Bluetooth SSO: Single Sign-On with the Mobile Telephone and Context Authorization

How many times a day do we have to enter our password? When we want to unlock the operating system session, access a protected application, authenticate from a different computer... The mobile phone can become our ally in avoiding this inconvenience while also increasing system security.

For many, mobile phones have become an essential tool for communication and personal organization, mainly at work but also for personal use. As we nearly always have our mobiles with us, we can make use of their capacity for storage, processing and interacting with other devices to help us with repetitive but necessary tasks, such as authentication.

To do this, Safelayer has developed the Bluetooth SSO experimental authentication mechanism, which uses Bluetooth communication between a mobile and another device (normally a PC) to speed up the identification of users. But these are not the only benefits of the mobile: its capacity for collecting context information on the user can also be harnessed to improve authorization processes.

Bluetooth SSO is aimed especially at business environments, in which the users normally access a defined set of corporate services and applications (email, document servers, management tools, etc.), and the devices are supervised by a system administrator, which means the devices in the network can be considered trusted devices.

Bluetooth SSO has been implemented for mobile devices with the Android operating system.

Single Sign-On

Bluetooth SSO allows users to access several corporate web applications from different devices, authenticating only once using the application installed in their mobile phones. The process is as follows: users run the application in their mobiles and authenticate; then, when they approach any of the PCs in the trusted network, they only have to confirm that they want to open a web session in that PC. In addition, this new session assumes the status of the previous session, even when it was held on another PC.

To be able to use this experimental authentication mechanism, each machine in the trusted network must have a Bluetooth interface and must run a small agent that manages the connections from mobile phones.

As well as increasing user convenience, Bluetooth SSO raises the level of security compared with other authentication mechanisms, such as the traditional username and password combination. With Bluetooth SSO, the user's password is never sent in the communication between the application and the authentication server because one-time passwords (OTP) are used, and a new OTP is generated for each authentication session. This prevents an attacker who intercepts the exchange from reusing a user's credential.
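The OTP property described above (the long-term secret never travels, and a captured code is useless a second time) is illustrated by the following Python example. It is an added example, not Safelayer's code and not a description of the Bluetooth SSO wire protocol; it assumes an HMAC-based OTP (RFC 4226 HOTP), a secret shared between the phone application and the authentication server at enrolment, and a small look-ahead window on the server side. The `PhoneApp`, `AuthServer` and `demo` names and the demo secret are constructed for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a fixed number of decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class PhoneApp:
    """Phone side (constructed): holds the shared secret and a counter and
    emits a fresh OTP for every authentication."""

    def __init__(self, secret: bytes):
        self._secret = secret      # never leaves the phone
        self._counter = 0

    def authenticate(self, user: str) -> dict:
        # Constructed wire message: only the user name and the OTP travel.
        message = {"user": user, "otp": hotp(self._secret, self._counter)}
        self._counter += 1
        return message


class AuthServer:
    """Server side (constructed): knows the same secret per user and the next
    counter it will accept, so a captured OTP cannot be replayed."""

    def __init__(self, secrets: dict, look_ahead: int = 5):
        self._secrets = secrets                      # user -> shared secret
        self._next_counter = {u: 0 for u in secrets}
        self._look_ahead = look_ahead                # tolerate a few phone-side increments

    def verify(self, message: dict) -> bool:
        user, otp = message["user"], message["otp"]
        if user not in self._secrets:
            return False
        start = self._next_counter[user]
        for counter in range(start, start + self._look_ahead):
            if hmac.compare_digest(hotp(self._secrets[user], counter), otp):
                self._next_counter[user] = counter + 1   # burn this and all earlier OTPs
                return True
        return False


def demo() -> dict:
    """One login, a replay of the captured message, and a second login."""
    secret = b"constructed-demo-secret-not-for-real-use"   # assumed enrolment secret
    phone = PhoneApp(secret)
    server = AuthServer({"alice": secret})

    first = phone.authenticate("alice")
    accepted = server.verify(first)
    replayed = server.verify(first)          # the same captured message, sent again
    second_accepted = server.verify(phone.authenticate("alice"))

    return {
        "first_accepted": accepted,
        "replay_rejected": not replayed,
        "second_accepted": second_accepted,
        "secret_on_wire": secret.decode() in first.values(),
    }


if __name__ == "__main__":
    print(demo())
```

The server advances its stored counter past every accepted code, which is what makes the second `verify` of the same message fail; the look-ahead window only exists so that an OTP the phone generated but never delivered does not lock the user out permanently.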

Context Authorization

As well as entailing an authentication process in which the user's identity is validated, controlling access to applications and resources consists of verifying that users meet certain conditions before an access request is allowed or denied. These conditions are usually rules that check certain constant user attributes, such as the user's role or privilege level. In many scenarios, however, it can be critical that other, far more changeable characteristics influenced by the environment are also taken into account in authorization processes.

The mobile phone's advanced functionality makes it the ideal device for compiling user context information. For this reason, Bluetooth SSO also supports capturing additional information on the authorization context (e.g., the location of the user or whether the telephone belongs to the company). This process is transparent to the user, i.e., it is carried out in the background without affecting other functionality.

The use case implemented by Bluetooth SSO is the digital signing of a document in which multiple signers intervene. The users authenticate in the web portal with the application installed in their mobiles and can only sign the document if certain environmental conditions are met, such as being at a given location or connected to a secure network or having the latest version of the operating system.
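As an added illustration of the authorization check described in this section (not part of the original article and not Safelayer's code), the following Python evaluates a signing policy that combines a constant attribute (the user's role) with changeable context conditions reported by the phone (location, secure network, OS version, company ownership), and additionally refuses context reports that are too old. The field set, the policy values, the reason codes and the freshness rule are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ContextReport:
    """Context collected by the phone application and sent with the request.
    Constructed field set; the article only names location, network,
    OS version and company ownership as examples."""
    user: str
    role: str                 # constant attribute (from the directory)
    location: str             # changeable: where the phone currently is
    network_secure: bool      # changeable: on a corporate or VPN network
    os_version: tuple         # changeable: e.g. (2, 2) for Android 2.2
    company_device: bool      # does the phone belong to the company?
    reported_at: datetime     # when the phone captured this context


@dataclass(frozen=True)
class SigningPolicy:
    allowed_roles: frozenset
    allowed_locations: frozenset
    min_os_version: tuple
    require_secure_network: bool = True
    require_company_device: bool = True
    max_report_age: timedelta = timedelta(minutes=5)   # stale context is refused


def evaluate(policy: SigningPolicy, report: ContextReport, now: datetime) -> tuple:
    """Return (allowed, reasons). Every failing rule is listed so the denial
    can be logged and explained; the decision is the AND of all rules."""
    reasons = []
    # Static rule: the user's role, as in a classic authorization check.
    if report.role not in policy.allowed_roles:
        reasons.append("role")
    # Context rules: conditions that change with the user's environment.
    if report.location not in policy.allowed_locations:
        reasons.append("location")
    if policy.require_secure_network and not report.network_secure:
        reasons.append("network")
    if report.os_version < policy.min_os_version:
        reasons.append("os_version")
    if policy.require_company_device and not report.company_device:
        reasons.append("device")
    # Freshness: context captured long ago may no longer describe the user.
    if now - report.reported_at > policy.max_report_age:
        reasons.append("stale_context")
    return (not reasons, reasons)


def demo() -> dict:
    """Three constructed situations for the same user and signing policy."""
    now = datetime(2010, 6, 1, 10, 0, tzinfo=timezone.utc)   # constructed clock
    policy = SigningPolicy(
        allowed_roles=frozenset({"signer"}),
        allowed_locations=frozenset({"HQ-Barcelona"}),
        min_os_version=(2, 2),
    )
    base = dict(user="alice", role="signer", location="HQ-Barcelona",
                network_secure=True, os_version=(2, 3), company_device=True,
                reported_at=now - timedelta(minutes=1))
    at_office = ContextReport(**base)
    on_cafe_wifi = ContextReport(**{**base, "location": "cafe",
                                    "network_secure": False})
    old_report = ContextReport(**{**base, "reported_at": now - timedelta(hours=2)})
    return {
        "at_office": evaluate(policy, at_office, now),
        "on_cafe_wifi": evaluate(policy, on_cafe_wifi, now),
        "old_report": evaluate(policy, old_report, now),
    }


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(name, "ALLOW" if allowed else "DENY", reasons)
```

The decision is only as trustworthy as the context report itself: the evaluator believes what the phone sends, which is why the article restricts the scheme to supervised, trusted corporate devices. Logging the full reason list rather than a bare deny makes it possible to tell a genuinely off-site user from a device whose context collection has broken.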

According to the Spanish National Institute of Statistics (Instituto Nacional de Estadística, Survey on ICT and Electronic Commerce Use in Companies 2008-2009), more than 90% of Spanish companies had a mobile telephone network in 2009; in these, according to the Spanish National Institute of Communication Technologies (Instituto Nacional de Tecnologías de la Comunicación, indicator INT161: Use habits of Bluetooth in the advanced mobile devices of companies), more than 43% of users of advanced mobile phones say they always have Bluetooth activated. Bluetooth SSO aims to take advantage of these new habits to improve ICT security.

The Spanish Ministry for Industry, Tourism and Trade (Ministerio de Industria, Turismo y Comercio) has co-funded this work as part of the SAT2 project, ref. TSI-020100-2008-365 and TSI-020100-2009-374 of the AVANZA I+D sub-program.