You are here: Home Contents V9 N1 V9N1_Alpar.html
Personal tools

The Identity Crisis - Security, Privacy and Usability Issues in Identity Management



Full text

Journal of Information Systems Security
Volume 9, Number 1 (2013)
Pages 2353
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Gergely Alpár — Radboud University Nijmegen, The Netherlands
Jaap-Henk Hoepman — Radboud University Nijmegen, The Netherlands
Johanneke Siljee — TNO, The Netherlands
Information Institute Publishing, Washington DC, USA




This paper studies the current ‘identity crisis’ caused by the substantial security, privacy and usability shortcomings encountered in existing systems for identity management. Some of these issues are well known, while others are much less understood. This paper first introduces the reader to the area of identity management. Next, it brings the fundamental, security, privacy and usability problems in the design of current identity management systems together in a single, comprehensive study. Finally, the paper gives recommendations to resolve or to mitigate these problems. In some cases these problems cannot be solved without substantial research and development effort. We therefore end this paper with an overview of recommendations for future work that will resolve the current identity crisis. 




Identity Management, Usability and Security, Privacy




Alrodhan, W. A., & Mitchell, C. J. (2007). Addressing privacy issues in CardSpace. In IAS (pp. 285–291). 

Anderson, R. J. (2008). Security engineering – a guide to building dependable distributed systems (2. ed.). John Wiley & Sons. 

Belanger, F., & Crossler, R. E. (2011). Privacy in the Digital Age: A Review of Information Privacy Research in Information Systems. MIS Quarterly, 35(4), 1017–1041. 

Bertocci, V., Serack, G., & Baker, C. (2008). Understanding Windows CardSpace. Addison-Wesley. 

Bohm, N., & Mason, S. (2010). Identity and its verification. Computer Law & Security Review, 26(1), 43–51. 

Brands, S. (2000). Rethinking Public Key Infrastructures and Digital Certificates; Building in Privacy (1st ed.). MIT Press. 

Camenisch, J., & Herreweghen, E. V. (2002). Design and implementation of the ıt Idemix anonymous credential system. In ACM Conference on Computer and Communications Security (pp. 21–30). 

Camenisch, J., & Lysyanskaya, A. (2001). An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation. In EUROCRYPT (pp. 93–118). 

Camenisch, J., Sommer, D., Fischer-Hübner, S., Hansen, M., Krasemann, H., & Leenes, R. (2005). Privacy and Identity Management for Everyone. In Proceedings of the 2005 Workshop on Digital Identity Management (pp. 20–27). ACM Press. 

Cameron, K. (2005). Laws of Identity. 

Cameron, K., & Jones, M. B. (2006). Design rationale behind the identity metasystem architecture. Microsoft Corporation. 

Cameron, K., Posch, R., & Rannenberg, K. (2009). Proposal for a Common Identity Framework: A User-Centric Identity Metasystem. In K. Rannenberg, D. Royer, & A. Deuker (Eds.), The Future of Identity in the Information Society (pp. 477–500). Springer. 

Carpenter, P., & Perkins, E. (2010). Magic Quadrant for User Provisioning. Gartner. 

Cavoukian, A. (2006). 7 Laws of Identity - The Case for Privacy-Embedded Laws of Identity in the Digital Age. Ontaria, Canada: Office of the Information and Privacy Commissioner. 

Daemen, T., & Rubinstein, I. (2006). The Identity Metasystem: Towards a Privacy-Compliant Solution to the Challenges of Digital Identity (White paper). Microsoft Corporation. 

De Hert, P. (2008). Identity management of e-ID, privacy and security in Europe. A human rights view. Inf. Secur. Tech. Rep., 13(2), 71–75. 

Dhamija, R., & Dusseault, L. (2008). The Seven Flaws of Identity Management: Usability and Security Challenges. IEEE Security & Privacy, 6(2), 24–29. 

Ellison, C. M. (1999). The nature of a usable PKI. Computer Networks, 31, 823–830. 

Gajek, S., Schwenk, J., Steiner, M., & Xuan, C. (2009). Risks of the CardSpace Protocol. In ISC (pp. 278–293). 

Hardin, R. (2002). Trust & Trustworthiness. New York: Russell Sage Foundation. 

ISO/IEC. (2005). WD 24760-3 A framework for identity management. 

Joosten, R., Whitehouse, D., & Duquenoy, P. (2008). Towards a Meta Model for Identity Terminology. In Pre-proceedings of the IFIP/FIDIS Internet Security & Privacy Summer School (pp. 141–146). Masaryk University, Brno, Czech Republic, September 1–7, 2008. 

Jøsang, A., Fabre, J., Hay, B., Dalziel, J., & Pope, S. (2005). Trust Requirements in Identity Management. In In: ACSW Frontiers ’05: Proceedings of the 2005 Australasian workshop on Grid computing and e-research, Darlinghurst, Australia, Australian Computer Society, Inc. (pp. 99–108). 

Jøsang, A., Zomai, M. A., & Suriadi, S. (2007). Usability and Privacy in Identity Management Architectures. In ACSW Frontiers (pp. 143–152). 

Koch, M. (2002). Global Identity Management to Boost Personalization. In P. Schubert & U. Leimstoll (Eds.), Proc. 9th Research Symp. on Emerging Electronic Markets (pp. 137–147). Basel. 

Lampson, B. W. (1971). Protection. In Proceedings of the 5th Princeton Symposium on Information Sciences and Systems. 

Landau, S., Gông, H. L. V., & Wilton, R. (2009). Achieving Privacy in a Federated Identity Management System. In Financial Cryptography (pp. 51–70). 

Maler, E., & Reed, D. (2008). The Venn of Identity: Options and Issues in Federated Identity Management. IEEE Security & Privacy, 6(2), 16–23. 

Malinen, J. (2006). Windows CardSpace. Helsinki University of Technology. 

Matthias Bauer, Martin Meints, M. H. (2005). D3.1: Structured Overview on Prototypes and Concepts of Identity Management Systems. FIDIS. 

Moniava, G. (2008). Extending DigiD to the Private Sector (DigiD-2). Department of Mathematics and Computing Science, Eindhoven University of Technology. 

Nissenbaum, H. (2004). Privacy as Contextual Integrity. Washington Law Review, 79, 119–158. 

O’Hara, K. (2004). Trust: From Socrates to Spin. Cambridge: Icon Books. 

Pashalidis, A., & Mitchell, C. J. (2003). A Taxonomy of Single Sign-On Systems. In ACISP (pp. 249–264). 

Pearson, S. (2009). Taking account of privacy when designing cloud computing services. In CLOUD ’09: Proceedings of the 2009 ICSE Workshop on Software Engineering Challenges of Cloud Computing (pp. 44–52). Washington, DC, USA: IEEE Computer Society. 

Pfitzmann, A., & Borcea-Pfitzmann, K. (2010). Lifelong Privacy – Privacy and Identity Management for Life. In Privacy and Identity Management for Life, 5th IFIP/PrimeLife, International Summer School (pp. 1–17). Springer. 

Pfitzmann, A., & Hansen, M. (2010). A terminology for talking about privacy by data minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management. Version v0.34. 

Scudder, J., & Jøsang, A. (2010). Identity Dashboard System and Architecture. In Proc. 2nd IFIP WG 11.6 Working Conference on Policies & Research in Identity 

Management (IDMAN’10). Oslo, Norway. 

Schmidt, Howard, A. (2011) The National Strategy for Trusted Identities in Cyberspace and Your Privacy, April 

Tsai, J., Egelman, S., Cranor, L., & Acquisti, A. (2007). The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study. In ICIS 2007 Proceedings. 

Turow, J., Feldman, L., & Meltzer, K. (2005). Open to Exploitation: American Shoppers Online and Offline. University of Pennsylvania, Philadelphia, PA: Annenberg Public Policy Center. 

Van den Broek, T., & Huijboom, N. (2010). The effects of interpersonal trust on joint eIDM innovations (No. 35291). TNO.