• DocumentCode
    2899686
  • Title

    Design and Evaluation of an Architecture for Ubiquitous User Authentication Based on Identity Management Systems

  • Author

    Barisch, Marc

  • Author_Institution
    Inst. of Commun. Networks & Comput. Eng., Univ. of Stuttgart, Stuttgart, Germany
  • fYear
    2011
  • fDate
    16-18 Nov. 2011
  • Firstpage
    863
  • Lastpage
    872
  • Abstract
    Nowadays, users consume digital services with their digital identities on a multitude of different devices, e.g. notebooks, smartphones or even TV sets. Hereby, users are faced with additional challenges, i.e., devices have different security levels and not all digital identities must be used on all devices. Identities used for home banking should not be used on an insecure device and business identities should only be used on business devices. Moreover, it should be possible to switch between devices in a seamless way without the need to reauthenticate again on each device. Therefore, we propose an architecture that integrates all user devices and exploits identity management systems for ubiquitous user authentication. The proposed architecture improves usability by reducing the number of manual authentication procedures, by relaying authentication to devices with appropriate input capabilities and by supporting the user in identity selection. Security is improved by the possibility to perform authentication on secure devices, the provisioning of short-lived tokens to insecure devices and the opportunity to perform multifactor authentication across devices. Our implementation is based on the Shibboleth IdM system and serves as proof-of-concept of our architecture. The conducted security evaluation confirms that our concept does not introduce additional security threats.
  • Keywords
    authorisation; computer network security; home banking; ubiquitous computing; Shibboleth IdM system; business devices; business identities; digital identity; digital services; home banking; identity management systems; identity selection; insecure device; multifactor authentication; reauthentication; ubiquitous user authentication architecture design; ubiquitous user authentication architecture evaluation; Authentication; Business; Context; Protocols; Smart phones; Usability; Digital Identity; Identity Management; Session Management; Ubiquitous authentication; Virtual Device;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Trust, Security and Privacy in Computing and Communications (TrustCom), 2011 IEEE 10th International Conference on
  • Conference_Location
    Changsha
  • Print_ISBN
    978-1-4577-2135-9
  • Type

    conf

  • DOI
    10.1109/TrustCom.2011.116
  • Filename
    6120909