Mobile Personal Identity Provider Based on OpenID Connect

  • Luigi Lo Iacono
  • Nils Gruschka
  • Peter Nehren
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10442)


In our digital society, managing identities and the corresponding access credentials is as painful as it is necessary. This is mainly due to the demand for a unique password for each service a user makes use of. Various approaches have been proposed to solve this issue, among which Identity Provider (IDP) based systems have gained the most traction for Web services. An obvious disadvantage of these IDPs is, however, the level of trust a user must place in them. After all, an IDP stores a lot of sensitive information about its users and is able to impersonate each of them.

In the present paper we therefore propose an architecture that enables a personal IDP (PIDP) to be operated on a mobile device owned by the user. To evaluate the properties of the introduced mobile PIDP (MoPIDP), we analyzed it by means of a prototype. Our MoPIDP architecture provides clear advantages over classical IDP approaches in terms of required trust and common threats such as phishing, and additionally regarding usability for the end user.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Cologne University of Applied Sciences, Cologne, Germany
  2. Kiel University of Applied Sciences, Kiel, Germany
