No more password mayhem

From Real-world Identities to Privacy-preserving and Attribute-based CREDentials for Device-centric Access Control

Fact Sheet

Result in Brief

Reporting

Results

Objective

ReCRED’s ultimate goal is to promote the user’s personal mobile device to the role of a unified authentication and authorization proxy towards the digital world. ReCRED adopts an incrementally deployable strategy in two complementary directions: extensibility in the type and nature of supported stakeholders and services (from local access control to online service access), as well as flexibility and extensibility in the set of supported authentication and access control techniques; from widely established and traditional ones to emerging authentication and authorization protocols as well as cryptographically advanced attribute-based access control approaches. Simplicity, usability, and users privacy is accomplished by: i) hiding inside the device all the complexity involved in the aggregation and management of multiple digital identifiers and access control attribute credentials, as well as the relevant interaction with the network infrastructure and with identity consolidation services; ii) integrating in the device support for widespread identity management standards and their necessary extensions; and iii) controlling the exposure of user credentials to third party service providers. ReCRED addresses key security and privacy issues such as resilience to device loss, theft and impersonation, via a combination of: i) local user-to-device and remote device-to-service secure authentication mechanisms; ii) multi-factor authentication mechanisms based on behavioral and physiological user signatures not bound to the device; iii) usable identity management and privacy awareness tools; iv) usable tools that offer the ability for complex reasoning of authorization policies through advanced learning techniques. ReCRED’s viability will be assessed via four large-scale realistic pilots in real-world operational environments. The pilots will demonstrate the integration of the developed components and their suitability for end-users, so as to show their TRL7 readiness.

Programme(s)

H2020-EU.3.7. - Secure societies - Protecting freedom and security of Europe and its citizens

Topic(s)

DS-02-2014 - Access Control

Call for proposal

H2020-DS-2014-1

See other projects for this call

Funding Scheme

IA - Innovation action

Leaflet | Map data © OpenStreetMap contributors, Credit: EC-GISCO, © EuroGeographics for the administrative boundaries

Coordinator

UNIVERSITY OF PIRAEUS RESEARCH CENTER

Address

Gr. Lampraki 122
185 32 Piraeus

Greece

Activity type

Higher or Secondary Education Establishments

EU Contribution

€ 514 898,50

Website

Contact the organisation

Participants (11)

Sort alphabetically

Sort by EU Contribution

Expand all

TELEFONICA INVESTIGACION Y DESARROLLO SA

Spain

EU Contribution

€ 491 314,25

VERIZON NEDERLAND BV

Netherlands

EU Contribution

€ 524 170,50

CERTSIGN SA

Romania

EU Contribution

€ 487 375

WEDIA LIMITED

Greece

EU Contribution

€ 452 418,75

EXUS SOFTWARE LTD

United Kingdom

EU Contribution

€ 365 750

UPCOM BVBA

Belgium

EU Contribution

€ 427 875

DE PRODUCTIZERS BV

Netherlands

EU Contribution

€ 192 062,50

TECHNOLOGIKO PANEPISTIMIO KYPROU

Cyprus

EU Contribution

€ 516 127,50

UNIVERSIDAD CARLOS III DE MADRID

Spain

EU Contribution

€ 430 250

CONSORZIO NAZIONALE INTERUNIVERSITARIO PER LE TELECOMUNICAZIONI

Italy

EU Contribution

€ 437 500

STUDIO PROFESSIONALE ASSOCIATO A BAKER & MCKENZIE

Italy

EU Contribution

€ 157 500

Project information

ReCRED

Grant agreement ID: 653417

Project website

Status

Closed project

Start date

1 May 2015
End date

30 April 2018

Funded under:

H2020-EU.3.7.

Overall budget:

€ 6 325 156
EU contribution

€ 4 997 242

Coordinated by:

UNIVERSITY OF PIRAEUS RESEARCH CENTER

Greece

DE EN ES FR IT PL

Anybody who uses online accounts knows how chaotic it can be to store and remember the location of a load of usernames and passwords. EU-funded researchers unveiled a new mobile authentication platform that connects all online accounts with the user’s identity, putting the smartphone in charge.

DIGITAL ECONOMY

Most mobile devices are linked with hundreds of accounts and applications, with all sorts of security settings, identities and passwords. The EU-funded project ReCRED produced advanced software solutions to address this so-called password overload issue, so that the user can safely access its accounts without having to remember multiple passwords. Only one password to memorise ReCRED moves beyond the password era by providing advanced and flexible architecture. “Embracing the device-centric authentication architecture is key to removing passwords as the main method of authentication on the web,” notes project coordinator Christos Xenakis. This scheme improves the end-user internet security by using the mobile as an authorisation proxy. Authentication and authorisation mandates the combined use of a short pin, biometric information and anonymous credentials. User identity and account management The majority of internet users are registered to many online services such as email providers, social media, e-banking, or corporate applications. This makes the task of proving joint-ownership of services hard. ReCRED offers secure access to these services and account management from a single device, regardless of the applied authentication method of each service. The Online Identity Acquisition module is responsible for horizontally binding the fragmented online user identities. The service enables the user to give explicit authorisation to ReCRED to access the information of each online account that he maintains. Researchers also implemented the ‘Physical Identity Acquisition’ module for services requiring higher attribute assurance level. This service verifies all the identity attributes included in the user’s physical identity. With all these services, ReCRED is improving identity assurance and tightens the binding amongst physical and online identities. “End users are now able to prove ownership of different accounts from different identity providers, link them together and consolidate their identity attributes,” states project coordinator Xenakis. Privacy-enhancing technology A typical scenario that exposes the whole identity realm of users relates to some services that require end users to sign in to be given access. Implementing attribute-based access control (ABAC) – dubbed the next-generation authorisation model – seems to be one of the best solutions to data-centric security. ReCRED combined ABAC with multifactor authentication schemes, granting a higher level of security and privacy. “User characteristics or attributes such as age, nationality or occupation comprise a unique identity that can provide authorisation privileges on accessing data, resources or services,” outlines project coordinator Xenakis. As he further explains, “ABAC allows end users to be authenticated by providing only the necessary attributes that the service is requesting. Anonymous credentials provide access to services without requiring from the user to validate his email and thus reveal his entire identity.” Doubling up on security The device becoming the main authentication gateway does not come without its security issues. It can either become a single point of failure in case of loss or damage or be vulnerable to hijacking after the user authentication. ReCRED skirted these issues by building additional security layers with locking and recovery capabilities. In particular, researchers leveraged an entity called Identity Consolidator (IDC) along with behavioural and physiological user signatures and secure-SIM protocols to verify the user identity. The IDC enables identity consolidation and management, while also allows efficient failure recovery. “In case a user loses his device, his can recover access to services by providing two-factor authentication such as personal attributes mapped from physical characteristics or behavioural biometrics,” notes project coordinator Xenakis. Removing the need to employ separate passwords will ultimately make internet-based services more user-friendly while being secure. Besides end users, other beneficiaries of this brand new open platform will be telecom operators, web-hosting companies, and mobile device manufacturers.

Keywords

ReCRED, authentication, account, mobile device, user identity, attribute-based access control (ABAC), anonymous credentials, biometrics, device-centric authentication, two-factor authentication

Project information

ReCRED

Grant agreement ID: 653417

Project website

Status

Closed project

Start date

1 May 2015
End date

30 April 2018

Funded under:

H2020-EU.3.7.

Overall budget:

€ 6 325 156
EU contribution

€ 4 997 242

Coordinated by:

UNIVERSITY OF PIRAEUS RESEARCH CENTER

Discover other articles in the same domain of application

Results in Brief

Cardiovascular disease biomarkers in blood detected at nano levels

6 December 2019

News

New products and technologies

The GDPR Temperature Tool - A new free resource for European SMEs to understand their risk of GDPR-related sanctions

21 October 2019

Results in Brief

Gamers in ten countries make learning fun

2 September 2019

Periodic Reporting for period 1 - ReCRED (From Real-world Identities to Privacy-preserving and Attribute-based CREDentials for Device-centric Access Control)

Reporting period: 2015-05-01 to 2016-04-30

Summary of the context and overall objectives of the project

The main idea behind ReCRED is to anchor all access control (AC) needs to mobile devices that users habitually carry along. Following recent Device Centric Authentication (DCA) industry trends (e.g. FIDO alliance), ReCRED mandates that users authenticate locally against their device using short pins, biometrics or combinations. Subsequently the device, which holds the required credentials, becomes a proxy for all access control needs for online services. This concept effectively liberates users from the burden of having to deal directly with multiple passwords, pins and accounts.

ReCRED attempts to address four main problems that plague traditional password-based access control:
• password overload, referring to the inability of users to remember different secure passwords for each one of their accounts;
• identity fragmentation, stemming from the fact that independent identity providers (email, social networks, etc.) create disjoint identity realms, making it difficult for end users to prove joint ownership of accounts, e.g. for reputation transfer or to fend off impersonation attacks;
• lack of real-world identity binding to an individual’s legal presence, e.g. ID number, passport, etc.; and
• lack of support for attribute-based access control (ABAC), which facilitates account-less access through verified identity attributes (e.g. age or location).

To address the above, ReCRED offers to end users and administrators the following:
a) solution to the password overload problem: the DCA architecture offers increased security while requiring end-users to memorize at most only one password, which renders Internet-based services more trustworthy, thus yielding growth and innovation;
b) solution to the single point of failure problem: we address FIDO DCA’s main problem, by offering locking and recovery mechanisms in case the device is compromised or lost (or damaged), respectively;
c) solution to the identity fragmentation problem: ReCRED addresses identity fragmentation by leveraging the integration of all access control needs on the mobile device to link accounts and consolidate identity attributes; and
d) account and attribute-based access control in one architecture; ABAC enables applications, such as restricting access to content based on age, without sustaining the overhead of managing accounts.

The overarching goal of ReCRED is to design and implement an integrated next generation access control (AC) solution that satisfies the following properties.
• First, it solves all the aforementioned problems.
• Second, it is aligned with current technological trends and capabilities.
• Third, it offers a unifying access control framework that is suitable for a multitude of use cases that involve online and physical authentication and authorization via an off-the-shelf mobile device.
• Lastly and importantly, it is attainable and productizable under the scope and timeframe of the project.

Work performed from the beginning of the project to the end of the period covered by the report and main results achieved so far

Progress beyond the state of the art and expected potential impact (including the socio-economic impact and the wider societal implications of the project so far)

recred-access-control.jpg

Project information

ReCRED

Grant agreement ID: 653417

Project website

Status

Closed project

Start date

1 May 2015
End date

30 April 2018

Funded under:

H2020-EU.3.7.

Overall budget:

€ 6 325 156
EU contribution

€ 4 997 242

Coordinated by:

UNIVERSITY OF PIRAEUS RESEARCH CENTER

Deliverables

Documents, reports (15)

Reference architecture (revised)

Report on system architecture, components and interfaces; D2.7 will revise D2.3.

Business and technical requirements

A detailed documentation of all business and technical needs and requirements.

Description of device-centric authentication (DCA) protocols and technology support (revised and extended)

The deliverable will describe DCA protocols, user/device and device/server interfaces and APIs, including description of needed extensions to FIDO standards with multi-level authentication and recovery mechanisms. Moreover, it will document how the trusted device execution environment can be exploited for human-to-device authentication, and it will document the implementation of TPM- and Telco-signed behavioral certificates. First DCA prototype implemented. D3.3 will revise and extend D3.1.

HCI concept testing on user groups

Initial test of HCI concept design on user groups, and design revision using users from first pilot.

Advanced extensions: cryptographic attribute management, learning algorithms for complex ABAC reasoning, and privacy awareness tool

Implementation and integration of cryptographic attribute-based authentication protocol to be used in conjunction with device-centric authentication. Implementation and integration of machine learning algorithms for complex policy creation and end user tool for privacy awareness and consent management.

Specification and initial design of the ABAC infrastructure

This deliverable documents the first stage of the design and components prototyping of the attribute-based access-control framework.

Final Dissemination report

Final release of accounting for all the dissemination activities and results during the project.

Business and technical requirements (revised)

A detailed documentation of all business and technical needs and requirements; D2.6 will revise D2.2.

Identity consolidator baseline platform

Initial setup of identity consolidator web service and the web-based utility for user-assisted identity collection, and report on identity crawling and matching approaches.

Reference architecture

Report on system architecture, components and interfaces.

Online identity and profile management

Formal description of a standard for the representation of user identity attributes emphasizing on the reputation use case. Open-sourced implementation of network application for secure and reliable ID information transfer. Implementation of a web application that helps users manage their identity profiles across sites. The application will include features for managing partial verifiable profiles and tools to assess privacy and de-anonymization risks.

Second Dissemination report

Second release of accounting for all the dissemination activities and results during the project.

First dissemination report

First release of accounting for all the dissemination activities and results during the project.

Market research report

Report on the potential market opportunity across Europe.

HCI concept testing on user groups (revised)

Design revision of D7.1 using users from first pilot.

Other (7)

Multifactor authentication for DCA: user to device and device to network support

Implementation of failover authentication mechanisms for human-to-device and device-to-service access based on behavioral and physiological biometrics. Implementation of locking out and log off mechanism in case the behavioral and physiological signatures of the user do not match the one of the legitimate user.

Campus-wide Wi-Fi and web services access control pilot set up

First running of pilot at month 12, supporting initial DCA and attribute-based device-centric Wi-Fi and web services’ access control solution in university campuses.

Description of device-centric authentication (DCA) protocols and technology support

Multifactor authentication for DCA: user to device and device to network support (revised and extended)

Full design and prototype of the ABAC infrastructure

Final design, implementation and integration of the attribute-based access-control framework.

All four pilots initial set up and progressing

Extended version of Campus-wide Wi-Fi and web services pilot, and initial setup of the three remaining pilots (ISIC student authentication and offers, age verification online gateway, microloan origination).

All pilots in operation and end user assessment report (campus, ISIC student authentication and offers, Age verification online gateway, Microloan origination)

Large scale demonstration of the four pilots, including final report on end users experience with detailed assessment for each pilot’s user group.

Websites, patent fillings, videos etc. (1)

Demonstrators, pilots, prototypes (1)

Full identity consolidator and attributes acquisition

Identity consolidator portal operative; automatic identity crawler with plug-ins for the major social network sites, and the probabilistic identity matching algorithms; smartphone and laptop application for the acquisition of physical identities attributes to be stored by the identity consolidator.

Publications

Non-peer reviewed articles (2)

Internet Computing: Using Reputation to Select Workers from a Pool

Author(s): Evgenia Christoforou, Antonio Fernández Anta, Chryssis Georgiou, Miguel A. Mosteiro

Published in: CoRR arXiv, Issue abs/1603.04394, 2016, ISSN 2331-8422

CoVer-ability: Consistent Versioning for Concurrent Objects

Author(s): Nicolas Nicolaou, Antonio Fernández Anta, Chryssis Georgiou

Published in: CoRR arXiv, Issue abs/1601.07352, 2016, ISSN 2331-8422

Conference proceedings (5)

Evaluation of Cryptography Usage in Android Applications

Author(s): Alexia Chatzikonstantinou, Christoforos Ntantogian, Georgios Karopoulos, Christos Xenakis

Published in: 9th EAI International Conference on Bio-inspired Information and Communications Technologies, Issue December 2015, 2015

DOI: 10.5281/zenodo.46623

Ensuring Authenticity and Fidelity of Captured Photos Using Trusted Execution and Mobile Application Licensing Capabilities

Author(s): Kwstantinos Papadamou, Riginos Samaras, Michael Sirivianos

Published in: FASES 2016 - Workshop on Future Access Control, Identity Management and Privacy Preserving Solutions in Internet Services, 2016

I Always Feel Like Somebody's Watching Me. Measuring Online Behavioural Advertising

Author(s): J. Carrascosa, J. Mikians, R. Cuevas, V. Erramilli, N. Laoutaris

Published in: 11th ACM International Conference on emerging Networking Experiments and Technologies (ACM CoNEXT)., 2015

Understanding the detection of fake-view fraud in Video Content Portal

Author(s): M. Marciel, R. Cuevas, A. Banchs, R. Gonzalez, S. Traverso, M. Ahmed, A. Azcorra

Published in: 25th International World Wide Web Conference (WWW), 2016

Internet Computing: Using Reputation to Select Workers from a Pool

Author(s): Evgenia Christoforou, Antonio Fernández Anta, Chryssis Georgiou, Miguel A. Mosteiro

Published in: Proceedings of the 4th International Conference on Networked Systems (NETYS 2016), Issue annual, 2016

Peer reviewed articles (3)

Quantifying the Economic and Cultural Biases of Social Media through Trending Topics

Author(s): Juan Miguel Carrascosa, Ruben Cuevas, Roberto Gonzalez, Arturo Azcorra, David Garcia

Published in: PLOS ONE, Issue 10/7, 2015, Page(s) e0134407, ISSN 1932-6203

DOI: 10.1371/journal.pone.0134407

(U)SimMonitor: A mobile application for security evaluation of cellular networks

Author(s): Christos Xenakis, Christoforos Ntantogian, Orestis Panos

Published in: Computers & Security, Issue 60, 2016, Page(s) 62-78, ISSN 0167-4048

DOI: 10.1016/j.cose.2016.03.005

On the Feasibility of Attribute-Based Encryption on Internet of Things Devices

Author(s): Moreno Ambrosin, Arman Anzanpour, Mauro Conti, Tooska Dargahi, Sanaz Rahimi Moosavi, Amir M. Rahmani, Pasi Liljeberg

Published in: IEEE Micro, Issue 36/6, 2016, Page(s) 25-35, ISSN 0272-1732

DOI: 10.1109/MM.2016.101

Project information

ReCRED

Grant agreement ID: 653417

Project website

Status

Closed project

Start date

1 May 2015
End date

30 April 2018

Funded under:

H2020-EU.3.7.

Overall budget:

€ 6 325 156
EU contribution

€ 4 997 242

Coordinated by:

UNIVERSITY OF PIRAEUS RESEARCH CENTER

Project information

ReCRED

Grant agreement ID: 653417

Project website

Status

Closed project

Start date

1 May 2015
End date

30 April 2018

Funded under:

H2020-EU.3.7.

Overall budget:

€ 6 325 156
EU contribution

€ 4 997 242

Coordinated by:

UNIVERSITY OF PIRAEUS RESEARCH CENTER

Download

PDF

XML

Last update: 13 August 2018

Record number: 238602

CORDIS

Objective

Coordinator

Participants (11)

Project information