{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,15]],"date-time":"2026-04-15T16:54:11Z","timestamp":1776272051037,"version":"3.50.1"},"reference-count":86,"publisher":"Association for Computing Machinery (ACM)","issue":"2","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Web"],"published-print":{"date-parts":[[2026,5,31]]},"abstract":"\n The traditional protected web services rely on a user authentication process. The combination of an identifier (e.g., username, email address and so on) and credential (e.g., password) still remains the most widely deployed user authentication process, even though such a process is one of the major sources of security breaches. Moreover, in this traditional setting, the management and sharing of user identity information is cumbersome. The consequence of this is that users increasingly find it difficult to manage their identity data scattered across multiple sites and they have limited controls over their own identity data. In recent times,\n Self-sovereign Identity (SSI)<\/jats:italic>\n has emerged as a new mechanism for managing and exchanging identity information in a more user-centric and privacy-friendly way. There are many explorations of SSI in different application domains, however, its utility for passwordless authentication for the web mostly remains unexplored. In this article, we present\n SSI4Web<\/jats:italic>\n , a framework which can facilitate a passwordless authentication mechanism for the web by employing a state-of-the-art SSI technology for providing web services with much more user control and greater flexibility. We present its architecture which is based on a threat model and requirement analysis, discuss its implementation details and sketch out its use-cases along with protocol flows. In addition, we analyse its performance, evaluate its security using\n ProVerif<\/jats:italic>\n , a state-of-the-art protocol verifier and discuss its advantages and limitations.\n <\/jats:p>","DOI":"10.1145\/3778360","type":"journal-article","created":{"date-parts":[[2026,1,22]],"date-time":"2026-01-22T21:20:37Z","timestamp":1769116837000},"page":"1-43","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["A Passwordless Authentication Mechanism for the Web Using Self-Sovereign Identity"],"prefix":"10.1145","volume":"20","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8361-4870","authenticated-orcid":false,"given":"Md Sadek","family":"Ferdous","sequence":"first","affiliation":[{"name":"Computer Science and Engineering, BRAC University","place":["Dhaka, Bangladesh"]},{"name":"Imperial College Business School, Imperial College London","place":["Dhaka, Bangladesh"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7789-9945","authenticated-orcid":false,"given":"Md Yeasin","family":"Ali","sequence":"additional","affiliation":[{"name":"BRAC University","place":["Dhaka, Bangladesh"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-9745-4099","authenticated-orcid":false,"given":"Fairuz Rahaman","family":"Chowdhury","sequence":"additional","affiliation":[{"name":"Cryptic Consultancy Limited","place":["London, United Kingdom of Great Britain and Northern Ireland"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-9829-4720","authenticated-orcid":false,"given":"Masum Alam","family":"Nahid","sequence":"additional","affiliation":[{"name":"Cryptic Consultancy Limited","place":["London, United Kingdom of Great Britain and Northern Ireland"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9781-5657","authenticated-orcid":false,"given":"Andrei","family":"Ionita","sequence":"additional","affiliation":[{"name":"Fraunhofer Institute for Applied Information Technology FIT","place":["Sankt Augustin, Germany"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6846-5945","authenticated-orcid":false,"given":"Wolfgang","family":"Prinz","sequence":"additional","affiliation":[{"name":"Fraunhofer Institute for Applied Information Technology FIT","place":["Sankt Augustin, Germany"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2026,4,15]]},"reference":[{"key":"e_1_3_3_2_2","unstructured":"2024. DIDComm Messaging Specification v2 Editor\u2019s Draft. Retrieved from https:\/\/identity.foundation\/didcomm-messaging\/spec. [Online; accessed 14. Jun. 2025]."},{"key":"e_1_3_3_3_2","unstructured":"2025. Gataca Wallet \\(\\vert\\) Digital Identity Wallet. Retrieved from https:\/\/gataca.io\/products\/wallet. [Online; accessed 1. Dec. 2025]."},{"key":"e_1_3_3_4_2","unstructured":"2025. We are experts in managing digital identities. \\(\\vert\\) esatus AG. Retrieved from https:\/\/esatus.com\/en\/digital-identity. [Online; accessed 1. Dec. 2025]."},{"key":"e_1_3_3_5_2","unstructured":"2025. What are digital wallets? Try it out with the Lissi Wallet! Retrieved from https:\/\/www.lissi.id\/for-users. [Online; accessed 1. Dec. 2025]."},{"key":"e_1_3_3_6_2","doi-asserted-by":"crossref","unstructured":"Christopher Alberts Audree Dorofee James Stevens and Carol Woody. 2003. Introduction to the OCTAVE Approach. Technical Report Networked Systems Survivability Program Software Engineering Institute Carnegie Mellon University Pittsburgh PA. Retrieved from https:\/\/www.sei.cmu.edu\/documents\/16\/2003_012_001_51556.pdf. [Online; accessed 10 Jan. 2026].","DOI":"10.21236\/ADA634134"},{"key":"e_1_3_3_7_2","doi-asserted-by":"publisher","unstructured":"Zainab Alkhalil Chaminda Hewage Liqaa Nawaf and Imtiaz Khan. 2021. Phishing attacks: A recent comprehensive study and a new anatomy. Frontiers in Computer Science 3 (2021). DOI:10.3389\/fcomp.2021.563060","DOI":"10.3389\/fcomp.2021.563060"},{"key":"e_1_3_3_8_2","volume-title":"User Authentication Specifications Overview\u2014FIDO Alliance","author":"Alliance FIDO","year":"2022","unstructured":"FIDO Alliance. 2022. User Authentication Specifications Overview\u2014FIDO Alliance. Retrieved September 21, 2023 from https:\/\/fidoalliance.org\/specifications\/"},{"key":"e_1_3_3_9_2","doi-asserted-by":"crossref","unstructured":"Ifteher Alom Md Sadek Ferdous and Mohammad Jabed Morshed Chowdhury. 2023. Blockmeter: An application agnostic performance measurement framework for private blockchain platforms. IEEE Transactions on Services Computing. 16 6 (2023) 3879\u20133891.","DOI":"10.1109\/TSC.2023.3293724"},{"key":"e_1_3_3_10_2","unstructured":"Bruno Blanchet and Vincent Cheval. n.d. ProVerif: Cryptographic Protocol Verifier in the Formal Model. Retrieved from https:\/\/bblanche.gitlabpages.inria.fr\/proverif\/. [Online; accessed 10 Jan. 2026]."},{"key":"e_1_3_3_11_2","unstructured":"Bruno Blanchet Ben Smyth Vincent Cheval and Marc Sylvestre. 2018. ProVerif 2.00: Automatic Cryptographic Protocol Verifier User Manual and Tutorial. Retrieved from https:\/\/bblanche.gitlabpages.inria.fr\/proverif\/manual.pdf. [Online; accessed 10 Jan. 2026]."},{"key":"e_1_3_3_12_2","first-page":"758","volume-title":"SECRYPT","author":"Boi Biagio","year":"2023","unstructured":"Biagio Boi, Marco De Santis, Christian Esposito, et\u00a0al. 2023. Self-sovereign identity (SSI) attribute-based web authentication. In SECRYPT. 758\u2013763."},{"key":"e_1_3_3_13_2","first-page":"216","volume-title":"2023 IEEE International Conference on Cloud Computing Technology and Science (CloudCom)","author":"Boi Biagio","year":"2023","unstructured":"Biagio Boi and Christian Esposito. 2023. Decentralized authentication in microservice architectures with SSI and DID in blockchain. In 2023 IEEE International Conference on Cloud Computing Technology and Science (CloudCom). IEEE, 216\u2013223."},{"key":"e_1_3_3_14_2","first-page":"553","volume-title":"IEEE Symposium on Security and Privacy","author":"Bonneau Joseph","year":"2012","unstructured":"Joseph Bonneau, Cormac Herley, Paul C. Van Oorschot, and Frank Stajano. 2012. The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In IEEE Symposium on Security and Privacy. 553\u2013567."},{"key":"e_1_3_3_15_2","doi-asserted-by":"crossref","first-page":"1620","DOI":"10.1145\/3589334.3645426","volume-title":"Proceedings of the ACM Web Conference 2024","author":"Braun Christoph H.-J.","year":"2024","unstructured":"Christoph H.-J. Braun, Ross Horne, Tobias K\u00e4fer, and Sjouke Mauw. 2024. SSI, from specifications to protocol? formally verify security!. In Proceedings of the ACM Web Conference 2024. 1620\u20131631."},{"key":"e_1_3_3_16_2","doi-asserted-by":"crossref","first-page":"3011","DOI":"10.1145\/3543507.3583409","volume-title":"Proceedings of the ACM Web Conference 2023","author":"Braun Christoph H.-J.","year":"2023","unstructured":"Christoph H.-J. Braun, Vasil Papanchev, and Tobias K\u00e4fer. 2023. SISSI: An architecture for semantic interoperable self-sovereign identity-based access control on the web. In Proceedings of the ACM Web Conference 2023. 3011\u20133021."},{"key":"e_1_3_3_17_2","doi-asserted-by":"crossref","unstructured":"Michael Burrows Martin Abadi and Roger Needham. 1990. A logic of authentication. ACM Transactions on Computer Systems (TOCS) 8 1 (1990) 18\u201336.","DOI":"10.1145\/77648.77649"},{"key":"e_1_3_3_18_2","doi-asserted-by":"crossref","first-page":"16","DOI":"10.1007\/978-3-030-64455-0_2","volume-title":"Emerging Technologies for Authorization and Authentication: Third International Workshop, ETAA 2020, Guildford, UK, September 18, 2020, Proceedings 3","author":"Casey Matthew","year":"2020","unstructured":"Matthew Casey, Mark Manulis, Christopher J. P. Newton, Robin Savage, and Helen Treharne. 2020. An interoperable architecture for usable password-less authentication. In Emerging Technologies for Authorization and Authentication: Third International Workshop, ETAA 2020, Guildford, UK, September 18, 2020, Proceedings 3. Springer, 16\u201332."},{"key":"e_1_3_3_19_2","unstructured":"National Cyber Security Centre. 2018. Phishing attacks: defending your organisation. Retrieved from https:\/\/www.ncsc.gov.uk\/guidance\/phishing"},{"key":"e_1_3_3_20_2","doi-asserted-by":"publisher","unstructured":"Sunil Chaudhary Tiina Schafeitel-T\u00e4htinen Marko Helenius and Eleni Berki. 2019. Usability security and trust in password managers: A quest for user-centric properties and features. Computer Science Review 33 (2019) 69\u201390. 10.1016\/j.cosrev.2019.03.002","DOI":"10.1016\/j.cosrev.2019.03.002"},{"key":"e_1_3_3_21_2","doi-asserted-by":"publisher","DOI":"10.4018\/978-1-5225-8100-0.ch008"},{"key":"e_1_3_3_22_2","unstructured":"CSecLab. 2025. avispa-project-web. Retrieved from https:\/\/github.com\/CSecLab\/avispa-project-web. [Online; accessed 1. Dec. 2025]."},{"key":"e_1_3_3_23_2","doi-asserted-by":"crossref","unstructured":"Mina Deng Kim Wuyts Riccardo Scandariato Bart Preneel and Wouter Joosen. 2011. A privacy threat analysis framework: Supporting the elicitation and fulfillment of privacy requirements. Requirements Engineering 16 1 (2011) 3\u201332.","DOI":"10.1007\/s00766-010-0115-7"},{"key":"e_1_3_3_24_2","unstructured":"Digital Enabling GmbH. 2023. Digital Enabling GmbH. Retrieved from https:\/\/digital-enabling.eu. [Online; accessed 1. Dec. 2025]."},{"key":"e_1_3_3_25_2","doi-asserted-by":"publisher","unstructured":"D. Dolev and A. Yao. 1983. On the security of public key protocols. IEEE Transactions on Information Theory 29 2 (1983) 198\u2013208. DOI:10.1109\/TIT.1983.1056650","DOI":"10.1109\/TIT.1983.1056650"},{"key":"e_1_3_3_26_2","volume-title":"Email Security Risk Report","year":"2023","unstructured":"Egress.com. 2023. Email Security Risk Report. Retrieved September 22, 2023 from https:\/\/www.egress.com\/media\/vjxp1yc2\/egress_email_security_risk_report.pdf"},{"key":"e_1_3_3_27_2","unstructured":"evernym. 2025. ConnectMe. Retrieved from https:\/\/github.com\/evernym\/ConnectMe. [Online; accessed 1. Dec. 2025]."},{"key":"e_1_3_3_28_2","doi-asserted-by":"crossref","first-page":"160","DOI":"10.1109\/SECPRI.1998.674832","volume-title":"Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No. 98CB36186)","author":"F\u00e1brega F. Javier Thayer","year":"1998","unstructured":"F. Javier Thayer F\u00e1brega, Jonathan C. Herzog, and Joshua D. Guttman. 1998. Strand spaces: Why is a security protocol correct?. In Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No. 98CB36186). IEEE, 160\u2013171."},{"key":"e_1_3_3_29_2","doi-asserted-by":"crossref","first-page":"1101","DOI":"10.1109\/COMPSAC61105.2024.00149","volume-title":"2024 IEEE 48th Annual Computers, Software, and Applications Conference (COMPSAC)","author":"Farhad Mohammad","year":"2024","unstructured":"Mohammad Farhad, Gourab Saha, Masum Alam Nahid, Fairuz Rahaman Chowdhury, Partha Protim Paul, Mohammed Raihan Ullah, and Md Sadek Ferdous. 2024. Secure backup and recovery of SSI wallets using solid pod technology. In 2024 IEEE 48th Annual Computers, Software, and Applications Conference (COMPSAC). IEEE, 1101\u20131111."},{"key":"e_1_3_3_30_2","unstructured":"Md Sadek Ferdous. 2015. User-controlled Identity Management Systems using mobile devices. PhD. Thesis. University of Glasgow."},{"key":"e_1_3_3_31_2","doi-asserted-by":"crossref","unstructured":"Md Sadek Ferdous Farida Chowdhury and Madini O. Alassafi. 2019. In search of self-sovereign identity leveraging blockchain technology. IEEE Access 7 (2019) 103059\u2013103079.","DOI":"10.1109\/ACCESS.2019.2931173"},{"key":"e_1_3_3_32_2","volume-title":"4th International Congress on Blockchain and Applications (BLOCKCHAIN 22)","author":"Ferdous Md Sadek","year":"2022","unstructured":"Md Sadek Ferdous, Andrei Ionita, and Wolfgang Prinz. 2022. SSI4Web: A self-sovereign identity (SSI) framework for the web. In 4th International Congress on Blockchain and Applications (BLOCKCHAIN 22), Vol. 595. Springer, Cham."},{"key":"e_1_3_3_33_2","unstructured":"Firebase. 2023. Firebase Cloud Messaging \u2014 firebase.google.com. Retrieved from https:\/\/firebase.google.com\/docs\/cloud-messaging. [Accessed 05-10-2023]."},{"key":"e_1_3_3_34_2","volume-title":"Apache JMeter","author":"Foundation Apache Software","year":"2023","unstructured":"Apache Software Foundation. 2023. Apache JMeter. Retrieved 2023-06-17 from https:\/\/jmeter.apache.org"},{"key":"e_1_3_3_35_2","unstructured":"Hyperledger Foundation. 2021. Aries Mobile Agent React Native. Retrieved November 1 2021 from https:\/\/github.com\/hyperledger\/aries-mobile-agent-react-native"},{"key":"e_1_3_3_36_2","volume-title":"Hyperledger Aries","author":"Foundation Hyperledger","year":"2021","unstructured":"Hyperledger Foundation. 2021. Hyperledger Aries. Retrieved November 10, 2021 from https:\/\/www.hyperledger.org\/use\/hyperledger-aries"},{"key":"e_1_3_3_37_2","volume-title":"Hyperledger Aries Cloud Agent - Python","author":"Foundation Hyperledger","year":"2021","unstructured":"Hyperledger Foundation. 2021. Hyperledger Aries Cloud Agent - Python. Retrieved May 12, 2021 from https:\/\/github.com\/hyperledger\/aries-cloudagent-python"},{"key":"e_1_3_3_38_2","unstructured":"Andrew Griffin. 2022. Plex hack: Video streaming service urges people to take action after major data breach. Independent (Aug.2022). Retrieved from https:\/\/www.independent.co.uk\/tech\/plex-hack-data-breach-streaming-service-b2151642.html. [Accessed 18-10-2023]."},{"key":"e_1_3_3_39_2","doi-asserted-by":"crossref","first-page":"280","DOI":"10.1109\/IVS.2018.8500557","volume-title":"2018 IEEE Intelligent Vehicles Symposium (IV)","author":"Hao Yue","year":"2018","unstructured":"Yue Hao, Yi Li, Xinghua Dong, Li Fang, and Ping Chen. 2018. Performance analysis of consensus algorithm in private blockchain. In 2018 IEEE Intelligent Vehicles Symposium (IV). IEEE, 280\u2013285."},{"key":"e_1_3_3_40_2","doi-asserted-by":"crossref","unstructured":"Dick Hardt Ed. 2012. The OAuth 2.0 Authorization Framework. RFC 6749 Internet Engineering Task Force (IETF) October 2012. Retrieved from https:\/\/www.rfc-editor.org\/info\/rfc6749. [Online; accessed 2 Feb. 2026].","DOI":"10.17487\/rfc6749"},{"key":"e_1_3_3_41_2","doi-asserted-by":"crossref","unstructured":"Riko Herwanto Hari Sabita and Fajrin Armawan. 2021. Measuring throughput and latency distributed ledger technology: Hyperledger. Journal of Information Technology Ampera 2 1 (2021) 17\u201331.","DOI":"10.51519\/journalita.volume2.isssue1.year2021.page17-31"},{"key":"e_1_3_3_42_2","first-page":"1","volume-title":"2017 IEEE International Conference on Communications (ICC)","author":"Holtmanns Silke","year":"2017","unstructured":"Silke Holtmanns and Ian Oliver. 2017. SMS and one-time-password interception in LTE networks. In 2017 IEEE International Conference on Communications (ICC). IEEE, 1\u20136."},{"key":"e_1_3_3_43_2","doi-asserted-by":"crossref","unstructured":"Seongho Hong and Heeyoul Kim. 2020. Vaultpoint: A blockchain-based ssi model that complies with oauth 2.0. Electronics 9 8 (2020) 1231.","DOI":"10.3390\/electronics9081231"},{"key":"e_1_3_3_44_2","doi-asserted-by":"crossref","first-page":"79","DOI":"10.1109\/DAPPS61106.2024.00019","volume-title":"2024 IEEE International Conference on Decentralized Applications and Infrastructures (DAPPS)","author":"Hoops Felix","year":"2024","unstructured":"Felix Hoops and Florian Matthes. 2024. A middleware architecture for self-sovereign identity authentication and authorization. In 2024 IEEE International Conference on Decentralized Applications and Infrastructures (DAPPS). IEEE, 79\u201385."},{"key":"e_1_3_3_45_2","doi-asserted-by":"crossref","first-page":"1367","DOI":"10.1109\/SP40001.2021.00094","volume-title":"2021 IEEE Symposium on Security and Privacy (SP)","author":"Huaman Nicolas","year":"2021","unstructured":"Nicolas Huaman, Sabrina Amft, Marten Oltrogge, Yasemin Acar, and Sascha Fahl. 2021. They would do better if they worked together: The case of interaction problems between password managers and websites. In 2021 IEEE Symposium on Security and Privacy (SP). IEEE, 1367\u20131381."},{"key":"e_1_3_3_46_2","unstructured":"John Hughes and Eve Maler. 2005. Security assertion markup language (saml) v2. 0 technical overview. OASIS SSTC Working Draft sstc-saml-tech-overview-2.0-draft-08 13 (2005)."},{"key":"e_1_3_3_47_2","unstructured":"Riley Hughes and Riley Hughes. 2021. An introduction to the trinsic wallet - trinsic. Trinsic - (March2021). Retrieved from https:\/\/trinsic.id\/an-introduction-to-the-trinsic-wallet"},{"key":"e_1_3_3_48_2","volume-title":"Hyperledger Indy","author":"Foundation Hyperledger","year":"2021","unstructured":"Hyperledger Foundation. 2021. Hyperledger Indy. Retrieved November 10, 2021 from https:\/\/www.hyperledger.org\/use\/hyperledger-indy"},{"key":"e_1_3_3_49_2","unstructured":"B. Identity. 2021. The Importance of User Experience in Customer Authentication. Retrieved from https:\/\/www.beyondidentity.com\/blog\/importance-user-experience-customer-authentication"},{"key":"e_1_3_3_50_2","unstructured":"Indicio. 2021. Indicio Public Mediator. Retrieved November 1 2021 from https:\/\/indicio-tech.github.io\/mediator\/"},{"key":"e_1_3_3_51_2","unstructured":"jolocom. 2025. smartwallet-app. Retrieved from https:\/\/github.com\/jolocom\/smartwallet-app. [Online; accessed 1. Dec. 2025]."},{"key":"e_1_3_3_52_2","first-page":"143","volume-title":"ACSW Frontiers 2007","author":"Josang Audun","year":"2007","unstructured":"Audun Josang, Mohammed AlZomai, and Suriadi Suriadi. 2007. Usability and privacy in identity management architectures. In ACSW Frontiers 2007. 143\u2013152."},{"key":"e_1_3_3_53_2","first-page":"2005","volume-title":"AusCERT Asia Pacific Information Technology Security Conference","volume":"22","author":"J\u00f8sang Audun","year":"2005","unstructured":"Audun J\u00f8sang and Simon Pope. 2005. User centric identity management. In AusCERT Asia Pacific Information Technology Security Conference, Vol. 22. Citeseer, 2005."},{"key":"e_1_3_3_54_2","first-page":"1","volume-title":"Proceedings of the 20th Pan-Hellenic conference on informatics","author":"Katsini Christina","year":"2016","unstructured":"Christina Katsini, Marios Belk, Christos Fidas, Nikolaos Avouris, and George Samaras. 2016. Security and usability in knowledge-based user authentication: A review. In Proceedings of the 20th Pan-Hellenic conference on informatics. 1\u20136."},{"key":"e_1_3_3_55_2","volume-title":"2017 Consumer Mobile Security App Use","year":"2017","unstructured":"keepersecurity.com. 2017. 2017 Consumer Mobile Security App Use. Retrieved September 22, 2023 from https:\/\/www.keepersecurity.com\/assets\/pdf\/Keeper-Mobile-Survey-Infographic.pdf"},{"key":"e_1_3_3_56_2","unstructured":"Heather Kelly. 2018. Twitter says all 336 million users should change their passwords. CNNMoney (May2018). Retrieved from https:\/\/money.cnn.com\/2018\/05\/03\/technology\/twitter-password-bug\/index.html. [Accessed 18-10-2023]."},{"key":"e_1_3_3_57_2","doi-asserted-by":"crossref","unstructured":"Michal Kepkowski Maciej Machulak Ian Wood and Dali Kaafar. 2023. Challenges with passwordless FIDO2 in an enterprise setting: A usability study. arXiv:2308.08096. Retrieved from https:\/\/arxiv.org\/abs2308.08096","DOI":"10.1109\/SecDev56634.2023.00017"},{"key":"e_1_3_3_58_2","doi-asserted-by":"crossref","first-page":"1857","DOI":"10.1109\/TrustCom50675.2020.00254","volume-title":"2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)","author":"Klieme Eric","year":"2020","unstructured":"Eric Klieme, Jonathan Wilke, Niklas van Dornick, and Christoph Meinel. 2020. FIDOnuous: A FIDO2\/WebAuthn extension to support continuous web authentication. In 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). IEEE, 1857\u20131867."},{"key":"e_1_3_3_59_2","doi-asserted-by":"crossref","unstructured":"Kat Krol Eleni Philippou Emiliano De Cristofaro and M. Angela Sasse. 2015. \u201cThey brought in the horrible key ring thing!\u201d analysing the usability of two-factor authentication in UK online banking. arXiv:1501.04434. Retrieved from https:\/\/arxiv.org\/abs1501.04434","DOI":"10.14722\/usec.2015.23001"},{"key":"e_1_3_3_60_2","first-page":"472","volume-title":"International Conference on Computational Science and Its Applications","author":"Kulabukhova Nataliia","year":"2019","unstructured":"Nataliia Kulabukhova, Andrei Ivashchenko, Iurii Tipikin, and Igor Minin. 2019. Self-sovereign identity for iot devices. In International Conference on Computational Science and Its Applications. Springer, 472\u2013484."},{"key":"e_1_3_3_61_2","doi-asserted-by":"crossref","first-page":"536","DOI":"10.1109\/Blockchain.2019.00003","volume-title":"2019 IEEE International Conference on Blockchain (Blockchain)","author":"Kuzlu Murat","year":"2019","unstructured":"Murat Kuzlu, Manisa Pipattanasomporn, Levent Gurses, and Saifur Rahman. 2019. Performance analysis of a hyperledger fabric blockchain framework: Throughput, latency and scalability. In 2019 IEEE International Conference on Blockchain (Blockchain). IEEE, 536\u2013540."},{"key":"e_1_3_3_62_2","unstructured":"Kalev Leetaru. 2019. Facebook\u2019s password breach suggests the public sees cybersecurity as obsolete. Forbes (March2019). Retrieved from https:\/\/www.forbes.com\/sites\/kalevleetaru\/2019\/03\/23\/facebooks-password-breach-suggests-the-public-sees-cybersecurity-as-obsolete\/?sh=ea632273e248. [Accessed 18-10-2023]."},{"key":"e_1_3_3_63_2","doi-asserted-by":"crossref","first-page":"268","DOI":"10.1109\/SP40000.2020.00047","volume-title":"2020 IEEE Symposium on Security and Privacy (SP)","author":"Lyastani Sanam Ghorbani","year":"2020","unstructured":"Sanam Ghorbani Lyastani, Michael Schilling, Michaela Neumayr, Michael Backes, and Sven Bugiel. 2020. Is FIDO2 the kingslayer of user authentication? A comparative usability study of FIDO2 passwordless authentication. In 2020 IEEE Symposium on Security and Privacy (SP). IEEE, 268\u2013285."},{"key":"e_1_3_3_64_2","first-page":"434","volume-title":"CEUR Workshop Proceedings","volume":"3041","author":"Matiushin I.","year":"2021","unstructured":"I. Matiushin and V. Korkhov. 2021. Passwordless authentication using magic link technology. In CEUR Workshop Proceedings, Vol. 3041. 434\u2013438."},{"key":"e_1_3_3_65_2","unstructured":"G. Milka. 2018. Anatomy of Account Takeover. Retrieved from https:\/\/www.usenix.org\/conference\/enigma2018\/presentation\/milka"},{"key":"e_1_3_3_66_2","doi-asserted-by":"crossref","unstructured":"Alexander M\u00fchle Andreas Gr\u00fcner Tatiana Gayvoronskaya and Christoph Meinel. 2018. A survey on essential components of a self-sovereign identity. Computer Science Review 30 (2018) 80\u201386.","DOI":"10.1016\/j.cosrev.2018.10.002"},{"key":"e_1_3_3_67_2","doi-asserted-by":"crossref","unstructured":"Stefania Loredana Nita and Marius Iulian Mihailescu. 2024. A novel authentication scheme based on verifiable credentials using digital identity in the context of web 3.0. Electronics 13 6 (2024) 1137.","DOI":"10.3390\/electronics13061137"},{"key":"e_1_3_3_68_2","volume-title":"Node.js","year":"2021","unstructured":"NodeJS. 2021. Node.js. Retrieved November 10, 2021 from https:\/\/nodejs.org\/en\/"},{"key":"e_1_3_3_69_2","doi-asserted-by":"crossref","first-page":"1266","DOI":"10.1109\/ICSCDS53736.2022.9760934","volume-title":"2022 International Conference on Sustainable Computing and Data Communication Systems (ICSCDS)","author":"Parmar Viral","year":"2022","unstructured":"Viral Parmar, Harshal A. Sanghvi, Riki H. Patel, and Abhijit S. Pandya. 2022. A comprehensive study on passwordless authentication. In 2022 International Conference on Sustainable Computing and Data Communication Systems (ICSCDS). IEEE, 1266\u20131275."},{"key":"e_1_3_3_70_2","doi-asserted-by":"crossref","first-page":"223","DOI":"10.1145\/3374664.3375727","volume-title":"Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy","author":"Pernpruner Marco","year":"2020","unstructured":"Marco Pernpruner, Roberto Carbone, Silvio Ranise, and Giada Sciarretta. 2020. The good, the bad and the (not so) ugly of out-of-band authentication with eID cards and push notifications: Design, formal and risk analysis. In Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy. 223\u2013234. DOI:10.1145\/3374664.3375727"},{"key":"e_1_3_3_71_2","first-page":"1","volume-title":"2017 26th International Conference on Computer Communication and Networks (ICCCN)","author":"Pongnumkul Suporn","year":"2017","unstructured":"Suporn Pongnumkul, Chaiyaphum Siripanpornchana, and Suttipong Thajchayapong. 2017. Performance analysis of private blockchain platforms in varying workloads. In 2017 26th International Conference on Computer Communication and Networks (ICCCN). IEEE, 1\u20136."},{"key":"e_1_3_3_72_2","volume-title":"Self-Sovereign Identity: Decentralized Digital Identity and Verifiable Credentials","author":"Preukschat A.","year":"2021","unstructured":"A. Preukschat and D. Reed. 2021. Self-Sovereign Identity: Decentralized Digital Identity and Verifiable Credentials. Manning. 2021287468 Retrieved from https:\/\/books.google.com.bd\/books?id=Nh4uEAAAQBAJ"},{"key":"e_1_3_3_73_2","volume-title":"WebAuthn: A better alternative for securing our sensitive information online","author":"Raman Suby","year":"2021","unstructured":"Suby Raman. 2021. WebAuthn: A better alternative for securing our sensitive information online. Retrieved September 14, 2023 from https:\/\/webauthn.guide\/"},{"key":"e_1_3_3_74_2","doi-asserted-by":"crossref","first-page":"11","DOI":"10.1145\/1179529.1179532","volume-title":"Proceedings of the Second ACM Workshop on Digital Identity Management","author":"Recordon David","year":"2006","unstructured":"David Recordon and Drummond Reed. 2006. OpenID 2.0: A platform for user-centric identity management. In Proceedings of the Second ACM Workshop on Digital Identity Management. 11\u201316."},{"key":"e_1_3_3_75_2","volume-title":"ECIS","author":"Sartor Sebastian","year":"2022","unstructured":"Sebastian Sartor, Johannes Sedlmeir, Alexander Rieger, and Tamara Roth. 2022. Love at first sight? a user experience study of self-sovereign identity wallets. In ECIS."},{"key":"e_1_3_3_76_2","first-page":"101","volume-title":"IFIP International Summer School on Privacy and Identity Management","author":"Satybaldy Abylay","year":"2022","unstructured":"Abylay Satybaldy. 2022. Usability evaluation of SSI digital wallets. In IFIP International Summer School on Privacy and Identity Management. Springer, 101\u2013117."},{"key":"e_1_3_3_77_2","volume-title":"Threat Modeling: Designing for Security","author":"Shostack Adam","year":"2014","unstructured":"Adam Shostack. 2014. Threat Modeling: Designing for Security. John Wiley & Sons."},{"key":"e_1_3_3_78_2","unstructured":"Mohammed Shuaib Shadab Alam Mohammad Shabbir Alam and Mohammad Shahnawaz Nasir. 2021. Self-sovereign identity for healthcare using blockchain. Materials Today: Proceedings (2021)."},{"key":"e_1_3_3_79_2","doi-asserted-by":"crossref","first-page":"1129","DOI":"10.1109\/Cybermatics_2018.2018.00205","volume-title":"2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData)","author":"Soltani Reza","year":"2018","unstructured":"Reza Soltani, Uyen Trang Nguyen, and Aijun An. 2018. A new approach to client onboarding using self-sovereign identity and distributed ledger. In 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData). 1129\u20131136. DOI:10.1109\/Cybermatics_2018.2018.00205"},{"key":"e_1_3_3_80_2","volume-title":"Verifiable Credentials Data Model 1.0","author":"Sporny Manu","year":"2022","unstructured":"Manu Sporny, Dave Longley, and David Chadwick. 2022. Verifiable Credentials Data Model 1.0. Retrieved April 27, 2022 from https:\/\/www.w3.org\/TR\/vc-data-model\/"},{"key":"e_1_3_3_81_2","doi-asserted-by":"crossref","first-page":"14","DOI":"10.1109\/RISP.1994.296595","volume-title":"Proceedings of 1994 IEEE Computer Society Symposium on Research in Security and Privacy","author":"Syverson Paul F.","year":"1994","unstructured":"Paul F. Syverson and Paul C. Van Oorschot. 1994. On unifying some cryptographic protocol logics. In Proceedings of 1994 IEEE Computer Society Symposium on Research in Security and Privacy. IEEE, 14\u201328."},{"key":"e_1_3_3_82_2","volume-title":"2017 Data Breach Investigations Report","year":"2017","unstructured":"Verizon. 2017. 2017 Data Breach Investigations Report. Retrieved September 27, 2023 from https:\/\/www.verizon.com\/business\/resources\/Tb6a\/reports\/2017_dbir.pdf"},{"key":"e_1_3_3_83_2","volume-title":"Web Authentication: An API for Accessing Public Key Credentials Level 1","year":"2019","unstructured":"W3C. 2019. Web Authentication: An API for Accessing Public Key Credentials Level 1. Retrieved September 21, 2023 from https:\/\/www.w3.org\/TR\/webauthn-1\/"},{"key":"e_1_3_3_84_2","unstructured":"Kristina Yasuda and Michael B. Jones. 2022. Self-Issued OpenID Provider v2. Retrieved from https:\/\/openid.net\/specs\/openid-connect-self-issued-v2-1_0-ID1.html. [Online; accessed 12. Mar. 2025]."},{"key":"e_1_3_3_85_2","unstructured":"Wei-Zhu Yeoh Michal Kepkowski Gunnar Heide Dali Kaafar and Lucjan Hanzlik. 2023. Fast IDentity online with anonymous credentials (FIDO-AC). arXiv:2305.16758. Retrieved from https:\/\/arxiv.org\/abs2305.16758"},{"key":"e_1_3_3_86_2","doi-asserted-by":"crossref","unstructured":"M Y\u0131ld\u0131r\u0131m and Ian Mackie. 2019. Encouraging users to improve password security and memorability. International Journal of Information Security 18 (2019) 741\u2013759.","DOI":"10.1007\/s10207-019-00429-y"},{"key":"e_1_3_3_87_2","first-page":"1","volume-title":"Proceedings of the 2021 IEEE Symposium on Computers and Communications (ISCC)","author":"Yildiz Hakan","year":"2021","unstructured":"Hakan Yildiz, Christopher Ritter, Lan Thao Nguyen, Berit Frech, Maria Mora Martinez, and Axel K\u00fcpper. 2021. Connecting self-sovereign identity with federated and user-centric identities via saml integration. In Proceedings of the 2021 IEEE Symposium on Computers and Communications (ISCC). IEEE, 1\u20137. 10.1109\/ISCC53001.2021.9631453"}],"container-title":["ACM Transactions on the Web"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3778360","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,15]],"date-time":"2026-04-15T16:05:07Z","timestamp":1776269107000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3778360"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,4,15]]},"references-count":86,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2026,5,31]]}},"alternative-id":["10.1145\/3778360"],"URL":"https:\/\/doi.org\/10.1145\/3778360","relation":{},"ISSN":["1559-1131","1559-114X"],"issn-type":[{"value":"1559-1131","type":"print"},{"value":"1559-114X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,4,15]]},"assertion":[{"value":"2025-06-17","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-11-23","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2026-04-15","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}