A Survey on Federated Identity Management Systems Limitation and Solutions

An efficient identity management system has become one of the fundamental requirements for ensuring safe, secure, and transparent use of identifiable information and attributes. Federated Identity Management (FIdM) allows users to distribute their identity information across security domains which increases the portability of their digital identities, and it is considered a promising approach to facilitate secure resource sharing among collaborating participants in heterogeneous IT environments. However, it also raises new architectural challenges and significant security and privacy issues that need to be mitigated. In this paper, we provide a comparison between FIdM architectures, presented the limitations and risks in FIdM system, and discuss the results and proposed solutions.

Federated Identity Management (FIdM) Systems Limitation and Solutions

Efficient identity management system has become one of the fundamental requirements for ensuring safe, secure, and transparent use of identifiable information and attributes. FIdM allows users to distribute their identity information across security domains which increase the portability of their digital identities. However, it also raises new architectural challenges and significant security and privacy issues that need to be mitigated. In this paper, we presented the limitations and risks in Federated Identity Management system and discuss the results and proposed solutions.

Accessing Patient Electronic Health Record Portals Safely Using Social Credentials: Case Study (Preprint)

BACKGROUND Patient portals for electronic health records are becoming increasingly prevalent and important, allowing users to communicate with clinicians, access labs and test results, schedule vaccination appointments, and track health conditions. Their use requires another set of logins and passwords, which can become increasingly unwieldy as patients have records at multiple institutions. Social credentials (e.g. Google, Facebook) are often used in the private sector to allow users to log into websites and can reduce password burden. OBJECTIVE The objective of the Single-FILE (Single Federated Identity Login for EHR) project was to test the feasibility and acceptability of implementing social credentials into a portal for patients with records at two institutions, Cedars-Sinai Medical Center (CSMC) and the California Rehabilitation Institute (CalRehab). METHODS We provided a portal that allowed patients to use a federated identity to access to multiple EHR patient portals with a single sign-on. The federated identity could be either a social identity (Google or Facebook) or one created and managed within Single-FILE. Binding the federated identity to the patient’s EHR identities was performed by confirming the patient had a valid EHR portal login and sending a one-time passcode to a telephone (SMS text or voice) that was stored in the EHR. This step reduced the risk that the binding was being performed with stolen EHR portal credentials since the one-time passcode was being sent a device that was already registered in the EHR. After the binding, the patient could use their federated identity to access their EHR portals at both CSMC and CalRehab. To evaluate the feasibility and acceptability, we recruited patients and/or their caregivers from CalRehab who were (1) 18 years and older, (2) had patient records at both CSMC and CalRehab. Next, we signed up patients onto the Single-FILE portal and connected their patient records. A short qualitative interview was conducted to assess interest and use of the patient portal. Thirty days after sign-up, we called the patients and reviewed use logs to measure use of the Single-FILE portal. RESULTS We enrolled 8 patients and/or their caregivers (spouses or siblings) into the study. Eight patients and/or their caregivers were interviewed at CalRehab, Patients enrolled were predominantly White (88%) and non-Hispanic (62%). Patients noted that they appreciated only having to remember one login as part of Single-FILE and being able to sign up through Facebook. However, we did not see use of Single-FILE by patients after they signed up. CONCLUSIONS The implementation of Single-FILE demonstrated that it is possible to safely bind a social identity to an EHR identity. The use of the one-time passcode sent to the patient’s EHR phone number provides a high degree of confidence that the binding is valid. However, we did not see use by patients of the Single-FILE portal after signup. We hypothesize that patients typically use the patient portal when they receive an email/text from the site that an appointment is upcoming, lab results are available, etc., which then takes them directly to the portal and not to Single-FILE. In other words, use of the patient portal is typically reactive rather than proactive, which limited the use of Single-FILE. Despite this limitation, we found that Single-FILE demonstrated a patient can use an identity they are comfortable with (i.e. social identity and associated credentials) to safely ease the friction associated with access to EHR data.

FAIDM for Medical Privacy Protection in 5G Telemedicine Systems

5G networks have an efficient effect in energy consumption and provide a quality experience to many communication devices. Device-to-device communication is one of the key technologies of 5G networks. Internet of Things (IoT) applying 5G infrastructure changes the application scenario in many fields especially real-time communication between machines, data, and people. The 5G network has expanded rapidly around the world including in healthcare. Telemedicine provides long-distance medical communication and services. Patient can get help with ambulatory care or other medical services in remote areas. 5G and IoT will become important parts of next generation smart medical healthcare. Telemedicine is a technology of electronic message and telecommunication related to healthcare, which is implemented in public networks. Privacy issue of transmitted information in telemedicine is important because the information is sensitive and private. In this paper, 5G-based federated anonymous identity management for medical privacy protection is proposed, and it can provide a secure way to protect medical privacy. There are some properties below. (i) The proposed scheme provides federated identity management which can manage identity of devices in a hierarchical structure efficiently. (ii) Identity authentication will be achieved by mutual authentication. (iii) The proposed scheme provides session key to secure transmitted data which is related to privacy of patients. (iv) The proposed scheme provides anonymous identities for devices in order to reduce the possibility of leaking transmitted medical data and real information of device and its owner. (v) If one of devices transmit abnormal data, proposed scheme provides traceability for servers of medical institute. (vi) Proposed scheme provides signature for non-repudiation.

A Smart Biometric Identity Management Framework for Personalised IoT and Cloud Computing-Based Healthcare Services

This paper proposes a novel identity management framework for Internet of Things (IoT) and cloud computing-based personalized healthcare systems. The proposed framework uses multimodal encrypted biometric traits to perform authentication. It employs a combination of centralized and federated identity access techniques along with biometric based continuous authentication. The framework uses a fusion of electrocardiogram (ECG) and photoplethysmogram (PPG) signals when performing authentication. In addition to relying on the unique identification characteristics of the users’ biometric traits, the security of the framework is empowered by the use of Homomorphic Encryption (HE). The use of HE allows patients’ data to stay encrypted when being processed or analyzed in the cloud. Thus, providing not only a fast and reliable authentication mechanism, but also closing the door to many traditional security attacks. The framework’s performance was evaluated and validated using a machine learning (ML) model that tested the framework using a dataset of 25 users in seating positions. Compared to using just ECG or PPG signals, the results of using the proposed fused-based biometric framework showed that it was successful in identifying and authenticating all 25 users with 100% accuracy. Hence, offering some significant improvements to the overall security and privacy of personalized healthcare systems.

Multi-factor authentication for shibboleth identity providers

The federated identity model provides a solution for user authentication across multiple administrative domains. The academic federations, such as the Brazilian federation, are examples of this model in practice. The majority of institutions that participate in academic federations employ password-based authentication for their users, with an attacker only needing to find out one password in order to personify the user in all federated service providers. Multi-factor authentication emerges as a solution to increase the robustness of the authentication process. This article aims to introduce a comprehensive and open source solution to offer multi-factor authentication for Shibboleth Identity Providers. Based on the Multi-factor Authentication Profile standard, our solution provides three extra second factors (One-Time Password, FIDO2 and Phone Prompt). The solution has been deployed in the Brazilian academic federation, where it was evaluated using functional and integration testing, as well as security and case study analysis.