Clarity of Facebook Connect Login Permissions
Date: July 2014
Publication: Symposium on Usable Privacy and Security (SOUPS) 2014
Source 1: http://cups.cs.cmu.edu/soups/2014/posters/soups2014_posters-paper11.pdf
Abstract or Summary:
Single Sign-On (SSO) systems allow users to log in to websites using their username and password from a third-party identity provider. Facebook Connect, based on OAuth, is perhaps the most common SSO system. It does more than just allow a user to sign in: sites can request access to parts of the user's Facebook profile. When a developer integrates the login system with their website, they request various permissions from Facebook to read information from the user's profile or to publish content to it.
Users logging in with Facebook Connect place a lot of trust in Facebook to share only the information that the user authorizes. This relies both on Facebook granting only the permissions presented in the authorization messages and on users correctly interpreting those messages. We explored user understanding of authorization messages via an online survey conducted on Amazon Mechanical Turk that presented users with Facebook permissions dialogues and asked them to identify which permissions would be granted if they approved the applications. We identified a number of areas where user understanding is inconsistent with the mechanics of Facebook Connect. In general, users believe that Facebook Connect authorizes far less information to be shared than it actually authorizes.