We present a novel approach that uses a mobile device for authentication and authorization, letting the user authenticate and authorize themselves for access at a public terminal. The concept extends a Single Sign-On solution to mobile devices and public terminals.
1. Institute for Media Technology
Distributed Multimodal Information Processing Group Technische Universität München
The Smartphone as a Mobile Authorization Proxy
- Towards Authentication Using Smartphones
Luis Roalter, Matthias Kranz, Stefan Diewald,
Andreas Möller, Kåre Synnes
February 14, 2013
MCPT Workshop at Eurocast 2013
2. Daily routines…
14.2.2013 L. Roalter, M. Kranz, S. Diewald, A. Möller, K. Synnes 2
3. Scenario
Starting your work
• Log in to the computer
• You must know your username and password
Reading your mail
• Log in to your mail server
• You must know another username and password (probably)
Scientific research
• Log in to your library
• You must know yet another username and password
4. Overview
Motivation
System architecture
Current implementation
Problems and Outlook
5. Past Scenario
Situation
• Various platforms
• Different user name / password combinations
• No unified login mask
Problems
• Many credentials to remember
• No overview
• Multiple accounts to maintain
• Phishing
7. Recent Scenario
Situation
• Various platforms
• Usage of distributed login methods (LDAP, ADS, NIS, …)
• Mostly no unified login mask
• Only one username to remember
Problems
• One credential opens everything
• A single phished credential compromises the complete system
• Public terminals / displays
9. Future Motivation
Situation
• Various platforms
• Usage of distributed login methods (LDAP, ADS, NIS, …)
• Unified login mask → replace it with a QR code
• No username to remember
• Smartphone is your identity provider
• Phishing is hardly possible
Requirements/Problems
• Need of a smartphone with internet connection
• More involved parties; trust
10. The standard login…
11. Novel approach with QR codes…
12. Ideas
Single Sign-On
• Reduce number of different credentials
• Substitute other authentication methods
• Substitute many individual logins by one
• Works especially for organizations with many services
Motivation
• Easy usage at different services
• Global sign-off
• Privacy
13. Existing Single Sign-On Solutions
OpenID
• De-centralized authentication system
• OpenID identity provided by OpenID provider
• “Relying party” accepts identity as login
• Prone to phishing: the relying party redirects the browser to the provider, so a malicious relying party can send the user to a look-alike provider login page
• Used by e.g. Yahoo, Microsoft, Facebook, Google
Shibboleth
• Identity provider, service provider and discovery service
• Used mainly in university and educational context
14. Single Sign-On
Goals for Single Sign-On with mobile devices
• Improved usability and utility: faster, less error-prone authentication
• Improved security: credentials are never typed on an on-screen keyboard, so nobody can watch them being entered
• Separation of private and public devices/data (no Bluetooth link for password input)
• No separate login/password management
• No typing on a public display (the phone is not a keyboard substitute)
• Better than logging in directly at a public terminal, whose hardware is publicly accessible and may have been tampered with
15. Overview
Motivation
System architecture
Current implementation
Problems and Outlook
16. Concept
(Diagram in two halves.)
Without SSO: the user holds a separate username/password pair for each of Service 1, Service 2, …, Service n and authenticates to every service directly.
With SSO: the user authenticates once, with a single username/password, to the SSO server, which in turn authenticates the user to Service 1, Service 2, …, Service n.
17. How does single sign-on work?
(Flow diagram; parties: Client, Service, SSO Server.)
1. Client accesses the Service
2. Service redirects the Client to the SSO server
3. Client authenticates at the SSO server
4. SSO server grants access for the user at the Service
5. SSO server passes user information to the Service
6. Client gets information from the Service
18. Introducing QR codes
Why make use of QR codes?
• Fast and easy transfer of ASCII/binary data to a smartphone
• Move forms to a trusted device (my smartphone)
Why smartphones?
• Independent connection to the internet
• Storage of personal information
• Usable for other auxiliary services (reading from and writing to them)
19. Integrating the smartphone
(Flow diagram; parties: Client (terminal), Service, SSO Server and the user's mobile device.)
1. Client accesses the Service
2. Service registers a token (session ID) with the SSO server
3. Service prints a QR code carrying the token on the terminal
4. Mobile device scans the QR code and sends its data to the SSO server
5. SSO server grants access for the user at the Service
6. SSO server passes user information to the Service
7. Client gets information from the Service
20. Overview
Motivation
System architecture
Current implementation
Problems and Outlook
21. Current Implementation
Platform
• Tomcat server for RPC
• LDAP for user management
• SQL DB for service and session management
Mobile Client
• Android Smartphone
• UMTS/WiFi Connection
• SSL-secured communication
22. Android Application: Registration
Registration / Login
• Your account (username, password)
• Your hardware: a mobile unique ID (MUID), e.g. the IMEI (identifies the device directly) or a value calculated from hardware parameters (no direct link to a specific device)
• The MUID identifies the device a session is transferred to, and appears in the history (which device authenticated a SID)
What is stored?
• Login name
• Hashed MUID
• The (hashed) password is transferred only once, at registration, and discarded afterwards; it is not stored
23. Android Application: Profile / Management
Features
• Visualize running sessions
• Maintain your profile and personal information
• Detect hijacking of the account (sessions you did not open)
• Log out individual sessions or all of them
• Transparency for the user
Ideas
• Transfer sessions between devices (from desktop to mobile)
• Not only authenticating on public terminals, but also improving mobility
24. Example Use Case: Room Reservation and Access
• Tablet PC as door sign for meeting rooms
• See when a room is occupied or available
• Book a room through the public display
– Needs authentication (who reserves the room?)
– Single Sign-On with a QR code does not require typing credentials on the public display
• Can even grant room access (digital lock)
25. Android Application: Authentication
Go to a (public or private) terminal
• Request the service, e.g. open the service's login page
• Wait for SSO authentication (e.g. a QR code)
Terminal
• Sends a session ID (SID) to the SSO server
• Creates a QR code with that information and displays it on the terminal's screen
Mobile Device
• Scans the QR code and obtains: SID, service, SSO server
• Authenticates the SID at the SSO server
• The SSO server then authenticates the session on both the mobile and the public terminal
26. Overview
Motivation
System architecture
Current implementation
Problems and Outlook
27. Analysis
Improvements compared to traditional Single Sign-On
• No password input, direct or indirect, on a potentially insecure terminal
• Faster, less error-prone, more convenient identification
• Lost mobile: de-authenticate all of its sessions and deactivate its MUID (requires an SSO admin interface)
• SSO server pinned on the mobile (entered once as a preference); it replaces whatever server address a QR code carries
• No phishing login sites, since the mobile always contacts its preferred SSO server
• Additional hardware binding (one more piece of information)
• Additional channel for authentication: terminal ↔ SSO server and mobile ↔ SSO server
28. Analysis
Equal (or at least not worse)
• Only identification (verifying who the user is), no access control yet (authorization)!
• A "faked" MUID: if the derivation algorithm is known, an attacker can send a copied hashed MUID. This is equivalent to a lost physical key, because the mobile has no trusted platform module (TPM) to bind the value to the hardware
• In both cases: at least accounting of active SIDs, i.e. monitoring "key usage"
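The QR-code login of slides 19 and 25, together with the properties claimed on slides 22, 23, 27 and 28, as an added worked example. This is illustrative code written for this page, not the authors' Tomcat/LDAP/SQL implementation: the class and function names, the JSON layout of the QR payload, the 120 s token lifetime, the pinned URL and the sample account and device identifier are all assumptions. The SSO server, the public terminal and the phone are modelled as objects in one process so the exchange can be followed offline: registration binds a hashed MUID to an account after a one-time password check, a scanned QR code claims a single-use session ID for the right service within its lifetime, the phone disregards the server address in the QR code in favour of its pinned server, a copied MUID hash still works (the slide 28 caveat) but shows up in the user's session list, and revoking a lost device tears down its sessions.

```python
"""Toy model of the QR-code single sign-on flow on slides 19, 22, 23, 25, 27 and 28.

Added example, not the authors' Tomcat/LDAP/SQL implementation. The class and
field names, the JSON QR payload, the 120 s token lifetime and the sample
account/device below are constructed for illustration only.
"""
import hashlib
import json
import secrets
import time

SSO_URL = "https://sso.example.org"      # assumption: URL pinned as a preference on the phone
TOKEN_LIFETIME = 120                     # assumption: seconds a displayed QR code stays valid
SAMPLE_USERS = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}  # constructed
ALICE_MUID = "imei:490154203237518"      # constructed; could also be derived from hardware parameters


def hash_muid(muid: str) -> str:
    """Slide 22: the server stores a hash of the mobile unique ID, never the ID itself."""
    return hashlib.sha256(b"muid:" + muid.encode()).hexdigest()


class SsoServer:
    def __init__(self, users):
        self.users = users          # login -> sha256(password); stand-in for the LDAP backend
        self.devices = {}           # hashed MUID -> login
        self.sessions = {}          # SID -> {service, user, created, muid_hash}

    def register_device(self, login, password, muid):
        """Slide 22: check the password once, bind the hashed MUID, store no password."""
        if self.users.get(login) != hashlib.sha256(password.encode()).hexdigest():
            return False
        self.devices[hash_muid(muid)] = login
        return True

    def register_token(self, service):
        """Step 2: the terminal obtains a fresh, unguessable session ID (SID)."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"service": service, "user": None,
                              "created": time.time(), "muid_hash": None}
        return sid

    def authenticate_sid(self, sid, service, muid_hash):
        """Steps 4-5: the phone claims a SID; accept it once, for the right service, in time."""
        sess = self.sessions.get(sid)
        if sess is None or sess["user"] is not None:       # unknown, or already claimed
            return False
        if sess["service"] != service:                      # QR code was shown for another service
            return False
        if time.time() - sess["created"] > TOKEN_LIFETIME:  # stale QR code
            del self.sessions[sid]
            return False
        login = self.devices.get(muid_hash)
        if login is None:                                   # unregistered or revoked device
            return False
        sess.update(user=login, muid_hash=muid_hash)
        return True

    def session_user(self, sid):
        """Step 6: the service asks who owns the SID (None while the terminal still waits)."""
        sess = self.sessions.get(sid)
        return sess["user"] if sess else None

    def active_sessions(self, login):
        """Slide 23: show the user every service currently signed in under their name."""
        return sorted(s["service"] for s in self.sessions.values() if s["user"] == login)

    def revoke_device(self, muid_hash):
        """Slide 27, lost phone: drop the device binding and every session it authenticated."""
        self.devices.pop(muid_hash, None)
        doomed = [sid for sid, s in self.sessions.items() if s["muid_hash"] == muid_hash]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)


def terminal_show_qr(server, service):
    """Steps 2-3: register a SID and encode SID, service and SSO URL in the QR code."""
    sid = server.register_token(service)
    return sid, json.dumps({"sid": sid, "service": service, "sso": SSO_URL})


def mobile_scan(pinned_server, qr_payload, muid):
    """Step 4: the phone talks only to its pinned SSO server (slide 27); the URL in the QR code is ignored."""
    data = json.loads(qr_payload)
    return pinned_server.authenticate_sid(data["sid"], data["service"], hash_muid(muid))


def run_demo():
    """Registration, one login, a replay, a rogue QR code, a copied MUID hash and revocation."""
    server, out = SsoServer(SAMPLE_USERS), {}
    out["registered"] = server.register_device("alice", "correct horse battery", ALICE_MUID)
    out["bad_password"] = server.register_device("bob", "guess", "imei:000")
    sid, qr = terminal_show_qr(server, "library")             # steps 1-3 on the public terminal
    out["before_scan"] = server.session_user(sid)             # None: terminal still waiting
    out["login"] = mobile_scan(server, qr, ALICE_MUID)        # step 4
    out["after_scan"] = server.session_user(sid)              # 'alice': steps 5-7 may proceed
    out["replay"] = mobile_scan(server, qr, ALICE_MUID)       # same QR code again is refused
    rogue = json.dumps({"sid": "chosen-by-attacker", "service": "library", "sso": "https://evil.example"})
    out["rogue_qr"] = mobile_scan(server, rogue, ALICE_MUID)  # pinned server knows no such SID
    # Slide 28: the hashed MUID is a bearer value; whoever copied it can claim a SID ...
    sid2, _ = terminal_show_qr(server, "mail")
    out["copied_muid"] = server.authenticate_sid(sid2, "mail", hash_muid(ALICE_MUID))
    out["sessions"] = server.active_sessions("alice")         # ... but accounting shows the extra session
    out["revoked"] = server.revoke_device(hash_muid(ALICE_MUID))
    out["after_revoke"] = server.session_user(sid)
    return out
```

Run `run_demo()` to walk the whole sequence. Note that the hashed MUID is effectively a bearer secret, exactly as slide 28 concedes: the session accounting of slide 23 is what makes misuse visible, not what makes it impossible.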
29. Outlook and Future Work
Usability
• PAM module for QR code authentication
• Operating system login using QR codes
• Transfer sessions between terminals
Security
• Fully encrypted connections (the tokens are already in place)
User study
• Acceptance / Usability concept
• Novel applications (public displays)
• etc.
30. Thank you for your attention!
Questions?
andreas.moeller@tum.de
roalter@tum.de
www.vmi.ei.tum.de/
31. Paper Reference
• Please find the associated paper at:
https://vmi.lmt.ei.tum.de/publications/2013/MCPT2013-IndoorNav_preprint.pdf
• Please cite this work as follows:
• L. Roalter, M. Kranz, S. Diewald, A. Möller, K. Synnes
Decision-Point Panorama-Based Indoor Navigation
In: 14th International Conference on Computer Aided Systems Theory
(EUROCAST 2013), pp. 306-307, Las Palmas de Gran Canaria, Spain,
February 2013
32. If you use BibTeX, please use the following entry to cite this work:
@INPROCEEDINGS{MCPT13MobAuth,
author = {Luis Roalter and Matthias Kranz and Stefan Diewald and Andreas M{\"o}ller},
title = {{The Smartphone as Mobile Authorization Proxy}},
booktitle = {14th International Conference on Computer Aided Systems Theory (EUROCAST 2013)},
editor = {Alexis Quesada-Arencibia and Jos\'{e} Carlos Rodriguez and Roberto Moreno-Diaz jr. and Roberto Moreno-Diaz},
year = {2013},
month = feb,
pages = {306--307},
ISBN = {978-84-695-6971-9},
location = {Las Palmas de Gran Canaria, Spain},
}