Centralizing the Decentralized: The Value Implications of Single Sign-On Services

Kartik Rishi, Teresa Lam, Augustus Yuan, Scott Kuehnert

Agenda

Introduction & Stakeholders

Understand the premise behind why we conducted our study, and get a glimpse into how the direct and indirect stakeholders interact with Single Sign-On services.

SSO Integrators

A quick look at the utilization of SSO systems by existing services.

SSO Users

An in-depth look at the prevalence of SSO as a service through an empirical investigation.

SSO Providers

We provide an analysis of three large SSO services and how they treat users and their data.

Best Practices & Conclusion

By synthesizing the work that we've done, we have some methods that users can adopt to stay safe and secure online.

Introduction

Internet is Growing

Everyone knows this, it's huge.

Self-Identity

Our constant interactions online establish our personal identity online.

Growing Services

The number of businesses/services online for users is growing exponentially.

Points of Authority

A growing trend where services act to authenticate you as a unique individual.

Stakeholders

Direct Stakeholders
- SSO Users
- SSO Integrators (Ex. Groupon, LivingSocial)
- SSO Providers (Ex. Facebook, Google, OpenID)

Indirect Stakeholders
- Government
- Data Aggregation Services
- Marketing Agencies

SSO Integrators

Stack Exchange
A collection of sites focusing on Questions & Answers services.
- Focuses on convenience of the user
- Allows access to 90+ sites with one account
- Manage accounts easier and provide profiles for career employers

Social Deals
A type of service that uses social media to target niche markets with deals.
- Focuses on the personalization of the user
- Specifically target ads/deals based on user interests

Wolfram-Alpha
Computational engine used to understand Big Data through human lens.
- Focuses on making data accessible to the user
- Develops algorithms to improve site services based on user entries & data

SSO Users
Methods & Demographics

We utilized Amazon MTurk to reach a far greater audience in a short period of time.

Age        n     %
18-21      17    12%
22-25      43    30.3%
26-30      41    28.9%
31-40      28    19.7%
41-50      9     6.3%
51-60      3     2.1%
61-70      1     0.7%

Gender     n     %
Male       94    66.2%
Female     48    33.8%

Country    n     %
India      116   81.7%
USA        17    12%
Pakistan         1.4%
Other            4.9%

SSO Users
Why do you use Single Sign-On services?
- "It's easy and convenient"
- "Much easier and fast to sign up to website with this service"
- "It provides security as one time login and logout. Also no need to remember all the passwords every time"
- "SSO services are quite easy to use and fast as well. It reduces the threat of phishing and many other online privacy issues. Hence using SSO services is safe and secure."

SSO Users
Usage of SSOs vs Privacy violation in the future?

Do you ever worry that your privacy might be violated in the future? Please mark the scale from 1-5:

1. Not Worried At All: 47/142 and 32/47 = 68.1% use SSOs
2. Somewhat Worried: 17/142 and 9/17 = 52.9% use SSOs
3. Neutral: 26/142 and 13/26 = 50% use SSOs
4. Worried: 33/142 and 19/33 = 57.6% use SSOs
5. Extremely Worried: 19/142 and 10/19 = 52.6% use SSOs

SSO Users
Privacy Violated in Past vs Privacy Violated in Future

Only 11 out of the 142 participants actually had their privacy violated in the past. 72.7% of the 11 participants answered either a 5 (Extremely Worried) or a 4 (Worried) for their privacy being violated in the future.

This shows that people who had their privacy violated in the past are more concerned about their future privacy.

SSO Providers

Motivation

Develop a better understanding of SSO systems & provide useful research

Prior Research

Utilized research done by privacychoice.org & knowprivacy.org

Methods

- Read through privacy and data-use policies at least twice: once to get an overview of the text and locations of certain types of clauses, and again to mark specific locations of text
- Draft a list of specific allowances
- Create a table to track occurrences of each allowance (each value in brackets refers to a specific policy)

Findings

- More focus on data collection in Google
- More focus on data sharing from Facebook
- More focus on the rights of companies vs. rights of users

SSO Providers
Findings

- No companies had explicit policies to alert users to government access attempts
- No companies explicitly share information they get about you from third parties

Conclusions

Pros:
- Quantitative
- Allows for direct comparison of policies

Cons:
- Not comprehensive
- Can be misleading

Best Practices
Be Mindful On The Value of YOU

Understand the value of your identity online and your stake in web security.

Stay Up-To-Date

Policies change, and being knowledgeable about updates can keep you better informed.

Manage Access To Your Information

Determine if you no longer use services and shut them down to control data access.

Manage Different Kinds of Data

Conduct an audit of what kinds of information you have online, and control it.

Evaluate The Value Of Services Used

Take a chance to think about whether you really should use some services online.

Questions? We Have Answers.
