Abstract

We have implemented an identity provider (IdP), as defined by the Liberty Alliance, on a mobile phone. We propose an authentication method that uses this personal IdP as a security token to prevent password leakage. In our method, the personal IdP on a mobile phone issues a security assertion signed by a private key on a Universal Subscriber Identifier Module (USIM). There are some authentication solutions that require special hardware tokens to prevent password leakage incidents, but their disadvantage is a higher distribution cost. In our method, there is no need to distribute special hardware tokens because mobile phones are widespread personal devices. There are other authentication methods that use mobile phone terminals, but our method has the advantage that there is no need to install special software on PCs. In addition, users are able to carry out single sign-on (SSO) with our method by using the Liberty Alliance architecture. Compared with ordinary SSO, where the IdP is a server computer, our method has the unique feature that the initial authentication is performed on the user's mobile phone, with the keypad as the input device and the LCD as the output device. Therefore, the credential for initial authentication is not transmitted from the mobile phone, and we can avoid the risk of password theft. If the mobile phone has its own security feature, such as fingerprint authentication, that feature can be used for SSO too. In this paper, we also discuss implementation issues on a mobile phone network and security issues regarding the man-in-the-middle attack. Results of the performance test of a prototype system are also described.
