Experiences Deploying OpenID for a Broad User Base Security and Usability Considerations Breno de Medeiros Identity Management 2009, September 29-30.

Presentation transcript:

Presentation outline Usability research: user attitudes Implementing lessons learned Security considerations

Before We Begin: Some Terminology
This talk covers technologies for authentication, identification, as well as authorization/delegation.
  o Unless it is important to specify the context, I will refer to any of these as an Auth API.
The provider of such an API will be called Provider or:
  o Identity Provider (IDP): emphasis on identify/authenticate
  o Service Provider (SP): emphasis on authorize/delegate
A site integrating with such an API is a Consumer or Relying Party (RP)

User Attitudes

Build It and They Will Come...

User Attitudes: Password Sharing

Social Sharing
Social sites need access to users' social graph
Impractical to re-enter social graph in new sites
Password harvesting to import social graph, settings, access APIs
Users trained to share passwords

Users prize convenience
Security hard to gauge:
  o Client malware
  o Account recovery procedures
  o Site security
  o Strong passwords
Moving Against Password Anti-Pattern

User Attitudes: Consequences
Users likely to share passwords with sites they trust
  o The more reputable the site, the less it is likely to benefit from implementing identity/authorization/delegation APIs as an RP
In order for an identification/authorization solution to succeed:
  o Provider should define rich authorization/delegation APIs
  o Provider should deploy smooth user experience
Otherwise, companies likely to be first-adopters of identity solutions are also least likely to benefit (market failure).

Deployment Experiences

Federated Login with Legacy Accounts
Relying Parties typically also support legacy login
  o How to surface Auth APIs w/o impacting legacy use?
In the following, I will show some usability research results on how to modify typical login boxes to accommodate Auth APIs.

Login Box Transmutation

Login Box Transmutation (2)

Login Box Transmutation (3)

Outcomes
Users have no difficulty the first time they visit the RP
On subsequent visit, user may be confused:
  o 'Do I have a password?'
UX should work even with incorrect choice by user
  o Still, most users go through an additional click to login
Further research is ongoing...

Example Education Page

(Counter) Example

(Counter) Example: 2

RP Integration with Google's IDP Conservative display of federated sign-in option by Plaxo.

Plaxo Onboarding

RP Integration with Google's IDP Bold (NASCAR type) integration via RPX

RPX Integration (User returns)

Presenting IDP Options
NASCAR interfaces perform well, but do they adapt to changing membership composition?
Ideally, sites should discover the user's IDP automatically
  o OpenID provides a passive login approach, not supported by all IDPs
  o Facebook Connect provides an API to detect if the browser has a session in Facebook. An OpenID extension adds this as an experimental feature.
  o More on this later

Other considerations
Further integration with Auth APIs
  o Google examples: Gmail + IMAP clients, Calendar + Sync, Google Earth, Picasa uploader, ...
  o Full password-less auth support to combat password harvesting
Better developer tools

Security and Privacy Considerations

Global or Pairwise Identity?
User perceptions:
  o Machine-generated identities as pairwise
  o Identifying account by only may change perspective
Varying RP needs:
  o Social sites want global identifiers
  o GSA requires pairwise identifiers
  o User expectation matches RP's?
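As an added illustration (not code from the talk or from Google's IDP), this shows one way a provider can serve both kinds of RP need from the slide: a social site receives the account's global identifier, while a GSA-style RP receives a pairwise identifier derived per RP realm, so two RPs cannot correlate the same user. The HMAC key, realms and account names are constructed for the demo.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed demo key; a real IDP would keep this in an HSM/KMS and rotate it.
IDP_PAIRWISE_KEY = b"constructed-demo-key-not-for-production"


def rp_sector(realm: str) -> str:
    """Reduce an RP realm URL to the host that a pairwise identifier is scoped to.

    Only https realms are accepted, so the sector is tied to a host whose
    ownership TLS can vouch for; different paths on one host share a sector.
    """
    parts = urlsplit(realm)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"realm must be an absolute https URL: {realm!r}")
    return parts.hostname.lower()


def pairwise_id(account_id: str, realm: str, key: bytes = IDP_PAIRWISE_KEY) -> str:
    """Stable per-(user, RP) identifier that cannot be correlated across RPs.

    HMAC-SHA256 over (sector, account) with an IDP-only key: the same user gets
    the same id on every visit to one RP, different RPs cannot join their
    records, and nobody without the key can link the id back to the account.
    """
    sector = rp_sector(realm)
    msg = sector.encode() + b"\x00" + account_id.encode()  # NUL keeps fields unambiguous
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def issue_identifier(account_id: str, realm: str, rp_policy: str) -> dict:
    """Pick the identifier type the RP registered for (the slide's 'varying RP needs')."""
    if rp_policy == "global":
        # Social sites: the same identifier everywhere, e.g. an email-style handle.
        return {"type": "global", "id": account_id}
    if rp_policy == "pairwise":
        # Government/GSA-style RPs: no cross-site correlation.
        return {"type": "pairwise", "id": pairwise_id(account_id, realm)}
    raise ValueError(f"unknown rp_policy {rp_policy!r}")


if __name__ == "__main__":
    user = "alice@example.com"  # constructed account
    print(issue_identifier(user, "https://social.example/login", "global"))
    print(issue_identifier(user, "https://agency.example/", "pairwise"))
```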

Discovering User Provider Preferences
Automatic provider disclosure
Privacy vs. usability trade-off
Session presence discovery
Browser-based interface
Usability challenges

Additional Privacy Considerations
PII in URLs
  o PAPE profile
  o Artifact mode?
Transport encryption?

Assertion Trustworthiness
Non-mandatory SSL usage
  o PAPE profile for Government
Delegation via unsigned documents
  o New XRD spec provides support for signatures

Surviving IDP Account Takeover
Account compromise signals
  Multiple failed login attempts are a useful signal. The RP loses this signal in the federated login scenario.
Credential reset capability
  If the RP detects malicious behavior, how does it communicate the issue to the IDP? How are user credentials refreshed?

Single Sign-off
Today: RPs may 'ping' the IDP periodically to confirm presence of a session
  Scalability and usability issues
Single sign-off solution is complex
  Usability issues are not well understood

Eric Sachs, Breno de Medeiros, Dirk Balfanz
Public Documentation (Google OAuth & Federated Login Research)