Security Research Centre, School of Computer and Security Science, Edith Cowan University, Perth, Western Australia
The popularity of the Internet and the variety of services it provides has been immense. Unfortunately, many of these services require the user to register and subsequently login to the system in order to access them. This has resulted in the user having to remember a multitude of username and password combinations in order to use the service securely. However, literature has clearly demonstrated this is not an effective approach, as users will frequently choose simple passwords, write them down, share them or use the same password for multiple systems. This paper proposes a novel concept where Internet users authenticate to web services (service providers) by the use of a smartcard – taking away any requirement for the user to provide credentials. The smartcard is useful in this context as it is a trusted device that is capable of applying cryptography in a tamper resistant environment. The development of the concept is based upon an extension to Authentication Authorisation Infrastructure (AAI) models, where a trusted authority (Identity Provider) will provide and manage the smart card to end-users. In devices such as mobile phones, a smartcard is already present (e.g. the SIM) to facilitate this and it is envisaged such a card could also be produced for desktop environments – similarly to what many banks are currently implementing.