Rostam: A passwordless web single sign-on solution integrating credential manager and federated identity systems

Date
2023
Authors
Mahnamfar, Amin
Journal Title
Journal ISSN
Volume Title
Publisher
Graduate School
Abstract
The transition to a passwordless future is a multifaceted problem, especially as web applications continue to rely heavily on passwords for authentication. The problem is amplified in enterprise environments, where the identity providers that operate federated identity management systems maintain single sign-on (SSO) services that are not compatible with every application. To address these complexities, we introduce Rostam, a passwordless solution that integrates credential management with federated identity systems to streamline access to web applications. In the literature, password managers broadly fall into two categories: password wallets and derived passwords. Derived-password managers generate a unique password for each website by combining a master password with supplemental information such as the target domain name. These managers have limitations, however, notably that users must change their existing password on every website to the derived one. We therefore chose the password-wallet category, the prevalent design among both commercial and browser-integrated password managers: users keep their current credentials, which are stored in encrypted form. Rostam presents a dashboard that lists every application accessible to the user, each opened with a single click after a passwordless SSO flow. This interface removes the need to memorize multiple passwords and centralizes access to diverse applications. We examined existing work and followed the essential use cases and design paradigms of credential managers while designing Rostam. For instance, setup consists of installing the mobile app, installing the browser extension, and creating a cloud account.
Rostam supports credential registration both manually and by auto-detection, updates credentials manually or by auto-detection, and allows manual credential removal. It offers several autofill options and handles separate subdomains. It also provides a manual lock and a timed auto-lock, after which the user must reauthenticate. These use cases and paradigms cover the varied needs of users and underscore Rostam's comprehensive approach to credential management. Many credential managers focus on thwarting server-side attacks and protecting privacy through client-side encryption, which requires users to choose and remember a strong master password. Memorizing such a password is a significant burden. Efforts to reduce it, such as spaced repetition or graphical password schemes, still yield secrets that are weaker than long, randomly generated keys. Furthermore, conveniences such as temporarily or even permanently storing the master password weaken security, and some widely used credential managers provide no way to change or reset the master password. Our system instead protects the encrypted passwords held in the credential manager with a MasterKey rather than a master password. In the event of a breach, the encrypted passwords remain secure even if they are stolen from the server, because all keys, including the MasterKey, are strong, randomly generated, and stored securely on the client side without user involvement. Furthermore, we employ a dual-position technique: to access or recover the vault, the user needs both Rostam's servers and one of the paired devices.
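The following Python model illustrates the two password-manager families contrasted above and the MasterKey design: a deterministic derived-password scheme for comparison, and a password wallet whose randomly generated MasterKey is split so that neither the server nor a stolen vault blob is enough on its own. This is an added example written for this page, not Rostam's code; the abstract does not specify the primitives, so the XOR secret split, the HMAC-SHA256 counter-mode stream cipher (a standard-library stand-in for a real AEAD such as AES-GCM), the subkey labels and all function names are assumptions, and the credential record is constructed sample data.

```python
import hashlib
import hmac
import json
import secrets


# --- Derived-password family (the approach the abstract sets aside) ---
def derived_site_password(master_password: str, domain: str, length: int = 16) -> str:
    """Derive a per-site password from the master password and the domain.

    Deterministic by design, so nothing needs storing. The cost noted in the
    abstract: every existing site password must be replaced by the derived
    one, and a new master password changes all of them at once.
    """
    raw = hashlib.pbkdf2_hmac("sha256", master_password.encode(), domain.encode(), 100_000)
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%"
    return "".join(alphabet[b % len(alphabet)] for b in raw[:length])


# --- Password-wallet family with a random MasterKey (assumed construction) ---
def generate_master_key() -> bytes:
    """32 random bytes; never derived from anything the user must remember."""
    return secrets.token_bytes(32)


def split_master_key(master_key: bytes) -> tuple[bytes, bytes]:
    """Dual position modelled as an XOR secret split (assumption, not the
    thesis's mechanism): one share for the server, one for a paired device.
    Each share alone is uniformly random and reveals nothing."""
    server_share = secrets.token_bytes(len(master_key))
    device_share = bytes(a ^ b for a, b in zip(master_key, server_share))
    return server_share, device_share


def recover_master_key(server_share: bytes, device_share: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(server_share, device_share))


def _subkeys(master_key: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from the MasterKey."""
    enc = hmac.new(master_key, b"example-enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"example-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; stdlib stand-in for a real stream cipher."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt_vault(master_key: bytes, credentials: dict) -> dict:
    """Encrypt-then-MAC the credential store; only this blob goes to the server."""
    enc_key, mac_key = _subkeys(master_key)
    plaintext = json.dumps(credentials, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(master_key: bytes, blob: dict) -> dict:
    """Verify the tag before using the ciphertext; wrong key or tampering raises."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, ciphertext = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("vault tag mismatch: wrong MasterKey or tampered blob")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def stolen_server_data_is_useless(server_share: bytes, blob: dict) -> bool:
    """Model a server breach: the attacker holds the server share and the blob
    but no device share, so decrypting with what they have must fail."""
    try:
        decrypt_vault(server_share, blob)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample credential; the user keeps their existing site password.
    creds = {"https://mail.example.com": {"user": "amin", "password": "old-site-pw"}}
    mk = generate_master_key()
    server_share, device_share = split_master_key(mk)
    blob = encrypt_vault(mk, creds)
    assert decrypt_vault(recover_master_key(server_share, device_share), blob) == creds
    assert stolen_server_data_is_useless(server_share, blob)
    print("vault round trip ok; server share plus blob alone decrypts nothing")
```

The design point the block makes concrete: the wallet keeps the user's existing site passwords, the key protecting them is random rather than memorized, and recovery needs the device share as well as what the server holds, so a server-side breach yields only an opaque blob and a random-looking share.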
Description
Thesis (M.Sc.) -- İstanbul Technical University, Graduate School, 2023
Keywords
federated identity systems, register credentials, client-side threats
Citation