Literature Survey to understand online identity management and its importance in E-commerce Sathe, Vaibhav1 Indian Institute of Management Lucknow IIM Campus, Prabandh Nagar, Off Sitapur Road, Lucknow, Uttar Pradesh – 226013, INDIA 1 firstname.lastname@example.org I. INTRODUCTION II. PROBLEM DEFINITION Last decade we have observed explosion of e-commerce. Following are objectives of this literature review.Forrester projects size of e-commerce market in triad (U.S.,Western Europe and Japan) markets in 2012 to cross $400 (1) Various Identity Management MethodsBillion. Even in India, the e-commerce market reached INR We need to identify various authentication and460 Billion or $10 Billion size. This translates to billions of authorization methods used by popular e-commercetransactions every year on World Wide Web. After launch of websites. We will also look into various securityApple’s iPhone, smartphone market suddenly exploded in last measures undertaken to prevent identity thefts. We willcouple of years. Forrester also projects total smartphones and look into details how trust is managed in onlinetablet will reach 1 billion device mark by 2016. The m- transactions.commerce, which is mobile version of e-commerce, is Considering variety of authentication systems, there ispredicted to grow at CAGR of 40% to $40 Billion by 2016. high likelihood that users will forget required credentials This e-commerce model is highly fragmented due to low e.g. passwords. We need to identify what all methods thatcapital requirement and high reach to customers through web are used by e-commerce websites that let user recoveras only medium. This means that there are millions of shops his/her credentials. We also need to identify how easy it isonline which are selling their products or services. From for user to recover same.security point of view, this means there are millions ofauthentication systems in place. This complicates task of user (2) Universal Identity Systemswho wants to access these sites. For e.g. any common online We will identify various universal identity systems likeuser has several online login username/passwords like email Facebook Login, Google Account, and Windows Live IDaddresses, social network accounts, Amazon ID, eBay login, etc. We will look into Single Sign On and FederatedNetflix login, e-banking IDs, flight booking websites, Identity methods and evaluate if such methods will beApple/iTunes IDs etc. A common tendency is to have same effective solution for this problem.userID or password across sites. But not all websites allowthis. Some websites have automated user IDs, some allow (3) Importance of user’s online identityemail addresses while others have custom IDs. Even different We need to identify how online identity of user iswebsites have different rules on passwords like minimum valuable to user. We will identify benefits that user getslength, black list, special characters, uppercase or numbers. by maintaining his identity with the e-commerce website.This heterogeneity in authentication systems complicates We will identify what are potential losses due to loss ofuser’s task to remember these dozens of username/passwords such identity. It’s not just user that is benefited fromthat are commonly required. online identity. The e-commerce websites are also Some of these sites like email addresses and social benefited by tracking their users. We will also look atnetworks are very frequently used. Hence, these have less benefits that e-commerce companies receive fromlikelihood that users will forget username or password. But maintaining online identity of their users.when it comes to occasionally used sites like Amazon or eBay,the likelihood that users will forget userID is higher. User also III. LITERATURE SEARCHdoes not have much incentive to take efforts in recovering The literature surveyed for this is divided into followingforgotten passwords on such websites. He has easy way of sections.creating new account in order to cater to the purchase he orshe is looking for. When it comes to further more secure sites A. Various Identity Management Methodslike banks, they enforce password expirations and detect Following articles contribute to first objective to identifyIP/location changes. This further complicates life of user. But various identity management methods. Detailed reference isthis is generally done due to sensitivity of information and/or included in references section.legal requirements. Sr. Article/Paper Journal/Publisher In this paper, we will look at aspects like different identity 1 A Reference Model for IEEEmanagement methods, steps taken by websites to protect Authentication and Authorisationidentity, ways to recover lost or stolen identity and finally we Infrastructures Respecting Privacywill look at value of maintaining consistent identity and Flexibility in b2c eCommerceinformation to users and the websites. 2 An assessment of website Science Direct
password practices required number of validation rules should be executed in3 When the Password Doesn’t Work IEEE order to authenticate user and not more. Federation will be4 Identity management in mobile IEEE explained in more details in later section. ubiquitous environmentsB. Universal Identity Systems Following articles contribute to second objective ofidentifying role of universal identity management systems.Detailed reference is included in references section.Sr. Article/Paper Journal/Publisher1 Universal Identity Management IEEE Model Based on Anonymous Credentials2 What Makes Users Refuse Web ACM Single Sign-On? An Empirical Investigation of OpenID3 OpenID: Single Sign-on for the Blackhat USA Internet: A Security Story Furnell, in his paper , criticizes password based authentication models. He identifies that passwordC. Importance of User’s Online Identity authentication has problems like (1) Poor passwords (2) Risk Following articles contribute to third objective of of theft based on general knowledge (3) Same password foridentifying importance of user’s consistent identity to vendors long period (4) Use of same password across multiple sitesand customers. Detailed reference is included in references and from multiple systems. He, however does not want tosection. blame users alone. He performs assessment of top 10 websitesSr. Article/Paper Journal/Publisher on their password practices. From our research point of view,1 Consumer Trust in E-Commerce ACM Computing this information is important. We are not concerned with Web Sites: A Meta-Study Surveys actual findings of the paper about effectiveness of password2 Ethics of Collecting and Using IS Management based authentication. The paper includes summary of Consumer Internet Data password restrictions and guidelines for these sites. Furnell3 Amazon.com Recommendations IEEE also concludes that this heterogeneity is not good from maintaining security of user’s data. He recommends that sites IV. DATA EVALUATION should switch to Single Sign On authentication models or This section is split into sections as below. federated security models like Facebook, Windows Live ID orA. Identity Management Methods Google Accounts. He makes certain important identifications. Schlager et al , in their paper state that security in e- This includes that complexity of retrieval techniques is notcommerce world is not unidirectional i.e. threat to website correlated to sensitivity of information. He cites example offrom malicious users. It is bidirectional. User data is of greater Yahoo which has more complex multi-step retrieval processuse to websites and hence there is threat to users from possible compared to Amazon, which just emails reset link. And it ismisuse of the data that user has shared with the website with Amazon that saves credit card information for easy purchasesthe trust. The authors focus on b2c i.e. business to consumer against Yahoo, where there is less likelihood of user storinge-commerce, which is standard online shopping experience for credit card details due to nature of its services, which are lessmost users. We also have focussed in this study on such type paid and more advertisement supported.of e-commerce websites only. The authors refer to AAI which We have however, updated same based on current systemstands for Authentication and Authorization Infrastructure. on these sites. We have included some websites different thanThe authors have proposed following schematic diagram for discussed in the paper, which are more relevant for ourtypical AAI system. Authors further add that important research.characteristics of such system are that it has power to connect Cat. Site Authenticationbusiness partners together in order to facilitate exchange of EC Amazon User ID: Email Addresssecure data like federated circle of vendors. E.g. if customer is Password: Min. 6 lengthbuying from website like Amazon, the site needs to share FI BNP UserID: Assigned by Bank, numericcertain data like shipping address with vendor and logistic Paribas Password: 6 digit numeric code, forcedpartners who are in turn going to ship the product ordered. change after 80 loginsThe AAI system has to be holistic and needs to take care of Transaction verification through SMSend-to-end data transfer. The threat to user’s private data EC eBay UserID: 6 or more alpha numericexists at each stage. Authors elaborate that there are three Password: 6-20, mix of alpha, numeric,most important characteristics expected from any AAI system symbols and different than email or userid.when it comes to handling e-commerce. These are Privacy, Password strength meter shown.Flexibility and Federation. Privacy means that only required SN Facebook UserID: Email address (Not verified)details are shared with the user and strict policies are provided Password: 6 characterswith respect to such data usage. Flexibility means that not all Birth Date required, but no verificationvalidations are done for each type of access. E.g. email service EC Flipkart UserID: Email address (Not verified)may require lesser verification rules than a bank authorizing Password: Anytransaction. Based on qualification of the process, only SN Google UserID: @gmail.com address, 6-30 alpha,
numeric, _ and . EC eBay UserID recoverable via email. For Password: 8 characters, just guideline not password, answer to secret question from to use pet name or other website password possible drop down.FI HDFC UserID: assigned by bank, numeric If email address not available, re-register Bank Password: Combination of Alphabet, mandatory. numbers and symbols, forced change SN Facebook Recovery using email/phone number or every 3 months, old password can’t be part information on one of friends. Password of new password reset code is sent. Phishing proof image verification EC Flipkart Email address entry to receive reset link. Transaction verification separate password SN Google Recovery using other email address askedSN LinkedIn UserID: Email Address at time of registration. Link is sent. Password: Min. 6 length Possibility of SMS verification dependingSN Twitter User ID: Custom/User can choose upon country. Password: Min. 6 length, Obvious FI HDFC No online recovery, possible from branch passwords Block List e.g. password Bank office only Additional recommendation for stronger SN LinkedIn Email address entry to receive reset link. password (password meter) SN Twitter Need Email address for retrievingEC Yatra UserID: Email address forgotten username and password Password: 6 characters. Mandatory mobile EC Yatra Email address entry to receive reset link. number and name 4 character checks. Johansen in his paper , describes the identity management challenges in mobile environment. He identifies Article by Reeder et al  identifies that even genuine users that mobile environment is characterized by large number ofare not able to present required password at all times. This is devices like mobile, tablet, laptop, MP3 players etc. Alsodue to password being forgotten, lost or stolen. To clarify on these devices consume several services in public or privatecase of stolen, it means that some unauthorized user steals domain based on their spatio-temporal requirements. Theuser’s passwords and in order to block him from accessing the services are also classified as high level or low level. Highaccount, he changes the password. The website must provide level services are ones which are related to carrier andway to retrieve such access for users through means of telecommunication services related to sim card etc. Low levelsecondary authentication. This includes techniques like (1) are related to services in local wifi at home or office level. TheSending email to registered email address with reset link (2) authentication requirements at all these levels are veryAnswering security question (3) Sending SMS password to different and also impacted due to different protocols of dataregistered mobile (4) Ask for old password and (5) Ask third access. Wifi based systems follow mostly Internet like model,party or friend to verify the user. But as authors identified, while Sim services authenticate on GSM protocols. There isthese additional secondary authorization methods result in need to bring Single Sign On across all such protocols throughwidespread weakness of system. Techniques like secondary Identity Federation systems. Identity Federation means thatquestions are standard and based on user’s profile. Many multiple systems identity systems are combined and use onetimes such information is available in public through resumes server/system and trust authentication performed by it. Thisor profiles on social network like Facebook. Authors classify facilitates user to login using one credential and receivethese methods into 2 sections – (1) Knowledge Based Systems authorization on all linked services.which rely on genuine user’s knowledge supplied at registertime and (2) Transitive mechanism in which task of B. Universal Identity Systemsauthentication is delegated to other system like Email. The In previous section we have seen the importance ofauthor identifies several problems with secondary federated identity systems highlighted by many authors. Inauthorization techniques. We will discuss only those which this section we will look at some academic papers and real liferesult in user forgetting secondary credentials. With security example of such universal identity systems which will letquestions, there are issues like non-configurable e.g. What’s users login once and use it for all partner websites.name of first pet to user who never had pet and dynamic e.g. Zhang and Chen  explain in their paper on universalfavourite song which changes over time. Problems with email identity management model about anonymous credentials.addresses is user may not remember which exact email This paper actually talks about extending WS-Federation foraddress he used at time of registration. People are associated anonymous credentials. We will look at partially to understandwith schools, companies and these email addresses change characteristics of such universal system. The system shouldover time. This complicates task of retrieval. Problem with have mechanism for brokering of identity, attributes,SMS based retrieval is again due to people changing locations authentication and authorization assertions between domains,or losing their phones resulting in changing phone numbers. and privacy of federated domains. Since, most e-commerceEven if user is travelling to different country, he may not have websites run on SOA, which is Service Oriented Architecture,his phone active. In today’s world of extreme mobility, phone the users are key in this model. Hence, the user orientedbased authentications have serious limitations. characteristics like easy-to-use, consistent experience and Following table summarizes various password retrieval transparent security are critical. Self presentation of validtechniques used by 10 websites identified in previous table. identity is important considering that user roams acrossCat. Site Retrieval Method multiple systems in spatio-temporal frame. This is especiallyEC Amazon Need Email address registered with true for mobile devices. What this means is user should holdFI BNP No online recovery, possible from branch some sort of encrypted verified identity token, that when it Paribas office only presents to client site, it believes the authenticity of user
without actually verifying again with the authenticating server. vendors. User’s buying behaviour can be easily determined.This can be easily achieved with help of certificates and Further, websites store cookies on client side for quickdigital signatures. identification next time he visits such site. Authors have Paper by Tsyrklevich , explains what OpenID is. The performed factor analysis in order to reduce factors withmost famous implementation of OpenID is Google Account, summarization techniques. The most important factorthe authentication system of Google and allied websites. It can identified is reputation. E.g. user would trust reputed brandsalso be used by third party websites through Google Apps and like Microsoft, Google with their capability to secure user’sfederation. The OpenID as single sign on protocol was information.designed keeping in mind web 2.0, which is era of e- Sipior et al paper’s on ethics in collecting online shoppingcommerce and web as two-way communication medium. It is data explains what all data is collected by websites abouta decentralized system with several providers like Google, consumers. The information collected includesYahoo etc. And then he can use this id on all OpenID enabled communication tools information like phone, email, socialwebsites. This is in contrast to services like Microsoft networks etc. which consumer uses mostly. This can helpPassport, which are centralized. What that means is, it is advertisers to target advertisements to correct channel. Also,Microsoft which will store the authentication of users and clickstream data is collected, which includes access to logs,provide it as service to any website interested. There is cookies, computer/browser types, IP addresses etc. Even thirdobvious conflict of interest in such models. First, not everyone, party websites can track user’s access pattern on otherespecially Microsoft’s competitors would trust it with such websites through means of web bugs, which are one pointinformation and then they would not want to create such pixel images embedded in Html but from different web serverdependency. On other hand, OpenID remains neutral and source.provides multiple provider options. This helps client websites Linden et al  in their paper highlight that major marketingchoose the one they find most suitable to their requirements campaign of Amazon is through linked sales. It recognizesand business strategy. The benefits of OpenID to end users are customer purchase patterns and cluster them throughSingle Sign On and security advantages like certificates, SSL, associations. These are not necessarily simultaneous purchases,smartcards etc. due to advantage of scale to providers. but purchases made over period of time by same consumer. It The OpenID and Universal Identity System appear to have even tracks time spent between twopurchases. This is used tosolved the problem. But, we need to look at following paper in create recommendations for all customers which areorder to understand the limitations of such systems and why communicated when those users visit website by logging in orusers are still not ready to trust such universal systems. through email. In paper by Sun et al , empirical study was done in 2011to find out why users are not ready to adopt the universal V. ANALYSIS AND INTERPRETATIONSingle Sign On method like Google Account (OpenID). It was A. Identity Management Methodsfound that there were following behaviours, concerns and As Schlager  says, the bidirectional nature of security inmisconceptions. (1) Their existing password management e-commerce, added with privacy laws upcoming in manystrategies reduced the importance of Single Sign On. They are nations has resulted in additional complexity when it comes tocomfortable with weak passwords. They typically save create various authentication systems. The criteria of idealpassword in browser which reduces their task to enter it every Authorization and Authentication System mentioned here istime. (2) Single Point of Failure – This is correctly identified very important for discussion and we will look in section B onas concern by many users. (3) Users had misconception about Global Identity Systems how they fare against these criteria.OpenID model. They thought that participating websites get As Reeder  discusses various reasons due to which usersaccess to their username and password from identity provider forget the password and find it hard to recover. Interestinglike Google. (4) Users were concerned about phishing attacks recommendation by him is about giving freedom to user toas they could not distinguish fake forms from real one. (5) choose what authentication he wants to use. Very fewMany users had privacy concerns due to possible use of their websites gives such freedom to user. Based on user’s own ideapersonal data. (6) Users wanted separate identity for website of value of his information associated with particular accountwith sensitive information like financial transactions e.g. bank. and conditions apply to his behaviour, user should be bestThey do not want to share same username/password for such judge of his security needs. Website should not uniformlywebsite with other less important ones. (Natural protection) (7) apply same set of authentication mechanisms to all its clients.Many users did not understand why it is necessary to link the Reeder further adds that website also regularly prompt user foraccounts across websites. They did not feel the need to have updating all such information. This is done frequently done bySSO. Google nowadays, which prompts to verify phone number and additional email address once in a while. Reeder furtherC. Importance of User’s Online Identity specifies that website should alter authentication requirement In literature meta study by Beatty et al, authors have based on user activity. If user changes password, accessingidentified a qualitative model based on empirically determined computer, location etc. then it indicates some change infactors that affect the trust put by consumers at time of making behaviour. Then website can request suitable additionalpurchase. Authors identify that consumers disclose a great authentication to detect illegal attempts of access. This is doneamount of confidential information to websites like billing by many banks like ICICI when accessing PC changes, bankdetails, authorization required by banks for releasing generates One Time Password and sends it to mobile numberpayments. Users not only trust vendor’s intentions but also registered with bank. Only upon entering this code, user cantrust vendors capability to guard such information. The access e-banking account. But this also carries problem facedauthors also identify that apart from payment information, by mobile phone verifications as highlighted by Reeder.huge private information like purchase history is recorded by
As highlighted by Johansen , the system complexity has implemented its own custom security. Further, passwordsincreased with explosion of smartphones. The identity were not stored in encrypted format. This resulted in storemanagement is also critical for mobiles as users are being taken down for several weeks, possibly for securitycontinuously online from them and at same time they pose revamp. This highlights negligence on part of Microsoft tohigher risk of physical access through theft. Today, even license its valued brand name to third company without evenmobile banking, stock trading are showing increasing trends. performing basic checks on what kind of security is implemented. This indicates that user information on e-B. Universal Identity Systems commerce websites is extremely sensitive and must be As explained in paper by Zhang , it is important that e- handled carefully. Users trusted online store of Microsoft ascommerce websites should think about user while framing one operated by Microsoft, due to lack of knowledge thattheir authentications. We are not debating here whether the some vendor company operated the store on Microsoft’sframework proposed by author is the best way to achieve, but behalf. That’s why they put equal amount of trust ondesired characteristics of such system identified by authors are intentions and capability of Microsoft Store India as theyimportant here. Such system can help in bringing consistent would put in any other site under umbrella of Microsoft Corp.identity for user as we have discussed in objectives of this Paper by Sipior et al  is little old and several things havepaper. changed due to rise of Ajax and Mobile applications, some As explained in paper of OpenID, the open source, foundational things still apply. We are not aiming to discussdecentralized system which is well supported by Internet ethical implications here, but this paper helps us understandgiants like Google, appears a good solution to this problem of all the information that is tracked for the user and how usefulmaintaining consistent identity of user. But then there can be such information can be for the e-commerce business. Primarymany other ways. Possible ones are the operating system of information collected is most effective communication media,user integrates identity with itself and then federate it with any access pattern and preferences. Naturally these have hugewebsite that is interested. One such experiment was performed benefits in optimizing advertisement spending and increasingby Microsoft through .NET Cardspace, but it did not find effectiveness.much support. Another way is if users don’t trust E-commerce pioneer Amazon, as in paper of Linden et al username/passwords, the operating systems can integrate highlights that technology enables businesses to react quicklybiometric security and then federate it. Windows supports to changing customer data which benefits businesses. Abilitylogin to local PC with fingerprint scan. But, there are obvious of businesses to accurately track customer preferences islimitations with respect to management of such information critical for survival. Consistent identity maintenance of userand physical security of credentials. But still then the trust online is therefore very important.problem with centralized security providers is not answered. Paper by Sun , helps us understand several issues that VI. CONCLUSIONimpact adoption of Single Sign On methods or universal Based on this literature survey we learnt about the identityidentity systems. It can be easily identified that users are management framework that exist today with popular e-trusting their local browsers which store passwords in plain commerce websites. We also understand user behaviour withtext, more than the OpenID providers which take utmost care respect to security management. We have identifiedas per protocol to protect their identity. While concerns like importance of maintaining consistent identity from both usersingle point of failure or obtaining natural protection through and vendor point of view and only possible solution isdifferent password are valid, they can be handled through implementation of single sign on or global identitysome changes in functionality of OpenID. For example, for management system which is decentralized and open likecritical accounts, in addition to username/password some OpenID. But, some of the concerns from the user on itsmore advanced credential can be asked like OTP (One time adoption are valid and those should be answered categoricallypassword), or additional password. And remaining in such design in the future.misconceptions are clearly matter of knowledge by users.They should be made aware how dangerous it is to store REFERENCESpasswords in browsers which are subject to get hacked by so  Forrester predictions on E-commerce, retrieved frommany different means. http://www.fortune3.com/blog/2011/01/ecommerce- sales-2011/ on Feb. 26, 2012.C. Importance of User’s Online Identity  Internet and Mobile Association of India (IAMAI) report Corresponding to observation by Beatty et al about on Indian E-commerce Market Size, retrieved fromreputation of site indicating higher trust on capability of Economics Times website on Feb. 24, 2012.vendors to guard user’s information, we would like to cite  Forrester US m-commerce report, retrieved fromreal-life contradiction to this observation. It further highlights http://techcrunch.com/2011/06/17/forrester-u-s-mobile-why it is important to consolidate authentication methods. On commerce-to-reach-31-billion-by-2016/ on Feb. 26,February 12, 2012, online store of Microsoft India was hacked 2012.by a group of Chinese Hackers. The username/password  Furnell S., An assessment of website password practices,information of thousands of users was stolen. The hackers Computers & Security 26 2007, Science Direct.used this information to compromise email accounts of users  Beatty P., Reay I., Dick S., Miller J., Consumer Trust inas most users had same passwords for their email addresses. E-Commerce Web Sites: A Meta-Study, ACMThe issue happened as the online of store of Microsoft was not Computing Surveys, Vol. 43, No. 3, Article 14, Aprilactually run by Microsoft but licensed to one third party 2011. ACM Digital Library.vendor company. The company in question did not follow  Anwer Javed, Microsoft’s India Store Hacked, retrievedMicrosoft’s own Windows Live ID security system, but from http://articles.timesofindia.indiatimes.com/2012-
02-13/security/31054691_1_passwords-security-breach- hackers, Times of India. Reeder R., Schechter S., When the Password Doesn’t Work – Secondary Authentication for Websites, IEEE Computer and Reliability Societies, March/April 2011. Sipior J., Ward B., Rongione N., Ethics of Collecting and Using Consumer Internet Data, Information System Management, Winter 2004. Linden G., Smith B., York J., Amazon.com Recommendations – Item-to-Item Collaborative Filtering, IEEE Internet Computing Jan-Feb 2003, IEEE Computer Society. Johansen T., Jorstad I., Thanh D., Identity management in mobile ubiquitous environments, Internet Monitoring and Protection, 2008, IEEE Computer Society. Schlager C., Nowey T., Montenegro J., A Reference Model for Authentication and Authorization Infrastructures Respecting Privacy and Flexibility in b2c eCommerce, Proceedings of Int’l Conference on Availability, Reliability and Security 2006, IEEE. Zhang Y., Chen J., Universal Identity Management Model Based on Anonymous Credentials, IEEE International Conference on Services Computing, 2010, IEEE Computer Society. Sun S., Pospisil E., Muslukhov I., Dindar N., Hawkey K., Beznosov K., What Makes Users Refuse Web Single Sign-On? An Empirical Investigation of OpenID, Proceedings of Symposium on Usable Privacy and Security, ACM. Tsyrklevich E., Tsyrklevich V., OpenID: Single Sign-on for the Internet: A Security Story, Proceedings of Blackhat USA 2007.