University of Twente Student Theses


On the security of authentication when linking federated identities

Oude Roelink, B.M. (2020) On the security of authentication when linking federated identities.

[img] PDF
Abstract:Authenticating for an account is increasingly more common for web-based services. This leads to secure and easy authentication methods being more necessary than ever before. For that reason, logins by means of federated identity providers like Google, Facebook, Twitter etc. are becoming a more common authentication method. Services that allow to create an account by using federated identities often also allow creation of a local account. In some cases, these local and federated accounts get linked together. This can have serious security implications for users on websites that perform such linking, such as an attacker gaining access to local user accounts. This research aims to collect information on how common the practice of linking local and federated identities is and what the security implications of linking those different identities are. To do so, we examine 60 websites that allow a user to log in with both a local and federated identity, and survey whether these identities get linked together and if so in what way. We analyse the results to determine to what degree service providers on the Internet link federated accounts, and what that means for the security of the service and their users. The contribution of this paper is that it shows that 46 of 60 researched websites link federated logins to a local account. Of those 46 websites 35 do so implicitly, i.e. without notifying the user and asking for authentication for the local account. That shows that there are improvements to be made in using federated identities for authentication.
Item Type:Essay (Bachelor)
Faculty:EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject:54 computer science
Programme:Computer Science BSc (56964)
Link to this item:
Export this item as:BibTeX
HTML Citation
Reference Manager


Repository Staff Only: item control page