A Longitudinal Characterization of the Third-Party Authentication Landscape
2022 (English). In: 2022 IFIP Networking Conference (IFIP Networking), IEEE, 2022. Conference paper, Published paper (Refereed)
Abstract [en]
Many websites offer users the option to authenticate using third-party identity providers (IDPs) such as Facebook or Google. As part of the signup process, these websites often ask the user to give them additional permissions with the IDP (e.g., to share some data or authorize some actions) that can have significant privacy implications. Motivated by the increased scrutiny of Facebook and other popular IDPs (e.g., due to the 2018 Cambridge Analytica scandal), we present a longitudinal analysis of the IDP usage and permissions changes over the past nine years (2012–2021) as well as a large-scale characterization of the current state. Our longitudinal analysis identifies trends and characterizes changes in both the IDP usage and permission agreements of different subsets of websites. For our large-scale analysis, we develop and share a Selenium-based measurement framework that we use to collect datasets. Using this data, we study the IDP usage across popularity ranges, the permissions used in the wild, and highlight differences between websites using different IDPs and those that do not. Our analysis shows increased IDP usage, especially among the most popular websites, and that the permission requests on average are becoming more modest but also brings forward significant exceptions that may need further scrutiny.
Place, publisher, year, edition, pages
IEEE, 2022.
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:liu:diva-188888
DOI: 10.23919/IFIPNetworking55013.2022.9829804
ISI: 000855528800043
ISBN: 9783903176485 (electronic)
OAI: oai:DiVA.org:liu-188888
DiVA, id: diva2:1700110
Conference
IFIP Networking Conference (IFIP Networking), Catania, Italy, June 13-16, 2022
2022-09-29, 2022-09-29, 2022-11-10. Bibliographically approved