a set of attributes of a person or company in a specific domain. An entity has multiple Digital Identities.
Identity is a set of attributes related to an entity (individual / company) in a given domain.
An entity can have multiple identities, such as:
• Email account (private and corporate)
• Social network accounts (e.g. Facebook, Twitter, LinkedIn…)
• E-Commerce identities (e.g. Amazon, eBay)
• Banking identity
• Account to purchase flights or trains
• SIM phone
• E-Passport
• Health cards
• National service card
Examples of Digital Identity:
• ID for c/c online
• ID to request certificates
• ID to purchase flights
• ID for online magazines
• E-Commerce ID
• ID for social network
The use of Digital Identities is subject to several risks.

Risks:
• Identity theft
• Impersonation
• Bank fraud (e.g. unauthorized transfers of money through mobile banking, ATM and POS)
• Credit card fraud (e.g. unauthorized withdrawals on the Internet, from ATM and POS)
• Mail identity theft
• Fraud to the State (e.g. taking advantage of special benefits without having the rights to them)

Consequences:
• Unauthorized withdrawal of money
• Reputation damage for misappropriation of identity
• Economic and reputation damage for the organization that manages the identity
• Defamation
• Attribution of responsibility
• Loss of confidential information
• Violation of electronic correspondence
• Computer intrusion
• Violation of privacy
Some cases and consequences:
• 2012: Hackers steal data of 1.5 million Visa and MasterCard customers in North America [1]
• 2011: Theft of credit card details of up to 77 million Sony users [2], with estimated damage of 172 million $ [3]
• 2010: Bank tellers, retail workers, waiters and alleged criminals steal data from credit cards to a value of 13 million $ [4]
• 2009: Theft of more than 130 million credit and debit card numbers [5] from Hannaford Brothers, 7-Eleven and two other companies

1) www.globalpaymentsinc.com; 2) www.stampa.it; 3) www.latimes.com; 4) www.lastampa.it; 5) www.csoonline.com
The assurance level of an identity is characterized by its registration process and by its authentication process.

Registration is the process that makes an entity known in a given domain [1]. Registration levels, from lowest to highest level of trust:
• Self-assertion: the user makes a self-assertion of identity and there are no checks
• Third party verification: verification is left to a third party (e.g. phone number)
• Direct verification: verification of identity is direct (e.g. background check of clients)
• Detailed direct verification: verification of identity is direct and detailed (e.g. for e-passport)

Authentication is the verification process of the attributes associated with an identity [1]. Authentication levels, from lowest to highest level of trust:
• 1-factor authentication: done through something that you know or something that you have (e.g. password)
• 2-factor authentication: done through something that you know and something that you have (e.g. token and PIN)
• 3-factor authentication: done through something that you know, something that you are and something that you have (e.g. token, PIN, biometric)

1) ISO/IEC 24760

Strong Digital Identities are characterized by registration and authentication processes able to ensure the verification of the data provided by the individual and secure authentication to the user profile.
Soft Digital Identities, although sometimes used for commercial transactions (e.g. Amazon), do not require registration and authentication processes with high security levels.
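The two axes above (registration level and number of authentication factors) can be combined into a single soft/strong classification. The following is an added example, not code from the original slides; the knowledge/possession/inherence taxonomy, the credential names and the rule that overall assurance is bounded by the weaker axis are assumptions of this example.

```python
from enum import IntEnum


# Registration levels, ordered from lowest to highest trust (slide order).
class Registration(IntEnum):
    SELF_ASSERTION = 1
    THIRD_PARTY = 2
    DIRECT = 3
    DETAILED_DIRECT = 4


# Credential type -> factor category (assumed taxonomy: know / have / are).
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "security_question": "knowledge",
    "otp_token": "possession",
    "smart_card": "possession",
    "sim": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}


def count_factors(credentials):
    """Number of distinct factor categories present.

    A factor counts once per category, so password + security question
    is still 1-factor authentication: both are 'something you know'.
    """
    unknown = [c for c in credentials if c not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unknown credential type(s): {unknown}")
    return len({FACTOR_CATEGORY[c] for c in credentials})


def classify(registration, credentials):
    """Return 'strong' or 'soft' following the slides' definitions.

    Strong: identity verified directly (de visu) at registration AND
    authentication uses at least two independent factors (e.g. smart
    card + PIN). Weaker on either axis means soft, because the overall
    assurance is bounded by the weaker of the two processes (assumed).
    """
    factors = count_factors(credentials)
    if registration >= Registration.DIRECT and factors >= 2:
        return "strong"
    return "soft"
```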
There are different types of Digital Identities that, depending on their use and the level of security required, can be divided into two categories: soft and strong.

Soft Identity:
• Social Networks
• (Private and Corporate) Email accounts
• Identities for eCommerce
• Online magazine subscriptions
• Accounts for Blogs and Forums
• …

Soft identities are used by online operators to give access, in a more or less secure way, to digital services that are not considered critical. These soft identities normally consist of a user name and a password plus several attributes needed to use the specific services.

Strong Identity:
• National ID card
• Digital Signature
• Electronic Passport
• Secure payment card
• …

Strong identities are issued with procedures that involve de visu (in-person) recognition of the user. Specific technologies are used to ensure a secure authentication process (e.g. smart cards, tokens, biometrics). The attention of legislators is currently focused on strong identity.
There is no regulation of Digital Identity on the Internet. There are only some technical standards (ISO) and guidelines (US NIST, OECD).
There are no international laws or policies dealing with Digital Identity topics.
Regulations and legislation are concerned only with technical standards addressing single aspects such as authentication, data management and privacy (e.g. ISO), principles and guidelines (NIST, OECD) or de facto standards (OpenID, Persona, OneID).
The result of this "legislation/regulation" heterogeneity is transferred into the heterogeneity of the implemented solutions and into the difficulty of creating interoperable systems between existing infrastructures.
• ISO/IEC 24760, A framework for identity management
• ISO/IEC 29115, Entity authentication assurance framework
• ISO/IEC 9798, Entity Authentication
• ISO/IEC 29100, Privacy Framework
• OECD Recommendation on Electronic Authentication and OECD Guidance for Electronic Authentication
• NIST Recommendations for establishing an identity ecosystem governance structure
The Digital Identities related to financial systems (e.g. Credit/Debit Cards) are ruled by operators' consortia such as EMV and PCI.
Financial systems are strongly ruled by operators' consortia or standardization bodies that have defined standards and technical procedures to guarantee interoperability and security. These standards differ in their application between traditional use (POS/ATM) and online use (Card Not Present).
The security countermeasures adopted for cards, such as EMV, are not useful for online services (absence of card readers); for that reason the PCI/DSS standard has been defined by credit card operators. Non-compliance leads to sanctions and to reimbursement duties toward end users in case of online fraud.
At European level, European Directives have been published (95/46/CE and 2002/58/CE). They define a legal framework for the treatment of personal data during a payment transaction; the directive on payment services (2007/64/CE) provides a legal framework on payment topics and has a strong impact on Digital Identity.
• EMV, standard on interoperability (defined by Europay, Visa, MasterCard) between smart card, POS and ATM, defines a secure authentication procedure for credit card / Bancomat
• SecureCode / Verified by Visa, standards on online security
• PCI/DSS, standard applied to any subject dealing with the PAN of cards issued by Visa, MasterCard, American Express, JCB or Discover
• SEPA - Single Euro Payments Area (CE)
• EU Directives (2007/64/CE, 95/46/CE, 2002/58/CE)
At the moment, the major focus is on eGovernment for the adoption of "Electronic ID", although the use of soft identities for access and identification over the Internet is rising (e.g. INPS).
• Presence in some Countries of strategic guidelines to define standards and regulations for trusted digital identities in both the public and private sectors
• Presence of operational projects in some small realities, started as Government initiatives but open to private services too (e.g. Estonia, Portugal)
• Presence at European level of strategic guidelines where digital identity is a driver (e.g. Europe 2020 and the European Digital Agenda)
• Presence at European level of regulatory initiatives on eSignature and eAuthentication
• "National Strategy for Trusted Identities in Cyberspace" (USA)
• "National Identity Security Strategy" (AU)
• "Digital Identity Management" – OECD Report
Considering the current risk scenario and the fragmented approach of International Institutions, Member States could adopt a short term programme to guarantee the security and interoperability of Digital Identity.

Involvement policy for Identity Service Providers
Identity Service Providers must be involved in a working group together with the Public Institutions delivering online services, in order to regulate Digital Identity topics.

Functioning and Control Regulations
It is strongly suggested that at national level a series of regulations be defined to manage Digital Identities. Moreover, control mechanisms should be defined in order to guarantee minimum operational parameters such as 24h access to the Digital Identity, minimum levels of security, …

Possibility of Digital Identity Federation in international and commercial environments
The Identity Service Provider should make it possible to federate the system at both national and international level. That means a starting architecture that allows trust and federation mechanisms with other platforms.

Awareness of commercial providers on minimum security levels to protect personal data and to manage Digital Identity
It is necessary to make commercial providers aware that they must guarantee secure services and data protection to end users. For that reason a national information campaign should be targeted at Identity providers.

(In the original table each proposal is also marked by applicability to eCommerce and eGovernment; those marks are not recoverable here.)
Some initiatives could be taken in order to improve the framework for Digital Identities.

Proposals for EU:
• Define an EU common framework, standards and regulation on Digital Identity (soft and strong), mutually recognized in all Member States
• Define also a set of minimal security requirements that Identity Service Providers must comply with
• Create public awareness of the importance of securing Digital Identity in order to mitigate threats and vulnerabilities