Within the framework of the Secure Identity Lab, we work on user-oriented identities. Our work covers two aspects: authentication of identities and architectures for so-called self-sovereign identities.
Username/password is still the dominant method for authenticating digital identities. Other well-known methods such as fingerprints, facial recognition and smartcards are rarely used on the internet and require additional hardware.
We use smartphones, wearables and other devices for implicit continuous authentication. These devices come with all kinds of sensors that can detect the behaviour of the user. This behaviour-based authentication allows the owner to be recognised automatically, so the devices can lock the computer/workstation if the behaviour deviates from the known pattern, or unlock it if the behaviour matches the pattern again. The best-known and most-researched behavioural feature is walking. However, there are also other characteristics, such as typing behaviour on normal PC or smartphone keyboards.
Our special focus in research is on the highest possible data protection in all procedures, as the data required for this are very sensitive.
The current identity landscape on the internet is dominated by a few large identity providers such as Facebook or Google. The alternative to these single sign-on providers is the silo approach, in which each individual service creates its own new digital identity. In both cases the process remains service- or identity-provider-centric and leaves data sovereignty with these providers. In a self-sovereign identity system, on the other hand, users have sovereignty over their data and manage it themselves in the form of assertions and corresponding attestations. With the help of trusted data registries, identities can be created securely in a decentralised manner, and identity data can be reliably verified and managed. In this context we investigate security and privacy aspects of peer-to-peer networks.
Challenges here are aspects of trust between different stakeholders in the system as well as questions of privacy when using public blockchains. However, the user-friendliness of such a system is essential for its acceptance by the general public. Specifically, we are exploring the concept of self-sovereign identities in the context of digital academic credential systems.