Awareness and trust of web users on information sharing in social logins

Narayana, Chaithanya Kumar

January 2020

Accessing websites using social networking credentials, also known as social login, is becoming increasingly popular as users do not need to create and maintain accounts on each and every website they access. During these social logins, the private information of users is shared with third-party websites from their social profile, and much of this happens behind the scenes which is abstracted from the user. However, as social logins are widespread, it is essential to understand the users’ views and appreciation towards the information being shared in the background. There is also a possibility of data leak or misuse when information is exchanged between a website and social networking site. Accordingly, the purpose of this study is to explore the perception of users towards their awareness and trust in social login. In addition, based on users’ needs and desires, the study aims to formulate suggestions for improving the awareness and trust of social login. Semi-structured interviews were conducted with 6 students from Linnaeus University of Sweden to collect data. These interviews were transcribed and analyzed using thematic analysis. The findings revealed that users are conscious of their personal attributes being shared but are not aware that they can control, revise and revoke information sharing permissions. It was also found that users trust third parties to some extent but not the social networking sites. The study also suggested some improvement ideas for enhancing the awareness and trust of web users in social logins. In addition to contributing to the field of social login, the outcomes of this study also benefit users and web companies by helping to understand and increase the awareness and trust of web users on social logins.

Social Network

Social Login

User Awareness

Information Sharing

Information Exchange

Trust

Trust on Social Login

Information Systems

Undersökning av webbsidors säkerhet vid användning avFacebook Login : Vidareutveckling och analys av OAuthGuard

Hedmark, Alice

January 2019

Single Sign-On (SSO) är en autentiseringsprocess som tillåter en utvecklare att delegera autentiseringsansvaret till en dedikerad tjänst. OAuth 2.0 är ett auktoriseringsramverk som ofta står som grund för ett autentiseringslager som i sin tur möjliggör SSO. En identitetsleverantör är tjänsten som står för hantering av användaruppgifterna och autentiseringen, två vanliga identitetsleverantörer är Google och Facebook som i sin tur implementerar SSO med hjälp utav autentiseringslagren OpenID Connect respektive Facebooks egna autentiseringslager. Det har visat sig att många klienter som ska utnyttja SSO med OAuth 2.0 implementerar det fel så att säkerhetsbrister uppstår, studier har utförts med förslag till lösningar men många bristande implementationer fortsätter produceras och existera. Att skapa diverse verktyg för att främja säkerhet i dessa sammanhang är en metod där OAuthGuard utvecklats med visionen att även kunna skydda användaren, direkt från en webbläsare. OAuthGuard har även tidigare använts för att analysera säkerheten med Google SSO och visat att 50% av undersökta klienter har brister, men motsvarande studie eller verktyg saknas för Facebook SSO. Denna studie gjorde en motsvarande undersökning för Facebook SSO-klienter med en vidareutvecklad version av OAuthGuard och fann att de lider av brister med liknande trend som tidigare studies resultat mot Google-SSO-klienter, men att färre Facebook- SSO-klienter har brister i jämförelse. Vid vidareutvecklingen av OAuthGuard upptäcktes ett antal svårigheter och framtiden för denna typ av verktyg behöver vidare analyseras. Vidare analys behöver även göras för att bedöma om Facebook-SSO kan vara att föredra över Google-SSO ur säkerhetsperspektiv samt vidare utforskande av nya säkerhetsfrämjande metoder behöver utföras. / Single Sign-On (SSO) is an authentication process that allows a developer to delegate the authentication responsibility to a dedicated service. OAuth 2.0 is an authorization framework that often serves as a base for authentication layers to be built upon that in turn allows for SSO. An identity provider is the service that is responsible for handling user credentials and the authentication, two common identity providers are Google and Facebook that implement SSO with the authentication layers OpenID Connect respectively Facebooks own authentication layer. It has been shown that many clients using OAuth 2.0 as base for SSO make faulty implementations leading to security issues, a number of studies has proposed solutions to these issues but faulty implementations are continually being made. To create various tools to promote security in these contexts is a method where OAuthGuard has been developed with the vision to also directly protect the common website user directly from the browser. OAuthGuard has been used in an earlier study to analyze the security of clients using Google SSO and discovered that 50% of the analyzed clients had flaws, no comparable study has been done for clients using Facebook SSO, which is the second largest third party log in variant. This study made a comparable investigation for Facebook SSO clients with a further developed version of OAuthGuard and found that these clients suffer from flaws with a similar trend as the previous study with Google-SSO clients, although fewer Facebook-SSO clients suffer from these flaws. When further developing OAuthGuard a dumber of difficulties was discovered and the future of these kind of tools needs to be investigated. Further analysis needs to be done to assess if Facebook-SSO should be recommended over Google-SSO from a security perspective and also further exploration of new methods to promote security needs to be done.

Web browser extensions

OpenID Connect

OIDC

OAuth2.0

Single Sign-On

SSO

Security

Facebook

Social login.

Webbläsartillägg

OpenID Connect

OIDC

OAuth 2.0

Single

Sign-On

SSO

Säkerhet

Facebook

Social login.

Software Engineering

Programvaruteknik