What makes users refuse web single sign-on? An empirical investigation of OpenID S.-T. Sun, E. Pospisil, I. Muslukhov, N. Dindar, K. Hawkey, and K. Beznosov.

Presentation transcript:

What makes users refuse web single sign-on? An empirical investigation of OpenID
S.-T. Sun, E. Pospisil, I. Muslukhov, N. Dindar, K. Hawkey, and K. Beznosov
SOUPS '11, ACM, 2011, pp. 4:1-4:20
Eru Penkman (epen234)

What Is OpenID?
• Sign in with a trusted identity provider (Google, Facebook, etc.)
• The identity provider confirms your identity to a third party
• Only the identity provider knows your password

Users Don’t Trust OpenID
Most users believe that their password is being shared with every website where they use OpenID. The paper presents improvements that can increase user understanding and adoption of OpenID.

This Study Is Practical
They provide recommendations for websites and software developers to improve the usability of single sign-on; their recommendations could greatly increase the usage of single sign-on.

Possible to Misinterpret
The study outlines several symptoms but does not sufficiently explain the causes of each symptom.

Two Core Issues
• Users have an incorrect mental model of OpenID
  • They believe that their password is being shared with every website that they log in to.
• OpenID presents a single point of failure
  • Vulnerable to phishing

Multiple Symptoms
• Single point of failure (26%)
• Believe their passwords are being shared (71%)
• Cannot spot phishing forms (50%)
• Hesitant to release profile information (40%)
• Concern about untrustworthy websites (36%)

Improvements?
70% of users believed that their passwords were shared with every site where they used OpenID. How can the login interface be improved so that users understand that their passwords are not being shared?
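The misconception discussed in "Improvements?" and the flow sketched in "What Is OpenID?" can be made concrete at the protocol level. The following is an added example, not code from the paper or the slides: a simulation of an OpenID 2.0-style assertion exchange in which the identity provider (OP) checks the password locally and hands the relying party (RP) only a signed assertion. The association key, the endpoints and the user record are constructed values.

```python
import hmac, hashlib, secrets, time

# Constructed association: in OpenID 2.0 the RP and OP negotiate this shared MAC key
# (e.g. via Diffie-Hellman); it never reaches the browser or the user.
ASSOC_HANDLE = "assoc-1"
MAC_KEY = secrets.token_bytes(32)
SIGNED_FIELDS = "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"

def _pw_hash(password):                      # toy credential store hashing
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000)

def sign(fields):
    """OpenID 2.0 style signature: HMAC over the key:value form of the signed fields
    (hex here instead of the spec's base64, for readability)."""
    kv = "".join(f"{n}:{fields['openid.' + n]}\n" for n in fields["openid.signed"].split(","))
    return hmac.new(MAC_KEY, kv.encode(), hashlib.sha256).hexdigest()

class IdentityProvider:                      # the OP: the only party that sees the password
    endpoint = "https://op.example/auth"     # constructed
    def __init__(self):
        self._users = {"alice": _pw_hash("s3cret")}   # constructed user record
    def authenticate(self, user, password, return_to):
        """Check the password locally; on success emit a signed positive assertion."""
        if user not in self._users or not hmac.compare_digest(self._users[user], _pw_hash(password)):
            return {"openid.mode": "cancel"}
        ident = f"https://op.example/id/{user}"
        fields = {"openid.mode": "id_res", "openid.op_endpoint": self.endpoint,
                  "openid.return_to": return_to, "openid.assoc_handle": ASSOC_HANDLE,
                  "openid.response_nonce": f"{int(time.time())}-{secrets.token_hex(4)}",
                  "openid.claimed_id": ident, "openid.identity": ident,
                  "openid.signed": SIGNED_FIELDS}
        fields["openid.sig"] = sign(fields)  # no password field anywhere in the assertion
        return fields

class RelyingParty:                          # the website: gets an assertion, never a password
    return_to = "https://rp.example/openid/return"   # constructed
    def __init__(self):
        self._seen_nonces = set()            # replay protection
    def verify(self, resp):
        """Accept only a fresh, correctly signed assertion addressed to this RP."""
        if resp.get("openid.mode") != "id_res" or resp["openid.return_to"] != self.return_to:
            return None
        if resp["openid.response_nonce"] in self._seen_nonces:
            return None                      # replayed assertion
        if not hmac.compare_digest(sign(resp), resp.get("openid.sig", "")):
            return None                      # tampered or forged
        self._seen_nonces.add(resp["openid.response_nonce"])
        return resp["openid.claimed_id"]
```

The dictionary returned by `authenticate` is everything the RP ever receives; inspecting it shows that the password and its hash stay inside the identity provider.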

Questions?