Smart OpenID: A Smart Card Based OpenID Protocol
نویسندگان
چکیده
OpenID is a lightweight, easy to implement and deploy approach to Single Sign-On (SSO) and Identity Management (IdM), and has great potential for large scale user adoption especially for mobile applications. At the same time, Mobile Network Operators are increasingly interested in leveraging their existing infrastructure and assets for SSO and IdM. In this paper, we present the concept of Smart OpenID, an enhancement to OpenID which moves part of the OpenID authentication server functionality to the smart card of the user’s device. This seamless, OpenID-conformant protocol allows for scaling security properties, and generally improves the security of OpenID by avoiding the need to send user credentials over the Internet and thus avoid phishing attacks. We also describe our implementation of the Smart OpenID protocol based on an Android phone, which interacts with OpenID-enabled web services.
منابع مشابه
Verified by Visa and MasterCard SecureCode: Or, How Not to Design Authentication
Banks worldwide are starting to authenticate online card transactions using the ‘3-D Secure’ protocol, which is branded as Verified by Visa and MasterCard SecureCode. This has been partly driven by the sharp increase in online fraud that followed the deployment of EMV smart cards for cardholder-present payments in Europe and elsewhere. 3-D Secure has so far escaped academic scrutiny; yet it mig...
متن کاملClient-Based CardSpace-OpenID Interoperation
We propose a novel scheme to provide interoperability between two of the most widely discussed identity management systems, namely CardSpace and OpenID. In this scheme, CardSpace users are able to obtain an assertion token from an OpenID-enabled identity provider, the contents of which can be processed by a CardSpace-enabled relying party. The scheme, based on a browser extension, is transparen...
متن کاملAnalysing the Security of Google's Implementation of OpenID Connect
Many millions of users routinely use their Google accounts to log in to relying party (RP) websites supporting the Google OpenID Connect service. OpenID Connect, a newly standardised single-sign-on protocol, builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management services. It adds identity management functionality to the OAu...
متن کاملOn the security of modern Single Sign-On Protocols: Second-Order Vulnerabilities in OpenID Connect
OpenID Connect is a new Single Sign-On (SSO) authentication protocol, which is becoming increasingly important since its publication in February 2014. OpenID Connect relies on the OAuth protocol, which currently is the de facto standard for delegated authorization in the modern web and is supported by leading companies like, e.g., Google, Facebook and Twitter. An important limitation of OAuth i...
متن کاملSoK: Single Sign-On Security – An Evaluation of OpenID Connect
OpenID Connect is the OAuth 2.0-based replacement for OpenID 2.0 (OpenID) and one of the most important Single Sign-On (SSO) protocols used for delegated authentication. It is used by companies like Amazon, Google, Microsoft, and PayPal. In this paper, we systematically analyze wellknown attacks on SSO protocols and adapt these on OpenID Connect. We additionally introduce two novel attacks on O...
متن کامل