Investigating Open Source Alternatives for an Electronic Identity System

This is a Master's thesis from Lund University / Department of Electrical and Information Technology

Authors: Martin Richter; Per Ahlbom; [2016]

Keywords: Technology and Engineering;

Abstract: Electronic IDs enable people, companies and organizations to sign documents and authenticate online. Considering the potential losses, the security in an eID system is crucial. The eID system in Sweden today, BankID, is closed source and uses proprietary standards. In our thesis, we have investigated if open standard and open source can be an alternative. First, we reviewed the research about security in open source contra closed source. The research was not conclusive and one cannot conclude that either of them provides more security. We show that using open source is a possibility, by implementing a proof-of-concept eID solution utilizing the framework SAML 2.0 and the protocol FIDO U2F. They are both open standards and there are several open implementations of SAML 2.0 and libraries for FIDO U2F to use. To verify that FIDO is a suitable protocol, we looked at other possible two-factor authentication solutions, such as OATH-HOTP and OATH-TOTP. The thesis also reviews some potential attacks against our system and we discuss how to mitigate them.
