A single sign-on authentication framework for security-critical Web applications

Abstract

As more organisations move their applications to the web, the need for secure authentication methods for security-critical applications is increasing rapidly. At the same time, many organisations cannot afford to develop their own strong authentication mechanisms and sometimes end up developing systems vulnerable to security flaws inherited from the complexity of web development technologies. In the first chapter of this report we introduce the reader to web application security with special emphasis on authentication-related issues. We show how password-based systems could easily be vulnerable to identity theft, and we also highlight common mistakes in web application development that lead to serious security issues. We produce a set of guidelines that help web developers write and test secure web applications. After stressing the need for strong authentication mechanisms to access our sensitive information online, we proceed to introduce IdentiLink - the framework developed for this final year project. IdentiLink attempts to make it easy for organisations to implement strong authentication on their web applications. The framework implements multi-factor authentication by delivering one-time passwords via SMS, taking advantage of the widespread use of mobile phones and the strong security built into GSM SIM Cards. It also implements a single sign-on mechanism that allows users to be authenticated simultaneously with a single profile across multiple affiliated Service Providers. On the other hand, web site owners can plug-in strong authentication with no programming at all. IdentiLink implements a consent-driven infrastructure, based on secure web-services, for sharing user profile attributes, with the user being in full control of which organisations have access to which data. The framework is also extensible, allowing management and reporting applications to be built on top of it.