D4.4 Guidelines for Secure Authentication to the Cloud

Contributing Partners

ATOS, ETUITUS, GUF, FOKUS, TUG, AIT, SIC

Executive Summary
During its development, the CREDENTIAL project had to face important issues related to privacy-preserving data, identity provision, authentication data, and their contextualization within a cloud environment. Studying the most successful technologies in the field helped the team take sound decisions. The present document shows the in-depth study carried out throughout the project, with a particular focus on the “authentication to the cloud” topic, leveraging the lessons learned during the CREDENTIAL initiative.
Firstly, the requirements related to authentication to the cloud are analysed from a general perspective, covering security and privacy topics and, more particularly, the cloud requirements. A drill-down into the CREDENTIAL requirements follows, with the aim of exposing which aspects could be improved.
Further on, the document focuses on the two most important strong authentication/authorization frameworks, namely FIDO and OATH. Both of them can provide a second strong authentication factor, which was missing in the original CREDENTIAL design. FIDO turned out to be our preferred methodology.
The document then reviews state-of-the-art authentication techniques, such as biometric mechanisms, hardware solutions, and privacy-enhancing technologies.
A technical assessment of how to accomplish secure authentication to the cloud is then carried out, conforming to FIDO Alliance guidelines, followed by a list of improvements to the cloud authentication process that takes into account all the previous research work.
Finally, the document depicts enhanced CREDENTIAL scenarios in which those improvements could be applied.