Multi-factor authentication in Shibboleth identity providers
Abstract
The federated identity management model is a solution to the proliferation of access credentials, such as passwords. However, an attacker need only discover one password to impersonate the user at every federated service provider. Multi-factor authentication emerges as a way to increase the robustness of the authentication process. This work presents a comprehensive, open-source solution for offering multi-factor authentication to all users of a Shibboleth Identity Provider.
