Privacy Issues Regarding Federated Login’s

From IIW

Privacy issues regarding federated login

Wednesday 2J

Convener: Jonas L.

Notes-taker(s): Berit S.

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Privacy preserving authentication, UProve, OpenID Connect, local storage of credentials, attribute based credentials, Jonas gave a presentation based on the following slides:

http://jonaslindstrom.dk/slides/iiw-2015.pdf

He explained how the use of an IdP could be replaced by an Identity Proxy, which provides the user with a certificate signing that this person has these credentials at this IdP. The user can then use this certificate directly with the SP, without involving the IdP. This setup also allows for the use of pseudonyms.

The question: Does OpenID Connect protect the login history from the IdP? Was discussed, since this would solve part of the problem, the presented solution is aimed at solving. (answered after the session – the answer is no, the OpenID Connect protocol does give the IdP information about where and when the user logs in) There was an emphasis on the local storage of credentials – meaning that the user cannot be tracked The identity proxy uses Microsoft UProve to only present part of her identity

Link to demo: http://ec2-54-171-208-102.eu-west-1.compute.amazonaws.com/AmazingServiceProvider/index.aspx

Advantages for SP: Don’t have to store user info + user just needs to check a box to provide info to the service provider giving a better user experience.