Third-party Identity Management Usage on the Web

Similar documents
Web Authentication using Third-parties in Untrusted Environments

Information Sharing and User Privacy in the Third-party Identity Management Landscape

A Look at the Third-Party Identity Management Landscape

Third-party Identity Management Usage on the Web

Scalable, Secure and Efficient Content Distribution and Services

YouTube Popularity Dynamics and Third-party Authentication

Performance and Scalability of Networks, Systems, and Services

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Interactive Branched Video Streaming and Cloud Assisted Content Delivery

Web Security Model and Applications

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Prof. Christos Xenakis

Prof. Christos Xenakis

Real-world security analyses of OAuth 2.0 and OpenID Connect

Cyber Security in Smart Commercial Buildings 2017 to 2021

Telco Working Group. Kantara Initiative Summit 2011 Trust Framework Model and IdM Summit

Mobile Banking and Payments Emerging Trends and Opportunities

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

GLOBAL MOBILE PAYMENT METHODS: FIRST HALF 2016

Federated Authentication for E-Infrastructures

1 INTRODUCTION OBJECTIVES OF THE STUDY MARKET DEFINITION MARKET SCOPE... 15

Telecom Cloud Market Research Report- Global Forecast 2022

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

O Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web

Federated authentication for e-infrastructures

Infrastructure for Secure Sharing Between Picture Archiving and Communication System and Image enabled Electronic Health Records

2014 IT Priorities Mark Schlack Sr. VP, Editorial

Reinforcing bad behaviour: the misuse of security indicators on popular websites

Survey of Existing CI Systems

SOCIAL LOGIN FOR MAGENTO 2 USER GUIDE

Registration on express-scripts.com and Mobile App Express Scripts Holding Company. All All Rights Reserved.

The Password Exposé. 8 truths about the threats and opportunities of employee passwords.

Why can t users choose their identity providers on the web?

Standards-based Secure Signon for Cloud and Native Mobile Agents

Certification Exam Guide SALESFORCE CERTIFIED IDENTITY AND ACCESS MANAGEMENT DESIGNER. Winter Salesforce.com, inc. All rights reserved.

Trusted Profile Identification and Validation Model

Architecture Assessment Case Study. Single Sign on Approach Document PROBLEM: Technology for a Changing World

Partner Ready Portal: New Partner Registration Process

OPENID CONNECT 101 WHITE PAPER

On the Change in Archivability of Websites Over Time

Authentication. Katarina

How Facebook knows exactly what turns you on

Securing APIs and Microservices with OAuth and OpenID Connect

SmartGrid. Implications of Cloud Computing. New Technology in the Utility Environment

DIGITAL IDENTITY TRENDS AND NEWS IN CHINA AND SOUTH EAST ASIA

Certification Exam Guide SALESFORCE CERTIFIED IDENTITY AND ACCESS MANAGEMENT DESIGNER. Summer Salesforce.com, inc. All rights reserved.

Federated Identities and Services: the CHAIN-REDS vision

1000 Ways to Die in Mobile OAuth. Eric Chen, Yutong Pei, Yuan Tian, Shuo Chen,Robert Kotcher and Patrick Tague

Business value of Federated Login for Enterprises Enterprise SaaS vendors Consumer websites

Nigori: Storing Secrets in the Cloud. Ben Laurie

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B

Access Management Handbook

AUTHENTICATION AND LOOKUP FOR NETWORK SERVICES

Global IT Services Market Size, Status and Forecast 2025

Files/News/Software Distribution on Demand. Replicated Internet Sites. Means of Content Distribution. Computer Networks 11/9/2009

Trusted Identities. Foundational to Cloud Services LILA KEE CHIEF PRODUCT OFFICER GLOBALSIGN

OpenID: From Geek to Chic. Greg Keegstra OpenID Summit Tokyo Dec 1, 2011

Using Twitter & Facebook API. INF5750/ Lecture 10 (Part II)

Variations in Tracking In Relation To Geographic Location

Security analysis of OpenID, followed by a reference implementation of an npabased OpenID provider

State of the Mobile Web, March 2009

Logging in to SecureSync

IPTV Statistics market analysis

What Does Logout Mean?

CSE 486/586 Distributed Systems

penelope case management software AUTHENTICATION GUIDE v4.4 and higher

Military Electro-Optics/Infrared Systems Market by Platform, System (Targeting, Imaging), Technology (Uncooled, Cooled), Sensor Technology (Staring,

Supplier Responding to New Products RFP Event

Warm Up to Identity Protocol Soup

A Welcome to Federated Identity Nate Klingenstein, Internet2, USA. Prepared for the Matsuyama University, December 2013

10th Edition. Global Base Station Market Analysis and Forecast, March 2014

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

Measuring IPv6. Geoff Huston APNIC Labs, February 2014

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

5 OAuth Essentials for API Access Control

MBB Robot Crawler Data Report in 2014H1

digital.vector Global Animation Industry Strategies, Trends & Opportunities digital.vector

Mid-Market Data Center Purchasing Drivers, Priorities and Barriers

Keep the Door Open for Users and Closed to Hackers

Phishing Activity Trends Report August, 2006

Operator cooperation in South Korea has created a successful identity solution. SK Telecom South Korea

CAN WE ESCAPE PASSWORDS?

IPv6 Readiness in the Communication Service Provider Industry

Content Delivery Network (CDN) - Global Market Outlook ( )

Huawei AppGallery --Expand your business globally

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Mobile App Development Market Research Report- Global Forecast to 2022

Scalable Test Automation using DCqaf framework for a leading US plus-size Fashion Retailer ATTENTION. ALWAYS.

Executive Summary...1

Beyond X.509: Token-based Authentication and Authorization with the INDIGO Identity and Access Management Service

northeast group, llc Smart Meter Refresh: Market Forecast ( ) October Northeast Group, LLC

Worldwide Internet usage

Introduction: E.ON Strategic Co-Investments EcoSummit

Future and Emerging Threats in ICT

Single Sign-On Best Practices

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2

How the world pays, now and in the future: The Global Payments Report. Ieuan Owen, SVP Strategy Worldpay ecom

Phishing Activity Trends Report August, 2005

Eight Minute Expert GDPR

Global Ultrabooks Market Insights, Forecast to 2025

Transcription:

Third-party Identity Management Usage on the Web Anna Vapen¹, Niklas Carlsson¹, Anirban Mahanti², Nahid Shahmehri¹ ¹Linköping University, Sweden ²NICTA, Australia

Third-party Web Authentication Web Authentication Registration with each website Many passwords to remember Third-party authentication Use an existing IDP (identity provider) account to access an RP (relying party) Log in less often; Stronger authentication Increase personalization opportunities Share information between websites 2

Motivation An emerging third-party authentication landscape Increasing usage of third-party identity providers Complex, nested relationships between RPs and IDPs Authorization protocol (OAuth) used for authentication Applications acting on user s behalf Data transfer between parties; Less control over data IDP selection Privacy implications 3

Contributions Novel Selenium-based data collection methodology Identification and validation of RP-IDP relationships Popularity-based logarithmic sampling technique Characterization of identified RP-IDP relationships Impact on IDP selection of RP characteristics Comparison to third-party content-delivery relationships 4

Methodology (1) Popularity-based logarithmic sampling 80,000 points uniformly on a logarithmic range Power-law distribution Capturing data from different popularity segments 1 million most popular websites Sampled websites 5

Methodology (2) Selenium-based crawling and relationship identification Able to process Web 2.0 sites with interactive elements Low number of false positives Validation with semi-manual classification and text-matching 1 million most popular websites Sampled websites 6

Collected Data 1,6 terabyte analyzed data 25 million analyzed links WHOIS, server location and audience location 35,620 sampled sites 3,329 unique relationships 50 IDPs and 1,865 RPs Total site size and number of links and objects 7

IDP Usage More than 75% of the RPs are served by 5% of the IDPs RPs tend to select popular sites as IDPs Only 15 of the 44 IDPs outside top 10 on Alexa serve more than 10 sampled RPs 75% of RPs served by 5% of IDPs 8

Top IDPs IDP rank Alexa rank IDP Protocol Number of IDP relationships 1 2 Facebook.com Oauth 1293 2 10 Twitter.com OAuth 378 3 9 QQ.com OAuth 278 4 1 Google.com Oauth / OpenID 250 5 4 Yahoo.com Oauth / OpenID 141 ** 6 16 Sina.com.cn Oauth 127 7 - OpenID field OpenID 87 * ** 8 4173 Vkontakte.ru Oauth 73 9 25 Weibo.com Oauth 64 10 12 Linkedin.com Oauth 63 * Domain change to vk.com ** Authentication with Sina.com.cn redirects to Weibo.com Login with any OpenID provider 9

Top IDPs IDP rank Alexa rank IDP Protocol Number of IDP relationships 1 2 Facebook.com Oauth 1293 2 10 Twitter.com OAuth 378 3 9 QQ.com OAuth 278 4 1 Google.com Oauth / OpenID 250 5 4 Yahoo.com Oauth / OpenID 141 ** 6 16 Sina.com.cn Oauth 127 7 - OpenID field OpenID 87 * ** Social networks (except no. 7) 8 4173 Vkontakte.ru Oauth 73 9 25 Weibo.com Oauth 64 10 12 Linkedin.com Oauth 63 * Domain change to vk.com ** Authentication with Sina.com.cn redirects to Weibo.com Login with any OpenID provider 10

IDP Selection Popular sites as IDPs, instead of specialized IDPs Popular sites with Lots of existing users Personal information Specialized IDPs with stronger authentication methods 11

Number of IDPs per sampled RP IDP widgets providing a pre-selected large set of IDPs Estimated weighted average: < 3 IDPs / RP 12

Number of IDPs per RP IDPs per RP Based on Popularity 4 3.5 3 2.5 2 1.5 1 0.5 0 [1-10] (10-10^2] (10^2-10^3] (10^3-10^4] Alexa site rank of RPs (10^4-10^5] (10^5-10^6]3 > 10^6 (10^5-10^6]3 (10^4-10^5] (10^3-10^4] (10^2-10^3] (10-10^2] [1-10] Breakdown of the average number of IDPs selected per RP and popularity segment 13

Comparison with Content Services Content: scripts, images and other third-party objects IDPs much more popular sites than content providers 14

Service-based Analysis 200 most popular websites Manual classification Likely to be RPs Using social IDPs: file sharing, info Likely to be IDPs; Many RPs in this category News File sharing Info Social/portal Video Tech Commerce Ads CDN Early adopters, using several IDPs Using IDPs from same category: tech, commerce 15

Cultural and Geographical Analysis North American and Chinese RPs use local IDPs to a large extent Content delivery usage less biased to local providers North America Europe China Russia Asia (all) Identity management Content delivery North America Europe China Russia Asia (rest) Other 16

Summary and Conclusions Large-scale characterization of third-party Web authentication Novel data collection methodology with popularity-based sampling Few large third-parties serve many websites Comparison with content sharing IDP selection much more biased Risk for privacy leaks Few large third-parties handling a lot of information The most popular IDPs are using protocols not adapted for strong authentication 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback