{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,8]],"date-time":"2026-04-08T23:27:03Z","timestamp":1775690823881,"version":"3.50.1"},"reference-count":87,"publisher":"Association for Computing Machinery (ACM)","issue":"5","license":[{"start":{"date-parts":[[2020,9,28]],"date-time":"2020-09-28T00:00:00Z","timestamp":1601251200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100000038","name":"Natural Sciences and Engineering Research Council of Canada","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100000038","id-type":"DOI","asserted-by":"crossref"}]},{"name":"Canada Research Chair in Authentication and Computer Security, and a Discovery Grant"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Comput. Surv."],"published-print":{"date-parts":[[2021,9,30]]},"abstract":"<jats:p>We perform a comprehensive analysis and comparison of 14 web single sign-on (SSO) systems proposed and\/or deployed over the past decade, including federated identity and credential\/password management schemes. We identify common design properties and use them to develop a taxonomy for SSO schemes, highlighting the associated tradeoffs in benefits (positive attributes) offered. We develop a framework to evaluate the schemes, in which we identify 14 security, usability, deployability, and privacy benefits. We also discuss how differences in priorities between users, service providers, and identity providers impact the design and deployment of SSO schemes.<\/jats:p>","DOI":"10.1145\/3409452","type":"journal-article","created":{"date-parts":[[2020,9,28]],"date-time":"2020-09-28T10:45:25Z","timestamp":1601289925000},"page":"1-34","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":22,"title":["Comparative Analysis and Framework Evaluating Web Single Sign-on Systems"],"prefix":"10.1145","volume":"53","author":[{"given":"Furkan","family":"Alaca","sequence":"first","affiliation":[{"name":"School of Computing, Queen\u2019s University, Kingston, ON, Canada"}]},{"given":"Paul C. Van","family":"Oorschot","sequence":"additional","affiliation":[{"name":"School of Computer Science, Carleton University, Ottawa, ON, Canada"}]}],"member":"320","published-online":{"date-parts":[[2020,9,28]]},"reference":[
{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1147\/JRD.2016.2559358"},{"key":"e_1_2_1_2_1","unstructured":"F. Alaca and P. C. van Oorschot. 2018. Comparative analysis and framework evaluating web single sign-on systems. arXiv:1805.00094 [cs.CR]."},{"key":"e_1_2_1_3_1","volume-title":"Retrieved","author":"Atwood M.","year":"2018"},{"key":"e_1_2_1_4_1","volume-title":"Retrieved","author":"Balfanz D.","year":"2016"},{"key":"e_1_2_1_5_1","volume-title":"Retrieved","author":"Balfanz D.","year":"2018"},{"key":"e_1_2_1_6_1","volume-title":"Push API. Retrieved","author":"Beverloo P.","year":"2018"},{"key":"e_1_2_1_7_1","volume-title":"Retrieved","author":"Bharadwaj V.","year":"2018"},{"key":"e_1_2_1_8_1","volume-title":"Proceedings of the IEEE Symposium on Security & Privacy. 553--567","author":"Bonneau J."},
{"key":"e_1_2_1_9_1","volume-title":"Proceedings of the Workshop on the Economics of Information Security (WEIS\u201910)","author":"Bonneau J."},{"key":"e_1_2_1_10_1","volume-title":"Retrieved","author":"Callahan D.","year":"2014"},{"key":"e_1_2_1_11_1","volume-title":"Security in Communication Networks. LNCS","volume":"2576","author":"Camenisch J."},{"key":"e_1_2_1_12_1","volume-title":"Retrieved","author":"CANARIE.","year":"2018"},{"key":"e_1_2_1_13_1","volume-title":"Proceedings of the ACM Conference on Computer and Communications Security (CCS\u201914)","author":"Chen E. Y."},{"key":"e_1_2_1_14_1","doi-asserted-by":"crossref","unstructured":"S. Das A. Dingman and L. J. Camp. 2018. Why johnny doesn\u2019t use two factor a two-phase usability study of the FIDO U2F Security Key. In Financial Cryptography and Data Security.","DOI":"10.1007\/978-3-662-58387-6_9"},{"key":"e_1_2_1_15_1","volume-title":"Retrieved","author":"Davis P.","year":"2018"},{"key":"e_1_2_1_16_1","unstructured":"Deloitte. 2016. A Blueprint for Digital Identity: The Role of Financial Institutions in Building Digital Identity. World Economic Forum."},{"key":"e_1_2_1_17_1","volume-title":"Proceedings of the USENIX Security Symposium.","author":"Dietz M."},{"key":"e_1_2_1_18_1","volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS\u201914)","author":"Dietz M."},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-14527-8_1"},{"key":"e_1_2_1_20_1","unstructured":"ETSI. 2003. TR 102 203--Mobile Commerce (M-COMM); Mobile Signatures; Business and Functional Requirements."},
{"key":"e_1_2_1_21_1","volume-title":"Proceedings of the IEEE Symposium on Security & Privacy. 673--688","author":"Fett D."},{"key":"e_1_2_1_22_1","volume-title":"Proceedings of the IEEE Computer Security Foundations Symposium. 189--202","author":"Fett D."},{"key":"e_1_2_1_23_1","volume-title":"Proceedings of the Symposium on Usable Privacy and Security (SOUPS\u201910)","author":"Florencio D."},{"key":"e_1_2_1_24_1","unstructured":"International Organization for Standardization. 2013. ISO\/IEC 29115: Information technology--Security techniques--Entity authentication assurance framework."},{"key":"e_1_2_1_25_1","volume-title":"Retrieved","year":"2016"},{"key":"e_1_2_1_26_1","volume-title":"Retrieved","author":"Google Chrome Help","year":"2017"},{"key":"e_1_2_1_27_1","volume-title":"Retrieved","author":"Google Identity Platform","year":"2018"},{"key":"e_1_2_1_28_1","volume-title":"Retrieved","author":"GOV.UK Verify","year":"2017"},{"key":"e_1_2_1_29_1","doi-asserted-by":"crossref","unstructured":"Paul A. Grassi M. Garcia and J. Fenton. 2017. Digital Identity Guidelines. NIST SP-800-63-3.","DOI":"10.6028\/NIST.SP.800-63-3"},{"key":"e_1_2_1_30_1","doi-asserted-by":"crossref","unstructured":"P. A. Grassi J. P. Richer S. K. Squire J. L. Fenton E. M. Nadeau N. B. Lefkovitz J. M. Danker Y. Choong K. K. Greene and M. F. Theofanos. 2017. Digital Identity Guidelines: Federation and Assertions. NIST SP-800-63-3C.","DOI":"10.6028\/NIST.SP.800-63c"},
{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2012.162"},{"key":"e_1_2_1_32_1","unstructured":"GSM Association. 2015. CPAS04 Authenticator Options."},{"key":"e_1_2_1_33_1","volume-title":"Retrieved","author":"GSM Association","year":"2015"},{"key":"e_1_2_1_34_1","volume-title":"Retrieved","author":"GSM Association","year":"2016"},{"key":"e_1_2_1_35_1","volume-title":"Retrieved","author":"GSM Association","year":"2016"},{"key":"e_1_2_1_36_1","volume-title":"Proceedings of the W3C Workshop on Identity in the Browser.","author":"Hanson M."},{"key":"e_1_2_1_37_1","first-page":"192","article-title":"J-PAKE: Authenticated key exchange without PKI","volume":"6480","author":"Hao F.","year":"2010","journal-title":"Trans. Comput. Sci. XI LNCS"},{"key":"e_1_2_1_38_1","doi-asserted-by":"crossref","unstructured":"D. Hardt. 2012. The OAuth 2.0 authorization framework. RFC 6749 (IETF).","DOI":"10.17487\/rfc6749"},{"key":"e_1_2_1_39_1","volume-title":"Retrieved","author":"IBM Research Zurich","year":"2018"},{"key":"e_1_2_1_40_1","unstructured":"ITU-T. 2012. X.1254--Cyberspace security--Identity management."},{"key":"e_1_2_1_41_1","doi-asserted-by":"crossref","unstructured":"M. Jones J. Bradley and N. Sakimura. 2015. JSON Web Token (JWT). RFC 7519 (IETF).","DOI":"10.17487\/RFC7519"},
{"key":"e_1_2_1_42_1","unstructured":"B. Kaliski. 2000. PKCS #5: Password-Based Cryptography Specification Version 2.0. RFC 2898 (IETF)."},{"key":"e_1_2_1_43_1","volume-title":"Retrieved","year":"2017"},{"key":"e_1_2_1_44_1","doi-asserted-by":"crossref","unstructured":"H. Krawczyk and P. Eronen. 2010. HMAC-based Extract-and-Expand Key Derivation Function (HKDF). RFC 5869 (IETF).","DOI":"10.17487\/rfc5869"},{"key":"e_1_2_1_45_1","volume-title":"Proceedings of the Annual Conference on the World Wide Web (WWW\u201918)","author":"Krawiecka K."},{"key":"e_1_2_1_46_1","volume-title":"Retrieved","author":"Krebs B.","year":"2010"},{"key":"e_1_2_1_47_1","volume-title":"Security Keys: Practical cryptographic second factors for the modern web. In Financial Cryptography and Data Security. 422--440.","author":"Lang J.","year":"2016"},{"key":"e_1_2_1_48_1","unstructured":"A. Langley E. Kasper and B. Laurie. 2013. Certificate Transparency. RFC 6962 (IETF)."},{"key":"e_1_2_1_49_1","volume-title":"Proceedings of the USENIX Security Symposium. 465--479","author":"Li Z."},{"key":"e_1_2_1_50_1","unstructured":"S. Machani R. Philpott S. Srinivas J. Kemp and J. Hodges. 2017. FIDO UAF Architectural Overview. Retrieved September 9 2018 from https:\/\/fidoalliance.org\/specs\/fido-uaf-v1.2-rd-20171128\/FIDO-UAF-COMPLETE-v1.2-rd-20171128.pdf."},
{"key":"e_1_2_1_51_1","volume-title":"Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P\u201917)","author":"Mainka C."},{"key":"e_1_2_1_52_1","volume-title":"Retrieved","author":"Marlinspike M.","year":"2017"},{"key":"e_1_2_1_53_1","volume-title":"Password Managers: Comparative Evaluation, Design, Implementation and Empirical Analysis. Master\u2019s thesis","author":"McCarney D.","year":"2013"},{"key":"e_1_2_1_54_1","volume-title":"Retrieved","author":"MDN","year":"2018"},{"key":"e_1_2_1_55_1","volume-title":"Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P\u201916)","author":"Mainka C."},{"key":"e_1_2_1_56_1","volume-title":"Retrieved","year":"2017"},{"key":"e_1_2_1_57_1","volume-title":"Retrieved","author":"Mozilla Corporation","year":"2018"},{"key":"e_1_2_1_58_1","volume-title":"Retrieved","author":"Murdoch S. J.","year":"2014"},{"key":"e_1_2_1_59_1","doi-asserted-by":"crossref","unstructured":"C. Neuman S. Hartman and K. Raeburn. 2005. The Kerberos Network Authentication Service (V5). RFC 4120 (IETF).","DOI":"10.17487\/rfc4120"},{"key":"e_1_2_1_60_1","volume-title":"Retrieved","author":"OASIS.","year":"2017"},{"key":"e_1_2_1_61_1","volume-title":"Retrieved","author":"OCLC.","year":"2018"},{"key":"e_1_2_1_62_1","volume-title":"Proceedings of the 8th Australasian Conference on Information Security and Privacy. 249--264","author":"Pashalidis A."},{"key":"e_1_2_1_63_1","volume-title":"Proceedings of the IEEE Global Communications Conference (GLOBECOM\u201904)","author":"Pashalidis A."},{"key":"e_1_2_1_64_1","unstructured":"A. Popov D. Balfanz A. Langley and J. Hodges. 2018. The Token Binding Protocol Version 1.0. RFC 8471 (IETF). Retrieved September 9 2019 from https:\/\/tools.ietf.org\/html\/rfc8471."},
{"key":"e_1_2_1_65_1","volume-title":"Retrieved","author":"Recordon D.","year":"2018"},{"key":"e_1_2_1_66_1","volume-title":"Proceedings of the ACM Workshop on Digital Identity Management. 11--16","author":"Recordon D."},{"key":"e_1_2_1_67_1","volume-title":"Retrieved","author":"Rennie D.","year":"2017"},{"key":"e_1_2_1_68_1","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy. 872--888","author":"Reynolds J."},{"key":"e_1_2_1_69_1","volume-title":"Retrieved","author":"Sachs E.","year":"2008"},{"key":"e_1_2_1_70_1","volume-title":"Retrieved","author":"Sakimura N.","year":"2018"},{"key":"e_1_2_1_71_1","volume-title":"Retrieved","year":"2014"},{"key":"e_1_2_1_72_1","volume-title":"Retrieved","author":"Shibboleth Consortium","year":"2017"},{"key":"e_1_2_1_73_1","volume-title":"Retrieved","author":"Shibboleth Wiki","year":"2017"},{"key":"e_1_2_1_74_1","volume-title":"Proceedings of the USENIX Security Symposium. 449--464","author":"Silver D."},{"key":"e_1_2_1_75_1","volume-title":"Retrieved","year":"2015"},{"key":"e_1_2_1_76_1","unstructured":"S. Srinivas D. Balfanz E. Tiffany and A. Czeskis. 2019. Universal 2nd Factor (U2F) Overview. Retrieved September 9 2019 from https:\/\/fidoalliance.org\/specs\/fido-u2f-v1.2-ps-20170411\/FIDO-U2F-COMPLETE-v1.2-ps-20170411.pdf."},
{"key":"e_1_2_1_77_1","volume-title":"Proceedings of the Symposium on Usable Privacy and Security (SOUPS\u201914)","author":"Stobert E."},{"key":"e_1_2_1_79_1","volume-title":"Proceedings of the ACM Conference on Computer and Communications Security (CCS\u201912)","author":"Sun S."},{"key":"e_1_2_1_80_1","volume-title":"Proceedings of the New Security Paradigms Workshop. 61--72","author":"Sun S."},{"key":"e_1_2_1_81_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2012.02.005"},{"key":"e_1_2_1_82_1","volume-title":"Proceedings of the Symposium on Usable Privacy and Security (SOUPS\u201911)","author":"Sun S."},{"key":"e_1_2_1_83_1","volume-title":"Proceedings of the 3rd International Conference on Security and Privacy in Communication Networks. 473--482","author":"van der Horst T. W."},{"key":"e_1_2_1_84_1","volume-title":"Proceedings of the USENIX Security Symposium. 399--314","author":"Wang R."},{"key":"e_1_2_1_85_1","volume-title":"Retrieved","author":"Warner B.","year":"2014"},{"key":"e_1_2_1_86_1","volume-title":"Retrieved","author":"Warner B.","year":"2015"},{"key":"e_1_2_1_87_1","volume-title":"Retrieved","author":"Windows Dev Center","year":"2017"},{"key":"e_1_2_1_88_1","volume-title":"Proceedings of the USENIX Security Symposium. 495--510","author":"Zhou Y."}
],"container-title":["ACM Computing Surveys"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3409452","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3409452","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:38:40Z","timestamp":1750199920000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3409452"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,9,28]]},"references-count":87,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2021,9,30]]}},"alternative-id":["10.1145\/3409452"],"URL":"https:\/\/doi.org\/10.1145\/3409452","relation":{},"ISSN":["0360-0300","1557-7341"],"issn-type":[{"value":"0360-0300","type":"print"},{"value":"1557-7341","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,9,28]]},"assertion":[{"value":"2018-04-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-07-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-09-28","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}