Today, the trend on the web is to move away as quickly as possible from password-based authentication by adopting stronger and more secure authentication. Two factor authentication is already being widely adopted, but this should be regarded as a stop-gap measure until stronger methods based on asymmetric cryptography and/or biometrics such as Web Authentication (FIDO2) and Face ID are rolled out. Simultaneously, Verifiable Credentials (VCs) bring the possibility of strong identification and authorization to the web. This technology is already being associated with different authentication technologies such as FIDO and DIDs (decentralized identifiers). Verifiable credentials resolve many of the problems that Federated Identity management systems introduced, such as loss of privacy and phishing attacks. Part of the reason for the weaknesses in federated identity management systems is that the communications and trust models are fundamentally wrong, in that they place the identity provider at the center of the communications eco-system, rather than the user. Consequently, users of today’s electronic communications have no way of obtaining certified credentials about themselves, which they can keep under their control and release to service providers when they want to gain access – so-called Self Sovereign Identity.

However, there are still many challenges facing the ubiquitous adoption of the new authentication mechanisms and VCs. Regarding FIDO authentication mechanism, the FIDO Alliance doesn’t specify procedures for users’ account recovery, suspension, and delegation. The only recommendation given by the FIDO Alliance regarding account recovery is to register at least two authenticators for each account. Enterprises can easily adopt this for their employees but is difficult to apply at Internet scale, as many users will be unwilling to purchase additional authenticators. Regarding the account suspension, it is not clear what should happen when a serious vulnerability is discovered in an authenticator. The metadata service of the FIDO Alliance informs the web server to remove its trust in the vulnerable authenticator, but can the web server immediately suspend the user’s access? Regarding strong identification, providing privacy protection and selective disclosure when VCs need to be linked and shared remains a difficult problem. The use of Blockchain as a mechanism to provide users with identifiers under their control is counter to the principles of GDPR, and blockchains currently do not have a solution to their cryptography being easily broken once quantum computing is realized. Finally, workable business models and case studies that illustrate the deployment of these technologies are still in short supply.

The aim of this Special Issue is to present the latest research in the technologies that handle all or some of the aforementioned problems. Original research and review articles are welcome.

Potential topics include but are not limited to the following:

• Privacy issues in authentication and VCs
• Limitations of federated identity systems
• Advances in blockchain technology and their limitations for VCs
• Data minimization and selective attribute disclosure
• Webauthn and/or VC use cases and pilot studies
• Usability of Authenticators and VCs
• Authentication and identity management systems in general