What makes users refuse web single sign-on?: an empirical investigation of OpenID

Authors:
San-Tsai Sun;Eric Pospisil;Ildar Muslukhov;Nuray Dindar;Kirstie Hawkey;Konstantin Beznosov
Affiliations:
University of British Columbia, Vancouver, BC, Canada;University of British Columbia, Vancouver, BC, Canada;University of British Columbia, Vancouver, BC, Canada;University of British Columbia, Vancouver, BC, Canada;Dalhousie University, Halifax, NS, Canada;University of British Columbia, Vancouver, BC, Canada
Venue:
Proceedings of the Seventh Symposium on Usable Privacy and Security
Year:
2011

Citing 20
Cited 8

User acceptance of computer technology: a comparison of two theoretical models

Management Science
Users are not the enemy

Communications of the ACM
A convenient method for securely managing passwords

WWW '05 Proceedings of the 14th international conference on World Wide Web
The battle against phishing: Dynamic Security Skins

SOUPS '05 Proceedings of the 2005 symposium on Usable privacy and security
Why phishing works

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Do security toolbars actually prevent phishing attacks?

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Passpet: convenient password management and phishing protection

SOUPS '06 Proceedings of the second symposium on Usable privacy and security
Password management strategies for online accounts

SOUPS '06 Proceedings of the second symposium on Usable privacy and security
Web wallet: preventing phishing attacks by revealing user intentions

SOUPS '06 Proceedings of the second symposium on Usable privacy and security
A large-scale study of web password habits

Proceedings of the 16th international conference on World Wide Web
The Emperor's New Security Indicators

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
A usability study and critique of two password managers

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Consumer Acceptance of Electronic Commerce: Integrating Trust and Risk with the Technology Acceptance Model

International Journal of Electronic Commerce
Security and identification indicators for browsers against spoofing and phishing attacks

ACM Transactions on Internet Technology (TOIT)
The Seven Flaws of Identity Management: Usability and Security Challenges

IEEE Security and Privacy
So long, and no thanks for the externalities: the rational rejection of security advice by users

NSPW '09 Proceedings of the 2009 workshop on New security paradigms workshop
Secure Web 2.0 Content Sharing Beyond Walled Gardens

ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
Crying wolf: an empirical study of SSL warning effectiveness

SSYM'09 Proceedings of the 18th conference on USENIX security symposium
OpenIDemail enabled browser: towards fixing the broken web single sign-on triangle

Proceedings of the 6th ACM workshop on Digital identity management
A billion keys, but few locks: the crisis of web single sign-on

Proceedings of the 2010 workshop on New security paradigms

The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems

Proceedings of the 2012 ACM conference on Computer and communications security
Comparative eye tracking of experts and novices in web single sign-on

Proceedings of the third ACM conference on Data and application security and privacy
Robust and flexible tunnel management for secure private cloud

ACM SIGAPP Applied Computing Review
Taking data exposure into account: how does it affect the choice of sign-in accounts?

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
My profile is my password, verify me!: the privacy/convenience tradeoff of facebook connect

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Confused Johnny: when automatic encryption leads to confusion and mistakes

Proceedings of the Ninth Symposium on Usable Privacy and Security
A comparison of users' perceptions of and willingness to use Google, Facebook, and Google+ single-sign-on functionality

Proceedings of the 2013 ACM workshop on Digital identity management
Investigating Users’ Perspectives of Web Single Sign-On: Conceptual Gaps and Acceptance Model

ACM Transactions on Internet Technology (TOIT)

Quantified Score

Hi-index	0.00

Visualization

Abstract

OpenID is an open and promising Web single sign-on (SSO) solution. This work investigates the challenges and concerns web users face when using OpenID for authentication, and identifies what changes in the login flow could improve the users' experience and adoption incentives. We found our participants had several behaviors, concerns, and misconceptions that hinder the OpenID adoption process: (1) their existing password management strategies reduce the perceived usefulness of SSO; (2) many (26%) expressed concerns with single-point-of-failure related issues; (3) most (71%) held the incorrect belief that the OpenID credentials are being given to the content providers; (4) half exhibited an inability to distinguish a fake Google login form, even when prompted; (5) many (40%) were hesitant to consent to the release of their personal profile information; and (6) many (36%) expressed concern with the use of SSO on websites that contain valuable personal information or, conversely, are not trustworthy. We also found that with an improved affordance and privacy control, more than 60% of study participants would use Web SSO solutions on the websites they trust.