This document presents a literature survey on online identity management and its importance in e-commerce. The objectives are to identify various identity management methods, universal identity systems, and the importance of a user's online identity to both users and e-commerce companies. The survey covers papers on authentication and authorization infrastructure, password practices on popular websites, challenges with identity management on mobile devices, universal identity models like OpenID, and the benefits of consistent online identity for users and businesses. The document also evaluates and compares authentication methods used by various e-commerce and financial websites.
Literature survey on identity management
Literature Survey to understand online identity management and its importance in E-commerce
Sathe, Vaibhav
Indian Institute of Management Lucknow
IIM Campus, Prabandh Nagar, Off Sitapur Road, Lucknow, Uttar Pradesh – 226013, INDIA
vaibhav.sathe@iiml.org
I. INTRODUCTION

Over the last decade we have observed an explosion of e-commerce. Forrester projects that the size of the e-commerce market in the triad markets (U.S., Western Europe and Japan) will cross $400 Billion in 2012 [1]. Even in India, the e-commerce market has reached a size of INR 460 Billion, or $10 Billion [2]. This translates to billions of transactions every year on the World Wide Web. After the launch of Apple's iPhone, the smartphone market exploded within a couple of years. Forrester also projects that smartphones and tablets together will reach the 1 billion device mark by 2016. M-commerce, the mobile version of e-commerce, is predicted to grow at a CAGR of 40% to $40 Billion by 2016.

This e-commerce model is highly fragmented because of its low capital requirement and the high reach to customers that the web provides as the only medium. This means there are millions of shops online selling their products or services. From a security point of view, it means there are millions of authentication systems in place, which complicates the task of a user who wants to access these sites. For example, any common online user has several login usernames and passwords: email addresses, social network accounts, Amazon ID, eBay login, Netflix login, e-banking IDs, flight booking websites, Apple/iTunes IDs and so on. A common tendency is to use the same user ID or password across sites, but not all websites allow this. Some websites assign automated user IDs, some accept email addresses, while others require custom IDs. Different websites also have different password rules, such as minimum length, a block list, special characters, uppercase letters or digits. This heterogeneity in authentication systems complicates the user's task of remembering the dozens of username/password pairs that are commonly required.

Some of these sites, like email and social networks, are used very frequently, so there is less likelihood that users will forget the username or password. But for occasionally used sites like Amazon or eBay, the likelihood that users will forget their user ID is higher. The user also has little incentive to make the effort of recovering a forgotten password on such websites: creating a new account is an easy way to complete the purchase he or she is looking for. More secure sites like banks enforce password expiry and detect IP/location changes, which further complicates life for the user, though this is generally done because of the sensitivity of the information and/or legal requirements.

In this paper we look at aspects such as the different identity management methods, the steps taken by websites to protect identity, the ways to recover a lost or stolen identity, and finally the value of maintaining consistent identity information to users and to the websites.

II. PROBLEM DEFINITION

The objectives of this literature review are as follows.

(1) Various Identity Management Methods
We need to identify the various authentication and authorization methods used by popular e-commerce websites. We will also look into the security measures undertaken to prevent identity theft, and into the details of how trust is managed in online transactions.
Considering the variety of authentication systems, there is a high likelihood that users will forget the required credentials, e.g. passwords. We need to identify the methods used by e-commerce websites that let a user recover his or her credentials, and how easy that recovery is for the user.

(2) Universal Identity Systems
We will identify various universal identity systems like Facebook Login, Google Account, Windows Live ID etc. We will look into Single Sign On and Federated Identity methods and evaluate whether such methods are an effective solution to this problem.

(3) Importance of User's Online Identity
We need to identify how the online identity of a user is valuable to the user: the benefits the user gets by maintaining his identity with the e-commerce website, and the potential losses due to loss of that identity. It is not just the user who benefits from online identity; e-commerce websites also benefit by tracking their users. We will also look at the benefits that e-commerce companies receive from maintaining the online identity of their users.

III. LITERATURE SEARCH

The literature surveyed is divided into the following sections.

A. Various Identity Management Methods
The following articles contribute to the first objective, identifying various identity management methods. Detailed references are included in the references section.

Sr. | Article/Paper | Journal/Publisher
1 | A Reference Model for Authentication and Authorisation Infrastructures Respecting Privacy and Flexibility in b2c eCommerce | IEEE
2 | An assessment of website password practices | Science Direct
3 | When the Password Doesn't Work | IEEE
4 | Identity management in mobile ubiquitous environments | IEEE

B. Universal Identity Systems
The following articles contribute to the second objective, identifying the role of universal identity management systems. Detailed references are included in the references section.

Sr. | Article/Paper | Journal/Publisher
1 | Universal Identity Management Model Based on Anonymous Credentials | IEEE
2 | What Makes Users Refuse Web Single Sign-On? An Empirical Investigation of OpenID | ACM
3 | OpenID: Single Sign-on for the Internet: A Security Story | Blackhat USA

C. Importance of User's Online Identity
The following articles contribute to the third objective, identifying the importance of a user's consistent identity to vendors and customers. Detailed references are included in the references section.

Sr. | Article/Paper | Journal/Publisher
1 | Consumer Trust in E-Commerce Web Sites: A Meta-Study | ACM Computing Surveys
2 | Ethics of Collecting and Using Consumer Internet Data | IS Management
3 | Amazon.com Recommendations | IEEE

IV. DATA EVALUATION

This section is split into the subsections below.

A. Identity Management Methods

Schlager et al. [11] state that security in the e-commerce world is not unidirectional, i.e. only a threat to the website from malicious users; it is bidirectional. User data is of great use to websites, and hence there is a threat to users from possible misuse of the data they have shared with the website in trust. The authors focus on b2c (business to consumer) e-commerce, which is the standard online shopping experience for most users; this study also focuses only on such e-commerce websites. The authors refer to an AAI, which stands for Authentication and Authorization Infrastructure, and propose a schematic diagram of a typical AAI system. They add that an important characteristic of such a system is its power to connect business partners together in order to facilitate the exchange of secure data, like a federated circle of vendors. For example, if a customer buys from a website like Amazon, the site needs to share certain data, such as the shipping address, with the vendor and logistics partners who will ship the ordered product. The AAI system has to be holistic and take care of end-to-end data transfer, since the threat to the user's private data exists at each stage. The authors elaborate that there are three most important characteristics expected from any AAI system handling e-commerce: Privacy, Flexibility and Federation. Privacy means that only the required details are shared with the user and that strict policies govern the usage of such data. Flexibility means that not all validations are done for every type of access; e.g. an email service may require fewer verification rules than a bank authorizing a transaction. Based on the qualification of the process, only the required number of validation rules should be executed in order to authenticate the user, and no more. Federation is explained in more detail in a later section.

Furnell [4] criticizes password based authentication models. He identifies that password authentication has problems like (1) poor passwords, (2) risk of theft based on general knowledge, (3) the same password kept for a long period and (4) use of the same password across multiple sites and from multiple systems. He does not, however, want to blame users alone, and assesses the top 10 websites on their password practices. From our research point of view this information is important; we are not concerned with the paper's actual findings on the effectiveness of password based authentication. The paper includes a summary of the password restrictions and guidelines for these sites. Furnell also concludes that this heterogeneity is not good for maintaining the security of users' data, and recommends that sites switch to Single Sign On authentication models or federated security models like Facebook, Windows Live ID or Google Accounts. He makes certain important observations, including that the complexity of retrieval techniques is not correlated to the sensitivity of the information. He cites the example of Yahoo, which has a more complex multi-step retrieval process than Amazon, which just emails a reset link; yet it is Amazon that saves credit card information for easy purchases, whereas on Yahoo there is less likelihood of a user storing credit card details because of the nature of its services, which are less paid and more advertisement supported.

We have, however, updated the same based on the current systems on these sites, and have included some websites different from those discussed in the paper which are more relevant to our research.

Cat. | Site | Authentication
EC | Amazon | User ID: email address. Password: min. 6 length.
FI | BNP Paribas | User ID: assigned by bank, numeric. Password: 6 digit numeric code, forced change after 80 logins. Transaction verification through SMS.
EC | eBay | User ID: 6 or more alphanumeric. Password: 6-20, mix of alpha, numeric, symbols, and different from email or user ID. Password strength meter shown.
SN | Facebook | User ID: email address (not verified). Password: 6 characters. Birth date required, but no verification.
EC | Flipkart | User ID: email address (not verified). Password: any.
SN | Google | User ID: @gmail.com address, 6-30 alpha, numeric, _ and . Password: 8 characters; just a guideline not to use a pet name or another website's password.
FI | HDFC Bank | User ID: assigned by bank, numeric. Password: combination of alphabet, numbers and symbols, forced change every 3 months, old password can't be part of new password. Phishing proof image verification. Transaction verification by separate password.
SN | LinkedIn | User ID: email address. Password: min. 6 length.
SN | Twitter | User ID: custom, user can choose. Password: min. 6 length, block list of obvious passwords e.g. "password". Additional recommendation for a stronger password (password meter).
EC | Yatra | User ID: email address. Password: 6 characters. Mandatory mobile number and name, 4 character checks.
(Cat.: EC = e-commerce, FI = financial institution, SN = social network.)

Reeder et al. [7] identify that even genuine users are not able to present the required password at all times, because the password has been forgotten, lost or stolen. To clarify the stolen case: an unauthorized user steals the user's password and, in order to block the genuine user from accessing the account, changes it. The website must provide a way for users to retrieve such access through secondary authentication. Techniques include (1) sending an email with a reset link to the registered email address, (2) answering a security question, (3) sending an SMS password to the registered mobile, (4) asking for an old password and (5) asking a third party or friend to vouch for the user. But, as the authors identify, these additional secondary authorization methods result in widespread weakness of the system. Techniques like secondary questions are standard and based on the user's profile, and such information is often publicly available through resumes or profiles on social networks like Facebook. The authors classify these methods into two sections: (1) knowledge based systems, which rely on the genuine user's knowledge supplied at registration time, and (2) transitive mechanisms, in which the task of authentication is delegated to another system like email. The authors identify several problems with secondary authorization techniques; we discuss only those which result in the user forgetting the secondary credentials. Security questions have issues like being non-configurable (e.g. "What is the name of your first pet?" for a user who never had a pet) and dynamic (e.g. favourite song, which changes over time). The problem with email addresses is that the user may not remember which exact email address he used at the time of registration; people are associated with schools and companies, and these email addresses change over time, which complicates retrieval. The problem with SMS based retrieval is again that people change locations or lose their phones, resulting in changed phone numbers. Even if a user is travelling to a different country, he may not have his phone active. In today's world of extreme mobility, phone based authentication has serious limitations.

The following table summarizes the password retrieval techniques used by the 10 websites identified in the previous table.

Cat. | Site | Retrieval Method
EC | Amazon | Need email address registered with
FI | BNP Paribas | No online recovery, possible from branch office only.
EC | eBay | User ID recoverable via email. For password, answer to secret question chosen from a drop down. If email address not available, re-registration mandatory.
SN | Facebook | Recovery using email/phone number or information on one of the user's friends. Password reset code is sent.
EC | Flipkart | Email address entry to receive reset link.
SN | Google | Recovery using the other email address asked for at the time of registration; a link is sent. Possibility of SMS verification depending upon country.
FI | HDFC Bank | No online recovery, possible from branch office only.
SN | LinkedIn | Email address entry to receive reset link.
SN | Twitter | Need email address for retrieving forgotten username and password.
EC | Yatra | Email address entry to receive reset link.

Johansen [10] describes the identity management challenges in the mobile environment. He identifies that the mobile environment is characterized by a large number of devices like mobile phones, tablets, laptops, MP3 players etc. These devices also consume several services in the public or private domain based on their spatio-temporal requirements. The services are further classified as high level or low level. High level services are those related to the carrier and to telecommunication services tied to the SIM card; low level services are those on the local wifi at home or office level. The authentication requirements at these levels are very different and are also affected by the different data access protocols: wifi based systems mostly follow an Internet-like model, while SIM services authenticate using GSM protocols. There is a need to bring Single Sign On across all such protocols through Identity Federation systems. Identity Federation means that multiple identity systems are combined, use one server/system, and trust the authentication performed by it. This lets the user log in with one credential and receive authorization on all linked services.

B. Universal Identity Systems

In the previous section we have seen the importance of federated identity systems highlighted by many authors. In this section we look at some academic papers and real-life examples of universal identity systems which let users log in once and use that login on all partner websites.

Zhang and Chen [12] explain anonymous credentials in their paper on a universal identity management model. The paper actually talks about extending WS-Federation for anonymous credentials; we look at it partially, to understand the characteristics of such a universal system. The system should have a mechanism for brokering identity, attribute, authentication and authorization assertions between domains, and for the privacy of federated domains. Since most e-commerce websites run on SOA (Service Oriented Architecture), users are key in this model; hence user-oriented characteristics like ease of use, a consistent experience and transparent security are critical. Self-presentation of a valid identity is important considering that the user roams across multiple systems in a spatio-temporal frame, especially on mobile devices. What this means is that the user should hold some sort of encrypted, verified identity token which, when presented to a client site, lets that site believe in the authenticity of the user without verifying again with the authenticating server. This can be achieved with the help of certificates and digital signatures.

The paper by Tsyrklevich [14] explains what OpenID is. The most famous implementation of OpenID is Google Account, the authentication system of Google and allied websites; it can also be used by third party websites through Google Apps and federation. OpenID as a single sign on protocol was designed with web 2.0 in mind, the era of e-commerce and of the web as a two-way communication medium. It is a decentralized system with several providers like Google, Yahoo etc.: the user obtains an ID from one provider and can then use it on all OpenID enabled websites. This is in contrast to services like Microsoft Passport, which are centralized, meaning it is Microsoft which stores the authentication of users and provides it as a service to any interested website. There is an obvious conflict of interest in such models: not everyone, especially Microsoft's competitors, would trust it with such information, and they would not want to create such a dependency. OpenID, on the other hand, remains neutral and offers multiple provider options, which lets client websites choose the one they find most suitable to their requirements and business strategy. The benefits of OpenID to end users are Single Sign On and security advantages like certificates, SSL, smartcards etc., thanks to the providers' advantage of scale.

OpenID and universal identity systems appear to have solved the problem. But we need to look at the following paper to understand the limitations of such systems and why users are still not ready to trust them.

In the paper by Sun et al. [13], an empirical study was done in 2011 to find out why users are not ready to adopt a universal Single Sign On method like Google Account (OpenID). The following behaviours, concerns and misconceptions were found. (1) Users' existing password management strategies reduced the importance of Single Sign On: they are comfortable with weak passwords and typically save the password in the browser, which spares them entering it every time. (2) Single point of failure, correctly identified as a concern by many users. (3) Users had a misconception about the OpenID model: they thought that participating websites get access to their username and password from the identity provider like Google. (4) Users were concerned about phishing attacks, as they could not distinguish fake forms from real ones. (5) Many users had privacy concerns due to possible use of their personal data. (6) Users wanted a separate identity for websites with sensitive information like financial transactions, e.g. a bank; they do not want to share the same username/password for such a website with other, less important ones (natural protection). (7) Many users did not understand why it is necessary to link accounts across websites; they did not feel the need for SSO.

C. Importance of User's Online Identity

In the literature meta-study by Beatty et al. [5], the authors identify a qualitative model based on empirically determined factors that affect the trust placed by consumers at the time of making a purchase. They identify that consumers disclose a great amount of confidential information to websites, like billing details and the authorization required by banks for releasing payments. Users not only trust the vendor's intentions but also trust the vendor's capability to guard such information. The authors also identify that, apart from payment information, a huge amount of private information like purchase history is recorded by vendors, from which the user's buying behaviour can easily be determined. Further, websites store cookies on the client side for quick identification the next time the user visits the site. The authors performed factor analysis in order to reduce the factors with summarization techniques. The most important factor identified is reputation: e.g. a user would trust reputed brands like Microsoft or Google with their capability to secure the user's information.

The paper by Sipior et al. [8] on the ethics of collecting online shopping data explains what data websites collect about consumers. The information collected includes the communication tools the consumer mostly uses, like phone, email, social networks etc., which helps advertisers target advertisements to the correct channel. Clickstream data is also collected, which includes access logs, cookies, computer/browser types, IP addresses etc. Even third party websites can track a user's access pattern on other websites by means of web bugs, one-pixel images embedded in the HTML but served from a different web server.

Linden et al. [9] highlight that the major marketing campaign of Amazon is through linked sales. It recognizes customer purchase patterns and clusters them through associations. These are not necessarily simultaneous purchases, but purchases made over a period of time by the same consumer; it even tracks the time spent between two purchases. This is used to create recommendations for all customers, which are communicated when those users visit the website by logging in, or through email.

V. ANALYSIS AND INTERPRETATION

A. Identity Management Methods

As Schlager [11] says, the bidirectional nature of security in e-commerce, together with the privacy laws upcoming in many nations, has resulted in additional complexity when creating authentication systems. The criteria for an ideal Authorization and Authentication System mentioned there are very important to this discussion, and in section B on Universal Identity Systems we will look at how those systems fare against these criteria.

Reeder [7] discusses various reasons why users forget passwords and find them hard to recover. An interesting recommendation of his is to give the user the freedom to choose which authentication he wants to use. Very few websites give such freedom to the user. Based on the user's own idea of the value of the information associated with a particular account and the conditions that apply to his behaviour, the user should be the best judge of his security needs. A website should not uniformly apply the same set of authentication mechanisms to all its clients. Reeder further adds that the website should also regularly prompt the user to update all such information. This is frequently done by Google nowadays, which prompts the user to verify the phone number and additional email address once in a while. Reeder further specifies that the website should alter the authentication requirement based on user activity: if the user changes password, accessing computer, location etc., that indicates some change in behaviour, and the website can then request suitable additional authentication to detect illegal access attempts. This is done by many banks like ICICI: when the accessing PC changes, the bank generates a One Time Password and sends it to the mobile number registered with the bank, and only upon entering this code can the user access the e-banking account. But this also carries the problem with mobile phone verification highlighted by Reeder.
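The following Python is an added example, not code from Reeder's paper or from any bank's system. It models the activity-based step-up that Reeder recommends and the bank practice described above: a routine login from a known PC needs only the password, while a new device, a new location or a sensitive action additionally requires a one-time password that the site would deliver to the registered mobile. The OTP uses the HOTP construction (RFC 4226); the account fields, risk rules and sample scenario are assumptions.

```python
"""Added illustration of activity-based step-up authentication.
Not code from Reeder's paper or from any bank; account fields, risk rules
and the sample scenario are assumptions."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation, then the low `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class Account:
    """What the site remembers about a customer. The OTP secret is used only
    server-side to produce the code that is delivered to the registered mobile."""
    user_id: str
    otp_secret: bytes
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    otp_counter: int = 0
    otp_pending: bool = False


SENSITIVE_ACTIONS = {"transfer", "change_password", "change_contact"}


def risk_signals(acct: Account, device_id: str, country: str, action: str) -> list:
    """Changes in behaviour that should raise the authentication requirement,
    plus Schlager's flexibility rule: a transfer needs more checks than a
    balance view, whatever the device."""
    signals = []
    if device_id not in acct.known_devices:
        signals.append("new_device")
    if country not in acct.known_countries:
        signals.append("new_location")
    if action in SENSITIVE_ACTIONS:
        signals.append("sensitive_action")
    return signals


def required_factors(signals: list) -> list:
    """Password always; an OTP only when some signal fired, so a routine login
    from a known PC stays single-step."""
    return ["password", "otp"] if signals else ["password"]


def issue_otp(acct: Account) -> str:
    """Produce the code the bank would send by SMS; a fresh counter per code."""
    acct.otp_counter += 1
    acct.otp_pending = True
    return hotp(acct.otp_secret, acct.otp_counter)


def verify_otp(acct: Account, submitted: str) -> bool:
    """Single-use check in constant time; the code is consumed on success."""
    if not acct.otp_pending:
        return False
    ok = hmac.compare_digest(hotp(acct.otp_secret, acct.otp_counter), submitted)
    if ok:
        acct.otp_pending = False
    return ok


def login(acct: Account, device_id: str, country: str, action: str,
          password_ok: bool, otp_supplied: str = None) -> dict:
    """Apply only the factors the request warrants and report the decision."""
    factors = required_factors(risk_signals(acct, device_id, country, action))
    if not password_ok:
        return {"allowed": False, "factors": factors, "reason": "bad_password"}
    if "otp" in factors:
        if otp_supplied is None:
            return {"allowed": False, "factors": factors, "reason": "otp_required"}
        if not verify_otp(acct, otp_supplied):
            return {"allowed": False, "factors": factors, "reason": "bad_otp"}
        acct.known_devices.add(device_id)   # assumption: trust the device afterwards
        acct.known_countries.add(country)
    return {"allowed": True, "factors": factors, "reason": "ok"}


def demo() -> dict:
    """Constructed scenario: home PC in India, then a new laptop abroad."""
    acct = Account("cust-0001", b"constructed-shared-secret",
                   known_devices={"home-pc"}, known_countries={"IN"})
    routine = login(acct, "home-pc", "IN", "view_balance", password_ok=True)
    first_try = login(acct, "laptop-2", "GB", "transfer", password_ok=True)
    code = issue_otp(acct)                  # delivered over SMS in reality
    second = login(acct, "laptop-2", "GB", "transfer", True, otp_supplied=code)
    replay = login(acct, "laptop-2", "GB", "transfer", True, otp_supplied=code)
    return {"routine": routine, "first_try": first_try,
            "second": second, "replay": replay}
```

The replayed code in the last step fails because each OTP is single-use, which is the property a lost or intercepted SMS code depends on.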
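Returning to the OpenID model of section IV.B and to misconception (3) reported by Sun et al., the following added example (not code from the Tsyrklevich or Sun papers) simulates the exchange between an identity provider and a relying party: the provider checks the password locally and returns an assertion signed with the association key, and the relying party verifies the signature, the return_to address and the nonce without ever seeing the password. The provider also stores only salted password hashes, in contrast to the plaintext storage in the store breach discussed in section V.C. The association MAC key is assumed to be already shared, and the URLs, user names and hashing parameters are constructed.

```python
"""Added illustration of an OpenID 2.0-style exchange; not code from the
Tsyrklevich or Sun papers. The association MAC key is assumed to be already
shared (OpenID establishes it in an association step not modelled here);
URLs, user names and the password hashing parameters are constructed."""
import base64
import hashlib
import hmac
import os
import secrets
import time


def kv_form(fields: dict, signed: list) -> bytes:
    """Key-value encoding of the signed fields in the listed order: one
    'key:value\\n' line each, keys without the 'openid.' prefix."""
    return "".join(f"{k}:{fields.get('openid.' + k, '')}\n" for k in signed).encode()


def sign(fields: dict, signed: list, mac_key: bytes) -> str:
    """openid.sig: base64 of an HMAC over the key-value form (SHA-256 here)."""
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


class Provider:
    """The identity provider: the only party that ever handles the password."""

    def __init__(self, endpoint: str, mac_key: bytes):
        self.endpoint = endpoint
        self.mac_key = mac_key      # shared with the relying party
        self.users = {}             # claimed_id -> (salt, password hash)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, claimed_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[claimed_id] = (salt, self._hash(password, salt))

    def authenticate(self, claimed_id: str, password: str, return_to: str) -> dict:
        """Check the password locally; on success return a signed positive
        assertion addressed to return_to. The password is not in the reply."""
        salt, stored = self.users.get(claimed_id, (None, None))
        if salt is None or not hmac.compare_digest(stored, self._hash(password, salt)):
            return {"openid.mode": "cancel"}
        signed = ["op_endpoint", "claimed_id", "return_to",
                  "response_nonce", "assoc_handle"]
        fields = {
            "openid.mode": "id_res",
            "openid.op_endpoint": self.endpoint,
            "openid.claimed_id": claimed_id,
            "openid.return_to": return_to,
            "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
            + secrets.token_hex(4),
            "openid.assoc_handle": "assoc-1",
            "openid.signed": ",".join(signed),
        }
        fields["openid.sig"] = sign(fields, signed, self.mac_key)
        return fields


class RelyingParty:
    """The shop: holds no passwords, only verifies the provider's assertion."""

    def __init__(self, return_to: str, op_endpoint: str, mac_key: bytes):
        self.return_to = return_to
        self.op_endpoint = op_endpoint
        self.mac_key = mac_key
        self.seen_nonces = set()    # replay protection

    def verify(self, resp: dict) -> tuple:
        """Return (claimed_id, 'ok') or (None, reason)."""
        if resp.get("openid.mode") != "id_res":
            return None, "cancelled"
        if resp.get("openid.op_endpoint") != self.op_endpoint:
            return None, "unexpected_provider"
        if resp.get("openid.return_to") != self.return_to:
            return None, "return_to_mismatch"
        signed = resp.get("openid.signed", "").split(",")
        if not {"op_endpoint", "return_to", "response_nonce", "claimed_id"} <= set(signed):
            return None, "required_field_unsigned"
        if not hmac.compare_digest(sign(resp, signed, self.mac_key), resp.get("openid.sig", "")):
            return None, "bad_signature"
        if resp["openid.response_nonce"] in self.seen_nonces:
            return None, "replayed"
        self.seen_nonces.add(resp["openid.response_nonce"])
        return resp["openid.claimed_id"], "ok"


def demo() -> tuple:
    """Constructed run: a good login, a replay of it, and a tampered copy."""
    mac_key = os.urandom(32)
    op = Provider("https://op.example/endpoint", mac_key)
    rp = RelyingParty("https://shop.example/openid/return", op.endpoint, mac_key)
    op.register("https://alice.op.example/", "correct horse")
    resp = op.authenticate("https://alice.op.example/", "correct horse", rp.return_to)
    first = rp.verify(resp)
    replay = rp.verify(resp)
    tampered = dict(resp, **{"openid.claimed_id": "https://mallory.op.example/"})
    return first, replay, rp.verify(tampered)
```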
As highlighted by Johansen [10], system complexity has increased with the explosion of smartphones. Identity management is also critical for mobiles, as users are continuously online from them and at the same time they pose a higher risk of physical access through theft. Today, even mobile banking and stock trading show increasing trends.

B. Universal Identity Systems

As explained in the paper by Zhang [12], it is important that e-commerce websites think about the user while framing their authentication. We are not debating here whether the framework proposed by the authors is the best way to achieve this, but the desired characteristics of such a system identified by the authors are important here. Such a system can help in bringing a consistent identity for the user, as we discussed in the objectives of this paper.

As explained in the paper on OpenID, the open source, decentralized system, which is well supported by Internet giants like Google, appears a good solution to the problem of maintaining a consistent identity for the user. But there can be many other ways. One possibility is that the user's operating system integrates identity with itself and then federates it with any interested website. One such experiment was performed by Microsoft through .NET CardSpace, but it did not find much support. Another way, if users don't trust usernames/passwords, is for the operating system to integrate biometric security and then federate it; Windows supports login to the local PC with a fingerprint scan. But there are obvious limitations with respect to the management of such information and the physical security of credentials, and even then the trust problem with centralized security providers is not answered.

The paper by Sun [13] helps us understand several issues that impact the adoption of Single Sign On methods or universal identity systems. It can easily be seen that users trust their local browsers, which store passwords in plain text, more than the OpenID providers, which take the utmost care as per protocol to protect their identity. While concerns like a single point of failure, or obtaining natural protection through different passwords, are valid, they can be handled through some changes in the functionality of OpenID. For example, for critical accounts, in addition to the username/password some more advanced credential can be asked for, like an OTP (one time password) or an additional password. The remaining misconceptions are clearly a matter of user knowledge: users should be made aware of how dangerous it is to store passwords in browsers, which are subject to being hacked by so many different means.

C. Importance of User's Online Identity

Corresponding to the observation by Beatty et al. [5] that the reputation of a site indicates higher trust in the capability of vendors to guard the user's information, we would like to cite a real-life contradiction to this observation. It further highlights why it is important to consolidate authentication methods. On February 12, 2012, the online store of Microsoft India was hacked by a group of Chinese hackers [6]. The username/password information of thousands of users was stolen. The hackers used this information to compromise the email accounts of users, as most users had the same passwords for their email addresses. The issue happened because the online store of Microsoft was not actually run by Microsoft but licensed to a third party vendor company. The company in question did not follow Microsoft's own Windows Live ID security system, but implemented its own custom security. Further, passwords were not stored in encrypted format. This resulted in the store being taken down for several weeks, possibly for a security revamp. This highlights negligence on the part of Microsoft in licensing its valued brand name to a third company without even performing basic checks on what kind of security was implemented. It also indicates that user information on e-commerce websites is extremely sensitive and must be handled carefully. Users trusted the online store of Microsoft as one operated by Microsoft, not knowing that some vendor company operated the store on Microsoft's behalf. That is why they put the same amount of trust in the intentions and capability of Microsoft Store India as they would put in any other site under the umbrella of Microsoft Corp.

The paper by Sipior et al. [8] is a little old, and several things have changed due to the rise of Ajax and mobile applications, but some foundational things still apply. We are not aiming to discuss the ethical implications here, but this paper helps us understand all the information that is tracked for the user and how useful such information can be for the e-commerce business. The primary information collected is the most effective communication media, access patterns and preferences. Naturally these have huge benefits in optimizing advertisement spending and increasing effectiveness.

E-commerce pioneer Amazon, as described in the paper by Linden et al. [9], shows that technology enables businesses to react quickly to changing customer data, which benefits businesses. The ability of businesses to accurately track customer preferences is critical for survival. Consistent identity maintenance of the user online is therefore very important.

VI. CONCLUSION

Based on this literature survey we have learnt about the identity management frameworks that exist today on popular e-commerce websites. We also understand user behaviour with respect to security management. We have identified the importance of maintaining a consistent identity from both the user's and the vendor's point of view, and the only possible solution is the implementation of a single sign on or global identity management system which is decentralized and open, like OpenID. But some of the users' concerns about its adoption are valid, and those should be answered categorically in such a design in the future.

REFERENCES

[1] Forrester predictions on E-commerce, retrieved from http://www.fortune3.com/blog/2011/01/ecommerce-sales-2011/ on Feb. 26, 2012.
[2] Internet and Mobile Association of India (IAMAI) report on Indian E-commerce Market Size, retrieved from the Economic Times website on Feb. 24, 2012.
[3] Forrester US m-commerce report, retrieved from http://techcrunch.com/2011/06/17/forrester-u-s-mobile-commerce-to-reach-31-billion-by-2016/ on Feb. 26, 2012.
[4] Furnell S., An assessment of website password practices, Computers & Security 26, 2007, Science Direct.
[5] Beatty P., Reay I., Dick S., Miller J., Consumer Trust in E-Commerce Web Sites: A Meta-Study, ACM Computing Surveys, Vol. 43, No. 3, Article 14, April 2011, ACM Digital Library.
[6] Anwer Javed, Microsoft's India Store Hacked, retrieved from http://articles.timesofindia.indiatimes.com/2012-02-13/security/31054691_1_passwords-security-breach-hackers, Times of India.
[7] Reeder R., Schechter S., When the Password Doesn't Work – Secondary Authentication for Websites, IEEE Computer and Reliability Societies, March/April 2011.
[8] Sipior J., Ward B., Rongione N., Ethics of Collecting and Using Consumer Internet Data, Information Systems Management, Winter 2004.
[9] Linden G., Smith B., York J., Amazon.com Recommendations – Item-to-Item Collaborative Filtering, IEEE Internet Computing, Jan-Feb 2003, IEEE Computer Society.
[10] Johansen T., Jorstad I., Thanh D., Identity management in mobile ubiquitous environments, Internet Monitoring and Protection, 2008, IEEE Computer Society.
[11] Schlager C., Nowey T., Montenegro J., A Reference Model for Authentication and Authorization Infrastructures Respecting Privacy and Flexibility in b2c eCommerce, Proceedings of Int'l Conference on Availability, Reliability and Security 2006, IEEE.
[12] Zhang Y., Chen J., Universal Identity Management Model Based on Anonymous Credentials, IEEE International Conference on Services Computing, 2010, IEEE Computer Society.
[13] Sun S., Pospisil E., Muslukhov I., Dindar N., Hawkey K., Beznosov K., What Makes Users Refuse Web Single Sign-On? An Empirical Investigation of OpenID, Proceedings of Symposium on Usable Privacy and Security, ACM.
[14] Tsyrklevich E., Tsyrklevich V., OpenID: Single Sign-on for the Internet: A Security Story, Proceedings of Blackhat USA 2007.