Identification, Authentication and Authorization

Identification

Privacy is relevant as the identification data may reveal additional information

  • Impact: OSINT tracking, Doxing, ID Theft

Identifier reuse

  • Tracking users across platforms

Badly constructed

  • Reveal real name, location, age, profession

Non selective

  • Presenting identification discloses too much information

OSINT

Identifier reuse

Track users across services

Some services allow further deanonimization

  • Github: profession

  • Social networks: age

  • Chess: ?

Behavior reveal

  • Data from League of Legends reveals links between real-world and online personality.

  • Players with antisocial usernames behaved in an antisocial manner within the game.

  • Ages estimated from usernames correlate strongly with ages entered at registration.

  • Online interactions valence correlates positively age. Older players behave better.

  • Gaming usernames provide a useful source of psychological information.

Best practices

Identifiers should:

  • Be service specific

  • Be unique within the limits of usability

    • Alternative: numbers or a digest of a public key

  • Be kept private within the limits of service operation

  • Not disclose further information

Good practices:

  • Discord allows a different profile per user

  • Reddit: allows random usernames

May require application to manage usernames

  • Key vault

PreviousPrivacy and IAANextAuthentication

Last updated