This project aims to develop a solution that allows the Brazilian Academic Federation (CAFe) to operate with multiple authentication factors on Shibboleth Identity Providers and translate the federated authentication to physical devices in the Internet of Things (IoT).

Our proposal offers five options for the second authentication factor:

  • Phone prompt – first, the user enters login and password in the IdP (first authentication factor); then the user receives a notification on his/her smartphone (GT-AMPTo App) to confirm that he/she is really trying to authenticate in the IdP.
  • One-Time Password (OTP) – the Time-based One-Time Password (TOTP) standard [RFC 6238] is used by several 2FA solutions, and smartphones have helped its adoption. Smartphone TOTP applications have the advantage that a single application can manage all of a user's TOTP tokens for different institutions.
  • FIDO2 (WebAuthn) – FIDO2 is an industry standard for robust authentication. In this work we chose it to offer a 2FA option that depends neither on a smartphone nor on a 2FA device that needs an Internet connection. Currently, our solution supports only one associated FIDO2 USB key per user account.
  • Biometric Authentication (FIDO UAF) – after the first authentication step, the user proves his/her identity using a biometric authentication app (GT-AMPTo App) on the smartphone. In this authentication process no biometric data is shared; only the authentication confirmation is delivered to the IdP.
  • Backup codes – in our solution, when the user associates a second factor with his/her account, a set of ten disposable codes is generated automatically and the user is invited to print them or save them to a file. Each disposable code can be used only once.


Solutions that rely on a phone prompt, also called a push dialog, aim to increase the robustness of the authentication process with minor impact on usability. This 2FA technology requires a smartphone, and its operation is quite similar to the TOTP scenario: the user receives a notification on his/her smartphone, which opens a prompt with a simple question, "Are you trying to authenticate right now?" (Yes or No). It is more user-friendly than the TOTP solution.

In the IoT scenario, the biometric authentication (FIDO UAF) in the user device is the only authentication factor considered. In this scenario, the user makes use of federated authentication to physically access an environment in an institution that he/she is visiting.


Source code

The source code and the installation instructions are available at https://git.rnp.br/GT-AMPTo/mfap-installation-guide. The source code is released under the Apache License, Version 2.0.

Publications

  • RIBEIRO DE MELLO, E.; SILVA WANGHAM, M.; BRISTOT LOLI, S. et al. Multi-factor authentication for Shibboleth identity providers. Journal of Internet Services and Applications 11, 8 (2020). https://doi.org/10.1186/s13174-020-00128-1. https://rdcu.be/cbzPJ
  • MELLO, E. R.; WANGHAM, M. S.; LOLI, S. B.; SILVA, C. E.; SILVA, G. C. Autenticação multi-fator em provedores de identidade Shibboleth [Multi-factor authentication in Shibboleth identity providers]. In: Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais (SBSeg), 2018, Natal. Anais do Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais (SBSeg). Porto Alegre: SBC, 2018. p. 85-98.
  • SILVA, G. C.; SILVA, C. E.; MELLO, E. R.; WANGHAM, M. S.; LOLI, S. B. Transposição da Autenticação Federada para uma Solução de Controle de Acesso Físico no contexto da Internet das Coisas [Transposing federated authentication to a physical access control solution in the context of the Internet of Things]. In: Salão de Ferramentas do Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais (SBSeg), 2018, Natal. Anais Estendidos do Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais (SBSeg). Porto Alegre: SBC, 2018. p. 73-80.
  • SILVA, G. C.; SILVA, C. E. Uma Proposta de Arquitetura para Autorização Federada com Internet das Coisas [An architecture proposal for federated authorization with the Internet of Things]. In: Workshop de Trabalhos de Iniciação Científica e de Graduação (WTICG) do Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais (SBSeg), 2017, Brasília.

Team

Coordination

Technical Team

  • Bruno Bristot Loli
  • Gabriela Cavalcanti da Silva
  • Samuel Bristot Loli
  • Shirlei Aparecida de Chaves