A billion keys, but few locks

The crisis of web single sign-on

San Tsai Sun, Yazan Boshmaf, Kirstie Hawkey, Konstantin Beznosov

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

39 Citations (Scopus)

Abstract

OpenID and InfoCard are two mainstream Web single sign-on (SSO) solutions intended for Internet-scale adoption. While they are technically sound, the business model of these solutions does not provide content-hosting and service providers (CSPs) with sufficient incentives to become relying parties (RPs). In addition, the pressure from users and identity providers (IdPs) is not strong enough to drive CSPs toward adopting Web SSO. As a result, there are currently over one billion OpenID-enabled user accounts provided by major CSPs, but only a few relying parties. In this paper, we discuss the problem of Web SSO adoption for RPs and argue that solutions in this space must offer RPs sufficient business incentives and trustworthy identity services in order to succeed. We suggest future Web SSO development should investigate and fulfill RPs' business needs, identify IdP business models, and build trust frameworks. Moreover, we propose that Web SSO technology should build identity support into browsers in order to facilitate RPs' adoption.

Original language: English
Title of host publication: Proceedings - New Security Paradigms Workshop 2010, NSPW 2010
Pages: 61-71
Number of pages: 11
DOIs: https://doi.org/10.1145/1900546.1900556
Publication status: Published - 2010
Externally published: Yes
Event: New Security Paradigms Workshop, NSPW 2010 - Concord, MA, United States
Duration: 21 Sep 2010 to 23 Sep 2010

Other

Other: New Security Paradigms Workshop, NSPW 2010
Country: United States
City: Concord, MA
Period: 21/9/10 to 23/9/10

Fingerprint

Industry
Acoustic waves
Internet

Keywords

  • authentication
  • infocard
  • openid
  • web identity management
  • web single sign-on

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Hardware and Architecture
  • Software
  • Information Systems

Cite this

Sun, S. T., Boshmaf, Y., Hawkey, K., & Beznosov, K. (2010). A billion keys, but few locks: The crisis of web single sign-on. In Proceedings - New Security Paradigms Workshop 2010, NSPW 2010 (pp. 61-71) https://doi.org/10.1145/1900546.1900556

@inproceedings{b4d57410935a4dd2928661bf78d5787f,
title = "A billion keys, but few locks: The crisis of web single sign-on",
abstract = "OpenID and InfoCard are two mainstream Web single sign-on (SSO) solutions intended for Internet-scale adoption. While they are technically sound, the business model of these solutions does not provide content-hosting and service providers (CSPs) with sufficient incentives to become relying parties (RPs). In addition, the pressure from users and identity providers (IdPs) is not strong enough to drive CSPs toward adopting Web SSO. As a result, there are currently over one billion OpenID-enabled user accounts provided by major CSPs, but only a few relying parties. In this paper, we discuss the problem of Web SSO adoption for RPs and argue that solutions in this space must offer RPs sufficient business incentives and trustworthy identity services in order to succeed. We suggest future Web SSO development should investigate and fulfill RPs' business needs, identify IdP business models, and build trust frameworks. Moreover, we propose that Web SSO technology should build identity support into browsers in order to facilitate RPs' adoption.",
keywords = "authentication, infocard, openid, web identity management, web single sign-on",
author = "Sun, {San Tsai} and Yazan Boshmaf and Kirstie Hawkey and Konstantin Beznosov",
year = "2010",
doi = "10.1145/1900546.1900556",
language = "English",
isbn = "9781450304153",
pages = "61--71",
booktitle = "Proceedings - New Security Paradigms Workshop 2010, NSPW 2010",

}
