Design and Implementation Aspects of Mobile Derived Identities

TL;DR

This paper reviews 21 mobile derived identity systems to identify common design and implementation practices, highlighting differences between research prototypes and real-world deployments, especially in data storage and authentication factors.

Contribution

It provides a comprehensive analysis of existing mobile derived identity systems, revealing prevalent practices and highlighting gaps such as limited use of biometrics as a second factor.

Findings

Research favors storing identity data on devices

Real-world systems mainly rely on cloud storage

Biometrics are rarely used as a second authentication factor

Abstract

With the ongoing digitalisation of our everyday tasks, more and more eGovernment services make it possible for citizens to take care of their administrative obligations online. This type of services requires a certain assurance level for user authentication. To meet these requirements, a digital identity issued to the citizen is essential. Nowadays, due to the widespread use of smartphones, mobile user authentication is often favoured. This naturally supports two-factor authentication schemes (2FA). We use the term mobile derived identity to stress two aspects: a) the identity is enabled for mobile usage and b) the identity is somehow derived from a physical or digital proof of identity. This work reviews 21 systems that support mobile derived identities. One subset of the considered systems is already in place (public or private sector in Europe), another subset is subject to research. Our goal is to identify prevalent design and implementation aspects for these systems in order to gain a better understanding on best practises and common views on mobile derived identities. We found, that research prefers storing identity data on the mobile device itself whereas real world systems usually rely on cloud storage. 2FA is common in both worlds, however biometrics as second factor is the exception.