A Survey on Non-transferable Anonymous Credentials

There are at least two principal approaches to prevent users from sharing their anonymous credentials: adding valuable secrets into the system the user does not want to share or embedding biometric access control. This paper seeks to identify possible fields of application and to compare both approaches with respect to the credentials’ nontransferability. The paper shows that both approaches do not ensure the non-transferability of anonymous credentials, but may be applicable in some fields. On the one hand, it might be hard to find valuable secrets to really prevent the sharing of credentials, in particular with close family members. On the other hand, biometric sensors embedded in a smartcard can be circumvented with some effort, especially if access control is unattended. Although the combination of both approaches may prevent more users from sharing their credentials, it suffers from restrictions of both approaches and from the effort needed to put it in place. However, assuming that anonymous credentials will probably not be used in high-security environments, both approaches might be sufficient to prevent sharing in some applications. If the users already possess personal digital assistants, embedded valuable secrets are a quite cheap solution, even though they raise the system’s value. If access control is attended, biometric sensors are reasonably safe and limit the possibility of unintentionally sharing the credentials for free.