Security policies of authentication systems are a crucial factor in mitigating the risk of impersonation, which is often the first stage of advanced persistent threats. Online authentication systems may often interact with each other, due to various mechanisms, such as account recovery or federated authentication. This leads to an implicit extension of the security policies of an authentication system with policies over which the system has no control. As a result, an authentication system that adopts very strong security policies can be unexpectedly weak. This paper deals with the above problem, which affects most real-world online authentication systems. The paper proposes a theoretical framework that formalizes authentication policies and interactions among authentication systems, together with a protocol that prevents, whenever an interaction is established or updated, the security issues described above. An SSI-based implementation of the proposed protocol is presented as well.

Enforcing security policies on interacting authentication systems / Buccafurri, Francesco; De Angelis, Vincenzo; Lazzaro, Sara; Pugliese, Andrea. - In: COMPUTERS & SECURITY. - ISSN 0167-4048. - 140:103771(2024). [10.1016/j.cose.2024.103771]

Enforcing security policies on interacting authentication systems

Buccafurri, Francesco; De Angelis, Vincenzo; Lazzaro, Sara; Pugliese, Andrea
2024-01-01

2024
Authentication, Security policies, Digital identity
Files in this item:

File: Buccafurri_2024_j.cose_Enforcing_Editor.pdf
Access: open access
Description: publisher's version
Type: Publisher's Version (PDF)
License: Creative Commons
Size: 1.06 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.12318/149787
Citations
  • Scopus 0