Strong mobile authentication in single sign-on systems
No Thumbnail Available
URL
Journal Title
Journal ISSN
Volume Title
School of Science |
Master's thesis
Checking the digitized thesis and permission for publishing
Instructions for the author
Instructions for the author
Authors
Date
2011
Department
Major/Subject
Tietokoneverkot
Mcode
T-110
Degree programme
Language
en
Pages
ix + 92
Series
Abstract
With high risk services, such as online banking, coming to the Internet, traditional authentication schemes like username and password are no longer sufficient to cope with the latest security threats. Therefore, strong authentication methods that use two or more identification factors are becoming more relevant to web authentication. These methods often require an additional device to act as a security token. The mobile phone qualifies as a cheap, available and usable option. Moreover, single sign-on (SSO) authentication systems offer more usability and flexibility to authentication, and enhance identity management. Hence, SSO and strong authentication complement each other. SSO provides the advantages mentioned above and strong authentication offers a safer method for service providers to authenticate users. This thesis focuses on studying the state-of-the-art methods of strong web authentication, SSO technologies and the use of the mobile phone as a security token. The main contribution is a strong authentication protocol for SSO systems using the mobile phone as security token. It aims to be a secure, usable, flexible and cost-efficient user authentication platform that does not assume a direct connection between the device that accesses the services and the security token. The solution is based on PKI and mobile certificates, session management, and a hardware-based secure credential manager in the mobile phone. Furthermore, this thesis describes a proof-of-concept implementation of the protocol using the Shibboleth federated SSO system and On-board Credentials from Nokia. The prototype achieves usable strong authentication using the mobile phone, and integrates easily with the SSO platform.Description
Supervisor
Aura, Tuomas|Ferreira, PauloThesis advisor
Suoranta, SannaKeywords
strong authentication, security token, mobile phone, credential, SSO, federation, identity management, PKI, SIM, ObC