{"id":"https://openalex.org/W3211475103","doi":"https://doi.org/10.1145/3463676.3485600","title":"Empirical Analysis and Privacy Implications in OAuth-based Single Sign-On Systems","display_name":"Empirical Analysis and Privacy Implications in OAuth-based Single Sign-On Systems","publication_year":2021,"publication_date":"2021-11-05","ids":{"openalex":"https://openalex.org/W3211475103","doi":"https://doi.org/10.1145/3463676.3485600","mag":"3211475103"},"language":"en","primary_location":{"id":"doi:10.1145/3463676.3485600","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3463676.3485600","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 20th Workshop on Workshop on Privacy in the Electronic Society","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5017469251","display_name":"Srivathsan G. Morkonda","orcid":"https://orcid.org/0009-0005-2218-1935"},"institutions":[{"id":"https://openalex.org/I67031392","display_name":"Carleton University","ror":"https://ror.org/02qtvee93","country_code":"CA","type":"education","lineage":["https://openalex.org/I67031392"]}],"countries":["CA"],"is_corresponding":true,"raw_author_name":"Srivathsan G. Morkonda","raw_affiliation_strings":["Carleton University, Ottawa, ON, Canada"],"affiliations":[{"raw_affiliation_string":"Carleton University, Ottawa, ON, Canada","institution_ids":["https://openalex.org/I67031392"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5048641215","display_name":"Sonia Chiasson","orcid":"https://orcid.org/0000-0001-7314-2198"},"institutions":[{"id":"https://openalex.org/I67031392","display_name":"Carleton University","ror":"https://ror.org/02qtvee93","country_code":"CA","type":"education","lineage":["https://openalex.org/I67031392"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Sonia Chiasson","raw_affiliation_strings":["Carleton University, Ottawa, ON, Canada"],"affiliations":[{"raw_affiliation_string":"Carleton University, Ottawa, ON, Canada","institution_ids":["https://openalex.org/I67031392"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5011846293","display_name":"Paul C. van Oorschot","orcid":"https://orcid.org/0000-0002-5038-5370"},"institutions":[{"id":"https://openalex.org/I67031392","display_name":"Carleton University","ror":"https://ror.org/02qtvee93","country_code":"CA","type":"education","lineage":["https://openalex.org/I67031392"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Paul C. van Oorschot","raw_affiliation_strings":["Carleton University, Ottawa, ON, Canada"],"affiliations":[{"raw_affiliation_string":"Carleton University, Ottawa, ON, Canada","institution_ids":["https://openalex.org/I67031392"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5017469251"],"corresponding_institution_ids":["https://openalex.org/I67031392"],"apc_list":null,"apc_paid":null,"fwci":3.8557,"has_fulltext":false,"cited_by_count":16,"citation_normalized_percentile":{"value":0.94116069,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":95,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"195","last_page":"208"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11800","display_name":"User Authentication and Security Systems","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11800","display_name":"User Authentication and Security Systems","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9987999796867371,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/login","display_name":"Login","score":0.938671350479126},{"id":"https://openalex.org/keywords/internet-privacy","display_name":"Internet privacy","score":0.665878176689148},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6503028869628906},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.5760641098022461},{"id":"https://openalex.org/keywords/single-sign-on","display_name":"Single sign-on","score":0.5585398077964783},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5285851955413818},{"id":"https://openalex.org/keywords/authentication","display_name":"Authentication (law)","score":0.5250394344329834},{"id":"https://openalex.org/keywords/service-provider","display_name":"Service provider","score":0.50728839635849},{"id":"https://openalex.org/keywords/data-breach","display_name":"Data breach","score":0.4966040253639221},{"id":"https://openalex.org/keywords/variety","display_name":"Variety (cybernetics)","score":0.44228360056877136},{"id":"https://openalex.org/keywords/information-privacy","display_name":"Information privacy","score":0.4206858277320862},{"id":"https://openalex.org/keywords/service","display_name":"Service (business)","score":0.19234371185302734},{"id":"https://openalex.org/keywords/business","display_name":"Business","score":0.1777329444885254}],"concepts":[{"id":"https://openalex.org/C113324615","wikidata":"https://www.wikidata.org/wiki/Q472302","display_name":"Login","level":2,"score":0.938671350479126},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.665878176689148},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6503028869628906},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.5760641098022461},{"id":"https://openalex.org/C2776362682","wikidata":"https://www.wikidata.org/wiki/Q568494","display_name":"Single sign-on","level":3,"score":0.5585398077964783},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5285851955413818},{"id":"https://openalex.org/C148417208","wikidata":"https://www.wikidata.org/wiki/Q4825882","display_name":"Authentication (law)","level":2,"score":0.5250394344329834},{"id":"https://openalex.org/C116537","wikidata":"https://www.wikidata.org/wiki/Q2169973","display_name":"Service provider","level":3,"score":0.50728839635849},{"id":"https://openalex.org/C165609540","wikidata":"https://www.wikidata.org/wiki/Q1172486","display_name":"Data breach","level":2,"score":0.4966040253639221},{"id":"https://openalex.org/C136197465","wikidata":"https://www.wikidata.org/wiki/Q1729295","display_name":"Variety (cybernetics)","level":2,"score":0.44228360056877136},{"id":"https://openalex.org/C123201435","wikidata":"https://www.wikidata.org/wiki/Q456632","display_name":"Information privacy","level":2,"score":0.4206858277320862},{"id":"https://openalex.org/C2780378061","wikidata":"https://www.wikidata.org/wiki/Q25351891","display_name":"Service (business)","level":2,"score":0.19234371185302734},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.1777329444885254},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.0},{"id":"https://openalex.org/C162853370","wikidata":"https://www.wikidata.org/wiki/Q39809","display_name":"Marketing","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3463676.3485600","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3463676.3485600","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 20th Workshop on Workshop on Privacy in the Electronic Society","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G6623911613","display_name":null,"funder_award_id":"950-231004-2016; 950-231002-2016","funder_id":"https://openalex.org/F4320320994","funder_display_name":"Canada Research Chairs"},{"id":"https://openalex.org/G85771609","display_name":null,"funder_award_id":"RGPIN-05339-2018; RGPAS-2017-507902","funder_id":"https://openalex.org/F4320334593","funder_display_name":"Natural Sciences and Engineering Research Council of Canada"}],"funders":[{"id":"https://openalex.org/F4320320994","display_name":"Canada Research Chairs","ror":"https://ror.org/0517h6h17"},{"id":"https://openalex.org/F4320334593","display_name":"Natural Sciences and Engineering Research Council of Canada","ror":"https://ror.org/01h531d29"}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":24,"referenced_works":["https://openalex.org/W1578972423","https://openalex.org/W1963828660","https://openalex.org/W2002979297","https://openalex.org/W2012921353","https://openalex.org/W2030112111","https://openalex.org/W2033811191","https://openalex.org/W2089775132","https://openalex.org/W2107906795","https://openalex.org/W2133723082","https://openalex.org/W2133824719","https://openalex.org/W2217843339","https://openalex.org/W2229250518","https://openalex.org/W2257242910","https://openalex.org/W2399231848","https://openalex.org/W2400427673","https://openalex.org/W2535603283","https://openalex.org/W2725419186","https://openalex.org/W2798879067","https://openalex.org/W2889521075","https://openalex.org/W3014823986","https://openalex.org/W3027735641","https://openalex.org/W3107473573","https://openalex.org/W3125207128","https://openalex.org/W4288086176"],"related_works":["https://openalex.org/W4256170434","https://openalex.org/W4235220108","https://openalex.org/W4315650027","https://openalex.org/W2392755385","https://openalex.org/W2364108391","https://openalex.org/W4319777932","https://openalex.org/W2086663091","https://openalex.org/W4292509751","https://openalex.org/W2378423392","https://openalex.org/W2357607877"],"abstract_inverted_index":{"Single":[0],"sign-on":[1],"authentication":[2],"systems":[3],"such":[4,25],"as":[5,26],"OAuth":[6,67],"2.0":[7],"are":[8,192],"widely":[9],"used":[10],"in":[11,84,209],"web":[12],"services.":[13],"They":[14],"allow":[15,126],"users":[16,46,127],"to":[17,30,32,128,170,195],"use":[18,80],"accounts":[19],"registered":[20],"with":[21,56,155],"major":[22],"identity":[23,103,136],"providers":[24,104],"Google":[27],"and":[28,47,108,110,146,213],"Facebook":[29],"login":[31,132,167],"a":[33,49,175],"wide":[34],"variety":[35],"of":[36,51,66,81,121,148,207],"independent":[37],"services":[38,42,113,125,142],"(relying":[39],"parties).":[40],"These":[41,185],"can":[43],"both":[44],"identify":[45],"access":[48],"subset":[50],"the":[52,57,62,73,79,85,118],"user's":[53],"data":[54,77,98,116,150],"stored":[55],"provider.":[58],"We":[59,75,95,163],"empirically":[60],"investigate":[61],"end-user":[63],"privacy":[64,186,190],"implications":[65],"implementations":[68],"by":[69,101],"relying":[70],"parties":[71],"around":[72],"world.":[74],"collect":[76],"on":[78,198],"OAuth-based":[82],"logins":[83],"Alexa":[86],"Top":[87],"500":[88],"sites":[89],"per":[90],"country":[91],"for":[92,216],"five":[93],"countries.":[94],"categorize":[96],"user":[97,115,183],"made":[99],"available":[100],"four":[102],"(Google,":[105],"Facebook,":[106],"Apple,":[107],"LinkedIn)":[109],"evaluate":[111],"popular":[112],"accessing":[114],"from":[117,130,151],"SSO":[119],"platforms":[120],"these":[122,211],"providers.":[123],"Many":[124],"choose":[129],"multiple":[131],"options":[133,179],"(with":[134],"different":[135,144,152],"providers).":[137],"Our":[138],"results":[139],"reveal":[140],"that":[141,165,180],"request":[143],"categories":[145],"amounts":[147],"personal":[149],"providers,":[153],"often":[154],"at":[156],"least":[157],"one":[158],"choice":[159],"undeniably":[160],"more":[161,182],"privacy-intrusive.":[162],"find":[164],"privacy-friendly":[166],"choices":[168,187],"tend":[169],"be":[171],"listed":[172],"last,":[173],"suggesting":[174],"dark":[176],"pattern":[177],"favoring":[178],"release":[181],"data.":[184],"(and":[188],"their":[189],"implications)":[191],"highly":[193],"invisible":[194],"users.":[196],"Based":[197],"our":[199],"analysis,":[200],"we":[201],"consider":[202],"challenges":[203],"(e.g.,":[204],"opposing":[205],"goals":[206],"stakeholders)":[208],"addressing":[210],"concerns":[212],"discuss":[214],"ideas":[215],"further":[217],"exploration.":[218]},"counts_by_year":[{"year":2025,"cited_by_count":2},{"year":2024,"cited_by_count":6},{"year":2023,"cited_by_count":5},{"year":2022,"cited_by_count":3}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}