Strong authentication with mobile phone

  • Authors: Sanna Suoranta, André Andrade, Tuomas Aura
  • Affiliation (all authors): Department of Computer Science and Engineering, Aalto University, Espoo, Finland
  • Venue: ISC'12 Proceedings of the 15th International Conference on Information Security
  • Year: 2012

Abstract

As critical services and personal information move to the online world, passwords as the only user authentication method are no longer acceptable. The capacity of human memory does not scale to the ever larger number of ever stronger passwords needed for these services. Single sign-on (SSO) systems help users cope with password fatigue, but SSO systems still mostly lack support for strong two-factor authentication. At the same time, users have adopted mobile phones as personal digital assistants that are used both for accessing online services and for managing personal information. The phones increasingly include mobile trusted computing technology that can be used for hardware-based storage of user credentials. Thus, it is rather obvious that mobile phones should be used as authentication tokens for critical online services. In this paper, we show that existing open-source software platforms and commonly available mobile devices can be used to implement strong authentication for an SSO system. We use the Internet-enabled mobile phone as a secure token in a federated single sign-on environment. More specifically, we extend the Shibboleth SSO identity provider and build an authentication client based on a Nokia hardware security module. Our system design is modular: both the SSO solution and the hardware-based security module in the phone can be replaced with other similar technologies. In comparison to most commercially available strong authentication services, our system is open in the sense that it does not depend on a specific credential issuer or identity provider. Thus, it can be deployed by any organization without signing contracts with or paying fees to a third party. No modifications need to be made to the client web browser or to the online service providers. We conclude that it is possible to implement strong personal authentication for an open-source SSO system with low start-up and operating costs and gradual deployment.