Increasing Identity Governance when using OpenID: Hosting an OpenID Identity Provider on a smartphone
In the area of identity management, OpenID is an identity system that allows users to log in to OpenID-enabled web sites by proving ownership of an OpenID Identifier, which is done by authenticating with its controlling OpenID Identity Provider. A user can choose to host an OpenID Identity Provider herself or trust in existing third-party providers such as Google. Technical skill is required for the former, leaving it unavailable to the average user.

This thesis simplifies the matter by implementing an OpenID Identity Provider as a smartphone application, making use of the traditional server-like features inherent in such devices. New possibilities for authenticating the user arise as she is enabled to physically interact with the OpenID Identity Provider, an interaction which in the traditional scheme is performed through the web browser. As a result of these new possibilities, phishing attacks are claimed to be avoided and identity attributes are exempted from being controlled and possibly exploited by any third party.

One of several technical challenges is enabling the smartphone to receive inbound connections, as this is required by the OpenID Authentication protocol but restricted by telecom operators by default. Functionality must be in place to back up identity repositories stored on the smartphone in order not to lose possession of the established OpenID identities if the device becomes lost or damaged. Lastly, focus is given to making the solution easily applicable for even the novice consumer.