A billion keys, but few locks: The crisis of web single sign-on

Proceedings New Security Paradigms Workshop

Volumn , Issue , 2010, Pages 61-71

  Sun, San Tsai ^a   Boshmaf, Yazan ^a   Hawkey, Kirstie ^a   Beznosov, Konstantin ^a  

^a UNIVERSITY OF BRITISH COLUMBIA   (Canada)

Author keywords

authentication; infocard; openid; web identity management; web single sign on

Indexed keywords

BUSINESS MODELS; BUSINESS NEEDS; IDENTITY MANAGEMENT; INFOCARD; OPENID; SERVICE PROVIDER; SINGLE SIGN ON; TRUST FRAMEWORKS; BUSINESS MODELING; IDENTITY PROVIDERS; NOCV1;

AUTHENTICATION; SECURITY OF DATA;

AUTHENTICATION;

EID: 78751558943     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1900546.1900556     Document Type: Conference Paper

References (79)

1. ActivIdentity Corp. Actividentity securelogin. http://www.protocom.com/, 2009.
2. A. Adams and M. A. Sasse. Users are not the enemy. Commun. ACM, 42(12):40-46, 1999.
3. B. Adida. EmID: Web authentication by email address. In Web 2.0 Security and Privacy Workshop 2008, Oakland, California, USA, 2008.
4. AOL LLC. AOL Open Authentication API. http://dev.aol.com/api/openauth, January 2008.
5. P. Austel, S. Bhola, S. Chari, L. Koved, M. McIntosh, M. Steiner, and S. Weber. Secure delegation for web 2.0 and mashups. In Workshop on Web 2.0 Security And Privacy, 2008.
6. P. Becker. Identity's First Big War: a history lesson. http://www.identityblog.com/?p=551, August 2006.
7. B. Blakley. The meta-identity system. http://notabob.blogspot.com/2006/ 07/meta-identity-system.html, July 2006.
8. B. Blakley. The Information Card Landscape. Technical report, Burton Group, Febrary 2009.
9. CBS News. Poll: Privacy rights under attack. http://www.cbsnews.com/ stories/2005/09/30/opinion/polls/main894733.shtml, October 2005.
10. S. Chiasson, P. C. van Oorschot, and R. Biddle. A usability study and critique of two password managers. In Proceedings of 15th USENIX UNIX Security Symposium, pages 1-16, Vancouver, Canada, August 2-4 2006. USENIX.
11. E. Cohen, R. K. Thomas, W. Winsborough, and D. Shands. Models for coalition-based access control (CBAC). In Proceedings of the Seventh ACM Symposium on Access Control Models and Technologies, pages 97-106, Monterey, California, USA, 2002.
12. CoreStreet Ltd. Spoofstick. http://www.spoofstick.com/, 2005.
13. R. Dhamija and L. Dusseault. The seven flaws of identity management: Usability and security challenges. IEEE Security and Privacy, 6:24-29, 2008.
14. R. Dhamija and J. D. Tygar. The battle against phishing: Dynamic security skins. In SOUPS '05: Proceedings of the 2005 Symposium on Usable Privacy and Security, pages 77-88, New York, NY, USA, 2005. ACM.
15. R. Dhamija, J. D. Tygar, and M. Hearst. Why phishing works. In CHI '06: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 581-590, Montréal, Québec, Canada, 2006. ACM.
16. Earthlink Inc. Earthlink toolbar: scambloker for Windows users. http://www.earthlink.net/, 2008.
17. I. Facebook. Facebook Platform. http://www.facebook.com/platform, 2010.
18. I. Facebook. Facebook Press Room Statistics. http://www.facebook.com/ press/info.php?statistics, October 2010.
19. D. Florencio and C. Herley. A large-scale study of web password habits. In WWW '07: Proceedings of the 16th International Conference on World Wide Web, pages 657-666, New York, NY, USA, 2007. ACM.
20. B. Freeman. Yahoo! OpenID:One Key, Many Doors. http://developer.yahoo. com/openid/openid-research-jul08.pdf, July 2008.
21. D. Fuelling and W. Norris. Email Address to URL Transformation 1.0. http://eaut.org/specs/1.0/, June 2008.
22. S. Gaw and E. W. Felten. Password management strategies for online accounts. In Proceedings of the Second Symposium on Usable Privacy and Security, pages 44-55, 2006.
23. N. Good, R. Dhamija, J. Grossklags, D. Thaw, S. Aronowitz, D. Mulligan, and J. Konstan. Stopping spyware at the gate: a user study of privacy, notice and spyware. In SOUPS '05: Proceedings of the 2005 Symposium on Usable Privacy and Security, pages 43-52, New York, NY, USA, 2005. ACM.
24. Google Inc. Authsub authentication for web applications. http://code.google.com/apis/accounts/docs/AuthSub.html, December 2008.
25. J. Grossklags and N. Good. Empirical studies on software notices to inform policy makers and usability designers. In USEC 2007: Proceedings of 1st International Workshop on Usable Security, pages 341-355, 2007.
26. J. A. Halderman, B. Waters, and E. W. Felten. A convenient method for securely managing passwords. In Proc. of WWW 2005, pages 471-479, 2005.
27. E. Hammer-Lahav. WebFinger. http://webfinger.net/, August 2009.
28. X. Hao. Attacking Certificate-based Authentication System and Microsoft InfoCard. In Power of Community Security Conference, 2009.
29. C. Herley. So long, and no thanks for the externalities: the rational rejection of security advice by users. In NSPW '09: Proceedings of the 2009 Workshop on New Security Paradigms Workshop, pages 133-144, New York, NY, USA, 2009. ACM.
30. A. Herzberg and A. Jbara. Security and identification indicators for browsers against spoofing and phishing attacks. ACM Trans. Internet Technology, 8(4):1-36, 2008.
31. J. Inc. RPX: User Engagement Make Easy. http://www.janrain.com/products/ rpx, March 2010.
32. Internet2. Shibboleth System. http://shibboleth.internet2.edu/, 2008.
33. JanRain Inc. Relying Party Stats. http://www.janrain.com/blogs/relying- party-stats-april-1st-2009, 2009.
34. K. O. Jerry DeVault, Brian Tretick. Privacy and independent verification: What consumers want. http://consumerprivacyguide.com/privacy/ccp/verification1. pdf, 2002.
35. A. Jøsang, M. A. Zomai, and S. Suriadi. Usability and privacy in identity management architectures. In ACSW '07: Proceedings of the Fifth Australasian Symposium on ACSW Frontiers, pages 143-152, Darlinghurst, Australia, Australia, 2007. Australian Computer Society, Inc.
36. B. Laurie. OpenID: Phishing Heaven. http://www.links.org/?p=187, January 2007.
37. Liberty Alliance. Liberty Alliance Project. http://www.projectliberty. org/, 2002.
38. E. Maler and D. Reed. The venn of identity: Options and issues in federated identity management. IEEE Security and Privacy, 6:16-23, 2008.
39. J. McCrea. Introducing two-click signup. http://blog.plaxo.com/archives/ 2009/01/introducing-two -1.html, January 2009.
40. C. Messina. OpenID Phishing Brainstorm. http://wiki.openid.net/OpenID- Phishing-Brainstorm, 2009.
41. Microsoft Corp. Windows CardSpace. http://www.microsoft.com/windows/ products/winfamily/cardspace/default.mspx, 2009.
42. D. Mills. Identity in the Browser (Mozila Labs). https://mozillalabs.com/ blog/2009/05/identity-in-the-browser/, 2010.
43. Mozila Labs. Weave Identity Account Manager. https://wiki.mozilla.org/ Labs/Weave/Identity/Account-Manager, 2009.
44. J. Mulligan and A. Elbirt. Desktop security and usability trade-offs: An evaluation of password management systems. Information Systems Security, 14(2):10-19, 2005.
45. S. J. Murdoch and R. Anderson. Verified by visa and mastercard securecode: or, how not to design authentication. In In the proceedings of Financial Cryptography and Data Security 2010, January 2010.
46. MyOpenID. OpenID Site Directory. http://openiddirectory.com/, 2010.
47. A. Nanda and M. B. Jones. Identity Selector Interoperability Profile V1.5. http://informationcard.net/specifications, July 2008.
48. Netcraft. August 2010 Web Server Survey. http://news.netcraft.com/ archives/category/web-server-survey/, 2010.
49. Novell Inc. Novell securelogin. http://www.novell.com/products/ securelogin/, 2009.
50. OASIS. Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML). http://saml.xml.org/, April 2009.
51. OAuth Core Workgroup. Oauth core 1.0 specification. http://oauth.net/ core/1.0/, December 2007.
52. Open Identity Exchange. Building trust online identity. http://openidentityexchange.org/, March 2010.
53. OpenID Foundation. Promotes, protects and nurtures the OpenID community and technologies. http://openid.net/foundation/, 2009.
54. OpenID Foundation. OpenID Directory. http://openiddirectory.com/, 2010.
55. OpenID Wiki. Openid user experience. http://wiki.openid.net/browse/view= ViewFolder¶m=user-experience, April 2010.
56. R. Oppliger. Microsoft .NET Passport and identity management. Information Security Technical Report, 9(1):26-34, 2004.
57. D. Recordon and B. Fitzpatrick. OpenID authentication 2.0. http://openid.net/specs/openid-authentication-2 0.html, December 2007.
58. E. Sachs. Usability Research on Federated Login. http://sites.google.com/ site/oauthgoog/UXFedLogin, October 2008.
59. R. Sausner. Authentication Software: Widespread Adoption Seen As Unlikely Before 2011. http://www.americanbanker.com/usb issues/116 4/-274048-1.html, 2006.
60. S. E. Schechter, R. Dhamija, A. Ozment, and I. Fischer. The emperor's new security indicators. In Proceedings of the 2007 IEEE Symposium on Security and Privacy, pages 51-65, Washington, DC, USA, 2007. IEEE Computer Society.
61. P. Steiner. On the Internet, nobody knows you're a dog. http://en.wikipedia.org/wiki/On-the-Internet,-nobody-knows-youre-a-dog, 2010.
62. I. Strouchliak. Conversion rate optimization. http://www.seochat.com/c/a/ Website-Marketing-Help/Conversion-Rate-Optimization/, 2009.
63. S.-T. Sun, K. Hawkey, and K. Beznosov. Secure Web 2.0 content sharing beyond walled gardens. In Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC), pages 409-418. ACSA, IEEE Press, December 7-11 2009.
64. J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. F. Cranor. Crying Wolf: An empirical study of SSL warning effectiveness. In Proceedings of 18th USENIX Security Symposium, pages 399-432, 2009.
65. Sxipper Inc. Sxipper form manager Firefox extension. http://www.sxipper. com/, 2009.
66. The Eclipse Foundation. Higgins Card Selectors. http://www.eclipse.org/ higgins/, 2009.
67. The Information Card Foundation. Advance the use of Information Card. http://informationcard.net/foundation, 2009.
68. University of Michigan. Cosign: Secure, intra-institutional web authentication. http://weblogin.org/, 2009.
69. University of Washington. Pubcookie: open-source software for intra-institutional web authentication. http://www.pubcookie.org/, 2008.
70. VeriSign Inc. VeriSign OpenID SeatBelt Plugin. https://pip.verisignlabs. com/seatbelt.do, 2009.
71. Wikipedia. Password fatigue. http://en.wikipedia.org/wiki/Password- fatigue, 2009.
72. M. Wogalter. Purpose and scope of warnings. In Handbook of Warnings, pages 3-9. Lawrence Erlbaum Associates, 2006.
73. L. Wroblewski. Web Form Design: Fill in the blanks, chapter Gradual Engagement. Rosenfeld media, 2008.
74. M. Wu, R. C. Miller, and S. L. Garfinkel. Do security toolbars actually prevent phishing attacks? In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems(CHI '06), pages 601-610, New York, NY, USA, 2006. ACM.
75. M. Wu, R. C. Miller, and G. Little. Web wallet: preventing phishing attacks by revealing user intentions. In SOUPS '06: Proceedings of the Second Symposium on Usable Privacy and Security, pages 102-113, New York, NY, USA, 2006. ACM.
76. Yahoo Inc. Browser-Based Authentication (BBAuth). http://developer.yahoo. com/auth/, December 2008.
77. Yale University. CAS: Central authentication service. http://www.jasig.org/cas, 2009.
78. K.-P. Yee and K. Sitaker. Passpet: convenient password management and phishing protection. In SOUPS '06: Proceedings of the Second Symposium on Usable Privacy and Security, pages 32-43, New York, NY, USA, 2006. ACM.
79. Y. Zhang, S. Egelman, L. Cranor, and J. Hong. Phinding phish: Evaluating anti-phishing tools. In Proceedings of the 14th Annual Network and Distibuted System Security Symposium (NDSS 2007), 2007.