
Strong Authentication with Mobile Phone

  • Conference paper
Information Security (ISC 2012)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7483)


Abstract

As critical services and personal information move to the online world, passwords as the only user authentication method are no longer acceptable. The capacity of human memory does not scale to the ever larger number of ever stronger passwords that these services require. Single sign-on (SSO) systems help users cope with password fatigue, but SSO systems still mostly lack support for strong two-factor authentication. At the same time, users have adopted mobile phones as personal digital assistants that are used both for accessing online services and for managing personal information. The phones increasingly include mobile trusted computing technology that can be used for hardware-based storage of user credentials. Thus, mobile phones are an obvious choice of authentication token for critical online services.

In this paper, we show that existing open-source software platforms and commonly available mobile devices can be used to implement strong authentication for an SSO system. We use the Internet-enabled mobile phone as a secure token in a federated single sign-on environment. More specifically, we extend the Shibboleth SSO identity provider and build an authentication client based on a Nokia hardware security module. Our system design is modular: both the SSO solution and the hardware-based security module in the phone can be replaced with other similar technologies. In comparison to most commercially available strong authentication services, our system is open in the sense that it does not depend on a specific credential issuer or identity provider, so any organization can deploy it without signing contracts with or paying fees to a third party. No modifications need to be made to the client web browser or to the online service providers. We conclude that it is possible to implement strong personal authentication for an open-source SSO system with low start-up and operating costs and gradual deployment.
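The abstract describes the phone as a second-factor token that the extended identity provider consults in addition to the usual SSO login, with the credential held in the phone's hardware security module. The page does not describe the authentication protocol itself, so the following is an added illustration and not the authors' code: a nonce-based challenge-response between an identity provider and a phone-held key, written in Python using only the standard library. Assumptions made here: a per-device symmetric key provisioned at enrolment (standing in for whatever credential the hardware module actually holds), an HMAC-SHA-256 response bound to the identity provider's session identifier, a 60-second nonce lifetime, and that the phone client already knows the session identifier it is confirming. `IdentityProvider`, `PhoneToken`, `DEVICE_KEYS` and `demo` are names chosen for this example, and the device key is constructed sample data.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: one enrolled phone and its per-device key.
# In the paper's design the credential lives in the phone's hardware
# security module; here it is an in-memory bytes object (assumption).
DEVICE_KEYS = {
    "phone-0001": bytes.fromhex(
        "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
    ),
}

NONCE_TTL_SECONDS = 60  # assumed lifetime of an outstanding challenge


def _mac(key, device_id, session_id, nonce):
    """HMAC-SHA-256 over length-prefixed fields, so no field can bleed
    into its neighbour (e.g. a session id that happens to contain a
    separator byte)."""
    msg = b""
    for part in (device_id.encode(), session_id.encode(), nonce):
        msg += len(part).to_bytes(2, "big") + part
    return hmac.new(key, msg, hashlib.sha256).digest()


class IdentityProvider:
    """Second-factor step that the SSO identity provider runs for a
    browser session after the first factor has succeeded."""

    def __init__(self, device_keys, now=time.time):
        self._keys = device_keys
        self._now = now          # injectable clock, for the expiry check
        self._pending = {}       # nonce -> (device_id, session_id, issued_at)

    def issue_challenge(self, device_id, session_id):
        """Mint a fresh random nonce tied to one device and one session."""
        if device_id not in self._keys:
            raise KeyError("unknown device")
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = (device_id, session_id, self._now())
        return nonce

    def verify_response(self, nonce, response):
        """Consume the nonce on first use (success or failure), reject
        stale challenges, and compare the MAC in constant time."""
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False  # unknown, already used, or replayed
        device_id, session_id, issued_at = entry
        if self._now() - issued_at > NONCE_TTL_SECONDS:
            return False
        expected = _mac(self._keys[device_id], device_id, session_id, nonce)
        return hmac.compare_digest(expected, response)


class PhoneToken:
    """Client on the phone. The key is only ever read inside respond(),
    mimicking a credential that does not leave the secure module."""

    def __init__(self, device_id, key):
        self.device_id = device_id
        self._key = key

    def respond(self, session_id, nonce):
        return _mac(self._key, self.device_id, session_id, nonce)


def demo():
    """Run the exchange once and exercise three failure modes."""
    clock = {"t": 1000.0}
    idp = IdentityProvider(DEVICE_KEYS, now=lambda: clock["t"])
    phone = PhoneToken("phone-0001", DEVICE_KEYS["phone-0001"])

    # Normal login: challenge for session A, answered by the enrolled phone.
    nonce = idp.issue_challenge("phone-0001", "sess-A")
    answer = phone.respond("sess-A", nonce)
    fresh = idp.verify_response(nonce, answer)

    # Replay of the same (nonce, response) pair must fail.
    replay = idp.verify_response(nonce, answer)

    # A response computed for session A cannot satisfy a challenge for B.
    nonce = idp.issue_challenge("phone-0001", "sess-B")
    wrong_session = idp.verify_response(nonce, phone.respond("sess-A", nonce))

    # A challenge answered after its lifetime has passed must fail.
    nonce = idp.issue_challenge("phone-0001", "sess-C")
    clock["t"] += NONCE_TTL_SECONDS + 1
    expired = idp.verify_response(nonce, phone.respond("sess-C", nonce))

    return {"fresh": fresh, "replay": replay,
            "wrong_session": wrong_session, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

The properties a practitioner should look for in any such design are all visible in `verify_response`: the nonce is consumed on first use whether or not verification succeeds, so a captured response cannot be replayed; the response is bound to the session it was issued for, so an attacker who starts their own login and tricks the victim's phone into answering gets a response that does not verify for the attacker's session; and the comparison is constant-time. A deployment built on a phone's hardware security module, as the abstract describes, would replace the shared HMAC key with a signature from a non-exportable key in that module, which is what turns the phone from a software token into a hardware-backed one.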




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Suoranta, S., Andrade, A., Aura, T. (2012). Strong Authentication with Mobile Phone. In: Gollmann, D., Freiling, F.C. (eds) Information Security. ISC 2012. Lecture Notes in Computer Science, vol 7483. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33383-5_5


  • DOI: https://doi.org/10.1007/978-3-642-33383-5_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33382-8

  • Online ISBN: 978-3-642-33383-5
