2.1. FIDM reference architecture

According to Aldosary and Norah (Reference Aldosary and Norah2021), the four main FIDM components include:

1. 1. A user is a person who acquires a specific digital identity to interact with some services.

2. 2. The user agent or user interface is a software application or browser that allows users to interact with the services they require.

3. 3. The service provider (SP) site is an entity that offloads authentication to a third party. SP can also be called relying party (RP) as it relies on external identity authorization entities (i.e., IdP) to decide access to its services.

4. 4. The identity provider (IdP) is an entity that identifies users that later enables SPs to authorize user accesses based on their identities.

These four components interact differently in each FIDM standard and implementation, including but not limited to Liberty Alliance, Shibboleth, WS (Web Service) Federation Architecture, SAML (Security Assertion Markup Language), OIDC (OpenID Connect), and OAuth (Open Authentication). Moreover, some standards have modules that deliver the same functionality, but have a different name. Therefore, it is more feasible to find a high-level architecture with basic functionalities rather than to capture all the details in a broad model. Such an architecture can be found in Cabarcos (Reference Cabarcos2013), which is illustrated in Figure 1 with the functionalities described below:

1. 1. Circle of trust (CoT) configuration: Both SPs and IdPs provide a CoT configuration component on which the services depend. This component is responsible for accessing local data stores to verify that a provider involved in a current identity-related transaction can be trusted. The selection is essentially made by contacting the local data store to verify that the entity is on a list of trusted entities and, if necessary, that there is an explicit SLA between them.

2. 2. Identity services: This component comprises the services offered by the identity framework, that is, Single Sign-On, Single Log Out, Authentication, Authorization. SP and IdP use this component to exchange user identity data.

3. 3. Cryptographic services: This component provides cryptographic support for the required security processing such as encryption/decryption of assertions, signing/validation, and so forth.

4. 4. Logging: Vendors typically implement a logging module to monitor user and service activity. Identity services use the registers, but an interface for auditors (external parties) can also be provided.

5. 5. Data storage: contains information such as metadata documents, policies, SLAs, trust data, credentials, logs, session data, messages, and so forth.

Figure 1.

A general architecture for FIDM (based on Cabarcos, Reference Cabarcos2013).

FIDM standards and implementations differ from the methods or protocols used for authentication and authorization and maintaining the sessions, such as using access tokens (Liberty Alliance) or issuing access tokens which grant access to the resource (Oauth 2.0).

2.2. Federated IDM threat landscape

In general, attackers can exploit vulnerabilities in the user interface to attack users, RP, and IdP. User attacks involve breaching user access rights, manipulating user session, or information leakage. In this section, we synthesize the 23 potential threats in FIDM, which are divided into seven groups as follows.

2.2.7. Privacy threats

IdP can collect end-user attributes during the initial OpenID Connect registration phase, while RP can use IdP access tokens to get user data. However, end users have no control over their PII, that is, they have no method of controlling the use and storage of their attributes which were requested by IdP or RP. Therefore, the following privacy threats are possible (Mainka et al., Reference Mainka, Vladislav, Jörg and Tobias2017):

A21. PII leakage

If sensitive information is sent over insecure communication channels (e.g., without proper encryption), an attacker with network access can use a sniffer tool to extract identity information (name, surname, email, phone number, credit card details, etc.). In the case of opponents with web-only access, PII approved by an IdP or RP can be obtained or purchased via the Internet or the Dark Web. This threat can take effect with both privileged and nonprivileged access.

A22. User profiling

This happens when attackers can monitor the behavior of end users and combine this activity across different apps, services, or resources to create user profiles (e.g., behavior, habits, hobbies, schedule). Dynamic profiling is also possible if attackers combine existing data with other sources of information (e.g., social networks), investigate data from other similar users, or use advanced prediction methods.

A23. Location tracking

This is caused when agents within the IAAA flows can monitor the end-user locations over time through their computers and mobile devices. Location information can also be viewed from the logs of various applications, such as Wi-Fi history, IP addresses, and more. Location tracking can expose not only where an end user lives, works, or travels, but also their habits, hobbies, connections with others, and so forth.

A summary of attacks on FIDM components is given in Table 1.

Table 1.

A summary of attacks ^a toward FIDM components, attacks will be marked ✗ if included

^a Classification of attacks: C1, Authentication/Authorization; C2, Session; C3, IDP; C4, Information disclosure; C5, DoS; C6, Privilege elevation; C7, Privacy. List of attacks: A1, Code/Token/State leak attack; A2, Token spoofing; A3, Replay of authorization code; A4, Manufacturing fake token; A5, XSS attack; A6, Third-party resource attacks (malware); A7, Redirect attack (307 redirect); A8, Naïve RP session integrity attack; A9, Flow interception; A10, Session handling; A11, Injection attack; A12, Man in the middle attack; A13, IdP mix-up attack; A14, CSRF attacks and third-party login initiation; A15, server-side request forgery (SSRF); A16, IdP account compromise; A17, Snooping; A18, Network eavesdropping attack; A19, DoS attack; A20, Elevation of privileges attack; A21, PII leakage; A22, User profiling; A23, Location tracking.

3.1. SSI reference architecture

SSI management allows users to manage and distribute their digital identities in a more decentralized manner. Instead of central storage, ad hoc communication, and peer-to-peer protocols are used to store and exchange identification data. The data itself is self-claimed by the user or asserted by sovereign bodies such as governments or corporations via an out-of-band trust formation (Schanzenbach, Reference Schanzenbach2020).

There are many proposals for SSI; however, such systems share some similarities, such as the following (van Wingerde, Reference van Wingerde2017):

1. 1. Users (or subjects) have an independent existence that relies on decentralized identifiers

2. 2. IdPs issue verified claims that are linked to a user ID

3. 3. Users can save self-asserted or verified claims on a personal repository

4. 4. Users can give their consent after being informed who they wish to exchange certain parts of a claim

5. 5. RPs can review attestations of a claim

A general SSI architecture was synthesized from such similarities, as can be seen in Figure 2. SSI has some components that are similar to FIDM, which are:

1. 1. Subject or holder: subject is similar to user in FIDM, but this concept is extended to not only a person but can be a group, organization, or even a physical item that requires a unique identity without relying on any central authority (Kim et al., Reference Kim, Young-Seob, Seok-Hyun, Hyoungshick and Woo Simon2021).

2. 2. Issuers: similar to IdP, which is an entity that can hold and state information about the subject. Once receiving a request from the subject, the issuer can check its proprietary data and issue a verifiable credential (VC) if the subject is satisfied.

3. 3. Verifiers: similar to RP, which is a service provider that needs to verify whether users satisfy its requirement. The verifier can check the authority of the issuer by verifying its signature in the VC. If the VC is valid (i.e., issued by a legitimate issuer), the verifier can obtain the subject claim from that VC.

Figure 2.

A general architecture for SSI (based on Preukschat and Drummond, Reference Preukschat and Drummond2021).

A key distinction between the SSI and FIDM architectures is the use of a Verifiable Data Registry (VDR). The VDR is a conceptual component that can be either internet-accessible or manually configured in each end system, storing all the necessary data and metadata such as issuer public keys, credential schema, credential definition, and a revocation registry (Preukschat and Drummond, Reference Preukschat and Drummond2021; Dixit et al., Reference Dixit and Smith-Creasey2022). It serves a similar function as the Circle of Trust (CoT) in the FIDM model. Blockchain can be a viable choice for a VDR as it offers a highly tamper-resistant distributed database that is not controlled by any single entity (Bai et al., Reference Bai, Kumar, Aggarwal, Mahmud, Kaiwartya and Lloret2022). Other alternatives include centralized or distributed VDRs (Preukschat and Drummond, Reference Preukschat and Drummond2021), while the technology used to implement the VDR may continue to evolve over time as standards develop.

SSI subjects use the Identity Wallet, which is a software on a phone or computer, as the user interface. Identity Waller contains the credentials, including VCs, DID signature and verification keys, link secret, policy keys, and secret value commitments (Shuaib et al., Reference Shuaib, Mohd and Shadab2021). It provides each edge agent (i.e., the device and software used to store, manage, and share SSI digital credentials such as mobile, laptop) to handle each different relationship and also contains an interface for a tamper-proof secure element, with which each agent communicates via a cryptographic secret key management system. A digital wallet stores identity verification information, including passwords, keys, and personal information; therefore, it is a lucrative target for attackers. If the private keys in a digital wallet are exposed, the attackers can access all services provided via this wallet under the owner’s identity.

In addressing the cryptographic services needed to enable multi-device support and wallet synchronization, various key management solutions have emerged in the SSI landscape. One such solution is the decentralized key management system (DKMS), which avoids the dependency on a single organization to secure and distribute keys on behalf of the identity holder. In DKMS, link secrets are used in each identity holder’s credentials in blind form, allowing for the association of multiple credentials to a single logical identity holder, even when using various wallet software on different devices (Kim et al., Reference Kim, Young-Seob, Seok-Hyun, Hyoungshick and Woo Simon2021). DKMS also supports key revocation, agent revocation, key rotation, and recovery schemes. However, other key management solutions have gained prominence in SSI implementations. Hardware-based keys stored in the device or its peripherals, such as secure elements or trusted platform modules (TPM), offer enhanced security by isolating cryptographic operations from the main device environment (Edlira et al., Reference Edlira, Larsen, Chen, Kassem, Liang and Fu2022). Software-based key management solutions, on the other hand, can store keys on the device or in remote key stores, providing more flexibility and easier deployment (Edlira et al., Reference Edlira, Larsen, Chen, Kassem, Liang and Fu2022). These alternative key management approaches do not require the use of link secrets and may be more prevalent in certain SSI implementations.

To resolve the DID, SSI can use the Universal Resolver (UR) which enables the uniform search and resolution of DIDs using different DID methods (Soltani et al., Reference Soltani, Trang and Aijun2021). The UR contains a variety of DID method drivers that interact with various providers. As UR is similar to the DNS resolver in the resolution method, it is susceptible to the same cache poisoning and pollution attacks that run on the DNS resolver.

3.2. SSI threat landscape

For comparison, we categorize the 20 potential SSI threats in a structure similar to the FIDM section. Attack classification involves seven groups, including Authentication/Authorization; Session Attacks; Issuer Attacks (similar to IdP attacks in FIDM); Information Disclosure; Denial of Service; Privilege Elevation; and Privacy. These attacks are presented in the following.

3.2.7. Privacy threats

B18. Personal identifiable information (PII) leakage

In the context of SSI, the threat of PII leakage remains relevant. This could occur if sensitive data, potentially stored in a user’s wallet, are transmitted over insecure communication channels without proper encryption. Attackers with network or web access could intercept or illicitly acquire these data, exploiting them for malicious purposes. However, SSI architectures adopt stringent security measures to counteract this threat. Data are typically encrypted at rest and in transit, and users have more control over their data, reducing the chance of leakage. Additionally, the use of zero-knowledge proofs allows users to verify claims about themselves without revealing the actual data, further reducing the risk.

B19. User profiling

This threat involves attackers who monitor user behavior on various platforms to create detailed profiles. Within an SSI framework, this could involve tracking user interactions with their digital wallets or other SSI services. The decentralized model and the use of pseudonymous identifiers can reduce the ease and effectiveness of such profiling. Additionally, consent-based sharing means that users have control over which data they share and with whom, limiting the amount of data available for profiling. However, a critical subtlety arises when users present the same selectively disclosed VC (such as through SD-JWT) to one or multiple RPs. In such cases, each presentation can be interconnected via the DID, resulting in a more extensive user profile. Even if a user utilizes different DIDs for varied RPs, presenting successive selectively disclosed data to an identical RP can yield expansive user profiles. To mitigate this threat, it is imperative that users employ a distinct DID for every RP and for each presentation.

B20. Location tracking

In SSI systems, location tracking could potentially occur if agents within the system monitor end-user locations over time using various applications and devices. However, SSI has measures to reduce the risk of location tracking. First, information sharing in SSI is typically consent-based, meaning users have control over what data they share, including location data. Second, by employing decentralized identifiers and various privacy-preserving technologies, the ability for agents within the system to track a user’s location can be significantly limited.

A summary of attacks on SSI components is given in Table 2.

Table 2.

A summary of attacks ^a toward FIDM components, attacks will be marked ✗ if included

^a Classification of attacks: C1, Authentication/Authorization; C2, Session; C3, Issuer attack; C4, Information disclosure; C5, DoS; C6, Privilege elevation; C7, Privacy. List of attacks: B1, Key exposure attacks; B2, Reverse engineering; B3, FIDM-inherent authorization/authentication attacks; B4, Man-in-the-middle (MitM) attack; B5, Phishing/Impersonation attack; B6, Fraudulent issuance; B7, Issuer impersonation; B8, Disclosure of confidential information; B9, Snooping; B10, Network eavesdropping; B11, Wallet query language (WQL) injection attacks; B12, DID wallet database information disclosure attack; B13, Jailbreak/Rooting attack against DID identity wallet; B14, Cache poisoning/Pollution attack; B15, VDR partitioning; B16, Social recovery attack; B17, Elevation of privileges attack; B18, Personal identifiable information (PII) leakage; B19, User profiling; B20, Location tracking.

4.1. Federated IDM: eIDAS

The eIDAS system consists of a network of Member States, each of which subscribed to a federated operator, namely the eIDAS Node. Each Member State has to provide an eIDAS Node that acts as an IdP for the national eID of other countries. All SPs participating in a national network must be subscribed to the eIDAS Node of this country. Every citizen recognized by a Member State should be recognized within the trust network at the European level, enabling the use of services in other Member States that were previously not allowed or whose concession was laborious (Carretero et al., Reference Carretero, Guillermo, Mario and Javier2018. Note that there is a trade-off between convenience and security, as the eIDAS system skips the standardization of the authentication method (eID Scheme) of the Member States for cross-border authentication, although each country has different security level of the eID scheme.

The provision of the nodes to establish this trust network is the responsibility of a governmental institution of the Member State (e.g., a ministry), as it is linked to the national public eID scheme.

The workflow of eIDAS is illustrated in Figure 3. The details of this process are as follows (Carretero et al., Reference Carretero, Guillermo, Mario and Javier2018:

1. 1. The citizen applies for access to a SP in her host country with the home eID (Company A).

2. 2. The SP for Company A sends the request to its own eIDAS-Node Connector using a HTTP Redirect Binding (or HTTP POST Binding) that contains a SAML AuthnRequest.

3. 3. The eIDAS-Node Connector in Company A forwards the SAML request in Step 2 to the eIDAS-Node Proxy Service of the citizen’s Member State (Company B).

4. 4. The citizen authenticates himself at the IdP of his country with his eID and the confirmation is forwarded via the IdP with an HTTP POST Binding to the eIDAS-Node Proxy Service. This step can have two additional steps depending on the implementation:

   • • for the citizen to choose the attributes to be provided (therefore give consent);

   • • for the citizen to agree on the values of the attributes to be assigned.

5. 5. The eIDAS-Node Proxy Service sends a SAML Response with an encrypted SAML Assertion to the requesting eIDAS-Node Connector, which forwards the response to the SP.

6. 6. The SP grants access to the citizen.

Figure 3.

High-level architecture of eIDAS (based on Carretero et al., Reference Carretero, Guillermo, Mario and Javier2018).

4.2. SSI approach: theoretical model

The main components and activities of the model can be seen in Figure 4. Users (identity owner) can have DIDs and obtain verifiable claims and credentials from the Issuer authority using his smartphone. Users’ private keys are securely stored in their digital wallets. To increase privacy-preserving capabilities, users can be equipped with means to present Zero-Knowledge Proofs (ZKP) against a SP who acts as a verifier that verifies the attestations and signatures on the blockchain. Blockchain enables sovereignty, as users can be equipped with means to transfer digital assets, including DID, DID documents, identity attributes, verifiable claims, and proofs of identity (including ZKPs), to anyone privately and without rules (Bernabe et al., Reference Bernabe, Luis, Hernandez-Ramos Jose, Torres and Antonio2019. Blockchain can also act as a distributed and reliable identity verifier that provides the origin and verfiability of identities.

Figure 4.

Self-sovereign IDM using blockchain (based on Bernabe et al., Reference Bernabe, Luis, Hernandez-Ramos Jose, Torres and Antonio2019 ).

4.3. Cyber risk comparisons between the two systems

According to Engelbertz et al. (Reference Engelbertz, Vladislav, Juraj, David, Nurullah and Schwenk2019), the eID attackers mainly aim at:

1. 1. Disrupt the system services by creating internal system errors.

2. 2. Reducing the availability of the targeted service, for example, by consuming a large amount of computing resources.

3. 3. Accessing services on the internal network, such as cloud instance metadata, internal databases, or local file system.

4. 4. Accessing to identity data, for example, exfiltration if there is a direct return channel at application level. Attackers can also try to expose users’ privacy via data leakage.

5. 5. Bypassing signature protection and injecting arbitrary XML elements, for example, by manipulating the exchanged data or smuggling harmful XML content. Consequently, attackers can trick the server logic into processing newly inserted elements while the signature validation logic is still confirming a successful signature verification.

We evaluate the risks coming from these attackers via the following security and privacy criteria, which were influenced from Zhang et al. (Reference Zhang, Rui and Ling2021):

1. 1. Consistency: Identity data stored on a node (or IdP) should remain consistent for verification. For SSI, it means that all copies of the public identity data (which can be stored on the blockchain) maintain the same state at the same time even in the cases of partial failures and attacks.

2. 2. Integrity: Identity data packaged in a transaction cannot be changed with others during the entire communication and storage process.

3. 3. Authenticity: Users must confirm that the transaction is authenticated, that is, that it was provided by a legitimate owner with genuine content.

4. 4. Availability of system and transactions: Availability implies that users can access transactional data anytime, anywhere, including system-level and transaction-level availability. The former relates to the requirement that the system function reliably even in the event of large-scale network attacks. The latter implies that the recorded transactions are always available to users without being destroyed, damaged, or disturbed.

5. 5. Confidentiality: The confidentiality means that (1) an unauthorized user cannot successfully read or infer any private information from the stored data and (2) the confidentiality of identity data must be ensured even in the event of an unexpected failure or malicious network attack.

6. 6. Anonymity of users: Users can ask for anonymity when authenticating and transmitting identity data. For example, users can request that their sensitive personal data to be unlinked from the information used for authentication.

7. 7. Identity-control: Identity control includes (1) the users should control (or consent to) who can access which part of their identity data and (2) the system administrator or other users cannot disclose the identity data to third parties without the consent of the users.

8. 8. Fine-grained access control of transactions: When exchanging identity data with others, users do not have to reveal all of the attributes (claims) contained in a credential, but they can disclose only the minimal information as required from the verifiers.

It should be noted that the first five criteria focus on security requirements, while the last three criteria focus on privacy needs for the operations of the IDM systems.

In the following, we will refer to the FIDM system in Section 4.1 as A and the theoretical SSI system in Section 4.2 as B. A summary of the comparisons is given in Table 3. The details for each criterion are as follows.

Table 3.

A comparison of cyber risks between the two IDM systems - The red, orange, yellow colour indicates high, medium, and low risk respectively.

Consistency: In system A, the main consistency risks arise from IdP attacks (A13–A16) that could lead to unauthorized modification of user identity records stored on eIDAS nodes, with the most severe impact potentially coming from compromise of an eIDAS node account itself (A16). Others are related to code and token theft (A1–A4) or injection attacks (A11), which could allow unauthorized data modification. Despite having robust server-side protections, system A faces more significant consistency risks due to potential high-impact attacks targeting eIDAS nodes. On the contrary, the main consistency risks that system B faces include man-in-the-middle attacks (B4) and issuer impersonation attacks (B7), which could introduce inconsistencies between nodes; and some attacks toward users’ identity wallet (B1–B2, B5, B11, B13, B17). Due to its decentralized nature and the use of a distributed ledger to store identity records, system B can offer more robust consistency protection. Comparatively, system B appears to offer a significantly lower risk profile with respect to consistency.

Integrity: In system A, the main integrity risks arise from attacks aimed at unauthorized data modification, particularly those that target eIDAS nodes, such as IdP account compromise (A16) and server-side request forgery (A15). A successful attack could lead to large-scale data manipulation, hence posing a significant threat to data integrity. Other integrity risks come from attacks such as token theft (A1–A4) or session attacks (A7–A10), which do not directly alter data, but could conceal data corruption. In contrast, for system B, the main integrity risks originate from MitM attacks (B4) and cache poisoning attacks (B14), both of which could allow undetected tampering of identity data before it reaches the blockchain. Other risks come from issuer impersonation (B7), which could directly alter immutable user identity claims, and information disclosure attacks on the wallet database (B12), which could expose data to improper modification. When comparing these two systems, both face high-impact integrity threats that could result in large-scale alterations of identity data. However, system B’s inherent blockchain architecture adds an additional layer of security, as manipulations require higher levels of sophistication from attackers. Considering other controls in system B such as tamper-evident protocols and multiparty authorization schemas, it can be concluded that system B offers a lower risk of integrity violation than system A.

Authenticity: System A faces authenticity risks primarily from attacks that facilitate user impersonation, such as token theft (A1–A4), session hijacking (A7–A10), and particularly IdP account compromise (A16), which could significantly aid large-scale impersonation. Other authenticity risks relate to attacks such as XSS (A5) or injection (A11), which also have the potential for identity spoofing, but require more technical expertise. In system B, the main authenticity risks arise from issuer impersonation (B7) and key exposure (B1), both of which could lead to false credentials or forged transactions. Other risk arises from phishing/impersonation (B5), with the protection coming from cryptographic verifiability. When comparing the two systems, system A, despite the high level of security offered by eIDAS, appears to be more vulnerable to authenticity attacks, especially those targeting user access and session control. System B, through the use of decentralized identifiers, credential verification schemas, and blockchain-based consensus, offers strong defenses against inauthentic transactions, regardless of whether VDR uses blockchain technology or not. However, it is important to note that system B must still manage the risks of compromised issuer keys or sophisticated phishing attempts. In summary, system B appears to exhibit a lower risk profile in relation to authenticity compared to system A.

Availability of system and transactions: System A, which is centralized, faces a high level of risk from distributed denial-of-service (DDoS) attacks (A19). These attacks could inundate eIDAS nodes and disrupt the availability of system and transaction transactions across EU borders. Other availability risks pertain to attacks like injection (A11) and SSRF (A15), which could potentially crash local nodes, and thus degrade the system’s availability. However, these threats require a higher level of technical expertise and impact fewer nodes than a DDoS attack. In contrast, system B, being decentralized, is designed to offer greater resilience to availability disruptions. However, it faces significant risks from VDR partitioning attacks (B15) that could disrupt system availability by increasing transaction latency or completely preventing transactions. Other relevant attacks include cache poisoning (B14), which could make network locations inaccessible. Transaction-level availability risks arise from potential wallet database information disclosure attacks (B12) and social recovery attacks (B16), which could disrupt the key access necessary for transactions. In comparing the two systems, system A appears to be more vulnerable to availability attacks due to its centralized nature and the high likelihood of DDoS attacks. System B, on the other hand, enjoys inherent resilience due to its decentralized architecture but remains susceptible to targeted attacks on network infrastructure and data access. However, it can maintain a high level of availability for identity transactions and data with proper safeguards, such as redundancy, integrity checks, and multi-party authorizations. Therefore, with the right precautions, system B potentially offers a lower risk profile for availability compared to system A.

Confidentiality: System A faces main confidentiality risks from attacks such as network eavesdropping (A18) which could potentially expose sensitive user data if communications between eIDAS nodes are unencrypted. Other threats like snooping (A17) and SSRF (A15) can acquire user data through side channels, although they need technical expertise and have less impact than wholesale data intercept. On the other hand, system B, due to its decentralized nature, presents a more complex set of confidentiality risks. Notable risks include information disclosure attacks to the wallet database (B12), which could expose sensitive user information, and network eavesdropping (B10) that could lead to data packet interception, for example, in communication between users and RP when the users send VCs to RP. Other attacks such as phishing (B5) and code injection (B11) can also trick users into revealing private information or extracting it through malicious code. Comparatively, system A seems more susceptible to confidentiality breaches due to its higher-likelihood attacks, particularly network eavesdropping. On the contrary, system B, with its user-managed access controls and minimum disclosure mechanisms, presents a lower risk profile despite its possible attack vectors. Therefore, system B seems to offer a slightly more secure environment regarding confidentiality compared to system A.

Anonymity of users: For system A, user anonymity is significantly threatened by potential tracking and profiling attacks such as network eavesdropping (A18) and user profiling (A22). Large-scale intercepting of unencrypted traffic could reveal identifying information, facilitating profiling, while targeted monitoring could identify usage patterns and undermine user anonymity. Other threats like snooping (A17) or SSRF (A15) can potentially deanonymise users over time and across multiple contexts, although these require more technical proficiency. On the contrary, system B operates under the anonymity criterion that requires users to authenticate and share data without revealing sensitive personal information. The main risks include user profiling attacks (B19) and location tracking (B20), which could expose identifiers and compromise anonymity. Other risks such as phishing (B5) and network eavesdropping (B10) pose threats to anonymity through the potential disclosure of private data and interception of anonymized transactions. However, system B’s architecture, incorporating decentralized identifiers, zero-knowledge proofs, and consent-based data sharing, offers robust protections to preserve user anonymity. When comparing the two systems, it appears that system A is much more susceptible to anonymity breaches due to its higher probability of threats that can reveal user data. In contrast, system B, with its use of system identifiers and privacy-preserving technologies, presents a much lower risk profile for anonymity attacks.

Identity-Control: The main identity-control risks that system A faces aris from network eavesdropping (A18) and Personal Identifiable Information (PII) leakage (A21). Unencrypted traffic interception or data breaches could result in nonconsensual exposure of user information, leading to significant violations of identity control. Other risks come from threats such as snooping (A17) or profiling or tracking (A22–A23) can lead to unauthorized acquisition of user data through side channels, subtly undermining user control. On the other hand, system B operates under the identity-control criterion, stipulating that users should command control over their identity data access and prevent unauthorized disclosure. However, certain attacks can potentially subvert this control. The most relevant threats include user profiling (B19) and network eavesdropping (B10), which could lead to nonconsensual data gathering and identity transaction interception, respectively. Other threats such as phishing (B5) and code injection (B11) could also trick users into revealing private data or extract uncontrolled data. However, system B’s defenses against these threats, which include consent-based data sharing, encryption, and decentralized storage, provide strong identity control protections. Comparatively, system A is subject to greater risks regarding identity control due to the relevant privacy attacks having greater likelihood and impacts. In contrast, system B, where user consent is mandatory before entities can access their Verifiable Credentials (VCs), presents lower risks regarding identity control. Therefore, system B’s user-centric approach and consent-based architecture provide a more secure environment for maintaining identity control compared to system A.

Fine-grained access control: System A poses significant risks to this criterion, particularly from attacks like network eavesdropping (A18) and PII leakage (A21) that could nonconsensually expose user attributes, thus undermining fine-grained control. Server account compromises (A16), while less probable, could have severe consequences, leading to full dataset exposures. Other relevant threats include injection (A11) or SSRF attacks (A15) which could manipulate backend queries to access unauthorized data. On the other hand, system B operates under the fine-grained access control criterion, which advocates selective disclosure of identity attributes. However, it still faces some relevant threats include user profiling (B19) and network eavesdropping (B10), which could lead to uncontrolled data aggregation and complete transaction interceptions. Other threats include reverse engineering (B2) and code injection (B11) which could also extract unauthorized data. Despite these threats, system B provides substantial protection mechanisms such as zero-knowledge proofs, encryption, and consent-driven sharing to ensure fine-grained control. Comparatively, System A presents a higher risk, as it lacks user-centric fine-grained access control, making it susceptible to privacy attacks such as A21–A23. In contrast, system B, through the use of advanced protocols like ZKPs and selective disclosure non-ZKP schemes such as atomic credentials (W3C, 2019), enables fine-grained access control by requiring minimal identity information disclosure. Therefore, system B provides a more secure and privacy-preserving environment for identity data management than system A.

Overall, SSI design seems to have lower risk profile across most dimensions, provided that certain safeguards, such as multi-signature schemas, multiparty authorization schemas, user-managed access controls, minimum disclosure mechanisms, decentralized identifiers, zero-knowledge proofs, consent-based data sharing, and so forth are proper implemented. Another important point is the “decentralized” characteristic that shifts the risks from the server side more to the client side (e.g., user wallet) when switching between FIDM and SSI. Consequently, the impacts of cyber-attacks on SSI are lower as they often influence a smaller number of users and do not scale as quickly as that of the FIDM systems. However, FIDM vulnerabilities can be identified and fixed faster than those of the SSI system, since SSI users may not be aware that there are security vulnerabilities in their systems, while with FIDM the server takes care of security. As a result, the impacts of attacks on SSI can be longer-lasting than those on the FIDM system. SSI systems also offer much better privacy protections compared to FIDM systems, mainly because the FIDM lacks consideration of privacy issues in its design.