Third-party Identity Management Usage on the Web Anna Vapen, Niklas - - PowerPoint PPT Presentation

third party identity management usage on the web
SMART_READER_LITE
LIVE PREVIEW

Third-party Identity Management Usage on the Web Anna Vapen, Niklas - - PowerPoint PPT Presentation

Oct 09, 2023 93 likes •282 views

Third-party Identity Management Usage on the Web Anna Vapen, Niklas Carlsson, Anirban Mahanti, Nahid Shahmehri Linkping University, Sweden NICTA, Australia Third-party Web Authentication Web Authentication Registration with

slide-1
SLIDE 1

Third-party Identity Management Usage on the Web

Anna Vapen¹, Niklas Carlsson¹, Anirban Mahanti², Nahid Shahmehri¹

¹Linköping University, Sweden ²NICTA, Australia

slide-2
SLIDE 2

Third-party Web Authentication

Web Authentication

  • Registration with each website
  • Many passwords to remember

Third-party authentication

  • Use an existing IDP (identity provider) account

to access an RP (relying party)

  • Log in less often; Stronger authentication
  • Increase personalization opportunities
  • Share information between websites

2

slide-3
SLIDE 3

Motivation

3

  • An emerging third-party authentication landscape
  • Increasing usage of third-party identity providers
  • Complex, nested relationships between RPs and IDPs
  • Authorization protocol (OAuth) used for authentication
  • Applications acting on user’s behalf
  • Data transfer between parties; Less control over data
  • IDP selection
  • Privacy implications
slide-4
SLIDE 4

Contributions

  • Novel Selenium-based data collection methodology
  • Identification and validation of RP-IDP relationships
  • Popularity-based logarithmic sampling technique
  • Characterization of identified RP-IDP relationships
  • Impact on IDP selection of RP characteristics
  • Comparison to third-party content-delivery relationships

4

slide-5
SLIDE 5

Methodology (1)

  • Popularity-based logarithmic sampling
  • 80,000 points uniformly on a logarithmic range
  • Power-law distribution
  • Capturing data from different popularity segments

5

1 million most popular websites Sampled websites

slide-6
SLIDE 6

Methodology (2)

  • Selenium-based crawling and relationship identification
  • Able to process Web 2.0 sites with interactive elements
  • Low number of false positives
  • Validation with semi-manual classification and text-matching

6

1 million most popular websites

Sampled websites

slide-7
SLIDE 7

Collected Data

7

1,6 terabyte analyzed data 25 million analyzed links 35,620 sampled sites 3,329 unique relationships 50 IDPs and 1,865 RPs WHOIS, server location and audience location Total site size and number

  • f links and objects
slide-8
SLIDE 8

IDP Usage

  • More than 75% of the RPs are served by 5% of the IDPs
  • RPs tend to select popular sites as IDPs
  • Only 15 of the 44 IDPs outside top 10 on Alexa serve more

than 10 sampled RPs

8

75% of RPs served by 5% of IDPs

slide-9
SLIDE 9

Top IDPs

9

IDP rank Alexa rank IDP Protocol Number of IDP relationships 1 2 Facebook.com Oauth 1293 2 10 Twitter.com OAuth 378 3 9 QQ.com OAuth 278 4 1 Google.com Oauth / OpenID 250 5 4 Yahoo.com Oauth / OpenID 141 6 16 Sina.com.cn Oauth 127 7

  • OpenID field

OpenID 87 8 4173 Vkontakte.ru Oauth 73 9 25 Weibo.com Oauth 64 10 12 Linkedin.com Oauth 63

* ** **

* Domain change to vk.com ** Authentication with Sina.com.cn redirects to Weibo.com Login with any OpenID provider

slide-10
SLIDE 10

Top IDPs

10

IDP rank Alexa rank IDP Protocol Number of IDP relationships 1 2 Facebook.com Oauth 1293 2 10 Twitter.com OAuth 378 3 9 QQ.com OAuth 278 4 1 Google.com Oauth / OpenID 250 5 4 Yahoo.com Oauth / OpenID 141 6 16 Sina.com.cn Oauth 127 7

  • OpenID field

OpenID 87 8 4173 Vkontakte.ru Oauth 73 9 25 Weibo.com Oauth 64 10 12 Linkedin.com Oauth 63

Social networks (except no. 7)

* ** **

* Domain change to vk.com ** Authentication with Sina.com.cn redirects to Weibo.com Login with any OpenID provider

slide-11
SLIDE 11

IDP Selection

11

  • Popular sites as IDPs, instead of specialized IDPs

Specialized IDPs with stronger authentication methods Popular sites with

  • Lots of existing users
  • Personal information
slide-12
SLIDE 12

Number of IDPs per sampled RP

12

IDP widgets providing a pre-selected large set of IDPs Estimated weighted average: < 3 IDPs / RP

slide-13
SLIDE 13

13

0.5 1 1.5 2 2.5 3 3.5 4

[1 - 10] (10 - 10^2] (10^2 - 10^3] (10^3- 10^4] (10^4 - 10^5] (10^5 - 10^6]3

Number of IDPs per RP Alexa site rank of RPs

> 10^6 (10^5 - 10^6]3 (10^4 - 10^5] (10^3- 10^4] (10^2 - 10^3] (10 - 10^2] [1 - 10]

Breakdown of the average number of IDPs selected per RP and popularity segment

IDPs per RP Based on Popularity

slide-14
SLIDE 14

Comparison with Content Services

  • Content: scripts, images and other third-party objects
  • IDPs much more popular sites than content providers

14

slide-15
SLIDE 15

Service-based Analysis

15

200 most popular websites Manual classification Social/portal Tech Commerce News CDN Ads File sharing Info Video

Likely to be RPs Early adopters, using several IDPs Likely to be IDPs; Many RPs in this category Using IDPs from same category: tech, commerce Using social IDPs: file sharing, info

slide-16
SLIDE 16

Cultural and Geographical Analysis

  • North American and Chinese RPs use local IDPs to a large extent
  • Content delivery usage less biased to local providers

16

Identity management Content delivery

North America Europe Russia China Other Asia (rest)

North America Europe China Russia Asia (all)

slide-17
SLIDE 17

Summary and Conclusions

  • Large-scale characterization of third-party Web authentication
  • Novel data collection methodology with popularity-based sampling
  • Few large third-parties serve many websites
  • Comparison with content sharing
  • IDP selection much more biased
  • Risk for privacy leaks
  • Few large third-parties handling a lot of information
  • The most popular IDPs are using protocols not adapted for strong

authentication

17