Enhancing Public Digital Identity System (SPID) to Prevent Information Leakage

Public Digital Identity System (SPID) is the Italian government framework compliant with the EU eIDAS regulatory environment, aimed at implementing electronic identification and trust services in e-government and business applications. According to this federated identity management framework, digital identities are issued, upon application of the interested party, by digital identity providers. This way, users authenticate to service providers, which are public or private organizations providing a service to authorized users, provided that they adhere to SPID. A drawback that could limit the real diffusion of this framework is that, despite the fact that identity and service providers might be competitor private companies, SPID authentication results in information leakage about customers of identity providers. To overcome this potential limitation, in this paper, we propose a modification of SPID to allow user authentication by preserving the anonymity of the identity provider that grants the authentication credentials. This way, information leakage about customers of identity providers is fully prevented.