Organizer: CROSSING / Prof. Matthias Hollick
With e-commerce now exceeding 1 trillion € per annum and the emergence of the Internet of Things, the need for reliable and user-friendly authentication mechanisms is more pressing than ever. A European research project entitled “ReCRED: From Real-world Identities to Privacy-preserving and Attribute-based CREDentials for Device-centric Access Control” tries to address the problems of password-based access control: a) password overload, referring to the inability of users to remember different secure passwords for each one of their accounts; b) identity fragmentation, stemming from the fact that independent identity providers (email, social networks, etc.) create disjoint identity realms, making it difficult for end users to prove joint ownership of accounts, e.g., for reputation transfer or to fend off impersonation attacks; and c) lack of support for attribute-based access control (ABAC), which facilitates account-less access through verified identity attributes (e.g., age or location).
ReCRED moves the burden of authentication from the user to the device itself, taking full advantage of smartphones’ inherent capabilities. Smartphones evolve into authentication proxies, where every user account can be securely kept and managed on the device, following the most contemporary technological standards that leverage the benefits of asymmetric cryptography (e.g., FIDO Alliance). Users can be authenticated locally by their mobile devices, using fingerprint, face recognition, how they walk, type, move around the city, etc. ReCRED also offers two additional innovations: a) the consolidation and management of online user identities and accounts, and b) the issuance of anonymous credentials that verify specific attributes or properties of the users, while guaranteeing the latter’s anonymity.