Users’ Perceptions of and Willingness to Use Single-Sign-On Functionality
Date: July 2014
Publication: Symposium on Usable Privacy and Security (SOUPS) 2014
Source 1: http://cups.cs.cmu.edu/soups/2014/posters/soups2014_posters-paper31.pdf
Abstract or Summary:
Internet users are accumulating more and more identities. A seminal study by Florêncio and Herley found that a typical internet user has 25 different identities, each of which has different credentials. In part because managing these identities and credentials is difficult for users and encourages behaviors like password reuse, the US Government has declared the creation of a digital identity ecosystem a national security priority.
In such an ecosystem, single sign-on (SSO) systems allow users to authenticate to an identity provider (IdP); the IdP in turn vouches for the user to multiple service providers (SPs), absolving them of the need to authenticate users themselves. This frees users from remembering many sets of credentials, and service providers from the need to maintain their own authentication mechanisms. At the same time, relying on identity providers that have rich information about users (e.g., all information in a Facebook profile) creates the risk that users will lose oversight or control over the access that service providers are given to this information. To address such concerns, identity providers show users consent interfaces at sign on and provide audit tools for post hoc review.
In this poster, we report on a 424-participant on-line study through which we seek to understand the effectiveness of consent interfaces for single sign-on, and use this understanding to provide an alternative design for single sign-on dialogs. We induced participants to log in with one of three identity providers, and measured their awareness of the information that was being sent by identity providers to service providers, their awareness of identity providers’ audit tools, and their sentiment about various aspects of single sign-on.
In summary, our study reveals that several aspects of how user information is handled in single sign-on systems are currently largely opaque to users; users neither understand in detail what information about them is sent by identity providers to service providers, nor do they believe they have control over this process. We also present a new, alternative design for single sign-on dialogs, PrivacyLens, which uses the recommendations of this study to improve the privacy of users.
Do you have additional information to contribute regarding this research paper? If so, please email firstname.lastname@example.org with the details.