In cooperation with Bundesdruckerei we are working on user-oriented identities in the Secure Identity Lab. Our work covers two aspects:
- Authentication of Digital Identities
- Architectures for Self-Sovereign Identities
Authentication of Digital Identities
Username and password is still the dominant procedure for authenticating digital identities. Other approaches such as fingerprint, face recognition or smartcards are very rarely used for web authentication and require additional hardware most of the time.
We use smartphones, wearables and further devices for implicit continuous authentication. These devices are equipped with many sensors that can sample a user's behaviour. This behaviour-based authentication can be deployed to continuously verify the current owner's identity. Because of that, any attacker can be detected immediately if the detected behaviour differs from the enrolled templates of the benign user. As a result, a phone may be locked, the user may be logged out of websites, or a silent alarm may be sent somewhere. Apart from human walking behaviour (gait), typing on hardware keyboards or touch screens is a typical behaviour considered for behavioural authentication.
In our research, we specifically focus on data privacy. One of our main principles is thus to keep all biometric data on the device itself.
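The following added example (not code from the lab) sketches the two ideas above: samples are continuously scored against an enrolled template, and the template stays inside the device-side object, with only the lock decision leaving it. The keystroke features, the z-score distance, the threshold and the window size are assumptions chosen for illustration, and all data is constructed.

```python
import statistics
from collections import deque

# Constructed enrollment data: [key hold ms, flight ms, digraph latency ms] per typing burst.
OWNER_ENROLL = [[95, 140, 230], [100, 150, 245], [105, 145, 255],
                [98, 155, 250], [102, 160, 270]]

def enroll(samples):
    """Build the on-device template: (mean, standard deviation) per feature."""
    return [(statistics.fmean(col), statistics.stdev(col)) for col in zip(*samples)]

def distance(template, sample):
    """Mean absolute z-score of one sample against the template."""
    return sum(abs(x - m) / s for x, (m, s) in zip(sample, template)) / len(template)

class ContinuousAuthenticator:
    """Scores every new sample; locks when the recent average drifts from the template."""
    def __init__(self, template, threshold=2.0, window=3):
        self._template = template      # biometric template stays in this object (on the device)
        self._threshold = threshold    # assumed value, would be tuned per user in practice
        self._recent = deque(maxlen=window)
        self.locked = False

    def observe(self, sample):
        self._recent.append(distance(self._template, sample))
        window_full = len(self._recent) == self._recent.maxlen
        # Averaging over a window tolerates a single unusual burst from the owner.
        if window_full and statistics.fmean(self._recent) > self._threshold:
            self.locked = True         # e.g. lock the phone, log out, send a silent alarm
        return self.locked

def first_lock_index(stream):
    """Index of the sample at which the device locks, or None if it never does."""
    auth = ContinuousAuthenticator(enroll(OWNER_ENROLL))
    for i, sample in enumerate(stream):
        if auth.observe(sample):
            return i
    return None

# Constructed sessions: the owner with one outlier burst, and a hand-over to another typist.
OWNER_SESSION = [[99, 148, 248], [103, 155, 260], [108, 165, 275], [97, 143, 240]]
TAKEOVER_SESSION = [[99, 148, 248], [103, 155, 260], [97, 143, 240], [130, 210, 340]]

if __name__ == "__main__":
    print("owner session locks at:", first_lock_index(OWNER_SESSION))
    print("takeover session locks at:", first_lock_index(TAKEOVER_SESSION))
```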
Architectures for Self-Sovereign Identities
The current identity landscape is dominated by identity providers such as Facebook and Google. The alternative to these single sign-on providers is the silo approach, where each service provider creates its own digital identity for its users. These solutions all remain fairly service- or identity-provider-centric and give up the user's control over their data to the providers. In contrast, a Self-Sovereign Identity system allows the user a greater degree of choice and the possibility to manage their data in the form of claims and attestations on their own. Using blockchain technology, identities can be created securely and in a decentralised fashion while the identity attributes can be reliably verified.
Challenges in this area include aspects of trust between different stakeholders in the system as well as questions of privacy in the use of public blockchains. The usability of such a system, however, is especially essential to ensure adoption by the general public.