Toward Mending Two Nation-Scale Brokered Identification Systems

Authors: Luís T. A. N. Brandão (Carnegie Mellon University & University of Lisbon), Nicolas Christin (Carnegie Mellon University), George Danezis (University College London), Anonymous (06ac01f8898481dd 2acdaacbe7cea1fd 5cdec8e65fe87db5 8605e865b1860f8e (SHA256 commitment))

Volume: 2015
Issue: 2
Pages: 135–155

Download PDF

Abstract: Available online public/governmental services requiring authentication by citizens have considerably expanded in recent years. This has hindered the usability and security associated with credential management by users and service providers. To address the problem, some countries have proposed nation-scale identification/authentication systems that intend to greatly reduce the burden of credential management, while seemingly offering desirable privacy benefits. In this paper we analyze two such systems: the Federal Cloud Credential Exchange (FCCX) in the United States and GOV.UK Verify in the United Kingdom, which altogether aim at serving more than a hundred million citizens. Both systems propose a brokered identification architecture, where an online central hub mediates user authentications between identity providers and service providers. We show that both FCCX and GOV.UK Verify suffer from serious privacy and security shortcomings, fail to comply with privacy-preserving guidelines they are meant to follow, and may actually degrade user privacy. Notably, the hub can link interactions of the same user across different service providers and has visibility over private identifiable information of citizens. In case of malicious compromise it is also able to undetectably impersonate users. Within the structural design constraints placed on these nation-scale brokered identification systems, we propose feasible technical solutions to the privacy and security issues we identified. We conclude with a strong recommendation that FCCX and GOV.UK Verify be subject to a more in-depth technical and public review, based on a defined and comprehensive threat model, and adopt adequate structural adjustments.

Keywords: NSTIC, IDAP, identification, authentication, surveillance, privacy enhancing technologies, secure twoparty computation

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs license.