
[IEEE 2009 13th International Conference on Intelligence in Next Generation Networks (ICIN): "Beyond the Bit Pipes" - Bordeaux, France (2009.10.26-2009.10.29)]

978-1-4244-4694-0/09/$25.00 ©2009 IEEE

Releasing the potential of OpenID & SIM

Ivar Jørstad, Tor Anders Johansen & Elias Bakken
Ubisafe AS, NO-2624 Lillehammer, Norway
{ivar.jorstad | tor.anders.johansen | elias.bakken}@ubisafe.no

Charlott Eliasson & Markus Fiedler
Blekinge Institute of Technology, Karlskrona, Sweden
{cel | markus.fiedler}@bth.se

Do van Thanh
Telenor R&I, NO-1331 Fornebu, Norway
[email protected]

Abstract— OpenID is starting to mature as an identity system. At the time of writing, more than 500 million users are OpenID-enabled, more than 48 000 service provider sites support the solution, and the growth is rapid. The next natural step is to enable all those users to log on safely, yet easily, to all those services; this is not handled by the identity system itself. This paper discusses how telecom operators can be part of this evolution and exploit it commercially by facilitating the adoption of OpenID for their customers. The paper proposes a service architecture in which the operator is able to exploit the growing acceptance and user base of OpenID by combining it with SIM authentication, one of the operators’ most valuable assets. The service architecture has been implemented and tested both technically and with users. The solution allows users to easily and conveniently log on to services like Plaxo using their mobile phone and/or a USB dongle with inserted U/SIM, and it can enable telecom operators to capitalise on a huge user base by combining the strengths of OpenID and the U/SIM. A discussion of the business opportunities of the solution is provided.

Keywords- Identity management, OpenID, strong authentication, 2-factor authentication, SIM, GSM, UMTS

I. INTRODUCTION

Of all the challenges that are increasing in complexity on the Internet and WWW today, one of the major and critical ones is that of identity management and the issues arising from poor practices of such, e.g. fraud, lack of privacy and identity theft. Although a lot of protocols, standards and initiatives (SAML [1], Liberty Alliance [2], CardSpace [3], Higgins [4], etc.) have been launched to improve on the situation, we are still seeing few initiatives that have substantial deployment in practice, at least in the consumer market.

None of the most talked about identity management initiatives incorporates the task of actual user authentication. This makes sense, as it increases the flexibility of the systems, and opens for others to adapt the solutions to their own requirements.

However, to enable the widespread use of identity management systems there are several requirements that must be met by the complete system, including the actual user authentication. The user must perceive the identity management system and the authentication functionality as a whole, and the less he sees of it, the better. Most current identity management deployments still rely on username/password for authentication, but to further increase user-friendliness and security, other means of authentication might be the key.

This paper presents some of the efforts of the EUREKA Mobicome¹ project towards improving the identity management situation for services on the Internet. The solution presented in this paper introduces the mobile operator as a trusted 3rd party and identity provider, enabling customers to easily log in to a vast number of services using their mobile phone and/or U/SIM card as a token to prove their identity, and using the OpenID [5] identity system as a foundation for managing user identities.

Using the combination of OpenID and U/SIM is a compelling solution because:

- OpenID is distributed - As soon as the user has registered, it immediately enables him to log on to any OpenID-enabled site without any hassle (although initial pairing of user accounts is of course necessary).

- Deployment & adoption rate - There is an increasing adoption and support of OpenID (500 million enabled users, more than 48 000 service providers).

- Simplicity - Adoption of OpenID for service providers is becoming easy due to emerging frameworks. The solution is also easy to understand and to use for the end-user. One identifier (the OpenID URI) may be used for a vast number of services.

- Ubiquity - The mobile phone/SIM is a ubiquitous device that has no real competitor as an authentication token today due to its widespread deployment.

- Security - The SIM provides 2-factor authentication in a user-friendly manner, thus radically increasing security and limiting opportunities for identity theft.

¹ http://www.mobicome.org


Section II of this paper discusses related work; Section III provides a brief look into OpenID identity system terminology and SIM authentication; Section IV presents a solution called UnifID which incorporates OpenID and strong SIM authentication; Section V provides data from the user perspective collected through a user perception study; Section VI provides a discussion of the proposed solution; and finally Section VII presents future work and concludes the paper.

II. RELATED WORKS

It has been recognized for a long time that authentication processes on the Internet are generally too weak, and that multi-factor authentication should be introduced to limit identity theft and fraud. However, most existing 2-factor authentication solutions have severe limitations and drawbacks; although they provide substantially improved security, they are commonly either inconvenient for the user, expensive to establish and maintain, or both. Examples of such solutions include Smart Cards with PKI and One-Time-Password (OTP) generators.

There exist many different solutions for using the mobile phone as a 2-factor authentication device for Internet services. Some of these are based on mobile applications that generate OTPs (e.g. the Norwegian company enCap’s solution for the financial sector [6]); others are based on sending OTPs to mobile phones using the Short Message Service (SMS). All of these, if implemented correctly, increase the security of the authentication process. However, requiring the installation of additional software on the user’s mobile phone may still be too demanding a process for the common user, and the challenge of widely heterogeneous mobile application platforms is likely to persist for the foreseeable future. Solutions that do not rely on the mobile terminal platform are thus still preferable, e.g. the reception of OTPs through SMS (although inconvenient for the user) or the use of the SIM as proposed in this paper.

As a supplement to username/password authentication in OpenID, PhoneFactor [7] has integrated its phone-based authentication service, CallVerifID, with it. Upon entry of the first-factor credentials, e.g. username/password, a phone call is established to the user’s phone (mobile or landline), and the user confirms the authentication by an acknowledgment or an additional PIN code on his/her phone. This solution improves the authentication strength of OpenID. However, it may be too inconvenient for services requiring a large number of authentications on a daily basis to result in large-scale adoption.

III. INTRODUCTION TO OPENID & SIM

This section provides a brief introduction to the architecture and functionality of OpenID, and gives a description of general SIM authentication.

A. OpenID components & functionality

OpenID defines two major components: the Relying Party (RP)/Service Provider and the OpenID Provider.

An RP in OpenID terminology is a Service Provider, an entity that relies on the Identity Provider to verify and assert the identity of visiting users.

An OpenID provider is an identity provider that is capable of (properly) authenticating a user given an OpenID URI and asserting the authenticated user’s identity towards relying parties. An OpenID URI is the identifier used by OpenID to represent a user’s identity. The actual authentication mechanism and procedure is out of scope of OpenID, and can be anything the operator of the IdP chooses to use (e.g. username/password, Smart Card, One-Time-Password etc.).

B. SIM authentication

Figure 1. The GSM A3 function

SIM authentication as referred to in this paper means using the native authentication mechanisms of the U/SIM of GSM/UMTS for authentication to Internet-based services. That is, the basic GSM/UMTS authentication messages are transported across IP instead of across the mobile wireless bearer. The core of GSM authentication is the A3 algorithm, whereas in UMTS the authentication is realised by functions named f1-f5. Figure 1 shows how the A3 algorithm works. Basically, the network and the SIM calculate XRES and SRES respectively, based on a random number (RAND) and the user’s secret key (Ki); if these match, the user is considered authenticated. However, in the proposed solution the authentication is made mutual (i.e., the network is authenticated as well) by utilising the EAP-SIM [8] protocol.
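Added example, not from the paper or the Mobicome project: a Python model of the Figure 1 challenge-response and of how an EAP-SIM-style keyed MAC over the challenge lets the SIM side refuse a network that does not hold Ki. The A3/A8 stand-in (HMAC-SHA256) and the simplified K_aut derivation are assumptions for illustration; the real A3/A8 are operator-specific, and RFC 4186 derives keys with SHA-1 and the FIPS 186-2 PRF.

```python
import hashlib
import hmac
import os


def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for the operator-specific GSM A3/A8 algorithms (assumption, not the real
    ones): derive the 32-bit SRES and 64-bit Kc from the subscriber key Ki and RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]  # (SRES, Kc)


class Sim:
    """The U/SIM: holds Ki, never discloses it, only answers RAND challenges."""

    def __init__(self, ki: bytes):
        self._ki = ki

    def run_gsm(self, rand: bytes) -> tuple[bytes, bytes]:
        return a3_a8(self._ki, rand)


class Network:
    """AuC role: holds the same Ki and produces (RAND, XRES, Kc) triplets.
    A rogue network is simply one constructed with a Ki it has guessed wrongly."""

    def __init__(self, ki: bytes):
        self._ki = ki

    def triplet(self) -> tuple[bytes, bytes, bytes]:
        rand = os.urandom(16)
        xres, kc = a3_a8(self._ki, rand)
        return rand, xres, kc


def one_way_gsm_auth(network: Network, sim: Sim) -> bool:
    """Figure 1: network sends RAND, SIM returns SRES, network compares it with XRES.
    Only the network learns anything; the SIM answers any challenger, genuine or not."""
    rand, xres, _kc = network.triplet()
    sres, _kc_sim = sim.run_gsm(rand)
    return hmac.compare_digest(sres, xres)


def derive_k_aut(kcs: list[bytes], nonce_mt: bytes) -> bytes:
    """Simplified stand-in for EAP-SIM's MK / K_aut derivation (assumption; RFC 4186
    hashes identity | n*Kc | NONCE_MT | version data with SHA-1 and the FIPS 186-2 PRF)."""
    return hashlib.sha256(b"".join(kcs) + nonce_mt).digest()


def eap_sim_mutual_auth(network: Network, sim: Sim, n: int = 2) -> str:
    """EAP-SIM style exchange: the network must prove knowledge of the Kc values (and so
    of Ki) with a MAC over its challenge before the peer answers, and the peer answers
    with a MAC over the SRES values instead of sending them in clear."""
    nonce_mt = os.urandom(16)  # peer -> network (EAP-Response/SIM/Start)
    # Network side: n triplets, K_aut from their Kc values, AT_MAC over RANDs and NONCE_MT.
    triplets = [network.triplet() for _ in range(n)]
    rands = [t[0] for t in triplets]
    k_aut_net = derive_k_aut([t[2] for t in triplets], nonce_mt)
    challenge_mac = hmac.new(k_aut_net, b"".join(rands) + nonce_mt, hashlib.sha256).digest()
    # Peer side: run the SIM on each RAND, derive K_aut independently, check the network MAC.
    results = [sim.run_gsm(r) for r in rands]
    k_aut_peer = derive_k_aut([kc for _sres, kc in results], nonce_mt)
    expected_mac = hmac.new(k_aut_peer, b"".join(rands) + nonce_mt, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, challenge_mac):
        return "network rejected by peer"  # challenger does not hold Ki; no SRES is released
    sres_concat = b"".join(sres for sres, _kc in results)
    response_mac = hmac.new(k_aut_peer, sres_concat, hashlib.sha256).digest()
    # Network side: verify the peer's MAC against its own XRES values.
    expected_resp = hmac.new(k_aut_net, b"".join(t[1] for t in triplets), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_resp, response_mac):
        return "peer rejected by network"
    return "mutually authenticated"
```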

IV. UNIFID: SIM-ENABLED OPENID

This section introduces the architecture of UnifID, a novel solution that adopts OpenID as a framework for managing identities and the U/SIM for handling the actual user authentication.

A. Architecture & components

Figure 2 shows the overall service architecture. The following components are depicted:

Web browser – This is typically a modern Web browser supporting Java Applet technology.

Supplicant – The supplicant is realised as a Java Applet, which is downloaded to the user’s Web browser. The supplicant communicates with the SIM across either a Bluetooth interface or a USB interface, using APDUs to access the algorithms of the SIM card. On the other end, the supplicant communicates with the Authenticator using EAP-SIM across an HTTP connection. Upon successful authentication, the supplicant provides the browser with proof of this fact, which the browser in turn presents to the OpenID provider, which then concludes the authentication process and asserts the identity of the user towards the service provider.

Authenticator – The authenticator communicates with the supplicant as described above, and on the other end communicates with an AAA server to perform the actual verification of user identity. The AAA server exposes a RADIUS interface towards the authenticator, and communicates with the SS7 network of the telco through a MAP gateway (currently a Ulticom Signalware platform).

OpenID Provider – This entity is in the figure co-located with the authenticator, but it could also be located elsewhere. This component implements the OpenID protocol according to the specifications.

OpenID Consumer/Relying Party – This represents the service provider with OpenID support added.

Figure 2. Overall architecture of the solution

B. UnifID logon procedure

The solution presented in this paper has been successfully implemented and tested with services like Plaxo and myGeolog, which support OpenID login. Figure 3 shows the welcome screen of Plaxo when using OpenID for login, and Figure 4 shows the OpenID provider developed by Ubisafe, to which the user is redirected for authentication with the mobile phone or U/SIM.

Figure 5 shows a sequence diagram illustrating the logon procedure with the UnifID solution. The steps in the procedure are as follows:

1) The user visits a service provider site and enters his/her OpenID URI (Figure 3).

2)-3) The service provider’s OpenID implementation determines the appropriate OpenID provider from the URI and redirects the user there for authentication (Figure 4).

4) The user selects authentication with either the USB SIM dongle or the mobile phone over a Bluetooth connection.

5)-6) The authentication procedure is carried out between the Supplicant and the Authenticator.

7) The proof of successful authentication is provided to the OpenID provider, and the user is redirected back to the service provider carrying an assertion of this fact to the OpenID implementation there.

8) The user is successfully logged in with his/her username at the service provider site.

Figure 3. Using the SIM for secure and simplified log on to Plaxo – specifying the OpenID identifier

Figure 4. The login screen of the Ubisafe OpenID provider with Bluetooth SIM/USB dongle option for authentication

Step 8) assumes that the OpenID URI and the local user account at the service provider site have already been paired. Otherwise, the service provider’s OpenID implementation decides what action to take, but usually it will lead the user to a feature for establishing a relationship between the OpenID URI and the local account username.
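Step 7 hands the service provider a signed OpenID assertion that its OpenID implementation must verify before trusting it, and step 8 depends on the URI-to-account pairing. Added example, not the UnifID or Plaxo code: a relying-party verifier in Python for an OpenID 2.0 positive assertion using a previously established association key, which also rejects replayed nonces and consults a pairing table. The OP endpoint, return_to URL, association handle, MAC key and paired account are constructed placeholder values.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed relying-party state (placeholders, not real endpoints).
OP_ENDPOINT = "https://openid.example-operator.test/server"  # OP found via discovery
RETURN_TO = "https://sp.example.test/openid/return"          # this RP's own return URL
ASSOCIATIONS = {"assoc-demo-1": bytes(range(32))}            # assoc_handle -> shared MAC key
# Pairing table from step 8: claimed OpenID URI -> local account at the service provider.
PAIRED_ACCOUNTS = {"https://openid.example-operator.test/u/alice": "alice"}
seen_nonces: set[str] = set()  # a production RP would also expire old nonces by timestamp

SIGNED_FIELDS = ["op_endpoint", "return_to", "response_nonce",
                 "assoc_handle", "claimed_id", "identity"]


def kv_form(params: dict[str, str], signed: list[str]) -> bytes:
    """OpenID 2.0 section 6.1: key-value form of the signed fields, in openid.signed order."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode()


def sign(params: dict[str, str], signed: list[str], mac_key: bytes) -> str:
    """HMAC-SHA256 over the key-value form, base64 encoded (HMAC-SHA256 association)."""
    mac = hmac.new(mac_key, kv_form(params, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def op_build_assertion(claimed_id: str, nonce: str, handle: str = "assoc-demo-1") -> dict[str, str]:
    """What the OpenID provider sends back (step 7); used here to construct sample input."""
    p = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.op_endpoint": OP_ENDPOINT, "openid.return_to": RETURN_TO,
         "openid.response_nonce": nonce, "openid.assoc_handle": handle,
         "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
         "openid.signed": ",".join(SIGNED_FIELDS)}
    p["openid.sig"] = sign(p, SIGNED_FIELDS, ASSOCIATIONS[handle])
    return p


def verify_assertion(params: dict[str, str]) -> Optional[str]:
    """Relying-party check of a positive assertion. Returns the local username for a
    valid, paired assertion; None if the assertion is invalid, replayed or unpaired."""
    if params.get("openid.mode") != "id_res":
        return None
    if params.get("openid.op_endpoint") != OP_ENDPOINT:  # must be the OP we discovered
        return None
    if params.get("openid.return_to") != RETURN_TO:      # assertion was meant for us
        return None
    mac_key = ASSOCIATIONS.get(params.get("openid.assoc_handle", ""))
    if mac_key is None:  # unknown handle: would need check_authentication with the OP
        return None
    signed = params.get("openid.signed", "").split(",")
    if not set(SIGNED_FIELDS) <= set(signed):  # an unsigned identity field proves nothing
        return None
    try:
        expected_sig = sign(params, signed, mac_key)
    except KeyError:  # a field listed in openid.signed is missing
        return None
    if not hmac.compare_digest(expected_sig, params.get("openid.sig", "")):
        return None
    nonce = params["openid.response_nonce"]
    if nonce in seen_nonces:  # same assertion presented twice: replay
        return None
    seen_nonces.add(nonce)
    return PAIRED_ACCOUNTS.get(params["openid.claimed_id"])  # None -> start pairing flow
```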


Figure 5. Logon sequence when using SIM and OpenID

C. Alternative architecture for unified service support

To support services other than Web-based ones, an alternative service architecture has been devised which ensures that, in theory, any type of service client is able to exploit the SIM authentication. One example where this is required is services realised with Widget technology (see [9] for an example developed in the Mobicome project), e.g. using Google Gadgets or Mac OS X Dashboard widgets. In this case, OpenID can still be used for identity management and the SIM for authentication. The architecture is depicted in Figure 6. The same architecture can be used for SIP and IMS authentication as well, and these solutions are currently being studied in the Mobicome project.

Figure 6. Alternative architecture for standalone clients

V. EVALUATION OF USER-PERCEPTION

The degree of acceptance of an authentication solution depends, among other things, on the degree of impediment it causes to its users. While a fast and smooth login procedure might be considered not disturbing at all, a slow or cumbersome procedure might frustrate or frighten off users. Against this background, we have evaluated user perception of the proposed security solution. In particular, we have measured authentication times and user reactions to them. So far, we can say that in most cases the authentication times stay within well-accepted limits.

The experiments were performed in Karlskrona, Sweden, connecting to the OpenID server in Oslo, Norway, which makes them closer to a real scenario than a normal laboratory environment. 30 users with varying background experience logged into the location-based community and media sharing service myGeolog (http://www.mygeolog.com) using OpenID, five times each. For each login trial they provided feedback according to the Mean Opinion Score (MOS) scale, with 5 = excellent; 4 = good; 3 = fair; 2 = poor; and 1 = bad. Furthermore, the response times, which were found to lie between 0.96 s and 1.76 s, were recorded at the level of the user interface.

From the results, which are visualised in Figure 7, we can see that the user rankings are high, with an average of 4.8, a median of 5, and a standard deviation of 0.49. Thus, the results show that the users are very happy with their login experience.

Figure 7. User-perception of SIM+OpenID solution

VI. DISCUSSION OF PROPOSAL

This section is divided into two parts. First, a discussion of the technological challenges, feasibility and limitations of the proposed solution is provided. Second, a discussion of the business opportunities arising from the proposed solution is given.

A. Remarks on the technical implementation

The feasibility of the proposed solution is proven by the already existing implementation. However, most solutions have some compromises and limitations.

As mentioned, the proposed solution can operate in two modes: either using a USB dongle with an on-board SIM reader, or by accessing the SIM through the cellular phone using Bluetooth. Access to the SIM through Bluetooth, however, requires the mobile phone in question to support some specific Bluetooth protocols, and not all existing terminals do. Most recent phones from the major manufacturers do include support for this.

Authentication is performed by utilising Java Applet technology in Web-browsers, and although established and well-proven, there are challenges getting this to work in all Web-browsers on all platforms.


SSL/TLS should be used for all HTTP communication to further limit the possibility of eavesdropping, although the protocols used should not expose any information that can be used to break the security of the solution.

B. Business opportunities

The business opportunities for the previously described service architecture closely resemble those of existing Content Provider Access (CPA) [10] approaches. Basically, three different models are identified, which differ in both the business and the technical relationships among the stakeholders:

1) SP as IdP

In this case (Figure 8), the service provider takes care of identity management, but is provided access to the mobile network operator’s authentication service. Thus, identity management is performed on a per service basis, and some of the benefits of the proposal are lost. In this situation, each service provider establishes a business and technological relationship with the mobile network operator.

Figure 8. Stakeholder relationships and responsibilities in model 1

2) Operator as IdP

In this case (Figure 9), the mobile network operator assumes the role of identity provider and takes care of identity management for several service providers. In this situation, several different service providers may establish circles-of-trust (CoT), thus enabling single-sign-on among them. Each service provider is required to establish both business and technological relationships with the mobile network operator.

3) 3rd party IdP

The last model (Figure 10) introduces a new stakeholder, namely a 3rd party identity provider. This stakeholder assumes the role of a mediator between the service providers and the mobile network operator. Each service provider must establish both business and technological relationships with the identity provider; only the identity provider establishes business and technological relationships with the mobile network operator(s).

Figure 9. Stakeholder relationships and responsibilities in model 2

Figure 10. Stakeholder relationships and responsibilities in model 3

C. Discussion of business opportunity models

Model #3 promotes an open innovation [11] strategy that has many similarities to the existing CPA models [12]. One of the benefits of this model is that the identity provider can establish relationships with several operators, and thus support identity management and authentication for “all” users of “all” the service providers connected to the IdP. To expect all service providers to achieve this (or even to want to) is close to utopian. Instead, the model creates a win-win situation for all 3 stakeholders by:

- Service Providers: Reducing the complexity of establishing user-friendly security at service provider sites, increasing the registration rate, and increasing the returning-customer rate and user loyalty. They can keep their focus on the service they provide, instead of spending vast amounts of resources on improving the security architecture.

- Identity Providers: Introducing new business opportunities to the identity provider, enabling it to differentiate from competitors, and to propose different business models according to service provider requirements.

- Mobile Network Operators: Introducing new revenue sources, building on other companies’ expertise, services and technology while exploiting unique infrastructures and assets through an open innovation strategy.

VII. CONCLUSION AND FUTURE WORK

This paper presented a novel architecture facilitating OpenID identity management using SIM and GSM functionality for authentication. The solution improves existing identity management solutions by complementing them with stronger, user-friendly authentication, and at the same time provides an opportunity for mobile network operators to capitalise on their most unique asset, namely the U/SIM card. The architecture has been studied through the Mobicome research project, and has been implemented and tested both with respect to technical feasibility and with regard to usability. Some preliminary results from a user perception study were provided.

If mobile network operators are looking for new sources of revenue with limited investment and quick and easy access to large volumes of users, the proposed solution should be further investigated and different business models should be considered, as the solution meets all these requirements. MNOs should at least position themselves with regard to the identity management role, as this is going to be one of the most important roles in the future market for services in the Internet cloud, and probably also one of the keys to attracting users given the increased focus on identity theft and fraud, privacy and security in general. In the continuation of the Mobicome project, solutions for the use of the U/SIM for other services such as IETF SIP will be designed and implemented.

REFERENCES

[1] S. Cantor, et al. (ed.), “Assertion and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0”, OASIS Standard, 15 March 2005, online: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

[2] T. Wason (ed.), “Liberty ID-FF Architecture Overview”, Liberty Alliance Project, online: http://www.projectliberty.org/resource_center/specifications/liberty_alliance_id_ff_1_2_specifications

[3] Microsoft, “Windows CardSpace”, online: http://en.wikipedia.org/wiki/Windows_CardSpace

[4] Higgins Open Source Identity Framework, “Higgins Overview”, online: http://www.eclipse.org/higgins/

[5] OpenID community, “OpenID Authentication 2.0”, online: http://openid.net/specs/openid-authentication-2_0.html

[6] A. M. Hagalisletto, & A. Riiber, “Using the mobile phone in two-factor authentication”, First International Conference on Security for Spontaneous Interaction (IWSSI), Innsbruck, Austria, September 2007, online: http://www.encap.no/admin/userfiles/file/iwssi2007-05.pdf

[7] S. Dispensa, “Tokenless Two-Factor Authentication: It Finally Adds Up”, PhoneFactor, white paper, online: http://www.phonefactor.com/wp-content/pdfs/PhoneFactor-WhitePaper.pdf

[8] IETF, H. Haverinen & J. Salowey, (ed.), “Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM)”, IETF, January 2006

[9] T. V. Do, et al. (2009), “Personalised Dynamic IMS Client using Widgets”, joint white paper by Telenor, Linus, Ubisafe and Oslo University College, presented at the Mobile World Congress 2009 in Barcelona

[10] “Telco 2.0 Case Study: Telenor CPA”, http://www.telco2.net/blog/2008/06/telco_20_case_study_telenor_cp.html

[11] H. Chesbrough, (2006), “Open Business Models”, Harvard Business School Press, ISBN: 1-4221-0427-3

[12] P. J. Nesse (2008), “Open service innovation in telecom industry – case study of partnership models enabling 3rd party development of novel mobile services”, ICIN 2008, 20-23 October 2008, Bordeaux, France