In light of the GDPR, data controllers (DC) need to allow data subjects (DS) to exercise certain data subject rights. A key requirement here is that DCs can reliably authenticate a DS. Due to a lack of clear technical specifications, this has been realized in different ways, such as by requesting copies of ID documents or by email address verification. However, previous research has shown that this is associated with various security and privacy risks and that identifying DSs can be a non-trivial task. In this paper, we review different authentication schemes and propose an architecture that enables DCs to authenticate DSs with the help of independent Identity Providers in a secure and privacy-preserving manner by utilizing attribute-based credentials and eIDs. Our work contributes to a more standardized and privacy-preserving way of authenticating DSs, which will benefit both DCs and DSs.