Welcome to the homepage of the project 'eID Connect'. We present a new solution for identity-as-a-service that focuses on security and usability at the same time.
Who doesn't know this situation? You want to use a new online service, and once again you are asked for a username and password. Over the last years not only has the number of web services grown considerably, but so has the amount of account access data that every Internet user has to remember.
Lately it has become more common for websites to replace their own logins with those of Facebook, Gmail or Twitter, so that a single login is enough to use different web services. This troubles privacy and security experts, because Facebook, Google and co. do not only manage the identities of their users, but are also able to track their users across the Internet and use this information for advertising.
The idea of a single login isn't new, though: the principle of single sign-on has existed for a while, and its most successful implementation is OpenID. The basic idea is simply that a web service can delegate the login to a dedicated OpenID provider and can request personal data about its users (granted with the user's approval).
As of late, the term identity-as-a-service has come into common use, and most of the time it is just seen as another implementation of the single sign-on principle. The term is derived from similar expressions such as platform-as-a-service and software-as-a-service, and is meant to describe a service for identity management.
In this project we present such an identity-as-a-service solution; however, it goes beyond a simple implementation of single sign-on.
Security with Hardware Token
In order to support easy integration of eID Connect, it is reasonable to build upon the widely used Internet standard OpenID. However, OpenID has security weaknesses that stem from shortcomings in its standardized definition. OpenID is susceptible to phishing attacks, because it is not guaranteed that its automatic redirection actually leads to the login site of the OpenID provider.
eID Connect solves this problem by using secure hardware tokens. These tokens replace the usual login with username and password and cannot be deceived by phishing websites. The token connects to the server and verifies the identity of the server with digital signatures, without relying on the appearance of the website or its address.
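The following toy model is an added illustration of the idea above and is not eID Connect's own code or protocol: the token pins the genuine provider's public key and only completes a login when the server proves possession of the matching private key by signing a fresh challenge, so a lookalike site fails regardless of how convincing its page or URL is. The challenge format, the class names and the tiny textbook RSA parameters are assumptions for illustration only.

```python
"""Toy model: a hardware token that authenticates the server by signature.

Assumptions (not from the eID Connect project): a challenge/response shape
of our own design and textbook RSA with tiny, hard-coded primes. Such keys
and unpadded RSA are NOT secure; they only keep the example self-contained.
"""
import hashlib
import secrets


def toy_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)) for the constructed primes p and q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def _digest(msg: bytes, n: int) -> int:
    # Reduce the hash below the modulus (toy only; real RSA uses padding).
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_digest(msg, n), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)


# Constructed keys: the genuine provider's and an imposter's.
PROVIDER_PUB, PROVIDER_PRIV = toy_keypair(1000003, 1000033)
PHISHER_PUB, PHISHER_PRIV = toy_keypair(1000037, 1000039)


class Token:
    """The hardware token trusts only its pinned provider key, never the page."""

    def __init__(self, pinned_pub):
        self.pinned_pub = pinned_pub

    def login(self, server) -> bool:
        challenge = b"login-challenge|" + secrets.token_bytes(16)  # fresh nonce
        sig = server.respond(challenge)
        return verify(self.pinned_pub, challenge, sig)


class GenuineProvider:
    def respond(self, challenge: bytes) -> int:
        return sign(PROVIDER_PRIV, challenge)


class PhishingSite:
    """Identical-looking site, but it can only sign with its own key."""

    def respond(self, challenge: bytes) -> int:
        return sign(PHISHER_PRIV, challenge)
```

Because the token checks the signature against its pinned key rather than the site's look or address, the redirection weakness of plain OpenID does not help the imposter.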
Integration of the German ID card
One characteristic of OpenID is that anyone can set up an OpenID server, and this server can provide any kind of information about its users. This is the reason websites tend to request personal data from their users manually instead of asking the OpenID server. This kind of information sharing is better known from the 'graph API' of 'Facebook Connect' (Facebook's interface for Facebook apps), where it is promoted more actively.
Even if the OpenID provider is acting truthfully, the website cannot know whether this information has been verified or not. This issue is addressed by eID Connect, which supplies websites not only with the requested information but also with its verification status (again, granted the user's approval). By using the eID features of the German ID card, the eID Connect provider can verify the user's data and pass it on to websites.