For the purpose of open access, the authors have applied a Creative Commons Attribution 4.0 International (CC BY 4.0) license to any Author Accepted Manuscript version arising from this submission.
Authentication; Digital wallet; IAM; Security; SSI; Verifiable credential
Abstract :
Digital identity and access management (IAM) poses significant challenges for companies. Cyberattacks and resulting data breaches frequently have their root cause in enterprises' IAM systems. During the COVID-19 pandemic, issues with the remote authentication of employees working from home highlighted the need for better IAM solutions. Using a design science research approach, the paper reviews the requirements for IAM systems from an enterprise perspective and identifies the potential benefits of self-sovereign identity (SSI) – an emerging, passwordless paradigm in identity management that provides end users with cryptographic attestations stored in digital wallet apps. To do so, this paper first conducts a systematic literature review followed by an interview study and categorizes IAM system requirements according to security and compliance, operability, technology, and user aspects. In a second step, it presents an SSI-based prototype for IAM, whose suitability for addressing IAM challenges was assessed by twelve domain experts. The results suggest that the SSI-based authentication of employees can address requirements in each of the four IAM requirement categories. SSI can specifically improve manageability and usability aspects and help implement acknowledged best practices such as the principle of least privilege. Nonetheless, the findings also reveal that SSI is not a silver bullet for all of the challenges that today’s complex IAM systems face.
Disciplines :
Management information systems; Computer science
Author, co-author :
Glöckler, Jana
Sedlmeir, Johannes ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > FINATRAX
Frank, Muriel-Larissa ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > FINATRAX
Fridgen, Gilbert ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > FINATRAX
External co-authors :
yes
Language :
English
Title :
A Systematic Review of Identity and Access Management Requirements in Enterprises and Potential Contributions of Self-Sovereign Identity
Publication date :
12 September 2023
Journal title :
Business and Information Systems Engineering
ISSN :
1867-0202
Publisher :
Springer, Wiesbaden, Germany
Peer reviewed :
Peer reviewed
Focus Area :
Security, Reliability and Trust
FnR Project :
FNR16326754 > Gilbert Fridgen > PABLO > Privacy-preserving Tokenisation Of Artworks > 01/01/2022 > 31/12/2024 > 2021
Name of the research project :
Fraunhofer Blockchain Center (20-3066-2-6-14)
Funders :
Bavarian Ministry of Economic Affairs, Regional Development and Energy