Periodic Reporting for period 2 - ReCRED (From Real-world Identities to Privacy-preserving and Attribute-based CREDentials for Device-centric Access Control) Reporting period: 2016-05-01 to 2018-04-30 Summary of the context and overall objectives of the project The main idea behind ReCRED is to anchor all access control (AC) needs to mobile devices that users habitually carry along. Following recent Device Centric Authentication (DCA) industry trends (e.g. FIDO alliance), ReCRED mandates that users authenticate locally against their device using short pins, biometrics or combinations. Subsequently the device, which holds the required credentials, becomes a proxy for all access control needs for online services. This concept effectively liberates users from the burden of having to deal directly with multiple passwords, pins and accounts.ReCRED addresses four main problems that plague traditional password-based access control: • password overload, referring to the inability of users to remember different secure passwords for each one of their accounts; https• identity fragmentation, stemming from the fact that independent identity providers (email, social networks, etc.) create disjoint identity realms, making it difficult for end users to prove joint ownership of accounts, e.g. for reputation transfer or to fend off impersonation attacks; • lack of real-world identity binding to an individual’s legal presence, e.g. ID number, passport, etc.; and • lack of support for attribute-based access control (ABAC), which facilitates account-less access through verified identity attributes (e.g. age or location).The overarching goal of ReCRED is to design and implement an integrated next generation access control (AC) solution that satisfies the following properties. • First, it solves all the aforementioned problems. • Second, it is aligned with current technological trends and capabilities. • Third, it offers a unifying access control framework that is suitable for a multitude of use cases that involve online and physical authentication and authorization via an off-the-shelf mobile device. • Lastly and importantly, it is attainable and productizable under the scope and timeframe of the project. Work performed from the beginning of the project to the end of the period covered by the report and main results achieved so far In order to achieve its objectives, the ReCRED consortium has successfully performed the followings: 1. The assessment of security and privacy of the provided platform and the project itself during the third year, as well as the evaluation of the level of compliance with the new regulation and legislation framework; 2. The finalization of the implementation of password-less authentication mechanisms and solutions for users to authenticate either to local devices or to remote services; 3. The implementation of the Identity Consolidator Platform. All the modules of the IDC have been fully implemented according to the specifications.4. The integration of the P-ABAC architecture and protocols within the ReCRED framework. Moreover, the integration with other ReCRED components (e.g. Identity Consolidator) and protocols (e.g. FIDO UAF) that allows to exploit the P-ABAC architecture in the whole DCA-oriented ReCRED framework. Furthermore, the finalization of machine learning algorithms for attributes definition and policy enforcement mechanisms; 5. The integration of all the components produced and used in ReCRED into a unitary system capable to offer the authentication and access control functionality that the project implements; 6. To establish and confirm the TRL 7 readiness of the technologies that ReCRED develops, by testing our developed modules in realistic and versatile operational environments and assessing any end-user experience issues; and the dissemination, industrial exploitation and standardization of the ReCRED’s outcomes. Progress beyond the state of the art and expected potential impact (including the socio-economic impact and the wider societal implications of the project so far) ReCRED will help in generating a tangible impact on the market since it will focus on demonstrating the viability of Device Centric Authentication as an aggregator for both account-based as well as attribute-based access control with associated very well specified business and exploitation plans. Such solutions, after demonstration and validation in real life environments directly involving end users, will be able to find a wide take up in the market since they will provide a competitive advantage in the market for all industrial and non-industrial players participating in ReCRED as detailed next.End users: End users are the main beneficiaries from the DCA architecture around mobile devices designed, implemented, and tested in ReCRED for both account and attribute based access control. Benefits for end users include:- Solution to the password overload problem- Solution to the single point of failure problem- Solution to the identity fragmentation problem- Account and attribute based access control in one architectureTelecom operators: The mobile sector is the fastest growing sector of telecoms attracting investment and driving revenue. By integrating into the mobile device all access control technologies and making it the gateway and proxy for access control needs, Telcos are improving their position in the end-to-end Internet ecosystem by participating in additional services that go beyond basic data transfer.Web hosting companies: Web hosting and Digital design agencies like WEDIA are on the forefront of access control problems. They typically host a multitude of web and e-commerce sites each with its own account and password protection issues. Maintaining the security of all those accounts and users is a major cost component for any web hosting company. The integrated DCA approach of ReCRED that eliminates the need for passwords solves automatically many of these problems. For example, web-sites they do not need to spend effort to keep revising the minimum security requirements for passwords, checking for password reuse, etc. Therefore, web hosting companies benefit from ReCRED by simplifying operations while enhancing security for users.Security technology providers: In ReCRED security technology providers have the opportunity to develop, test and integrate in their products new authentication protocols that go beyond standard passwords. Highlighting and solving password-related problems of access control is expected to bring a wave of innovation, opportunity, and growth to the security sector. Also, ReCRED will provide an important user base and a test-bed for the development of such technologies and products.Financial sector technology providers: The financial sector suffers from constant attempts for fraud, the vast majority of which is based on impersonation. The total value of fraudulent transactions amounts to 1.33billion Euro.Furthermore, as new forms of credit such as microcredit become commonplace, there is a requirement for faster, yet credible identification and authentication mechanisms.Mobile device and OS manufacturers: A final industrial beneficiary of ReCRED is the device and mobile OS sector. Proxying and integrating all access control needs on the mobile device increases even further the value of the sector and brings it closer to several long pursued objectives, e.g. to become the provider of e-identity and e-wallet for citizens. Telefonica and Verizon maintain very close contacts with the entire sector and will collaborate with it for both diffusion of results as well as integration and standardization, e.g. through GSMA.