Single Sign-On Authentication
Abhisek Maity
1st author's affiliation
1st line of address
Flat num
9051522671, +91
abhisekmaity30@gmail.com
ABSTRACT
A system that has become common in various tech and non-tech
firms, single sign-on authentication is required now more than
ever. The increasing usage of cloud apps and services in
industries has created a unique fragmentation issue. It is a
challenge that the IT department of the organization has to deal
with. Multiple login IDs and passwords are the primary target
for cybercriminals. The report deals with the way single sign-on
is helping to deal with the fragmentation issue thus solving
security problems. It is also helping organizations to improve
employee productivity and regulatory compliance. However, the
method has its set of disadvantages. The effectiveness of the
system as an authentication structure is analyzed along with a
review of its advantages and disadvantages. The report critically
reviews the limitations of the method including high stakes
involved in case of system breach. A research paper which
analyses the integration of multifactor authentication with a
convention SSO, has been extensively discussed. The viability
of the method has been reviewed along with examples where the
method has been pilot tested in industries. Limitations posed by
the current single sign-on authentication system is still a
challenge for IT. The report reviews few approaches that might
be effective in resolving the issue.
General Terms
OpenID authentication, Multifactor authentication, OAuth 2.0
framework
Keywords
SSO, OTP, Identity Paper (IDP), Relying Party (RP),
authorization, authentication
1. INTRODUCTION
With the ongoing trends of digitisation, it has become important
for organisations to develop innovative methods to improve
security of systems. Employees in an organisation often get
access to multiple portals for various purposes. Each of these
portals are protected by a user log in and password. Single Sign-
On is an authentication system which has become common in
several enterprises. It allows the user to access multiple
accounts with a single set of credentials. Thus, it avoids the need
to remember separate passwords. In other words, the system
works as an identity provider to the user for access to separate
portals. There are other benefits for users interacting with single
sign-on. Apart from convenience, there is transparency. One
knows what is being shared from system to system. The
productivity of the employees increases as a result of increase in
speed. Users don’t have to go through separate sign-in and
authorization process. For businesses, it means avoiding the
tussle of resetting people’s password too frequently, meaning
less work at the back end.
2. CRITICAL ANALYSIS OF
EXISTING LITERATURE
Let us consider a shopping website such as Amazon offers login
through a social media platform such as Facebook. This kind of
arrangement is referred to as a web SSO which is widely used
nowadays to enhance overall user experience. A web SSO
system works through interaction between three parties the
entity providing ID, the user and the relying party.
Researches have been conducted in the authentication
community on SSO. The objective of all these studies has been
to formulate methods to find protocol flaws. There is lack of
prior work though on commercially deployed web SSO systems.
There are challenges associated with analyzing the security of
commercially deployed SSO systems. This is on account of the
fact that the systems don’t publish specifications of their
operations, also their codes are not accessible to the public.
Thus, web traffic is the only way left. This information though
is also visible to adversaries. This makes the analysis more
realistic.
2.1 MULTIFACTOR
AUTHENTICATION
Multifactor authentication has been a subject in most of these
studies. The system enhances the security of the basic
authentication system by using two or more authentication
factor. More number of factors gives way to more confidence.
There are numerous multifactor methods that are available. A
research paper published in 2018 (Sciarretta et al., 2018)
focusses on integrating a PIN code with OTP generation process
using an OTP generating software. The main algorithms
available for generating OTP are
Time synchronization where OTP generation process initiates
from shared secret key (seed). Identity providers are required to
authenticate this value. When OTPs lie within a defined range,
they are accepted.
Lamport’s algorithm where OTP generation begins from a seed
value and each OTP value is based on the preceding value. If s
is a seed value and F(x) a one way function, o1 = s, o2 = F(o1 ),
o3 = F(o2 ),... on = F(on−1 ) will be the OTPs with the last one
being stored on the identity provider. on-1 is sent to the server,
when a user wants to login, subsequently a function F is applied
by the server to verify whether it corresponds to the value
stored. If they do, the identity authenticates the user and the
stored value is updated with on-1. The user will need to use on-2
next and so on. After n logins, a new value will have to be
calculated.
A mobile identity management solution mID(OTP) is used for
multifactor authentication and manage identities for native
mobile apps. Three phases are there: registration, activation and
exploitation. The whole process is based on assumptions which
can be classified into strong and weak. Strong assumption
includes i) trust assumption which states that identity providers
are trusted by service providers and ii) communication
assumptions between the different elements. Activation
assumption which assumes that activation phases will be free
from phishing attacks. Weak Assumptions include background
assumptions which assumes that integrity of data stored in the
device is maintained and no surveillance softwares are there in
the device capable of spying on the user. The second weak
assumption is assumption related to user behavior which states
that the user will be rational and enter the correct OTPs into the
correct app. The behavior of an intruder who is capable of
overhearing and modifying messages has been inculcated into
the system. The main goal is to see whether having a limited
number of protocol sessions while ensuring thar anticipated
results are produced. Irrespective of the intrusion, security
objectives are met. In order to achieve this, a state of the art
model checker (SATMC) is used to create a formal model for
security protocols. The following analyses were carried out: by
removing just one of the strong assumptions, there is a violation
of the security goal. With removal of one of the weak
assumptions, SATMC does not find any attack. Removing
specific subsets of weak assumption also leads to compromising
the security goal.
2.2 THE OAuth 2.0 AUTHORIZATION
FRAMEWORK
The parties involved in this framework include a resource owner
who provides access to a protected resource. A client which is
an application that demands for the protected resource on behalf
of the resource owner. An authorization server which
authenticates the resource owner and subsequently issuing
access tokens to client. The final component is a resource server
which issues accepts and responds to requests for the protected
resource.
In a conventional authentication model, the client demands a
protected source on the server using the resource owner’s
credentials. However, this causes several issues including
obligation on the part of third-party applications to store the
client’s details, usually a password in text format. The third
parties cannot restrict the duration and any breach at their end
compromises the user’s password.
The OAuth framework resolves these issues by creating a rift
between the roles of the resource owner and the client (Sciaretta
et al., 2018) Rather than using the credentials of the identity
provider’s credentials, access tokens are used by the client
through an authorization process. These tokens are credentials
which are used for accessing the resource.
Figure 1: Protocol flow
Figure 1 shows the interaction that takes place between the
parties involved in the framework. The process is however,
more of a delegation protocol or an authorization protocol.
There’s some difference between authentication and
authorization. Authentication is the process of verifying the
identity of a user while authorization verifies what the user is
permitted to do. The access tokens which are issued by the
server do not represent a user, rather it is a kind of access
provided to the client by the resource owner. Access token may
contain anything and it is not necessary that the client
application will be able to decipher everything. Also, the client
application may not be able to match th received token to the
request of the client, since it is not the intended audience for the
tokens. When a token is stole, the perpetrator can gain access to
the protected resource. A vulnerability related to authorization
code type is now being shared. When a few client applications
allowed clients to gain access using their google accounts.
Hence, when the client was redirected to SSO, the button to
login through google account was added to the login page.
However, when they were redirected from other clients, the
button was not there. The reason for this is that the other group
were unaware that login through google account was possible
and hence they did not verify the authorization code
accordingly. The code was just used to obtain tokens. Hence,
this created a weak point for the attacker to exploit.
2.3 OPENID SSO
OpenID is an open form of web single sign-on authentication
system. Developed in 2005 by Brad Fritzpatrick, it was used to
avoid spamming of comments on online articles. When an
individual drops a comment, he would need to share the link to
his blog. Subsequently, the website would perform a verification
process to ensure that comment is from the owner of the blog.
Here, the parties involved are relaying party (RP) and openID
provider (OP).
A user would enter his openID when he wants to access the RP.
Using the code, RP searches for parameters in order to initiate
the authentication process. Using OP endpoint URL, RP forms
and interlink between the parties. RP redirects the user to OP.
OP then verifies whether authentication is already done for the
user, if not the user is redirected to RP. The RP finally
completes the authorization process and performs local
authorizations if there is a need. The system provides basic
information about the user avoiding the need to note down the
same every time. However, the system is vulnerable to phishing
attacks like other systems. It allows user authentication without
taking on the burden of keeping and managing passwords in the
face of a large number of persons attempting to get access to
your users' accounts for personal benefit. (Zakaria et al., 2018)
Figure 2: OpenID authentication steps
3. OVERCOMING DRAWBACKS
So far in this report, vulnerabilities or some other form of
limitation has been observed with each method. Continuous and
transparent authentication systems have potential to resolve the
issue. The user identity is verified in a periodic manner using
biometrics without meddling with normal interaction of the user.
Studies have been conducted on Transparent Authentication
Systems (TAS).
Multimodal authentication system is subdivided into
physiological multimodal systems, hybrid, distributed
multimodal systems; and web- and cloud-based multimodal
systems.
Physiological multimodal systems use a combination of 2 traits
from facial features and fingerprint. Behavioral multimodal
systems include voice recognition of mobile phones. (Laka and
Mazurczyk, 2018). However, in order to deal with the
operational complications involved in both the methods,
researchers began to study hybrid multimodal systems. In
research conducted in 2019 (Altinok and Turk, 2019) researched
with facial recognition, voice verification and fingerprint. All
the three features were integrated when it was necessary. The
outcome would be a higher trust level which varied depending
on the interval from the timeline of last captured modalities
samples. In another report (Clark et al., 2018) a mobile non-
intrusive and continuous authentication was analyzed using
biometrics existing on the device. An interesting characteristic
of this was that it was planned to align the level of confidence of
the valid user to user privileges.
4. Conclusion
Verification the identity of an individual for any form of digital
service has become imperative to safeguard against cyber
criminals. Most of the authentication systems are effective at the
point at the entry, that is they function only at the point of entry.
Drawbacks associated with various forms of single sign-on
authentication method include lack of transparency, scalability,
interoperability and poor performance. Hence, there is a need to
develop innovative and robust mechanism to substitute existing
methods. The emergence of AI, machine learning and other
advanced tools has given way to a wide range of possibilities.
Effective utilizing fingerprint, facial features or other gestures
will prove an effective alternative form of authentication.
Hence, there is a need for further research in the concerned area.
5. REFERENCES
[1] Sciarretta, G., Carbone, R., Ranise, S. and Viganò, L.,
2018, April. Design, formal specification and analysis of
multi-factor authentication solutions with a single sign-on
experience. In International Conference on Principles of
Security and Trust (pp. 188-213). Springer, Cham.
[2] Hossain, N., Hossain, M.A., Hossain, M.Z., Sohag, M.H.I.
and Rahman, S., 2018, August. OAuth-SSO: a framework
to secure the OAuth-based SSO service for packaged web
applications. In 2018 17th IEEE International Conference
On Trust, Security And Privacy In Computing And
Communications/12th IEEE International Conference On
Big Data Science And Engineering
(TrustCom/BigDataSE) (pp. 1575-1578). IEEE.
[3] 2022. [online] Available at:
<https://www.mckinsey.com/industries/paper-forest-
products-and-packaging/our-insights/the-drive-toward-
sustainability-in-packaging-beyond-the-quick-wins>
[Accessed 9 January 2022].
[4] 2022. [online] Available at:
<https://www.mckinsey.com/industries/paper-forest-
products-and-packaging/our-insights/the-drive-toward-
sustainability-in-packaging-beyond-the-quick-wins>
[Accessed 9 January 2022].
[5] 2022. [online] Available at:
<https://www.mckinsey.com/industries/paper-forest-
products-and-packaging/our-insights/the-drive-toward-
sustainability-in-packaging-beyond-the-quick-wins>
[Accessed 9 January 2022].
[6] Zakaria, N.H., Zainul, M.F., Katuk, N., Tahir, H.M. and
Omar, M.N., 2018. An evaluation of page token in OpenID
Single Sign on (SSO) to thwart phishing attack. Journal of
Telecommunication, Electronic and Computer Engineering
(JTEC), 10(1-11), pp.19-23.
[7] Laka, P. and Mazurczyk, W., 2018. User perspective and
security of a new mobile authentication
method. Telecommunication Systems, 69(3), pp.365-379.
[8] Oh, I., Lee, K., Lee, S.Y., Do, K., beom Ahn, H. and Yim,
K., 2018, July. Vulnerability analysis on the image-based
authentication through the PS/2 interface. In International
Conference on Innovative Mobile and Internet Services in
Ubiquitous Computing (pp. 212-219). Springer, Cham.