Using a Smartphone to Access Personalized Web Services on a Workstation

“…Using this identifier, the relying party carries out a discovery, the result of which is the identity provider's URL (2). Next, a session is established between the relying party and the identity provider (3). The association that OpenID provides here, is insufficient.…”

“…In addition, since an OpenID account is used for single sign-on, a permanently authenticated session with the identity provider is not uncommon. If the latter does not implement proper user authorisation, cross-site request forgery (CSRF) allows an attacker 3 to authenticate to other relying parties on behalf of the user [4,1]. Once logged in, further exploitation could allow the adversary to perform privileged actions.…”

“…Identifiable, pseudonymous as well as (accountable) anonymous transactions are supported. Standalone mobile use of this architecture was previously validated by Boukayoua et al [3]. However, real-life use requires an approach that is more interoperable with existing infrastructure.…”

“…https://www.myopenid.com3 This can be a malicious website or an attacker infecting a trusted website 4. To avoid confusion, claim-based identity providers are referred to as claim providers.…”

Making OpenID Mobile and Privacy-Friendly

“…Using this identifier, the relying party carries out a discovery, the result of which is the identity provider's URL (2). Next, a session is established between the relying party and the identity provider (3). The association that OpenID provides here, is insufficient.…”

“…In addition, since an OpenID account is used for single sign-on, a permanently authenticated session with the identity provider is not uncommon. If the latter does not implement proper user authorisation, cross-site request forgery (CSRF) allows an attacker 3 to authenticate to other relying parties on behalf of the user [4,1]. Once logged in, further exploitation could allow the adversary to perform privileged actions.…”

“…Identifiable, pseudonymous as well as (accountable) anonymous transactions are supported. Standalone mobile use of this architecture was previously validated by Boukayoua et al [3]. However, real-life use requires an approach that is more interoperable with existing infrastructure.…”

“…https://www.myopenid.com3 This can be a malicious website or an attacker infecting a trusted website 4. To avoid confusion, claim-based identity providers are referred to as claim providers.…”

Making OpenID Mobile and Privacy-Friendly

Out-of-Band Password Based Authentication towards Web Services