Influences of Displaying Permission-related Information on Web Single Sign-On Login Decisions

Published 24 Aug 2023 in cs.HC | (2308.13074v2)

Abstract: Web users are increasingly presented with multiple login options, including password-based login and common web single sign-on (SSO) login options such as "Login with Google" and "Login with Facebook". There has been little focus in previous studies on how users choose from a list of login options and how to better inform users about privacy issues in web SSO systems. In this paper, we conducted a 200-participant study to understand factors that influence participants' login decisions, and how they are affected by displaying permission differences across login options; permissions in SSO result in release of user personal information to third-party web sites through SSO identity providers. We compare and report on login decisions made by participants before and after viewing permission-related information, examine self-reported responses for reasons related to their login decisions, and report on the factors that motivated their choices. We find that usability preferences and inertia (habituation) were among the dominant factors influencing login decisions. After participants viewed permission-related information, many prioritised privacy over other factors, changing their login decisions to more privacy-friendly alternatives. Displaying permission-related information also influenced some participants to make tradeoffs between privacy and usability preferences.
