Strong Authentication with Mobile Phone

  • Sanna Suoranta
  • André Andrade
  • Tuomas Aura
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7483)


As critical services and personal information are moving to the online world, a password as the only user authentication method is no longer acceptable. The capacity of the human memory does not scale to the ever larger number of ever stronger passwords needed for these services. Single sign-on (SSO) systems help users cope with password fatigue, but SSO systems still mostly lack support for strong two-factor authentication. At the same time, users have adopted mobile phones as personal digital assistants that are used both for accessing online services and for managing personal information. The phones increasingly include mobile trusted computing technology that can be used for hardware-based storage of user credentials. Thus, it is rather obvious that mobile phones should be used as authentication tokens for critical online services.

In this paper, we show that existing open-source software platforms and commonly available mobile devices can be used to implement strong authentication for an SSO system. We use the Internet-enabled mobile phone as a secure token in a federated single sign-on environment. More specifically, we extend the Shibboleth SSO identity provider and build an authentication client based on a Nokia hardware security module. Our system design is modular, and both the SSO solution and the hardware-based security module in the phone can be replaced with other similar technologies. In comparison to most commercially available strong authentication services, our system is open in the sense that it does not depend on a specific credential issuer or identity provider. Thus, it can be deployed by any organization without signing contracts with or paying fees to a third party. No modifications need to be made to the client web browser or to the online service providers. We conclude that it is possible to implement strong personal authentication for an open-source SSO system with low start-up and operating costs and gradual deployment.


Mobile Phone; Trusted Platform Module; Extensible Authentication Protocol; Identity Provider; Security Assertion Markup Language
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Sanna Suoranta (1)
  • André Andrade (1)
  • Tuomas Aura (1)
  1. Department of Computer Science and Engineering, Aalto University, Espoo, Finland
