Single Sign On on the Web: What’s broken and What can be fixed?

With Ph.D. student San-Tsai Sun, we have been investigating single sign-on for the Web.

We have been looking at the usability, business, and technical aspects of web single sign-on (SSO) solutions:

  • He has analyzed the OpenID protocol and 200 OpenID-enabled websites and found, among other things, that 50% of the OpenID-enabled websites are vulnerable to cross-site request forgery (CSRF), and 75% of the evaluated websites allow an attacker to force the victim to log in to their website as the attacker (login CSRF). With additional reasonable capabilities (e.g., tricking users into using a malicious wireless access point or installing a malicious browser extension) that let an attacker intercept the authentication response from the identity provider, an adversary can impersonate the victim on 65% of the OpenID-enabled websites, and re-masquerade as the victim on 6% of the websites, simply by replaying the intercepted authentication responses.
  • He (together with LERSSE postdoc (at that time) Kirstie Hawkey and another Ph.D. student, Yazan Boshmaf) has also looked into the business and human aspects of the low acceptance rate of OpenID. As a result, we propose that Web SSO technology should shift from its current shared-identity paradigm to a true Web single sign-on and sign-out experience, so that it can function as a platform that motivates relying parties (RPs) to adopt it.
  • On a more technical side, San-Tsai is investigating a browser-based Web SSO solution that requires minimal user interaction and provides relying parties with clear value propositions to motivate their adoption. Our approach builds OpenID support into web browsers, hides OpenID identifiers from users by using their existing email accounts, extends the OpenID protocol to perform authentication directly in the browser, and introduces an OpenIDAuth HTTP access authentication scheme to convey authenticated identities automatically to websites that support OpenID for authentication.
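The three RP-side weaknesses behind the numbers in the first item (unchecked or unsigned assertions, replay of an intercepted authentication response, and login CSRF) all come down to checks the relying party does or does not perform on the OpenID positive assertion. The following is an added example, not code from LERSSE or from the papers above: a minimal stateful-mode OpenID 2.0 relying party that verifies the association signature, enforces the response_nonce (replay), and binds the assertion to the browser session that started the login (login CSRF). The `check_nonce` and `bind_session` switches reproduce the weak behaviour so the two attacks can be run side by side. The host names, association handle, MAC key and the stand-in identity-provider routine are all constructed for the demo.

```python
"""Minimal OpenID 2.0 relying-party (RP) verification of a positive assertion.

Added illustration; the endpoints, handle, key and the fake OP are made up.
"""
import base64
import calendar
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

OP_ENDPOINT = "https://op.example/endpoint"        # assumed identity provider (OP)
RP_RETURN_TO = "https://rp.example/openid/finish"  # assumed RP return_to URL
NONCE_SKEW = 300                                   # seconds of OP/RP clock skew tolerated


def signed_kv_form(params):
    """Key-value form of the signed fields (OpenID 2.0 sec. 6): one 'key:value\\n'
    line per name listed in openid.signed, with the 'openid.' prefix stripped."""
    keys = params["openid.signed"].split(",")
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in keys).encode()


def assoc_signature(mac_key, params):
    """HMAC-SHA256 over the key-value form, base64-encoded, as the OP computes it."""
    return base64.b64encode(hmac.new(mac_key, signed_kv_form(params), hashlib.sha256).digest()).decode()


class RelyingParty:
    def __init__(self, assoc_handle, mac_key, now=time.time):
        self.assocs = {assoc_handle: mac_key}  # association handle -> shared MAC key
        self.seen_nonces = set()               # nonces accepted so far (prune after NONCE_SKEW)
        self.now = now

    def begin(self, session):
        """Start a login: mint a per-session token and carry it in return_to."""
        session["openid_state"] = secrets.token_urlsafe(16)
        return f"{RP_RETURN_TO}?rp_state={session['openid_state']}"

    def finish(self, session, params, check_nonce=True, bind_session=True):
        """Verify an id_res assertion; return the claimed identifier or raise ValueError.
        check_nonce=False / bind_session=False reproduce the weak RP behaviours."""
        if params.get("openid.mode") != "id_res":
            raise ValueError("not a positive assertion")
        # 1. Signature: the assertion must carry a valid MAC under a known association.
        key = self.assocs.get(params.get("openid.assoc_handle"))
        if key is None:
            raise ValueError("unknown association handle")
        if not hmac.compare_digest(assoc_signature(key, params), params.get("openid.sig", "")):
            raise ValueError("bad signature")
        # ...and the fields that matter must actually be covered by it (sec. 10.1).
        required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}
        if not required <= set(params["openid.signed"].split(",")):
            raise ValueError("required fields not signed")
        # 2. return_to must be our own endpoint (the query part is checked in step 4).
        ret = urlsplit(params["openid.return_to"])
        if ret._replace(query="").geturl() != RP_RETURN_TO:
            raise ValueError("return_to points elsewhere")
        # 3. Nonce: fresh and never accepted before. This is what stops an attacker
        #    who intercepted the response from replaying it later.
        if check_nonce:
            nonce = params["openid.response_nonce"]  # "YYYY-MM-DDThh:mm:ssZ" + unique suffix
            ts = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
            if abs(self.now() - ts) > NONCE_SKEW:
                raise ValueError("stale nonce")
            if nonce in self.seen_nonces:
                raise ValueError("replayed response")
            self.seen_nonces.add(nonce)
        # 4. Session binding: the signed return_to must carry the token minted for
        #    this browser session, so an assertion obtained in the attacker's browser
        #    cannot be pushed into the victim's session (login CSRF).
        if bind_session:
            state = parse_qs(ret.query).get("rp_state", [None])[0]
            if state is None or not hmac.compare_digest(state, session.get("openid_state", "")):
                raise ValueError("response not bound to this session")
            session.pop("openid_state")  # one-shot token
        return params["openid.claimed_id"]


def fake_op_assertion(mac_key, handle, claimed_id, return_to, nonce):
    """Constructed stand-in for the OP's positive assertion (demo only)."""
    p = {
        "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT, "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id, "openid.return_to": return_to,
        "openid.response_nonce": nonce, "openid.assoc_handle": handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    p["openid.sig"] = assoc_signature(mac_key, p)
    return p


def demo():
    """Run the legitimate login, a replay, a login CSRF and a tampered assertion."""
    key, clock = secrets.token_bytes(32), 1280000000.0  # fixed demo clock
    rp = RelyingParty("assoc-1", key, now=lambda: clock)
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(clock))
    victim, attacker, out = {}, {}, {}

    def attempt(name, session, resp, **flags):
        try:
            out[name] = rp.finish(session, dict(resp), **flags)
        except ValueError as e:
            out[name] = "rejected: " + str(e)

    # Legitimate login in the victim's browser.
    resp_a = fake_op_assertion(key, "assoc-1", "https://alice.op.example/", rp.begin(victim), ts + "a1")
    attempt("legit", victim, resp_a)
    # Attacker replays the intercepted response from its own browser.
    attempt("replay_lenient", attacker, resp_a, check_nonce=False, bind_session=False)
    attempt("replay_strict", attacker, resp_a)
    # Login CSRF: an assertion for the attacker's identity is submitted in the victim's browser.
    resp_m = fake_op_assertion(key, "assoc-1", "https://mallory.op.example/", rp.begin(attacker), ts + "m1")
    attempt("csrf_strict", victim, resp_m)
    attempt("csrf_lenient", victim, resp_m, check_nonce=False, bind_session=False)
    # Tampering with a signed field must fail the MAC check.
    attempt("tamper", victim, {**resp_a, "openid.claimed_id": "https://bob.op.example/"})
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15s} {v}")
```

The `seen_nonces` set grows without bound as written; a production RP would evict entries older than `NONCE_SKEW`, which is safe because anything older is rejected by the freshness check anyway. The per-session `rp_state` token travels inside `return_to`, which the OP signs, so the attacker cannot swap it without invalidating the signature.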