Mobile Personal Identity Provider Based on OpenID Connect

  • Conference paper
  • Trust, Privacy and Security in Digital Business (TrustBus 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10442)

Abstract

In our digital society, managing identities and the corresponding access credentials is as painful as it is necessary. This is mainly due to the demand for a unique password for each service a user makes use of. Various approaches have been proposed to solve this issue, among which Identity Provider (IDP) based systems have gained the most traction for Web services. An obvious disadvantage of these IDPs, however, is the level of trust a user is required to place in them. After all, an IDP stores a lot of sensitive information about its users and is able to impersonate each of them.

In the present paper we therefore propose an architecture that enables a personal IDP (PIDP) to be operated on a mobile device owned by the user. To evaluate the properties of the introduced mobile PIDP (MoPIDP), we analyzed it by means of a prototype. Our MoPIDP architecture provides clear advantages over classical IDP approaches in terms of required trust and common threats such as phishing, and additionally regarding usability for the end user.


Notes

  1. Until here the protocol is identical to OAuth 2.0.


Author information

Correspondence to Nils Gruschka.


Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Iacono, L.L., Gruschka, N., Nehren, P. (2017). Mobile Personal Identity Provider Based on OpenID Connect. In: Lopez, J., Fischer-Hübner, S., Lambrinoudakis, C. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2017. Lecture Notes in Computer Science, vol 10442. Springer, Cham. https://doi.org/10.1007/978-3-319-64483-7_2

  • DOI: https://doi.org/10.1007/978-3-319-64483-7_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64482-0

  • Online ISBN: 978-3-319-64483-7