Volume 11 - Issue 2
Supporting Authorize-then-Authenticate for Wi-Fi access based on an electronic identity infrastructure
- Diana Berbecaru
Politecnico di Torino, Torino, Italy
diana.berbecaru@polito.it
- Antonio Lioy
Politecnico di Torino, Torino, Italy
lioy@polito.it
- Cesare Cameroni
Politecnico di Torino, Torino, Italy
cesare.cameroni@polito.it
Keywords: authorization, electronic identity infrastructures, eIDAS Network, Wi-Fi access service
Abstract
Federated electronic identity systems are increasingly used in commercial and public services to let users share their electronic identities (eIDs) across countries and providers. In Europe, the eIDAS Regulation and its implementation, the eIDAS Network, which allows mutual recognition of citizens' eIDs across countries, is now in operation. We discuss authorization (before authentication), also called authorize-then-authenticate (AtA), in services exploiting the eIDAS Network. In the eIDAS Network, each European country runs a national eIDAS Node which, upon successful authentication of a person in his/her home country, transfers some personal attributes to other Member States via the eIDAS protocol. Service Providers in foreign countries typically use these attributes to implement authorization decisions for the requested service. We present a scenario where AtA is required, namely Wi-Fi access, in which the service provider has to make access control decisions before the person is authenticated through the eIDAS Network with his/her national eID. The Wi-Fi access service is in high demand in public and private places (e.g. shops, hotels, and so on), but its use typically involves users' registration at service providers and is still subject to security attacks. The eIDAS Network supports different authentication assurance levels, so it could be exploited to offer citizens a more secure and widely available Wi-Fi access service with no prior registration, by exploiting their national eIDs. We first propose a model that discusses AtA in eIDAS-based services, and we consider different possible implementation choices. We then describe the implementation of AtA in an eIDAS-based Wi-Fi access service leveraging the eIDAS Network and a Zeroshell captive portal supporting the eIDAS protocol. We discuss the problems encountered and the deployment issues that may impact the service's acceptance by users and its exploitation on a large scale.