Paper 2025/1686
Honest Users Make Honest Mistakes: A Framework for Analysing eID Protocols
Abstract
Electronic identification (eID) protocols and federated identity management systems play an increasingly important role in our modern society, both on the internet through services from Google and others, and through the eIDAS regulation in Europe. A key feature of eID protocols is that humans are intimately involved in the protocol, often responsible for critical security steps. Traditional security analyses of such protocols typically assume flawless user behaviour, yet widespread real-world adoption makes user mistakes inevitable. We present a framework for analysing the security of eID protocols that can model users making mistakes. It is suitable for automated analysis with Tamarin and supports fine-grained corruption modelling of protocol actors. We demonstrate the framework's utility by describing and analysing common eID protocols based on passwords, mobile applications and authentication tokens, as well as by systematically evaluating the impact of various combinations of user mistakes on security.
Metadata
- Available format(s)
- PDF
- Category
- Cryptographic protocols
- Publication info
- Preprint.
- Keywords
- eID, Tamarin, eIDAS
- Contact author(s)
- ole m edstrom @ ntnu no
- kristian gjosteen @ ntnu no
- hans heum @ ntnu no
- sjouke mauw @ uni lu
- felix stutz @ uni lu
- History
- 2025-09-18: approved
- 2025-09-16: received
- Short URL
- https://ia.cr/2025/1686
- License
- CC BY
BibTeX
@misc{cryptoeprint:2025/1686,
author = {Ole Martin Edstrøm and Kristian Gjøsteen and Hans Heum and Sjouke Mauw and Felix Stutz},
title = {Honest Users Make Honest Mistakes: A Framework for Analysing {eID} Protocols},
howpublished = {Cryptology {ePrint} Archive, Paper 2025/1686},
year = {2025},
url = {https://eprint.iacr.org/2025/1686}
}