Using GSM/UMTS for single sign-on

Abstract

At present, network users have to remember a user-name and a corresponding password for every service with which they are registered. Single sign-on (SSO) has been proposed as a solution to the usability, security and management implications of this situation. Under SSO, users authenticate themselves only once to an entity termed the 'authentication service provider' (ASP) and subsequently use disparate service providers (SPs) without re-authenticating. The information about the user's authentication status is handled between the ASP and the desired SP in a manner transparent to the user. We propose an SSO protocol where a GSM or UMTS operator plays the role of the ASP and by which its subscribers can be authenticated to SPs without any user interaction and in a way that preserves the user's privacy and mobility. The protocol requires only minimal changes to the deployed GSM infrastructure.