
Digital Identity is a set of attributes of a person or company in a specific domain. An entity has multiple Digital Identities.

Identity is a set of attributes related to an entity (individual / company) in a given domain.

An entity can have multiple identities, such as:
• Email account (private and corporate)
• Social network accounts (e.g. Facebook, Twitter, LinkedIn…)
• E-Commerce identities (e.g. Amazon, eBay)
• Banking identity
• Account to purchase flights or trains
• SIM phone
• E-Passport
• Health cards
• National service card

Examples of Digital Identity:
• ID for credit card (c/c) use online
• ID to request certificates
• ID to purchase flights
• ID for online magazines
• E-Commerce ID
• ID for social network


The use of Digital Identities is subject to several risks

Risks
• Identity theft
• Impersonation
• Bank fraud (e.g. unauthorized transfers of money through mobile banking, ATM and POS)
• Credit card fraud (e.g. unauthorized withdrawals on the Internet, from ATM and POS)
• Mail identity theft
• Fraud against the State (e.g. obtaining special benefits without being entitled to them)

Consequences
• Unauthorized withdrawal of money
• Reputation damage for misappropriation of identity
• Economic and reputation damage for the organization that manages the identity
• Defamation
• Attribution of responsibility
• Loss of confidential information
• Violation of electronic correspondence
• Computer intrusion
• Violation of privacy

Some cases and consequences
• 2012: Hackers steal data of 1.5 million Visa and MasterCard customers in North America [1]
• 2011: Theft of credit card details of up to 77 million Sony users [2], with estimated damage of $172 million [3]
• 2010: Bank tellers, retail workers, waiters and alleged criminals steal data from credit cards to a value of $13 million [4]
• 2009: Theft of more than 130 million credit and debit card numbers [5] from Hannaford Brothers, 7-Eleven and two other companies

1) www.globalpaymentsinc.com; 2) www.stampa.it; 3) www.latimes.com; 4) www.lastampa.it; 5) www.csoonline.com


The assurance level of an identity is characterized by its registration process and by its authentication process

Registration is the process that makes an entity known in a given domain [1]
Authentication is the verification process of the attributes associated with an identity [1]

Registration, by increasing level of trust (- to +):
• Self-assertion: the user makes a self-assertion of identity and there are no checks
• Third party verification: verification is left to a third party (e.g. a phone number)
• Direct verification: verification of identity is direct (e.g. background check of clients)
• Detailed direct verification: verification of identity is direct and detailed (e.g. for an e-passport)

Authentication, by increasing level of trust (- to +):
• 1-factor authentication: done through something you know or something you have (e.g. a password)
• 2-factor authentication: done through something you know and something you have (e.g. token and PIN)
• 3-factor authentication: done through something you know, something you have and something you are (e.g. token, PIN and biometric)

Strong Digital Identities are characterized by registration and authentication processes able to ensure verification of the data provided by the individual and secure authentication to the user's profile

Soft Digital Identities, although sometimes used for commercial transactions (e.g. Amazon), do not require registration and authentication processes with high security levels

1) ISO/IEC 24760
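As an added example (not from the deck, and not any vendor's implementation) of how the three factor categories above translate into an actual login check, the Python below verifies a constructed user record against whatever authenticators are presented and reports how many distinct categories were satisfied. The "something you have" is an RFC 4226 HOTP token (secret and expected codes are the RFC's own test vector), the "something you are" is a toy Hamming-distance biometric match, and the user record, salt and fingerprint template are constructed for the example. The point it makes that the slide only states: a password plus a security question is still 1-factor, because both are "something you know".

```python
import hashlib
import hmac
import struct
from typing import Callable, Dict, Set, Tuple

# The three factor categories from the slide: something you know / have / are.
KNOW, HAVE, ARE = "know", "have", "are"

# Constructed for the example; a real system uses a random salt per user.
SALT = b"constructed-salt-for-example"


def hash_password(secret: str) -> bytes:
    """PBKDF2-SHA256 for stored knowledge factors (password, security answer)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def make_user() -> dict:
    """Constructed user record: password, security question, HOTP token, fingerprint template."""
    return {
        "password_hash": hash_password("correct horse battery staple"),
        "answer_hash": hash_password("rover"),
        "token_secret": b"12345678901234567890",  # RFC 4226 test-vector secret (constructed user)
        "token_counter": 0,
        "fingerprint_template": bytes.fromhex("a5c3f00f1e2d3c4b"),  # constructed template
    }


def verify_password(user: dict, value: str) -> bool:
    return hmac.compare_digest(hash_password(value), user["password_hash"])


def verify_answer(user: dict, value: str) -> bool:
    return hmac.compare_digest(hash_password(value), user["answer_hash"])


def verify_hotp(user: dict, value: str, window: int = 5) -> bool:
    """Accept a code within a small look-ahead window, then advance the counter so it cannot be replayed."""
    start = user["token_counter"]
    for c in range(start, start + window):
        if hmac.compare_digest(hotp(user["token_secret"], c), value):
            user["token_counter"] = c + 1
            return True
    return False


def verify_fingerprint(user: dict, value: str, max_distance: int = 6) -> bool:
    """Toy biometric match: Hamming distance between the presented sample and the stored template."""
    sample = bytes.fromhex(value)
    template = user["fingerprint_template"]
    if len(sample) != len(template):
        return False
    distance = sum(bin(a ^ b).count("1") for a, b in zip(sample, template))
    return distance <= max_distance


# Each authenticator is tagged with the category it belongs to.
AUTHENTICATORS: Dict[str, Tuple[str, Callable[[dict, str], bool]]] = {
    "password": (KNOW, verify_password),
    "security_answer": (KNOW, verify_answer),
    "hotp": (HAVE, verify_hotp),
    "fingerprint": (ARE, verify_fingerprint),
}


def authenticate(user: dict, presented: Dict[str, str]) -> Tuple[bool, int]:
    """Verify every presented authenticator; return (success, number of DISTINCT factor categories).

    Two authenticators from the same category (password + security question) count as one factor.
    Any failing authenticator fails the whole attempt rather than silently downgrading to fewer factors.
    A HOTP code consumed before a later check fails stays consumed: a used code must never remain valid.
    """
    categories: Set[str] = set()
    for name, value in presented.items():
        category, verify = AUTHENTICATORS[name]
        if not verify(user, value):
            return False, 0
        categories.add(category)
    return bool(categories), len(categories)
```

The assurance the slide calls "2-factor" is the count returned by `authenticate`, not the number of prompts the user answered; a second knowledge question adds friction but no factor.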


There are different types of Digital Identities that, depending on their use and the level of security required, can be divided into two categories: soft and strong

Soft Identity
• Social networks
• (Private and corporate) email accounts
• Identities for eCommerce
• Online magazine subscriptions
• Accounts for blogs and forums
• …

Soft identities are used by online operators to give access to digital services that are not considered critical, in a more or less secure way. These soft identities normally consist of a user name and a password plus several attributes needed to use the specific services

Strong Identity
• National ID card
• Digital signature
• Electronic passport
• Secure payment card
• …

Strong identities are issued with procedures that involve de visu (in-person) recognition of the user. Specific technologies are used to ensure a secure authentication process (e.g. smart cards, tokens, biometrics). The attention of legislators is currently focused on strong identity


There is no regulation of Digital Identity on the Internet. There are only some technical standards (ISO) and guidelines (US NIST or OECD)

There are no international laws or policies dealing with Digital Identity as a whole

Regulations and legislation are concerned only with technical standards addressing single aspects such as authentication, data management and privacy (e.g. ISO), principles and guidelines (NIST, OECD) or de facto standards (OpenID, Persona, OneID)

The result of this "legislation/regulation" heterogeneity is transferred into the heterogeneity of the implemented solutions and into the difficulty of building interoperable systems between existing infrastructures

• ISO/IEC 24760, A framework for identity management
• ISO/IEC 29115, Entity authentication assurance framework
• ISO/IEC 9798, Entity authentication
• ISO/IEC 29100, Privacy framework
• OECD Recommendation on Electronic Authentication and OECD Guidance for Electronic Authentication
• NIST Recommendations for establishing an identity ecosystem governance structure


The Digital Identities related to financial systems (e.g. credit/debit cards) are ruled by operators' consortia such as EMVCo and the PCI Security Standards Council

Financial systems are strongly ruled by operators' consortia or standardization bodies that have defined standards and technical procedures to guarantee interoperability and security. These standards differ in their application between traditional use (POS/ATM) and online use (Card Not Present)

The security countermeasures adopted for cards, such as EMV chip authentication, are not useful for online services (no card reader is present); for that reason the card schemes defined the PCI DSS standard for any subject handling cardholder data, alongside cardholder authentication schemes for online payments (SecureCode / Verified by Visa). Non-compliance leads to sanctions and to reimbursement obligations towards end users in case of online fraud

At European level, directives have been published (95/46/EC and 2002/58/EC) that define a legal framework for the treatment of personal data during a payment transaction, and the Payment Services Directive (2007/64/EC) provides a legal framework on payments that has a strong impact on Digital Identity

• EMV, standard on interoperability (defined by Europay, Visa, MasterCard) between smart card, POS and ATM, defining a secure authentication procedure for credit and debit (Bancomat) cards
• SecureCode / Verified by Visa, standards on online security
• PCI DSS, standard applied to any subject dealing with the PAN of cards issued by Visa, MasterCard, American Express, JCB or Discover
• SEPA, Single Euro Payments Area (EC)
• EU Directives (2007/64/EC, 95/46/EC, 2002/58/EC)


At the moment, the major focus is on eGovernment for the adoption of "Electronic ID", although the use of soft identities for access and identification over the Internet is rising (e.g. INPS).

• presence in some countries of strategic guidelines to define standards and regulations for trusted digital identities, both for public and private sectors
• presence of operative projects in some small realities, started as government initiatives but open to private services too (e.g. Estonia, Portugal)
• presence at European level of strategic guidelines where digital identity is a driver (e.g. Europe 2020 and the European Digital Agenda)
• presence at European level of regulatory initiatives on eSignature and eAuthentication

• "National Strategy for Trusted Identities in Cyberspace" (USA)
• "National Identity Security Strategy" (AU)
• "Digital Identity Management" – OECD Report


Considering the current risk scenario and the fragmented approach of international institutions, Member States could adopt a short-term programme to guarantee the security and interoperability of Digital Identity

Involvement policy for Identity Service Providers: Identity Service Providers must be involved in a working group together with the public institutions delivering online services, in order to regulate Digital Identity topics

Functioning and control regulations: it is strongly suggested that a series of regulations be defined at national level to manage Digital Identities. Moreover, control mechanisms should be defined in order to guarantee minimum operational parameters such as 24h access to the Digital Identity, minimum levels of security, …

Possibility of Digital Identity federation in international and commercial environments: the Identity Service Provider should make it possible to federate the system both at national and international level. That means a starting architecture that allows trust and federation mechanisms with other platforms

Awareness of commercial providers of the minimum security levels needed to protect personal data and to manage Digital Identity: it is necessary to make commercial providers aware that they must guarantee secure services and data protection to end users. For that reason a national information campaign should be targeted at identity providers


Some initiatives could be taken in order to improve the framework for Digital Identities

Proposals for the EU
• Define an EU common framework, standards and regulation on Digital Identity (soft and strong), mutually recognized in all Member States
• Define also a set of minimal security requirements that Identity Service Providers must comply with
• Create public awareness of the importance of securing Digital Identity in order to mitigate threats and vulnerabilities