Authors
Lujo Bauer, Cristian Bravo-Lillo, Elli Fragkaki, William Melicher, Michael Stroucken
Description
Internet users are accumulating more and more identities. A seminal study by Florêncio and Herley found that a typical internet user has 25 different identities, each of which has different credentials [3]. In part because managing these identities and credentials is difficult for users and encourages behaviors like password reuse, the US Government has declared the creation of a digital identity ecosystem a national security priority. In such an ecosystem, single sign-on (SSO) systems allow users to authenticate to an identity provider (IdP); the IdP in turn vouches for the user to multiple service providers (SPs), absolving them of the need to authenticate users themselves. This frees users from remembering many sets of credentials, and service providers from the need to maintain their own authentication mechanisms. Identity providers such as Google and Facebook are increasingly used to sign in to third-party services like Flickr and USA Today. For users, this can increase convenience (e.g., fewer passwords to remember) and security (e.g., service providers need not keep passwords). At the same time, relying on identity providers that have rich information about users (e.g., all information in a Facebook profile) creates the risk that users will lose oversight or control over the access that service providers are given to this information. To address such concerns, identity providers show users consent interfaces at sign-on and provide audit tools for post hoc review. A study by Sun et al. found that users would value the convenience provided by SSO systems but have privacy and other concerns about adopting SSO systems. The authors found a large …