A Longitudinal Characterization of the Third-Party Authentication Landscape

• Many websites offer users to authenticate using third-party identity providers (IDPs) such as Facebook or Google. As part of the signup process, these websites often ask the user to give them additional permissions with the IDP (e.g., some data sharing or authorize some actions) that can have significant privacy implications. Motivated by the increased scrutiny of Facebook and other popular IDPs (e.g., due to the 2018 Cambridge Analytica scandal), we present a longitudinal analysis of the IDP usage and permissions changes over the past nine years (2012–2021) as well as a large-scale characterization of the current state. Our longitudinal analysis identifies trends and characterizes changes in both the IDP usage and permission agreements of different subsets of websites. For our large-scale analysis, we develop and share a Selenium-based measurement framework that we use to collect datasets. Using this data, we study the IDP usage across popularity ranges, the permissions used in the wild, and highlight differences between websites using different IDPs and those that do not. Our analysis shows increased IDP usage, especially among the most popular websites, and that the permission requests on average are becoming more modest but also brings forward significant exceptions that may need further scrutiny.

Ämnesord

NATURVETENSKAP  -- Data- och informationsvetenskap -- Datavetenskap (hsv//swe)

NATURAL SCIENCES  -- Computer and Information Sciences -- Computer Sciences (hsv//eng)

Publikations- och innehållstyp

ref (ämneskategori)

kon (ämneskategori)