Presentation is loading. Please wait.

Presentation is loading. Please wait.

Experiences Deploying OpenID for a Broad User Base Security and Usability Considerations Breno de Medeiros Identity Management 2009, September 29-30.

Published byOscar Lambert Modified over 9 years ago

Similar presentations

Presentation on theme: "Experiences Deploying OpenID for a Broad User Base Security and Usability Considerations Breno de Medeiros Identity Management 2009, September 29-30."— Presentation transcript:

1 Experiences Deploying OpenID for a Broad User Base Security and Usability Considerations Breno de Medeiros Identity Management 2009, September 29-30

2 Presentation outline Usability research: user attitudes Implementing lessons learned Security considerations

3 Before We Begin: Some Terminology This talk covers technologies for authentication, identification, as well as authorization/delegation. o Unless it is important to specify the context, I will refer to any of these as an Auth API. The provider of such an API will be called Provider or: o Identity Provider (IDP): Emphasis on identify/authenticate o Service Provider (SP): Emphasis on authorize/delegate A site integrating with such an API is a Consumer or Relying Party (RP)‏

4 User Attitudes

5 Build It and They Will Come...

6 User Attitudes: Password Sharing

7 Social Sharing Social sites need access to users' social graph Impractical to re-enter social graph in new sites Password harvesting to import social graph, settings, access APIs Users trained to share passwords

8 Users prize convenience Security hard to gauge: o Client malware o Account recovery procedures o Site security o Strong passwords Moving Against Password Anti-Pattern

9 User Attitudes: Consequences Users likely to share passwords with sites they trust o The more reputable the site, the less it is likely to benefit from implementing identity/authorization/delegation APIs as an RP In order for an identification/authorization solution to succeed: o Provider should define rich authorization/delegation APIs o Provider should deploy smooth user experience Otherwise, companies likely to be first-adopters of identity solutions are also least likely to benefit (market failure).

10 Deployment Experiences

11 Federated Login with Legacy Accounts Relying Parties typically also support legacy login o How to surface Auth APIs w/o impacting legacy use? In the following, I will show some usability research results on how to modify typical login boxes to accommodate Auth APIs.

12 Login Box Transmutation

13 Login Box Transmutation (2)‏

14 Login Box Transmutation (3)‏

15 Outcomes Users have no difficulty the first time they visit the RP On subsequent visit, user may be confused: o 'Do I have a password?' UX should work even with incorrect choice by user o Still, most users go through an additional click to login Further research is ongoing...

16 Example Education Page

17 (Counter) Example

18 (Counter) Example: 2

19 RP Integration with Google's IDP Conservative display of federated sign-in option by Plaxo.

20 Plaxo Onboarding

21 RP Integration with Google's IDP Bold (NASCAR type) integration via RPX

22 RPX Integration (User returns)‏

23 Presenting IDP Options NASCAR interfaces perform well, but do they adapt to changing membership composition? Ideally, sites should discover the user's IDP automatically o OpenID provides a passive login approach, not supported by all IDPs o Facebook Connect provides API to detect if the browser has a session in Facebook. An OpenID extension add this as an experimental feature. o More on this later

24 Other considerations Further integration with Auth APIs o Google examples: Gmail + IMAP clients, Calendar + Sync, Google Earth, Picasa uploader,... o Full Password-less auth support to combat password harvesting Better developer tools

25 Security and Privacy Considerations

26 Global or Pairwise Identity? User perceptions: o Machine-generated identities as pairwise o Identifying account by email only may change perspective Varying RP needs: o Social sites want global identifiers o GSA requires pairwise identifiers o User expectation matches RP's?

27 Discovering User Provider Preferences Automatic provider disclosure Privacy vs. usability trade-off Session presence discovery Browser-based interface Usability challenges

28 Additional Privacy Considerations PII in URLs o PAPE profile o Artifact mode? Transport encryption?

29 Assertion Trustworthiness Non-mandatory SSL usage o PAPE profile for Government Delegation via unsigned documents o New XRD spec provides support for signatures

30 Surviving IDP Account Takeover Account compromise signals Multiple failed login attempts are useful signal. RP loses this in the federated login scenario Credential reset capability If RP detects malicious behavior, how to communicate issue to IDP? How to refresh user credentials?

31 Single Sign-off Today: RPs may 'ping' IDP periodically to confirm presence of session Scalability and usability issues Single sign-on solution is complex Usability issues are not well understood

32 Eric Sachs esachs@google.com Breno de Medeiros breno@google.com Dirk Balfanz balfanz@google.com breno@google.com Public Documentation (Google OAuth & Federated Login Research) https://sites.google.com/site/oauthgoog/

Download ppt "Experiences Deploying OpenID for a Broad User Base Security and Usability Considerations Breno de Medeiros Identity Management 2009, September 29-30."

Similar presentations

Yahoo! OpenID and OAuth 1 Allen Tom Yahoo! Membership Architect OpenID Foundation Board

Yahoo! OpenID and OAuth 1 Allen Tom Yahoo! Membership Architect OpenID Foundation Board
How is OpenID helping Google? Steven Bazyl Developer Advocate

How is OpenID helping Google? Steven Bazyl Developer Advocate
Identity Network Ideals – Heterogeneity & Co-existence

Identity Network Ideals – Heterogeneity & Co-existence
PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.

PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.
Extending ForeFront beyond the limit www.AGATSolutions.com TMGUAG ISAIAG AG Security Suite.

Extending ForeFront beyond the limit TMGUAG ISAIAG AG Security Suite.
Looking Ahead Archive-It Partner Meeting November 12, 2013.

Looking Ahead Archive-It Partner Meeting November 12, 2013.
And YADIS David Recordon Six Apart, Ltd. / LiveJournal.com / Danga Interactive, Inc. Parts of presentation stolen from Brad Fitzpatrick.

And YADIS David Recordon Six Apart, Ltd. / LiveJournal.com / Danga Interactive, Inc. Parts of presentation stolen from Brad Fitzpatrick.
Attribute Validation proposal for OpenID AX Spec ____________________________.

Attribute Validation proposal for OpenID AX Spec ____________________________.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
The Design and Implementation of an OpenID-Enabled PKI Kevin Bauer University of Colorado Supervisor: Dhiva Muruganantham.

The Design and Implementation of an OpenID-Enabled PKI Kevin Bauer University of Colorado Supervisor: Dhiva Muruganantham.
Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011.

Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011.
Account Management Best Practices OpenID for Mobile Webfinger Allen Tom Yahoo! Membership

Account Management Best Practices OpenID for Mobile Webfinger Allen Tom Yahoo! Membership
GRDevDay March 21, 2015 Cloud-based Identity for Applications.

GRDevDay March 21, 2015 Cloud-based Identity for Applications.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
Managing Client Access

Managing Client Access
IDENTITY MANAGEMENT Hoang Huu Hanh (PhD), OST – Hue University hanh-at-hueuni.edu.vn.

IDENTITY MANAGEMENT Hoang Huu Hanh (PhD), OST – Hue University hanh-at-hueuni.edu.vn.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
SharePoint External Login Access – Forms Authentication vs Azure ACS.

SharePoint External Login Access – Forms Authentication vs Azure ACS.
OUC204. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.

OUC204. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.
What makes users refuse web single sign-on? An empirical investigation of OpenID S.-T. Sun, E. Pospisil, I. Muslukhov, N. Dindar, K. Hawkey, and K. Beznosov.

What makes users refuse web single sign-on? An empirical investigation of OpenID S.-T. Sun, E. Pospisil, I. Muslukhov, N. Dindar, K. Hawkey, and K. Beznosov.

Similar presentations

Ads by Google