Authors:
Marco Pernpruner (1, 2), Giada Sciarretta (2) and Silvio Ranise (3, 2)
Affiliations:
1 Department of Informatics, Bioengineering, Robotics and System Engineering, University of Genoa, Genoa, Italy
2 Security & Trust Research Unit, Fondazione Bruno Kessler, Trento, Italy
3 Department of Mathematics, University of Trento, Trento, Italy
Keyword(s):
eDocuments, Enrollment, Onboarding, Risk Analysis, Security Analysis, Security Framework.
Abstract:
More and more online services are characterised by the need to strongly verify the real-world identity of end users, especially when sensitive operations have to be carried out: just imagine a fully-remote signature of a contract, and what could happen if someone managed to perform it by using another person’s name. For this reason, the identity management lifecycle contains specific procedures – called enrollment or onboarding – providing a certain level of assurance on digital users’ real identities. These procedures must be as secure as possible to prevent fraud and identity theft. In this paper, we present a framework composed of a specification language, a security analysis methodology and a risk analysis methodology for enrollment solutions. For concreteness, we apply our framework to a real use case (i.e., fully-remote solutions relying on electronic documents as identity evidence) in the context of a collaboration with an Italian FinTech startup. Beyond validating the framework, we analyse and highlight the essential role of mitigations on the overall security of enrollment procedures.