Computing Reviews
What makes users refuse Web single sign-on?: An empirical investigation of OpenID
Sun S., Pospisil E., Muslukhov I., Dindar N., Hawkey K., Beznosov K. SOUPS 2011 (Proceedings of the 7th Symposium on Usable Privacy and Security, Pittsburgh, PA, Jul 20-22, 2011): 1-20. 2011. Type: Proceedings
Date Reviewed: May 25 2012

The authors pose a very pertinent question: Why do users reject OpenID, a Web single sign-on (SSO)? As a user who rejects OpenID SSO, I am prompted to ask why users would want to deploy this method in the first place.

It is important to note that the authors are advocates of SSO. They’d rather blame users for the failure of OpenID than acknowledge a healthy distrust of demands for personal data access. The findings from their first empirical study suggest six reasons for user distrust:

(1) Subjects prefer their existing password management strategies.
(2) Subjects have concerns about a single point of failure.
(3) Subjects rightly or wrongly believe that the OpenID credentials are being given to the content provider.
(4) Half of the subjects were unable to detect a fake Google login even when prompted.
(5) Many subjects are simply uncomfortable about consenting to release their personal profile information.
(6) Many subjects expressed concern with using SSO on Web sites that contain valuable personal information or are perceived as untrustworthy.

However, the authors suggest that with a more intuitive login page and more visible indications of privacy control, the study participants would use Web SSO solutions on the Web sites they trust.

The authors next describe a Web interface they developed to increase user trust of SSO, and present results from a second study of 35 subjects. Although they found increased user acceptance, they continue to blame users for the following: having incorrect mental models; preferring weak passwords; and failing to accept that data collection for user profile development is somehow necessary.

However, the authors fail to address the long-term privacy and safety of user profile data. There is no mention of potential changes in legislation, or issues resulting from the liquidation or takeover of companies that have substantial user data in storage. Nor do they address international differences in legislation. I am not convinced that a Web SSO has advantages for safe Internet use, especially for those who may be vulnerable.

Reviewer: Alyx Macfadyen. Review #: CR140191 (1210-1047)
Category: Authentication (D.4.6 ...)

Reproduction in whole or in part without permission is prohibited. Copyright 1999-2024 ThinkLoud®