A comparative cyber risk analysis between federated and self-sovereign identity management systems

Abstract Self-sovereign identity (SSI) is an emerging and promising concept that enables users to control their identity while enhancing security and privacy compared to other identity management (IDM) approaches. Despite the recent advancements in SSI technologies, federated identity management (FIDM) systems continue to dominate the IDM market. Selecting an IDM to implement for a specific application is a complex task that requires a thorough understanding of the potential external cyber risks. However, existing research scarcely compares SSI and FIDM from the perspective of these external threats. In response to this gap, our article provides an attack surface analysis focused solely on external threats for both systems. This analysis can serve as a reference to compare the relevant security and privacy risks associated with these external threats. The threat landscapes of external attackers were systematically synthesized from the main components and functionalities of the common standards and designs. We further present a use case analysis that applies this attack surface analysis to compare the external cyber risks of the two systems in detail when managing cross-border identity between European countries. This work can be particularly useful for considering a more secure design for future IDM applications, taking into account the landscape of external threats.