Anatomy of the Facebook solution for mobile single sign-on: Security assessment and improvements

“…As identified in [6], the two requirements that we expect for a native SSO solution are: (i) the IdP user credentials can be used to gain access to several SP C apps-this implies that a User does not need to have credentials with a SP C to access it; (ii) if a User has already a login session with an IdP S , then she can access new SP C apps without re-entering her IdP credentials-only the User consent is required.…”

“…As the S steps can vary depending on the choices of the SP developers, in our analysis, we will focus on the A steps. Compared to the protocol flow proposed in [6], we have enhanced its security by adding the generation, exchange and validation of OTPs. For example, the OTP extension protects mainly against a stolen smartphone.…”

“…In this section, we present a mobile identity management solution that augments the security of the native SSO solution proposed in [6] by adding a multi-factor authentication based on the generation of OTPs. We called it mID(OTP) to highlight the dual goal that our solution pursued: (i) to establish a multi-factor authentication and (ii) to manage identities for native mobile apps, e.g., providing a SSO service.…”

“…In addition to the procedure described in [6]-user login and release of a token (token IdP ) used (from here on) to identify the user session in place of the user credentials-at the end of the activation phase the IDOTP is configured to generate OTPs, usually requiring the creation of a PIN code for the future interactions.…”

“…For the security assumptions and the design of a native SSO solution, our work is based on [6,7]. In this previous work, we presented a solution for native SSO and performed a semi-formal security analysis.…”

Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience

“…As identified in [6], the two requirements that we expect for a native SSO solution are: (i) the IdP user credentials can be used to gain access to several SP C apps-this implies that a User does not need to have credentials with a SP C to access it; (ii) if a User has already a login session with an IdP S , then she can access new SP C apps without re-entering her IdP credentials-only the User consent is required.…”

“…As the S steps can vary depending on the choices of the SP developers, in our analysis, we will focus on the A steps. Compared to the protocol flow proposed in [6], we have enhanced its security by adding the generation, exchange and validation of OTPs. For example, the OTP extension protects mainly against a stolen smartphone.…”

“…In this section, we present a mobile identity management solution that augments the security of the native SSO solution proposed in [6] by adding a multi-factor authentication based on the generation of OTPs. We called it mID(OTP) to highlight the dual goal that our solution pursued: (i) to establish a multi-factor authentication and (ii) to manage identities for native mobile apps, e.g., providing a SSO service.…”

“…In addition to the procedure described in [6]-user login and release of a token (token IdP ) used (from here on) to identify the user session in place of the user credentials-at the end of the activation phase the IDOTP is configured to generate OTPs, usually requiring the creation of a PIN code for the future interactions.…”

“…For the security assumptions and the design of a native SSO solution, our work is based on [6,7]. In this previous work, we presented a solution for native SSO and performed a semi-formal security analysis.…”

Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience

Analyzing Security and Privacy in Design and Implementation of Web Authentication Protocols

Understanding and mitigating OpenID Connect threats