Abstract
In this paper we propose a simple, novel scheme for using a mobile device to enhance CardSpace authentication. During the process of user authentication on a PC using CardSpace, a random and short-lived one-time password is sent to the user’s mobile device; this must then be entered into the PC by the user when prompted. The scheme does not require any changes to login servers, the CardSpace identity selector, or to the mobile device itself. We specify the scheme and give details of a proof-of-concept prototype. Security and operational analyses are also provided.
© 2011 IFIP International Federation for Information Processing
Al-Sinani, H.S., Mitchell, C.J. (2011). Enhancing CardSpace Authentication Using a Mobile Device. In: Li, Y. (eds) Data and Applications Security and Privacy XXV. DBSec 2011. Lecture Notes in Computer Science, vol 6818. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22348-8_16
DOI: https://doi.org/10.1007/978-3-642-22348-8_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22347-1
Online ISBN: 978-3-642-22348-8
eBook Packages: Computer Science (R0)