Single Sign-on (SSO) systems simplify user authentication for the many online services that we need to access every day. Solutions exist for both intra-organizational use and for the open web. While SSO systems meet their main goal of reducing the number of passwords that a user needs to memorize, many other aspects can still be improved. The goal of this thesis is to investigate how digital user identities are linked to real world identities, what opportunities and challenges mobile devices bring to the SSO systems, and how SSO sessions are managed after the initial authentication.
Many countries around the world provide citizen authentication methods based on smart cards or other credentials. Most of these offer strong two-factor authentication and APIs for integration with private and commercial systems. However, organizations may want to implement strong authentication themselves without relying on a specific national identity system. We designed and implemented a system that provides two-factor user authentication with a mobile phone as a secure store for service-issued credentials. Mobile devices also give rise to questions about session mobility. Stateless web applications that are distributed between the browser and the cloud may store only authentication session information on the client device. We implemented session migration that allows SSO sessions to be moved from one device to another. This enables users to switch to the best available device, for example from a desktop computer to a mobile device, and continue working without reauthentication. Moreover, most SSO systems focus on authentication at the beginning of a session. We observe that the ending of sessions can be confusing and lead to security failures. We investigate logout in existing SSO systems and suggest separating the concepts of local and global logout.
As the computing environment changes, for example as applications move to mobile and cloud platforms, there is a continuous need to update authentication technologies. This thesis proposes several incremental improvements to SSO systems and addresses various pain points from the user’s and the developer’s points of view.
Sanna Suoranta (Aalto University): Enhanced Security for Mobile User Authentication and Single Sign-On (Dissertation)