Add to collection(s) Add to saved
  1. No category

Third-party Identity Management Usage on the Web ¹Linköping University, Sweden

advertisement 
Third-party Identity Management Usage on the Web
Anna Vapen¹, Niklas Carlsson¹, Anirban Mahanti², Nahid Shahmehri¹
¹Linköping University, Sweden
²NICTA, Australia
Third-party Web Authentication
Web Authentication
• Registration with each website
• Many passwords to remember
Third-party authentication
• Use an existing IDP (identity provider) account
to access an RP (relying party)
• Log in less often; Stronger authentication
• Increase personalization opportunities
• Share information between websites
2
Motivation
• An emerging third-party authentication landscape
• Increasing usage of third-party identity providers
• Complex, nested relationships between RPs and IDPs
• Authorization protocol (OAuth) used for authentication
• Applications acting on user’s behalf
• Data transfer between parties; Less control over data
• IDP selection
• Privacy implications
3
Contributions
• Novel Selenium-based data collection methodology
• Identification and validation of RP-IDP relationships
• Popularity-based logarithmic sampling technique
• Characterization of identified RP-IDP relationships
• Impact on IDP selection of RP characteristics
• Comparison to third-party content-delivery relationships
4
Methodology (1)
• Popularity-based logarithmic sampling
• 80,000 points uniformly on a logarithmic range
• Power-law distribution
• Capturing data from different popularity segments
1 million
most
popular
websites
5
Sampled
websites
Methodology (2)
• Selenium-based crawling and relationship identification
• Able to process Web 2.0 sites with interactive elements
• Low number of false positives
• Validation with semi-manual classification and text-matching
1 million
most
popular
websites
6
Sampled
websites
Collected Data
1,6 terabyte
analyzed data
25 million
analyzed links
WHOIS, server location
and audience location
35,620 sampled sites
3,329 unique relationships
50 IDPs and 1,865 RPs
Total site size and number
of links and objects
7
IDP Usage
• More than 75% of the RPs are served by 5% of the IDPs
• RPs tend to select popular sites as IDPs
• Only 15 of the 44 IDPs outside top 10 on Alexa serve more
than 10 sampled RPs
75% of RPs served by
5% of IDPs
8
Top IDPs
IDP
rank
Alexa rank
IDP
Protocol
Number of IDP relationships
1
2
Facebook.com
Oauth
1293
2
10
Twitter.com
OAuth
378
3
9
QQ.com
OAuth
278
4
1
Google.com
Oauth / OpenID 250
5
4
Yahoo.com
Oauth / OpenID 141
6
16
Sina.com.cn
Oauth
127
7
-
OpenID field
OpenID
87
8
4173
Vkontakte.ru
Oauth
73
9
25
Weibo.com
Oauth
64
10
12
Linkedin.com
Oauth
63
**
*
**
* Domain change to vk.com
9
Login with any OpenID provider
** Authentication with Sina.com.cn redirects to Weibo.com
Top IDPs
IDP
rank
Alexa rank
IDP
Protocol
Number of IDP relationships
1
2
Facebook.com
Oauth
1293
2
10
Twitter.com
OAuth
378
3
9
QQ.com
OAuth
278
4
1
Google.com
Oauth / OpenID 250
5
4
Yahoo.com
Oauth / OpenID 141
6
16
Sina.com.cn
Oauth
127
7
-
OpenID field
OpenID
87
8
4173
Vkontakte.ru
Oauth
73
9
25
Weibo.com
Oauth
64
10
12
Linkedin.com
Oauth
63
**
*
**
* Domain change to vk.com
10
Social networks
(except no. 7)
Login with any OpenID provider
** Authentication with Sina.com.cn redirects to Weibo.com
IDP Selection
• Popular sites as IDPs, instead of specialized IDPs
Popular sites with
• Lots of existing users
• Personal information
Specialized IDPs with stronger
authentication methods
11
Number of IDPs per sampled RP
IDP widgets providing
a pre-selected large
set of IDPs
Estimated weighted
average: < 3 IDPs / RP
12
IDPs per RP Based on Popularity
Number of IDPs per RP
4
3.5
3
> 10^6
2.5
(10^5 - 10^6]3
2
(10^4 - 10^5]
1.5
(10^3- 10^4]
1
(10^2 - 10^3]
(10 - 10^2]
0.5
[1 - 10]
0
[1 - 10] (10 - 10^2] (10^2 10^3]
(10^310^4]
(10^4 10^5]
(10^5 10^6]3
Alexa site rank of RPs
Breakdown of the average number of IDPs selected per RP and popularity segment
13
Comparison with Content Services
• Content: scripts, images and other third-party objects
• IDPs much more popular sites than content providers
14
Service-based Analysis
200 most popular websites
Manual classification
Using social IDPs: file sharing, info
Likely to be RPs
Likely to be IDPs;
Many RPs in this
category
News
File sharing
Video
Tech
Early adopters, using several IDPs
15
Info
Commerce
Social/portal
Ads
CDN
Using IDPs from same category: tech, commerce
Cultural and Geographical Analysis
• North American and Chinese RPs use local IDPs to a large extent
• Content delivery usage less biased to local providers
North America
Europe
China
Russia
Asia (all)
Identity
management
Content
delivery
16
North America
China
Asia (rest)
Europe
Russia
Other
Summary and Conclusions
• Large-scale characterization of third-party Web authentication
• Novel data collection methodology with popularity-based sampling
• Few large third-parties serve many websites
•
Comparison with content sharing
•
IDP selection much more biased
• Risk for privacy leaks
17
•
Few large third-parties handling a lot of information
•
The most popular IDPs are using protocols not adapted for strong
authentication
Related documents
Future directions for the protection of IDPs through domestic law and
Future directions for the protection of IDPs through domestic law and
Economic Tussles in Federated Identity Management Tyler Moore
Economic Tussles in Federated Identity Management Tyler Moore
Initiating the process: preparatory steps
Initiating the process: preparatory steps
Continuing concern over security in Mazar
Continuing concern over security in Mazar
Information Sharing and User Privacy in the Third-party Identity Management Landscape
Information Sharing and User Privacy in the Third-party Identity Management Landscape
Download
advertisement