Pomcor
Research in Web Technology
Social Login without Application Registration

Posted on April 5, 2011 by Francisco Corella

Tonight I’m in Washington DC with Karen Lewison for the NIST IDTrust workshop, which takes place tomorrow and the day after (April 6-7). We’ll be showing a poster on PKAuth, our proposed social login protocol. By social login I mean the buttons that allow you to log in to Web applications with your identity at a social network such as Facebook, LinkedIn or Twitter, giving the application access to your social context at the site. I believe the term social login was coined by Janrain.

Today social login uses the OAuth protocol, which requires prior registration of the application with the social site. The registration process establishes a shared secret that the site later uses to authenticate the application, and provides the site with information (such as the application's name and the URL it redirects users back to) that the site later uses to identify the application to the user as it asks the user's permission to grant the application access to the user's social context.

The problem with that is that the social site gains the power to disable the application by revoking its registration. Why is that a problem? Because social login is becoming so popular that the day may come when all applications have to register with the dominant social site (currently Facebook) just to be able to authenticate their users. The dominant social site would then have the power to disable any Web application by revoking its registration. That would be bad for users, for applications, and for the dominant social site itself, which would no doubt face regulation by multiple governments.

That’s why we are proposing PKAuth. In PKAuth registration is optional. A site will be able to require registration for special applications that need, say, administrative access to the user’s account, while not requiring it for others. Applications that only want to delegate user authentication should not have to register.

Instead of registration, PKAuth relies on the Web's existing public key infrastructure: the application's ordinary SSL certificate, the one it already uses to serve HTTPS, is what authenticates the application to the site and identifies it to the user. Since such a certificate vouches for a domain name, the domain name is the identity the site can verify (against the same certification authorities a browser trusts) and present to the user.
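To make the contrast concrete, here is an added example (editorial illustration, not code from Pomcor or from the PKAuth white paper, and not PKAuth's actual message flow) of the two checks a social site would perform. The first is the OAuth-style lookup of a secret issued at registration, where deleting the entry is exactly the "revoke the registration" power described above. The second is the registration-free alternative: take the host of the redirect URL the application supplied, verify the certificate chain presented for that host against trusted roots, and return the domain name to show on the consent page. The root CA, the host `app.example`, the client ID and the secret are all constructed so the example runs offline; in deployment the certificate would come from a TLS handshake with the application host (or a signature verifiable by it), which is what binds the request to the certificate and is outside this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// AuthenticateRegisteredClient is the OAuth-style check: the site looks up the
// secret it issued at registration and compares it in constant time. Removing
// the registry entry (revoking the registration) makes every login fail.
func AuthenticateRegisteredClient(registry map[string]string, clientID, presented string) bool {
	secret, ok := registry[clientID]
	if !ok {
		return false
	}
	return hmac.Equal([]byte(secret), []byte(presented))
}

// IdentifyApplication is the registration-free alternative: the chain the
// application presented must verify to a trusted root AND cover the host of
// the redirect URL it asked for. The verified host is what the user is shown.
// (Proof of possession of the certificate's private key is assumed to have
// happened in the TLS handshake that produced `presented`; not shown here.)
func IdentifyApplication(roots *x509.CertPool, presented *x509.Certificate, redirectURL string) (string, error) {
	u, err := url.Parse(redirectURL)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || u.Hostname() == "" {
		return "", fmt.Errorf("redirect URL must be https with a host: %q", redirectURL)
	}
	host := u.Hostname()
	_, err = presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host, // rejects a valid chain issued for some other host
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return "", err
	}
	return host, nil
}

// ---- constructed test PKI (hypothetical CA and host) so the example runs offline ----

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func template(serial int64, cn string, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn} // hostname verification uses the SAN, not the CN
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// BuildTestPKI mints a root CA and a server certificate for host signed by it.
func BuildTestPKI(host string) (*x509.CertPool, *x509.Certificate) {
	caKey := mustKey()
	caTmpl := template(1, "Constructed Test Root CA", true)
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafKey := mustKey()
	leaf := mustCert(template(2, host, false), ca, &leafKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, leaf
}

// ForgedCert is a self-signed certificate claiming host, as anyone without a
// trusted CA could mint; it must be rejected.
func ForgedCert(host string) *x509.Certificate {
	k := mustKey()
	t := template(3, host, false)
	return mustCert(t, t, &k.PublicKey, k)
}

func main() {
	roots, leaf := BuildTestPKI("app.example")
	fmt.Println(IdentifyApplication(roots, leaf, "https://app.example/oauth/callback"))
	fmt.Println(IdentifyApplication(roots, ForgedCert("app.example"), "https://app.example/oauth/callback"))
}
```

The design point is that the registration-free check gives the site nothing to revoke: there is no per-application entry, only the public PKI, and the only way to "disable" the application is for its CA to revoke a certificate it controls. The check also ties the redirect host to the certificate, so a valid certificate for one domain cannot be used to ask for consent on behalf of another.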

We have just published a revised version of the PKAuth white paper and I will be talking about other benefits of PKAuth in future posts.

This entry was posted in Identity and tagged Facebook, Internet identity, OAuth, PKAuth, registration, security protocols, social login. Bookmark the permalink.