TL;DR: The OpenID framework is emerging as a viable solution for Internet-scale user-centric identity infrastructure that supports both URLs and XRIs as user identifiers, uses Yadis XRDS documents for identity service discovery, adds stronger security, and supports both public and private identifiers.
Abstract: With the advancement in user-centric and URI-based identity systems over the past two years, it has become clear that a single specification will not be the solution to all problems. Rather, like the other layers of the Internet, developing small, interoperable specifications that are independently implementable and useful will ultimately lead to market adoption of these technologies. This is the intent of the OpenID framework. OpenID Authentication 1.0 began as a lightweight HTTP-based URL authentication protocol. OpenID Authentication 2.0 is now turning into an open community-driven platform that allows and encourages innovation. It supports both URLs and XRIs as user identifiers, uses Yadis XRDS documents for identity service discovery, adds stronger security, and supports both public and private identifiers. With continuing convergence under this broad umbrella, the OpenID framework is emerging as a viable solution for Internet-scale user-centric identity infrastructure.
TL;DR: This paper applies enterprise application modelling techniques to OpenID in order to obtain well-founded decision aids for enterprises and proposes analysis principles that condense important general insights of authentication modelling.
Abstract: Single sign-on (SSO) protocols allow one person to use the same login credentials for several organizations. Enterprises face increasing competitive pressure to position themselves with regard to SSO, yet the ramifications of a move to SSO are not fully understood. In this paper we discuss OpenID, a relatively new SSO protocol that is gaining traction on the web. We apply enterprise application modelling techniques to OpenID in order to obtain well-founded decision aids for enterprises: we show how published modelling approaches can be used to analyse risks in OpenID, and show that these can identify security problems with common OpenID practice. Finally, we propose analysis principles that condense important general insights of authentication modelling.
TL;DR: In this paper, the authors describe a system that may provide for integration of trusted OpenID (TOpenID) with OpenID, in part via communications between a trusted ticket server on a UE and a network application function.
Abstract: Systems, methods, and instrumentalities are disclosed that may provide for integration of trusted OpenID (TOpenID) with OpenID. The authentication may be accomplished, in part, via communications between a trusted ticket server on a UE and a network application function. The UE may retrieve platform validation data (e.g., from a trusted platform module on the UE). The UE may receive a platform verification in response to the platform validation data. The platform verification may indicate that the network application function has verified the platform validation data and the user. The platform verification may indicate that the platform validation data matches a previously generated reference value.
TL;DR: This work investigates the challenges and concerns web users face when using OpenID for authentication, identifies what changes in the login flow could improve the users' experience and adoption incentives, and finds that more than 60% of study participants would use Web SSO solutions on the websites they trust.
Abstract: OpenID is an open and promising Web single sign-on (SSO) solution. This work investigates the challenges and concerns web users face when using OpenID for authentication, and identifies what changes in the login flow could improve the users' experience and adoption incentives. We found our participants had several behaviors, concerns, and misconceptions that hinder the OpenID adoption process: (1) their existing password management strategies reduce the perceived usefulness of SSO; (2) many (26%) expressed concerns with single-point-of-failure related issues; (3) most (71%) held the incorrect belief that the OpenID credentials are being given to the content providers; (4) half exhibited an inability to distinguish a fake Google login form, even when prompted; (5) many (40%) were hesitant to consent to the release of their personal profile information; and (6) many (36%) expressed concern with the use of SSO on websites that contain valuable personal information or, conversely, are not trustworthy. We also found that with an improved affordance and privacy control, more than 60% of study participants would use Web SSO solutions on the websites they trust.
TL;DR: This paper proposes a challenge-response authentication system for web applications called Snap2Pass that is easy to use, provides strong security guarantees, and requires no browser extensions, and it makes this scheme available to over 30,000 websites that use OpenID today.
Abstract: This paper proposes a challenge-response authentication system for web applications called Snap2Pass that is easy to use, provides strong security guarantees, and requires no browser extensions. The system uses QR codes which are small two-dimensional pictures that encode digital data. When logging in to a site, the web server sends the PC browser a QR code that encodes a cryptographic challenge; the user takes a picture of the QR code with his cell phone camera which results in a cryptographic response sent to the server; the web server then logs the PC browser in. Our user study shows that authentication using Snap2Pass is easy to learn and considerably faster than existing one-time password and challenge-response systems. By implementing our solution as an OpenID provider, we have made this scheme available to over 30,000 websites that use OpenID today. This paper also proposes Snap2Pay, an extension of Snap2Pass, to improve the usability and security of online payments. Snap2Pay allows a consumer to use one-time credit cards as well as the Verified by Visa or Mastercard SecureCode services securely and easily with just a snap of a QR code.