liu.se: Search for publications in DiVA
1 - 11 of 11
  • 1.
    Vapen, Anna
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska högskolan.
    Contributions to Web Authentication for Untrusted Computers. 2011. Licentiate thesis, monograph (Other academic)
    Abstract [en]

    Authentication methods offer varying levels of security. Methods with one-time credentials generated by dedicated hardware tokens can reach a high level of security, whereas password-based authentication methods have a low level of security since passwords can be eavesdropped and stolen by an attacker. Password-based methods are dominant in web authentication since they are both easy to implement and easy to use. Dedicated hardware, on the other hand, is not always available to the user, usually requires additional equipment and may be more complex to use than password-based authentication.

    Different services and applications on the web have different requirements for the security of authentication.  Therefore, it is necessary for designers of authentication solutions to address this need for a range of security levels. Another concern is mobile users authenticating from unknown, and therefore untrusted, computers. This in turn raises issues of availability, since users need secure authentication to be available, regardless of where they authenticate or which computer they use.

    We propose a method for evaluation and design of web authentication solutions that takes into account a number of often overlooked design factors, i.e. availability, usability and economic aspects. Our proposed method uses the concept of security levels from the Electronic Authentication Guideline, provided by NIST.

    We focus on the use of handheld devices, especially mobile phones, as a flexible, multi-purpose (i.e. non-dedicated) hardware device for web authentication. Mobile phones offer unique advantages for secure authentication, as they are small, flexible and portable, and provide multiple data transfer channels. Phone designs, however, vary and the choice of channels and authentication methods will influence the security level of authentication. It is not trivial to maintain a consistent overview of the strengths and weaknesses of the available alternatives. Our evaluation and design method provides this overview and can help developers and users to compare and choose authentication solutions.

  • 2.
    Vapen, Anna
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska fakulteten.
    Web Authentication using Third-Parties in Untrusted Environments. 2016. Doctoral thesis, comprising papers (Other academic)
    Abstract [en]

    With the increasing personalization of the Web, many websites allow users to create their own personal accounts. This has resulted in Web users often having many accounts on different websites, to which they need to authenticate in order to gain access. Unfortunately, there are several security problems connected to the use and re-use of passwords, the most prevalent authentication method currently in use, including eavesdropping and replay attacks.

    Several alternative methods have been proposed to address these shortcomings, including the use of hardware authentication devices. However, these more secure authentication methods are often not adapted for mobile Web users who use different devices in different places and in untrusted environments, such as public Wi-Fi networks, to access their accounts.

    We have designed a method for comparing, evaluating and designing authentication solutions suitable for mobile users and untrusted environments. Our method leverages the fact that mobile users often bring their own cell phones, and also takes into account different levels of security adapted for different services on the Web.

    Another important trend in the authentication landscape is that an increasing number of websites use third-party authentication. This is a solution where users have an account on a single system, the identity provider, and this one account can then be used with multiple other websites. In addition to requiring fewer passwords, these services can also in some cases implement authentication with higher security than passwords can provide.

    How websites select their third-party identity providers has privacy and security implications for end users. To better understand the security and privacy risks with these services, we present a data collection methodology that we have used to identify and capture third-party authentication usage on the Web. We have also characterized the third-party authentication landscape based on our collected data, outlining which types of third-parties are used by which types of sites, and how usage differs across the world. Using a combination of large-scale crawling, longitudinal manual testing, and in-depth login tests, our characterization and analysis has also allowed us to discover interesting structural properties of the landscape, differences in the cross-site relationships, and how the use of third-party authentication is changing over time.

    Finally, we have also outlined what information is shared between websites in third-party authentication, defined risk classes based on shared data, and profiled privacy leakage risks associated with websites and their identity providers sharing data with each other. Our findings show how websites can strengthen the privacy of their users based on how these websites select and combine their third-parties and the data they allow to be shared.

    List of papers
    1. Security Levels for Web Authentication using Mobile Phones
    2011 (English). In: Privacy and Identity Management for Life / [ed] Simone Fischer-Hübner, Penny Duquenoy, Marit Hansen, Ronald Leenes and Ge Zhang, Boston: Springer, 2011, p. 130-143. Conference paper, Published paper (Refereed)
    Abstract [en]

    Mobile phones offer unique advantages for secure authentication: they are small and portable, provide multiple data transfer channels, and are nearly ubiquitous. While phones provide a flexible and capable platform, phone designs vary, and the security level of an authentication solution is influenced by the choice of channels and authentication methods. It can be a challenge to get a consistent overview of the strengths and weaknesses of the available alternatives. Existing guidelines for authentication usually do not consider the specific problems in mobile phone authentication. We provide a method for evaluating and designing authentication solutions using mobile phones, using an augmented version of the Electronic Authentication Guideline.

    Place, publisher, year, edition, pages
    Boston: Springer, 2011
    Series
    IFIP Advances in Information and Communication Technology, ISSN 1868-4238 ; 352
    Keywords
    Authentication, information security, mobile phone, security levels, evaluation method
    HSV category
    Identifiers
    urn:nbn:se:liu:diva-70058 (URN); 10.1007/978-3-642-20769-3_11 (DOI); 978-3-642-20768-6 (ISBN)
    Conference
    PrimeLife/IFIP Summer School 2010
    Available from: 2011-08-17 Created: 2011-08-17 Last updated: 2018-01-12
    2. 2-clickAuth - Optical Challenge-Response Authentication using Mobile Handsets
    2011 (English). In: International Journal on Mobile Computing and Multimedia Communications, ISSN 1937-9412, E-ISSN 1937-9404, Vol. 3, no. 2, p. 1-18. Article in journal (Refereed). Published
    Abstract [en]

    Internet users often have usernames and passwords at multiple web sites. To simplify things, many sites support federated identity management, which enables users to have a single account allowing them to log on to different sites by authenticating to a single identity provider. Most identity providers perform authentication using a username and password. Should these credentials be compromised, all of the user’s accounts become compromised. Therefore a more secure authentication method is desirable. This paper implements 2-clickAuth, a multimedia-based challenge-response solution which uses a web camera and a camera phone for authentication. Two-dimensional barcodes are used for the communication between phone and computer, which allows 2-clickAuth to transfer relatively large amounts of data in a short period of time. 2-clickAuth is more secure than passwords while easy to use and distribute. 2-clickAuth is a viable alternative to passwords in systems where enhanced security is desired, but availability, ease-of-use, and cost cannot be compromised. This paper implements an identity provider in the OpenID federated identity management system that uses 2-clickAuth for authentication, making 2-clickAuth available to all users of sites that support OpenID, including Facebook, Sourceforge, and MySpace.

    Place, publisher, year, edition, pages
    Hershey, USA: IGI Global, 2011
    Keywords
    Authentication, federated identity management, mobile computing, OpenID, QR code, trusted device
    HSV category
    Identifiers
    urn:nbn:se:liu:diva-70063 (URN); 10.4018/jmcmc.2011040101 (DOI)
    Available from: 2011-08-17 Created: 2011-08-17 Last updated: 2018-01-12
    3. Third-party identity management usage on the web
    2014 (English). In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Springer Berlin/Heidelberg, 2014, Vol. 8362 LNCS, p. 151-162. Conference paper, Published paper (Refereed)
    Abstract [en]

    Many websites utilize third-party identity management services to simplify access to their services. Given the privacy and security implications for end users, an important question is how websites select their third-party identity providers and how this impacts the characteristics of the emerging identity management landscape seen by the users. In this paper we first present a novel Selenium-based data collection methodology that identifies and captures the identity management relationships between sites and the intrinsic characteristics of the websites that form these relationships. Second, we present the first large-scale characterization of the third-party identity management landscape and the relationships that make up this emerging landscape. As a reference point, we compare and contrast our observations with the somewhat more understood third-party content provider landscape. Interesting findings include a much higher skew towards websites selecting popular identity provider sites than is observed among content providers, with sites being more likely to form identity management relationships that have similar cultural, geographic, and general site focus. These findings are both positive and negative. For example, the high skew in usage places greater responsibility on fewer organizations that are responsible for the increased information leakage cost associated with highly aggregated personal information, but also reduces the users' control of the access to this information. © 2014 Springer International Publishing Switzerland.

    Place, publisher, year, edition, pages
    Springer Berlin/Heidelberg, 2014
    Series
    Lecture Notes in Computer Science, ISSN 0302-9743, E-ISSN 1611-3349
    HSV category
    Identifiers
    urn:nbn:se:liu:diva-116404 (URN); 10.1007/978-3-319-04918-2_15 (DOI); 2-s2.0-84900600203 (Scopus ID); 9783319049175 (ISBN)
    Conference
    15th International Conference on Passive and Active Measurement, PAM 2014
    Available from: 2015-03-26 Created: 2015-03-26 Last updated: 2021-04-26
    4. A Look at the Third-Party Identity Management Landscape
    2016 (English). In: IEEE Internet Computing, ISSN 1089-7801, E-ISSN 1941-0131, Vol. 20, no. 2, p. 18-25. Article in journal (Refereed). Published
    Abstract [en]

    Many websites act as relying parties (RPs) by allowing access to their services via third-party identity providers (IDPs), such as Facebook and Google. Using IDPs simplifies account creation, login activity, and information sharing across websites. However, different websites' use of IDPs can have significant security and privacy implications for users. Here, the authors provide an overview of third-party identity management's current landscape. Using datasets collected through manual identification and large-scale crawling, they answer questions related to which sites act as RPs, which sites are the most successful IDPs, and how different classes of RPs select their IDPs.

    Place, publisher, year, edition, pages
    IEEE COMPUTER SOC, 2016
    HSV category
    Identifiers
    urn:nbn:se:liu:diva-127053 (URN); 10.1109/MIC.2016.38 (DOI); 000372015500003 ()
    Available from: 2016-04-13 Created: 2016-04-13 Last updated: 2021-04-26
    5. Information Sharing and User Privacy in the Third-party Identity Management Landscape
    2015 (English). In: ICT Systems Security and Privacy Protection: 30th IFIP TC 11 International Conference, SEC 2015, Hamburg, Germany, May 26-28, 2015, Proceedings / [ed] Hannes Federrath, Dieter Gollmann, Springer, 2015, p. 174-188. Conference paper, Published paper (Refereed)
    Abstract [en]

    The cross-site information sharing and authorized actions of third-party identity management can have significant privacy implications for the users. In this paper, we use a combination of manual analysis of identified third-party identity management relationships and targeted case studies to (i) capture how the protocol usage and third-party selection is changing, (ii) profile what information is requested to be shared (and actions to be performed) between websites, and (iii) identify privacy issues and practical problems that occur when using multiple accounts (associated with these services). By characterizing and quantifying the third-party relationships based on their cross-site information sharing, the study highlights differences in the privacy leakage risks associated with different classes of websites, and provides concrete evidence for how the privacy risks are increasing. For example, many news and file/video-sharing sites ask users to authorize the site to post information to the third-party website. We also observe a general increase in the breadth of information that is shared across websites, and find that due to usage of multiple third-party websites, in many cases, the user can lose (at least) partial control over which identities they can merge/relate and the information that is shared/posted on their behalf.

    Place, publisher, year, edition, pages
    Springer, 2015
    Series
    IFIP Advances in Information and Communication Technology, ISSN 1868-4238 ; 455
    HSV category
    Identifiers
    urn:nbn:se:liu:diva-117543 (URN); 10.1007/978-3-319-18467-8_12 (DOI); 000364779100012 (); 978-3-319-18466-1 (ISBN); 978-3-319-18467-8 (ISBN)
    Conference
    30th IFIP TC 11 International Conference, SEC 2015, Hamburg, Germany, May 26-28, 2015
    Available from: 2015-05-04 Created: 2015-05-04 Last updated: 2021-04-26. Bibliographically approved
    6. Longitudinal Analysis of the Third-party Authentication Landscape
    2016 (English). Conference paper, Published paper (Refereed)
    Abstract [en]

    Many modern websites offer single sign-on (SSO) services, which allow the user to use an existing account with a third-party website such as Facebook to authenticate. When using SSO the user must approve an app-rights agreement that specifies what data related to the user can be shared between the two websites and any actions (e.g., posting comments) that the origin website is allowed to perform on behalf of the user on the third-party provider (e.g., Facebook). Both cross-site data sharing and actions performed on behalf of the user can have significant privacy implications. In this paper we present a longitudinal study of the third-party authentication landscape, its structure, and the protocol usage, data sharing, and actions associated with individual third-party relationships. The study captures the current state, changes in the structure, protocol usage, and information leakage risks.

    Place, publisher, year, edition, pages
    Internet Society, 2016
    HSV category
    Identifiers
    urn:nbn:se:liu:diva-127301 (URN); 1-891562-44-4 (ISBN)
    Conference
    NDSS Workshop on Understanding and Enhancing Online Privacy Workshop (UEOP@NDSS). 21-24 February 2016 Catamaran Resort Hotel & Spa in San Diego, California
    Note

    DOI does not work: 10.14722/ueop.2016.23008

    Available from: 2016-04-19 Created: 2016-04-19 Last updated: 2021-04-26. Bibliographically approved
  • 3.
    Vapen, Anna
    et al.
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska högskolan.
    Byers, David
    Linköpings universitet, Tekniska högskolan. Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik.
    Shahmehri, Nahid
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska högskolan.
    2-clickAuth - Optical Challenge-Response Authentication. 2010. In: International Conference on Availability, Reliability, and Security, 2010. ARES '10, IEEE COMPUTER SOC, 10662 LOS VAQUEROS CIRCLE, PO BOX 3014, LOS ALAMITOS, CA 90720-1264 USA, 2010, p. 79-86. Conference paper (Refereed)
    Abstract [en]

    Internet users today often have usernames and passwords at multiple web sites. To simplify things, many sites support some form of federated identity management, such as OpenID, that enables users to have a single account that allows them to log on to many different sites by authenticating to a single identity provider. Most identity providers perform authentication using a username and password. Should these credentials be compromised, e.g. captured by a key logger or malware on an untrusted computer, all the user's accounts become compromised. Therefore a more secure authentication method is desirable. We have implemented 2-clickAuth, an optical challenge-response solution where a web camera and a camera phone are used for authentication. Two-dimensional barcodes are used for the communication between phone and computer, which allows 2-clickAuth to transfer relatively large amounts of data in a short period of time. 2-clickAuth is considerably more secure than passwords while still being easy to use and easy to distribute to users. This makes 2-clickAuth a viable alternative to passwords in systems where enhanced security is desired, but availability, ease-of-use, and cost cannot be compromised. We have implemented an identity provider in the OpenID federated identity management system that uses 2-clickAuth for authentication, making 2-clickAuth available to all users of sites that support OpenID, including Facebook, Sourceforge and MySpace.

  • 4.
    Vapen, Anna
    et al.
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska högskolan.
    Carlsson, Niklas
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska högskolan.
    Mahanti, A.
    NICTA, Sydney NSW, Australia.
    Shahmehri, Nahid
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska högskolan.
    Third-party identity management usage on the web. 2014. In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Springer Berlin/Heidelberg, 2014, Vol. 8362 LNCS, p. 151-162. Conference paper (Refereed)
    Abstract [en]

    Many websites utilize third-party identity management services to simplify access to their services. Given the privacy and security implications for end users, an important question is how websites select their third-party identity providers and how this impacts the characteristics of the emerging identity management landscape seen by the users. In this paper we first present a novel Selenium-based data collection methodology that identifies and captures the identity management relationships between sites and the intrinsic characteristics of the websites that form these relationships. Second, we present the first large-scale characterization of the third-party identity management landscape and the relationships that make up this emerging landscape. As a reference point, we compare and contrast our observations with the somewhat more understood third-party content provider landscape. Interesting findings include a much higher skew towards websites selecting popular identity provider sites than is observed among content providers, with sites being more likely to form identity management relationships that have similar cultural, geographic, and general site focus. These findings are both positive and negative. For example, the high skew in usage places greater responsibility on fewer organizations that are responsible for the increased information leakage cost associated with highly aggregated personal information, but also reduces the users' control of the access to this information. © 2014 Springer International Publishing Switzerland.

  • 5.
    Vapen, Anna
    et al.
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska fakulteten.
    Carlsson, Niklas
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska fakulteten.
    Mahanti, Anirban
    NICTA, Australia.
    Shahmehri, Nahid
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska fakulteten.
    A Look at the Third-Party Identity Management Landscape. 2016. In: IEEE Internet Computing, ISSN 1089-7801, E-ISSN 1941-0131, Vol. 20, no. 2, p. 18-25. Article in journal (Refereed)
    Abstract [en]

    Many websites act as relying parties (RPs) by allowing access to their services via third-party identity providers (IDPs), such as Facebook and Google. Using IDPs simplifies account creation, login activity, and information sharing across websites. However, different websites' use of IDPs can have significant security and privacy implications for users. Here, the authors provide an overview of third-party identity management's current landscape. Using datasets collected through manual identification and large-scale crawling, they answer questions related to which sites act as RPs, which sites are the most successful IDPs, and how different classes of RPs select their IDPs.

  • 6.
    Vapen, Anna
    et al.
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska högskolan.
    Carlsson, Niklas
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska högskolan.
    Mahanti, Anirban
    NICTA, Australia.
    Shahmehri, Nahid
    Linköpings universitet, Institutionen för datavetenskap, IISLAB - Laboratoriet för intelligenta informationssystem. Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska högskolan.
    Information Sharing and User Privacy in the Third-party Identity Management Landscape. 2015. In: Proc. ACM Conference on Data and Application Security and Privacy (ACM CODASPY), ACM Digital Library, 2015, p. 151-153. Conference paper (Refereed)
    Abstract [en]

    Third-party identity management services enable cross-site information sharing, making Web access seamless but also raising significant privacy implications for the users. Using a combination of manual analysis of identified third-party identity management relationships and targeted case studies we capture how the protocol usage and third-party selection is changing, profile what information is requested to be shared (and actions to be performed) between websites, and identify privacy issues and practical problems that occur when using multiple accounts (associated with these services). The study highlights differences in the privacy leakage risks associated with different classes of websites, and shows that the use of multiple third-party websites, in many cases, can cause the user to lose (at least) partial control over which information is shared/posted on their behalf.

  • 7.
    Vapen, Anna
    et al.
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska högskolan.
    Carlsson, Niklas
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska högskolan.
    Mahanti, Anirban
    NICTA, Australia.
    Shahmehri, Nahid
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska högskolan.
    Information Sharing and User Privacy in the Third-party Identity Management Landscape. 2015. In: ICT Systems Security and Privacy Protection: 30th IFIP TC 11 International Conference, SEC 2015, Hamburg, Germany, May 26-28, 2015, Proceedings / [ed] Hannes Federrath, Dieter Gollmann, Springer, 2015, p. 174-188. Conference paper (Refereed)
    Abstract [en]

    The cross-site information sharing and authorized actions of third-party identity management can have significant privacy implications for the users. In this paper, we use a combination of manual analysis of identified third-party identity management relationships and targeted case studies to (i) capture how the protocol usage and third-party selection is changing, (ii) profile what information is requested to be shared (and actions to be performed) between websites, and (iii) identify privacy issues and practical problems that occur when using multiple accounts (associated with these services). By characterizing and quantifying the third-party relationships based on their cross-site information sharing, the study highlights differences in the privacy leakage risks associated with different classes of websites, and provides concrete evidence for how the privacy risks are increasing. For example, many news and file/video-sharing sites ask users to authorize the site to post information to the third-party website. We also observe a general increase in the breadth of information that is shared across websites, and find that due to usage of multiple third-party websites, in many cases, the user can lose (at least) partial control over which identities they can merge/relate and the information that is shared/posted on their behalf.

  • 8.
    Vapen, Anna
    et al.
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska fakulteten.
    Carlsson, Niklas
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska fakulteten.
    Shahmehri, Nahid
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska fakulteten.
    Longitudinal Analysis of the Third-party Authentication Landscape. 2016. Conference paper (Refereed)
    Abstract [en]

    Many modern websites offer single sign-on (SSO) services, which allow the user to use an existing account with a third-party website such as Facebook to authenticate. When using SSO the user must approve an app-rights agreement that specifies what data related to the user can be shared between the two websites and any actions (e.g., posting comments) that the origin website is allowed to perform on behalf of the user on the third-party provider (e.g., Facebook). Both cross-site data sharing and actions performed on behalf of the user can have significant privacy implications. In this paper we present a longitudinal study of the third-party authentication landscape, its structure, and the protocol usage, data sharing, and actions associated with individual third-party relationships. The study captures the current state, changes in the structure, protocol usage, and information leakage risks.

  • 9.
    Vapen, Anna
    et al.
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska högskolan.
    Shahmehri, Nahid
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska högskolan.
    2-clickAuth - Optical Challenge-Response Authentication using Mobile Handsets. 2011. In: International Journal on Mobile Computing and Multimedia Communications, ISSN 1937-9412, E-ISSN 1937-9404, Vol. 3, no. 2, p. 1-18. Article in journal (Refereed)
    Abstract [en]

    Internet users often have usernames and passwords at multiple web sites. To simplify things, many sites support federated identity management, which enables users to have a single account allowing them to log on to different sites by authenticating to a single identity provider. Most identity providers perform authentication using a username and password. Should these credentials be compromised, all of the user’s accounts become compromised. Therefore a more secure authentication method is desirable. This paper implements 2-clickAuth, a multimedia-based challenge-response solution which uses a web camera and a camera phone for authentication. Two-dimensional barcodes are used for the communication between phone and computer, which allows 2-clickAuth to transfer relatively large amounts of data in a short period of time. 2-clickAuth is more secure than passwords while easy to use and distribute. 2-clickAuth is a viable alternative to passwords in systems where enhanced security is desired, but availability, ease-of-use, and cost cannot be compromised. This paper implements an identity provider in the OpenID federated identity management system that uses 2-clickAuth for authentication, making 2-clickAuth available to all users of sites that support OpenID, including Facebook, Sourceforge, and MySpace.

  • 10.
    Vapen, Anna
    et al.
    Linköpings universitet, Tekniska högskolan. Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik.
    Shahmehri, Nahid
    Linköpings universitet, Tekniska högskolan. Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik.
    Security Levels for Web Authentication using Mobile Phones. 2011. In: Privacy and Identity Management for Life / [ed] Simone Fischer-Hübner, Penny Duquenoy, Marit Hansen, Ronald Leenes and Ge Zhang, Boston: Springer, 2011, p. 130-143. Conference paper (Refereed)
    Abstract [en]

    Mobile phones offer unique advantages for secure authentication: they are small and portable, provide multiple data transfer channels, and are nearly ubiquitous. While phones provide a flexible and capable platform, phone designs vary, and the security level of an authentication solution is influenced by the choice of channels and authentication methods. It can be a challenge to get a consistent overview of the strengths and weaknesses of the available alternatives. Existing guidelines for authentication usually do not consider the specific problems in mobile phone authentication. We provide a method for evaluating and designing authentication solutions using mobile phones, using an augmented version of the Electronic Authentication Guideline.

  • 11.
    Vapen, Anna
    et al.
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska högskolan.
    Shahmehri, Nahid
    Linköpings universitet, Institutionen för datavetenskap, Databas och informationsteknik. Linköpings universitet, Tekniska högskolan.
    Security Levels for Web Authentication using Mobile Phones. 2010. Conference paper (Other academic)
    Abstract [en]

    Mobile phones offer unique advantages for secure authentication: they are small and portable, provide multiple data transfer channels, and are nearly ubiquitous. While phones provide a flexible and capable platform, phone designs vary, and the security level of an authentication solution is influenced by the choice of channels and authentication methods. It can be a challenge to get a consistent overview of the strengths and weaknesses of the available alternatives. In this paper we provide a method for evaluating and designing authentication solutions using mobile phones. The method also considers availability and usability, which are often overlooked factors. The goal is to help developers to create secure authentication, considering the user's priorities on security, availability and usability.
